---
title: "Google Cloud Armor Integration"
slug: "google-cloud-armor"
description: "Learn how to integrate Traceable with Google Cloud Armor to protect applications and APIs against DDoS, SQL injection, XSS, and other attacks. This guide covers prerequisites, integration setup, malicious source and threat actor rules, and custom signature policies for enhanced security."
updated: 2026-05-14T06:50:50Z
published: 2026-05-14T06:50:50Z
---


# Google Cloud Armor Integration

##### Updates (April 2026 to June 2026)

- *May 2026* — Updated the topic to add information about the availability of the enable and disable options for configured Google Cloud Armor integration. For more information, see [Manage configured integration](/v1/docs/google-cloud-armor#viewing-configured-integration1).

Google Cloud Armor is a security service provided by Google Cloud Platform (GCP) to protect web applications and services from various types of cyber threats, including distributed denial-of-service (DDoS) attacks and application-layer attacks. Google Cloud Armor features a Web Application Firewall (WAF) as one of its key components. A WAF protects web applications from various security threats, such as SQL injection, cross-site scripting (XSS), and other malicious activities targeting web applications.

## What will you learn in this topic?

By the end of this topic, you will be able to understand:

- An [overview](/v1/docs/google-cloud-armor#integration-overview) of the steps required to set up the Google Cloud Armor integration.
- The [prerequisites](/v1/docs/google-cloud-armor#before-you-begin) for setting up the integration.
- The detailed [steps](/v1/docs/google-cloud-armor#add-new-google-cloud-armor-integration) for the Google Cloud Armor integration with Traceable.
- The [support matrix](/v1/docs/google-cloud-armor#custom-signature-rules-support-matrix) for the creation of Custom Signature rules in Traceable.

---

## Integration Overview

This section provides high-level information on integrating Google Cloud Armor (GCA) WAF with your environment and managing threats.

1. **Integration Setup** — After deploying the agent, you can retrieve the credentials and configure the Google Cloud Armor integration. To do so, you must complete the following steps:
  1. **Prerequisites** — Log in to your Google Cloud Armor account and fetch the required credentials to configure the integration. For more information, see [Before you begin](/v1/docs/google-cloud-armor#before-you-begin).
  2. **Integration** — After obtaining the credentials from the previous step, navigate to the Traceable platform and configure the integration. For more information, see [Add New Google Cloud Armor Integration](/v1/docs/google-cloud-armor#add-new-google-cloud-armor-integration).
2. **Threat Management** — After setting up the integration, you can establish rules to allow, block, or monitor IP addresses according to your specific requirements. Traceable supports the following rules for the Google Cloud Armor integration:
  1. **Threat Actors** — Traceable enables you to track any status change of a threat actor and communicate it to Google Cloud Armor. Traceable allows creating allowlists using allowed and snoozed states, and supports blocking using deny and suspended states under threat actors. For example, if Traceable detects a threat actor and changes it to a deny state, then the requests from this threat actor can be blocked using Google Cloud Armor. For more information, see [Threat actors](https://docs.traceable.ai/docs/threat-actors-new).
  2. **Malicious Source Rules** (**IP Range only**) — Traceable allows you to configure malicious source rules under **Protection** → **Policies** → **Custom Policies** → **Malicious Sources** tab to block or allow IP ranges, with enforcement carried out through Google Cloud Armor. For more information, see [Custom policy](https://docs.traceable.ai/docs/custom-policy). Traceable recommends going through the allow list conditions before creating any IP-range rules. For more information, see [IP address allowlist](https://docs.traceable.ai/docs/custom-policy#ip-address-allowlist).
  3. **Custom Signature Rules** — Traceable allows you to set up Custom Signature rules under **Protection** → **Policies** → **Custom Policies** → **Custom Signatures** tab to block incoming requests from a specific URL by matching the corresponding endpoints. For more information, see [Custom Policy](https://docs.traceable.ai/docs/custom-policy#creating-custom-rules) and [Custom signature rules support matrix](/v1/docs/google-cloud-armor#custom-signature-rules-support-matrix).

The following is a high-level integration diagram:

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_WAF_GCA_INtegration_diagram.png)

Traceable Google Cloud Armor Integration Diagram

---

## Before you begin

Make a note of the following before you proceed with Google Cloud Armor’s integration with Traceable.

- **Google Cloud Armor security policy** — A security policy is a set of rules that defines what action needs to be taken under which conditions, how traffic should be handled by the Web Application Firewall (WAF), and other security features. Security policies enable you to define criteria and take actions to safeguard your web applications against various attacks and security threats.
  - Make sure you have the following from Google Cloud Armor security policy:
    - The **Name** of the security policy, for example, *traceableai*.
    - Whether the **Scope** of the policy is **Regional** or **Global**.
    - The configured **Response code**.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_WAF_GCA_Policy-config.png)

Google security policy configuration

- **Roles required** — The following is a list of roles (IAM permissions) needed for the integration:
  - `compute.securityPolicies.get`
  - `compute.securityPolicies.list`
  - `compute.securityPolicies.use`
  - `compute.securityPolicies.update`
  - `compute.securityPolicies.delete`
  - `compute.backendServices.setSecurityPolicies`
  - `compute.regionSecurityPolicies.create`
  - `compute.regionSecurityPolicies.delete`
  - `compute.regionSecurityPolicies.get`
  - `compute.regionSecurityPolicies.list`
  - `compute.regionSecurityPolicies.update`

For more information on Google Cloud Armor security policy, see [Configure Cloud Armor security policies](https://cloud.google.com/armor/docs/configure-security-policies).

- **Google Cloud Armor Project ID** — Each Google project has a unique project ID.
- **Service account key** — A **Service Account Key**, also known as the JSON key, is a credentials file that allows authentication of a service account within Google Cloud Platform (GCP). It is required for enabling secure, programmatic access to GCP services and is essential for configuring a Google Cloud integration. For more information, see [Create Service Account Key](https://cloud.google.com/iam/docs/keys-create-delete#creating). Ensure that the service account key is created with the roles specified in the above section.

---

## Add new Google Cloud Armor integration

To add a new Google Cloud Armor integration, navigate to the **Integrations** page from the bottom left corner of your Traceable account, and do one of the following:

- Search for *Google Cloud Armor* in the search bar.
- Navigate to **WAF** → *Google Cloud Armor*.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_WAF_GCA_navigation_.png)

GCA Navigation

Click **Configure** on the **Google Cloud Armor** tile and complete the following steps in the **Add New Google Cloud Armor Integration** slide-out panel:

1. **Integration Name** — A unique name for your integration, for example, *Google Cloud Armor integration*.
2. (Optional) **Description** — A summary for your integration, for example, *GCA Traceable integration*.
3. **Environments** — The environment you want to integrate, selected from the drop-down list.
4. **Google Cloud Armor Project ID** — A project ID associated with the integration fetched above in the [Before you begin](/v1/docs/google-cloud-armor#before-you-begin) section.
5. **Service account key** — The service key associated with your account fetched above in the [Before you begin](/v1/docs/google-cloud-armor#before-you-begin) section.
6. **Policy Name** — The name of the policy configured in the Google Cloud Armor security policy, for example, *traceableai*.
7. **Policy type** — The type of policy you configured in the Google Cloud Armor security policy above in the [Before you begin](/v1/docs/google-cloud-armor#before-you-begin) section.
8. **Blocking Action Response Code** — The blocking action response code from the drop-down list. This should match the response code you configured in the Google Cloud Armor security policy above, in the [Before you begin](/v1/docs/google-cloud-armor#before-you-begin) section, for example, *403*.
9. Click **Test Connection**.
10. Click **Save**. The **Save** button is enabled only after Traceable validates a successful connection.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_WAF_GCA_Add_new_integration_window.png)

Add new GCA Integration

> [!NOTE]
> 
> - Traceable assigns a priority to each rule. Make sure that this priority is not changed in the Google Cloud Armor security policy.
> - If you are creating a Malicious source rule in Traceable, there is a limit of 10 IP addresses per single rule. If you have more than 10 IP addresses in a rule, the first 10 IP addresses are considered, while the remaining addresses are ignored.
> - If you delete the integration, the security policy in Google Cloud Armor is also deleted. If you do not want the policy to be deleted, do not add the `compute.securityPolicies.delete` role to the service account key. Note that a security policy attached to a target, such as a virtual load balancer, is not deleted.
> - X-Forwarded-For (XFF) and X-Real-IP are not supported; only public IPs are supported.

Upon successful integration, you can see the Traceable-created rules in your Google Cloud Armor security policy.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_cloud_armor_synced_rules.png)

Traceable created rules in GCA
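
The 10-address limit and the public-IP restriction from the note above can be checked before a Malicious Source rule is created, so that no entry is silently ignored. The following Python code is an added example, not Traceable or Google code; the function name `plan_malicious_source_rules`, the sample ranges, and the treatment of each IP or CIDR entry as one of the ten addresses are assumptions.

```python
import ipaddress

MAX_ENTRIES_PER_RULE = 10  # per-rule limit stated in the note above


def plan_malicious_source_rules(entries, limit=MAX_ENTRIES_PER_RULE):
    """Split IP/CIDR entries into rule-sized batches and set aside unusable ones.

    Returns (batches, rejected): batches is a list of lists holding at most
    `limit` entries each; rejected is a list of (entry, reason) tuples.
    """
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR range"))
            continue
        if not net.is_global:
            rejected.append((raw, "not a public (globally routable) range"))
            continue
        if net in seen:
            continue  # a duplicate would waste one of the ten slots
        seen.add(net)
        accepted.append(str(net))
    # One batch per rule: entry 11 onward goes to a new rule instead of being dropped.
    batches = [accepted[i:i + limit] for i in range(0, len(accepted), limit)]
    return batches, rejected


# Constructed sample input (assumption): 12 routable ranges picked only because
# they are globally routable, plus entries that the note above rules out.
SAMPLE = [f"11.{i}.0.0/16" for i in range(12)] + [
    "10.1.2.3",        # RFC 1918 address, not a public IP
    "192.168.0.0/24",  # private range
    "11.3.0.0/16",     # duplicate of an earlier entry
    "not-an-ip",       # malformed entry
]

if __name__ == "__main__":
    batches, rejected = plan_malicious_source_rules(SAMPLE)
    for n, batch in enumerate(batches, 1):
        print(f"rule {n}: {len(batch)} entries -> {', '.join(batch)}")
    for entry, reason in rejected:
        print(f"skipped {entry!r}: {reason}")
```

Each returned batch corresponds to one Malicious Source rule; rejected entries need to be corrected or dropped before the rule is created.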

---

## Manage configured integration

After configuring the integration, you can view it under **Configured WAF Integrations**. Traceable gives you the flexibility to control how the integration operates. You can choose either of the following actions using the drop-down, according to your requirements:

- **Enabled** — You allow Traceable to actively update the WAF with the latest rules to enforce protection and monitor or block threats. When enabled, Traceable continuously sends new rules and updates to the WAF based on policy activity, helping enforce protections with the latest threat information and block suspicious traffic.
- **Disabled** — You stop Traceable from updating the WAF, so it no longer enforces new protections for that environment or region. When disabled, Traceable stops sending new rules and updates to the WAF for the selected environment or region, while other environments continue using their existing integration settings without impact. The WAF continues to enforce existing rules based on their last applied state, without receiving new updates. Traceable continues to detect and evaluate threats, but it does not enforce them through WAF.

---

## Custom signature rules support matrix

Custom signature rules allow you to define precise security policies in Google Cloud Armor using the Common Expression Language (CEL). These rules evaluate specific request attributes, such as IP addresses, headers, URIs, and HTTP methods, to help protect your applications from unwanted or malicious traffic. For more information on attributes and expressions, see [Google Cloud Armor Language Support](https://cloud.google.com/armor/docs/rules-language-reference#operations). The Support Matrix table below describes the attributes and the supported operations to create custom signature rules in Traceable. For more information, see [Support Matrix for Custom Signature Rules](https://docs.traceable.ai/docs/support-matrix-custom-signature-rules).

Custom Signature rules allow you to define precise conditions for evaluating incoming requests by examining attributes, such as headers, cookies, parameters, or payloads. By specifying operators and values for these attributes, you can detect and block malicious or unwanted traffic that may bypass default security protections. These rules provide fine-grained control over threat detection, enabling you to enforce security policies according to your requirements. Using these rules, you can improve your API and application security, reduce false positives, and address attack patterns that standard signatures may not cover.
