Question

Cloud Armor doesn't help during attack

  • December 7, 2025
  • 4 replies
  • 28 views

mrbay

We have just enrolled in Cloud Armor paygo.

Two attacks have been identified already. The dashboard reads “Mitigation is enforced. No action is required”.

But the VM is still unavailable when we allow external traffic.

What else can we do?

4 replies

Absonny00-coder

Even though Cloud Armor shows “Mitigation is enforced,” your VM may still be unavailable because the attack is saturating resources outside Cloud Armor’s scope (like your VM’s network, firewall, or backend service). You’ll need to verify backend health checks, logging, and firewall rules, and possibly add load balancing or rate limiting to ensure availability.

Why This Happens
Cloud Armor protects against Layer 3/4 volumetric DDoS and Layer 7 application attacks, but:
- VM health checks may fail if the backend is overwhelmed or misconfigured.  
- Firewall rules or IAM policies may still block traffic even if Cloud Armor allows it.  
- Resource exhaustion (CPU, memory, bandwidth) can occur if the attack volume exceeds what the VM can handle.  
- Mitigation messages only confirm Cloud Armor rules are applied, not that your VM is healthy or reachable.


Absonny00-coder

Recommended actions to be taken:

1. Confirm your VM is behind a Google Cloud Load Balancer. Cloud Armor policies only apply to traffic routed through load balancers. If you’re exposing the VM directly, Cloud Armor won’t protect it.  

2. Check Cloud Logging for denied/allowed requests. This will show if legitimate traffic is being blocked or if the VM is simply failing health checks.  

3. Scale your backend. Consider auto scaling or adding more instances to absorb traffic.  

4. Add rate limiting rules. For example, limit requests per IP to prevent floods.  

5. Verify firewall rules. Ensure external traffic is allowed on the correct ports.  

6. Test availability internally. Try accessing the VM from within the VPC to confirm if the issue is external only.  

Bottom Line:  

Cloud Armor is mitigating attacks at the edge, but your VM may still be failing due to backend health check issues, resource exhaustion, or missing load balancer integration. Start by checking Cloud Logging and backend health, then ensure your VM is properly integrated with a Google Cloud Load Balancer for full protection.

Would you like me to walk you through setting up rate limiting rules in Cloud Armor step by step?

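Step 2 above (check Cloud Logging to see whether legitimate traffic is being blocked or the VM is simply failing health checks) is the one that decides what to do next, so here is an added example of that triage. It is not code from the thread or from Google: it parses load-balancer request-log entries and separates requests Cloud Armor denied from requests the policy allowed but the backend could not answer. The log lines are constructed; the field names (httpRequest.status, httpRequest.remoteIp, jsonPayload.statusDetails, jsonPayload.enforcedSecurityPolicy) follow the external HTTP(S) load balancer request log, so confirm them against a real entry from your own project before relying on the classification.

```python
"""Triage HTTP(S) Load Balancer request logs: is Cloud Armor dropping the
traffic, or is the backend behind it failing?

Added example for this thread, not code from the original posts or from
Google.  Field names follow the external HTTP(S) load balancer request log;
check them against a real entry, e.g.
  gcloud logging read 'resource.type="http_load_balancer"' --limit=5 --format=json
"""
import json
from collections import Counter

# statusDetails values the load balancer emits when it could not obtain a
# response from a backend (assumed set; extend it from your own logs).
BACKEND_FAILURE_DETAILS = {
    "failed_to_pick_backend",        # no healthy backend in the backend service
    "failed_to_connect_to_backend",  # backend chosen but TCP connect failed
    "backend_connection_closed_before_data_sent_to_client",
    "backend_timeout",
}

# Constructed sample: one JSON object per line, shaped like LB request-log
# entries after a `gcloud logging read ... --format=json | jq -c '.[]'`.
SAMPLE_LOG_LINES = [
    '{"httpRequest":{"remoteIp":"203.0.113.10","status":403},"jsonPayload":{"statusDetails":"denied_by_security_policy","enforcedSecurityPolicy":{"name":"edge-policy","priority":1000,"configuredAction":"DENY","outcome":"DENY"}}}',
    '{"httpRequest":{"remoteIp":"203.0.113.11","status":403},"jsonPayload":{"statusDetails":"denied_by_security_policy","enforcedSecurityPolicy":{"name":"edge-policy","priority":1000,"configuredAction":"DENY","outcome":"DENY"}}}',
    '{"httpRequest":{"remoteIp":"203.0.113.12","status":429},"jsonPayload":{"statusDetails":"denied_by_security_policy","enforcedSecurityPolicy":{"name":"edge-policy","priority":2000,"configuredAction":"THROTTLE","outcome":"DENY"}}}',
    '{"httpRequest":{"remoteIp":"198.51.100.7","status":502},"jsonPayload":{"statusDetails":"failed_to_pick_backend","enforcedSecurityPolicy":{"name":"edge-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"}}}',
    '{"httpRequest":{"remoteIp":"198.51.100.7","status":502},"jsonPayload":{"statusDetails":"failed_to_connect_to_backend","enforcedSecurityPolicy":{"name":"edge-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"}}}',
    '{"httpRequest":{"remoteIp":"192.0.2.44","status":503},"jsonPayload":{"statusDetails":"failed_to_pick_backend","enforcedSecurityPolicy":{"name":"edge-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"}}}',
    '{"httpRequest":{"remoteIp":"192.0.2.45","status":200},"jsonPayload":{"statusDetails":"response_sent_by_backend","enforcedSecurityPolicy":{"name":"edge-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"}}}',
]


def classify(entry):
    """Map one log entry to an outcome.

    denied_by_policy : Cloud Armor enforced a DENY / throttle / ban rule
    backend_failure  : the policy allowed the request but the LB got no
                       response from a healthy backend (health checks failing,
                       VM saturated or down)
    served           : a backend answered (the app may still return 5xx)
    other            : anything this script does not anticipate
    """
    payload = entry.get("jsonPayload", {})
    policy = payload.get("enforcedSecurityPolicy", {})
    details = payload.get("statusDetails", "")
    status = int(entry.get("httpRequest", {}).get("status", 0))

    if policy.get("outcome") == "DENY" or details == "denied_by_security_policy":
        return "denied_by_policy"
    if details in BACKEND_FAILURE_DETAILS or (
        status in (502, 503) and details != "response_sent_by_backend"
    ):
        return "backend_failure"
    if details == "response_sent_by_backend":
        return "served"
    return "other"


def triage(lines):
    """Count outcomes, list the clients hitting backend failures, and give a
    one-word verdict on where the outage actually is."""
    counts = Counter()
    failing_clients = Counter()
    for line in lines:
        entry = json.loads(line)
        outcome = classify(entry)
        counts[outcome] += 1
        if outcome == "backend_failure":
            failing_clients[entry["httpRequest"]["remoteIp"]] += 1

    reached_backend = counts["backend_failure"] + counts["served"]
    if reached_backend and counts["backend_failure"] / reached_backend > 0.5:
        # Cloud Armor is letting traffic through; the VM / health checks are the problem.
        verdict = "backend_unhealthy"
    elif counts["denied_by_policy"] and not reached_backend:
        # Nothing reaches the backend at all: a rule is too broad.
        verdict = "all_traffic_denied"
    else:
        verdict = "backend_serving"
    return {
        "counts": dict(counts),
        "top_failing_clients": failing_clients.most_common(3),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG_LINES), indent=2))
```

With the constructed sample the verdict is `backend_unhealthy`: three requests were denied at the edge, but three of the four that the policy allowed ended in `failed_to_pick_backend` or `failed_to_connect_to_backend`, which is exactly the "mitigation enforced, VM still down" picture from the question. In that state, adding deny rules will not restore service; fixing the health check, firewall rules on the backend port, or backend capacity will.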

mrbay
  • Author
  • New Member
  • December 7, 2025

Thank you @Absonny00-coder for your detailed reply.

I think you are right. Cloud Armor is blocking some traffic but not enough for our VMs or internal network to handle the load.

Yes, please let me know about rate limiting in Cloud Armor.


Absonny00-coder

Rate limiting in Google Cloud Armor lets you control how many requests clients can send to your backend within a defined time window. It’s a defense mechanism against floods of traffic (like DDoS or bot abuse) that could overwhelm your VM or application, even if Cloud Armor is already mitigating attacks.
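To make the "requests per client within a time window" idea concrete, here is an added example (not code from the thread or from Google) that builds the two kinds of Cloud Armor rate-limit rules and previews, against constructed traffic, which clients each rule would allow, throttle or ban. The rule dictionaries follow the `rateLimitOptions` shape of the Compute Engine `securityPolicies` REST API; the `gcloud` flags in the comments are the ones I believe create the same rule and should be confirmed with `gcloud compute security-policies rules create --help`. The fixed-window counter is a local approximation for sizing the threshold: Cloud Armor counts across its distributed edge, so real enforcement is close to, not identical with, this simulation.

```python
"""Cloud Armor rate limiting: rule bodies plus a local preview of their effect.

Added example, not from the original thread.  Rule shape follows the
compute.securityPolicies REST API (rateLimitOptions); traffic is constructed.
"""
from collections import defaultdict


def throttle_rule(priority, count, interval_sec, src_ip_ranges=("*",)):
    """Allow up to `count` requests per `interval_sec` per client IP, answer
    429 to the rest.  Equivalent gcloud (assumed flags):
      gcloud compute security-policies rules create PRIORITY \
        --security-policy=POLICY --src-ip-ranges="*" --action=throttle \
        --rate-limit-threshold-count=COUNT --rate-limit-threshold-interval-sec=SEC \
        --conform-action=allow --exceed-action=deny-429 --enforce-on-key=IP
    """
    return {
        "priority": priority,
        "description": f"throttle {count}/{interval_sec}s per IP",
        "match": {"versionedExpr": "SRC_IPS_V1",
                  "config": {"srcIpRanges": list(src_ip_ranges)}},
        "action": "throttle",
        "rateLimitOptions": {
            "rateLimitThreshold": {"count": count, "intervalSec": interval_sec},
            "conformAction": "allow",
            "exceedAction": "deny(429)",
            "enforceOnKey": "IP",
        },
    }


def rate_based_ban_rule(priority, count, interval_sec, ban_count,
                        ban_interval_sec, ban_duration_sec):
    """Throttle like above, and additionally ban a client for
    `ban_duration_sec` once it exceeds `ban_count` in `ban_interval_sec`."""
    rule = throttle_rule(priority, count, interval_sec)
    rule["action"] = "rate_based_ban"
    rule["description"] = f"ban {ban_duration_sec}s after {ban_count}/{ban_interval_sec}s"
    rule["rateLimitOptions"].update({
        "banThreshold": {"count": ban_count, "intervalSec": ban_interval_sec},
        "banDurationSec": ban_duration_sec,
    })
    return rule


def simulate(requests, rule):
    """Fixed-window preview: requests are (client_ip, t_seconds) tuples.
    Returns {ip: {"allowed": n, "denied": m}}.  Local approximation only."""
    opts = rule["rateLimitOptions"]
    thr = opts["rateLimitThreshold"]
    is_ban = rule["action"] == "rate_based_ban"
    ban_thr = opts.get("banThreshold", thr)
    ban_duration = opts.get("banDurationSec", 0)

    window_counts = defaultdict(int)   # (ip, window) -> requests in window
    ban_counts = defaultdict(int)      # (ip, ban window) -> requests in ban window
    ban_until = {}                     # ip -> time the ban expires
    result = defaultdict(lambda: {"allowed": 0, "denied": 0})

    for ip, t in sorted(requests, key=lambda r: r[1]):
        if ban_until.get(ip, -1) > t:
            result[ip]["denied"] += 1
            continue
        key = (ip, t // thr["intervalSec"])
        window_counts[key] += 1
        if window_counts[key] <= thr["count"]:
            result[ip]["allowed"] += 1
        else:
            result[ip]["denied"] += 1
        if is_ban:
            bkey = (ip, t // ban_thr["intervalSec"])
            ban_counts[bkey] += 1
            if ban_counts[bkey] > ban_thr["count"]:
                ban_until[ip] = t + ban_duration
    return dict(result)


# Constructed traffic: one flooding client at 5 req/s for a minute, then a
# burst ten seconds into the next minute; one legitimate client every 3 s.
ATTACKER, LEGIT = "203.0.113.10", "198.51.100.7"
SAMPLE_REQUESTS = ([(ATTACKER, i // 5) for i in range(300)]
                   + [(ATTACKER, 70 + i) for i in range(10)]
                   + [(LEGIT, 3 * i) for i in range(20)])

THROTTLE = throttle_rule(1000, count=100, interval_sec=60)
BAN = rate_based_ban_rule(1000, count=100, interval_sec=60,
                          ban_count=200, ban_interval_sec=60, ban_duration_sec=600)

if __name__ == "__main__":
    for rule in (THROTTLE, BAN):
        print(rule["description"], simulate(SAMPLE_REQUESTS, rule))
```

The preview shows the difference the thread is asking about: the plain throttle lets the attacker back in as soon as a new 60-second window starts, while the rate-based ban keeps it denied for ten minutes once it crosses 200 requests, and the legitimate client at 20 requests per minute is untouched by both. Pick `count` from what your own triage logs show normal clients doing, and set the ban threshold well above it so a busy but honest user is throttled, not banned.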