Two Different Approaches to DDoS
Google Cloud Armor is GCP's native DDoS protection and web application firewall service. It operates at the edge of Google's global network, protecting resources served through Google Cloud Load Balancers — including HTTP(S) Load Balancers, SSL Proxy, and TCP Proxy. Its headline feature, Adaptive Protection, uses machine learning to detect and automatically suggest mitigation rules for L7 DDoS attacks.
Flowtriq is a server-level detection agent that runs on any Linux server, regardless of cloud provider. It monitors traffic at the network interface, classifies attacks, captures PCAP evidence, and sends real-time alerts through multiple channels. It does not filter or scrub traffic — it provides the detection data your team needs to respond.
These products do not compete directly. Cloud Armor is a cloud-native protection service tied to GCP infrastructure. Flowtriq is a cloud-agnostic detection layer. The overlap exists only in the narrow sense that both detect DDoS attacks — but what each protects, what data each provides, and where each operates are fundamentally different.
Google Cloud Armor: Capabilities and Architecture
Cloud Armor leverages Google's global network infrastructure — one of the largest on the planet, serving YouTube, Search, Gmail, and GCP workloads across 187+ edge locations. When traffic arrives at a Google Cloud Load Balancer, Cloud Armor evaluates it against configured security policies before forwarding it to your backend services.
Cloud Armor's key capabilities include:
- Always-on DDoS protection: Network-layer (L3/L4) DDoS protection is always active for all resources behind Google Cloud Load Balancers. This is included at no additional cost for Standard tier and provides protection against volumetric and protocol attacks leveraging Google's massive network capacity.
- Adaptive Protection (Managed Protection Plus): Machine learning models analyze baseline traffic patterns and detect anomalous surges that indicate L7 DDoS attacks. When an attack is detected, Cloud Armor generates suggested WAF rules that you can apply with a single click. This ML-driven approach can detect sophisticated application-layer attacks that rule-based systems miss.
- WAF rules and preconfigured rule sets: OWASP Top 10 protection, custom rules using Common Expression Language (CEL), IP allowlists/denylists, geo-based filtering, and rate limiting. These operate in the same policy pipeline as DDoS protection.
- Bot management: reCAPTCHA Enterprise integration for distinguishing human users from automated traffic.
- Named IP lists: Integration with third-party threat intelligence feeds for blocking known-bad IP ranges.
- Threat intelligence integration: Google's threat intelligence data feeds into Adaptive Protection's detection models.
Adaptive Protection is genuinely innovative. Most DDoS protection products rely on static thresholds or manually configured rules. Cloud Armor's ML approach automatically learns your traffic baseline and can detect subtle application-layer attacks — the kind where each individual request looks legitimate, but the aggregate pattern is anomalous. This is a real advantage for complex web applications with dynamic traffic patterns.
Cloud Armor's Adaptive Protection represents some of the most sophisticated L7 DDoS detection available from any cloud provider. For GCP-native web applications behind load balancers, it is excellent protection. The limitations are about scope, not quality.
Where Cloud Armor's Scope Ends
Load Balancer Requirement
Cloud Armor only protects resources behind Google Cloud Load Balancers. If your GCP deployment includes Compute Engine instances with direct external IP addresses, those instances are not protected by Cloud Armor. GKE pods exposed via NodePort, standalone VMs running game servers or custom protocols, and instances in other cloud providers are all outside Cloud Armor's protection boundary.
This is a significant architectural constraint. Many GCP deployments include a mix of load-balanced web services and standalone instances running databases, cache layers, backend processors, or non-HTTP services. Cloud Armor sees traffic to the former and is blind to the latter.
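One way to inventory the gap described above, as an added example that is not code from Google or Flowtriq: it takes JSON shaped like the output of `gcloud compute instances list --format=json` and `gcloud compute firewall-rules list --format=json` and reports external IPs that an ingress rule opens to the whole internet. The sample records are constructed, and the check is a simplifying assumption: it ignores rule priority, deny rules, IPv6 ranges and service-account targets.

```python
import json

# Constructed sample records, shaped like `gcloud compute instances list` and
# `gcloud compute firewall-rules list` output with --format=json.
INSTANCES = json.loads("""[
  {"name": "web-1", "tags": {"items": ["web"]},
   "networkInterfaces": [{"network": "global/networks/prod"}]},
  {"name": "game-1", "tags": {"items": ["game"]},
   "networkInterfaces": [{"network": "global/networks/prod",
     "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
  {"name": "db-1", "tags": {"items": ["db"]},
   "networkInterfaces": [{"network": "global/networks/prod",
     "accessConfigs": [{"natIP": "203.0.113.11"}]}]}
]""")
FIREWALL = json.loads("""[
  {"name": "allow-game", "network": "global/networks/prod",
   "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "targetTags": ["game"], "allowed": [{"IPProtocol": "tcp", "ports": ["8443"]}]},
  {"name": "allow-db-internal", "network": "global/networks/prod",
   "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
   "targetTags": ["db"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]}
]""")

def open_rules(firewall):
    """Enabled ingress allow rules whose source range is the whole internet."""
    return [r for r in firewall
            if r.get("direction") == "INGRESS" and not r.get("disabled")
            and r.get("allowed") and "0.0.0.0/0" in r.get("sourceRanges", [])]

def direct_exposure(instances, firewall):
    """Return (instance, external IP, rule, protocol, ports) tuples for
    addresses reachable from the internet without passing a load balancer."""
    findings = []
    for inst in instances:
        tags = set(inst.get("tags", {}).get("items", []))
        for nic in inst.get("networkInterfaces", []):
            ips = [a["natIP"] for a in nic.get("accessConfigs", []) if a.get("natIP")]
            for rule in open_rules(firewall):
                targets = set(rule.get("targetTags", []))
                applies = rule.get("network") == nic.get("network") and (
                    not targets or targets & tags)  # no targetTags: every instance
                for allow in rule["allowed"] if applies else []:
                    ports = ",".join(allow.get("ports", ["all"]))
                    findings += [(inst["name"], ip, rule["name"],
                                  allow["IPProtocol"], ports) for ip in ips]
    return findings

if __name__ == "__main__":
    print(direct_exposure(INSTANCES, FIREWALL))
```

An instance that also sits in a load balancer backend is still listed if it keeps an external IP, because traffic sent to that IP never passes a Cloud Armor policy.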
GCP Only
Cloud Armor does not protect infrastructure outside GCP. If your organization runs servers on AWS, Azure, bare metal at Hetzner or OVH, on-premises equipment, or edge nodes at Vultr or DigitalOcean, those resources are entirely outside Cloud Armor's scope. For multi-cloud or hybrid-cloud organizations, Cloud Armor covers one slice of the infrastructure.
No PCAP Forensics
Cloud Armor provides security event logs through Cloud Logging, including details about blocked requests — source IP, request attributes, matched rule, action taken. These logs are valuable for L7 analysis. However, Cloud Armor does not provide packet captures. For network-layer attacks, you get aggregate metrics through Cloud Monitoring but not the raw packet data needed for deep forensic analysis.
Limited Alerting Channels
Cloud Armor's alerting works through Cloud Monitoring, which can send notifications via email, SMS, PagerDuty, Slack (via webhook), and Pub/Sub. This is more flexible than some cloud providers, but setting up multi-channel alerting requires configuring Cloud Monitoring alert policies, notification channels, and potentially Cloud Functions for custom routing. It is not a one-click setup for operational channels. There is no native Discord integration, and the alert latency depends on Cloud Monitoring's evaluation intervals rather than real-time detection-to-alert delivery.
No Per-Server Visibility
Cloud Armor operates at the load balancer level. Its metrics show request rates, blocked requests, and security policy evaluations for the backend service as a whole. It does not show per-instance traffic metrics. If one of your 20 backend instances is experiencing anomalous traffic patterns (perhaps due to session affinity concentrating attack traffic), Cloud Armor's metrics will not surface that per-instance detail.
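Why a backend-wide figure can hide one hot instance, as an added example that is not Cloud Armor's or Flowtriq's detection logic: constructed packet rates for 20 backends where the fleet total stays close to its baseline while a single instance carries several times the median load. The baseline, the 1.5x aggregate threshold and the median/MAD cutoff are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample: packets per second on 20 backend instances behind one
# load balancer. Session affinity has pinned a burst onto backend-07.
BASELINE_TOTAL_PPS = 100_000          # assumed normal fleet-wide rate
PPS = {f"backend-{i:02d}": 4_600 + 25 * i for i in range(1, 21)}
PPS["backend-07"] = 21_000

def aggregate_alarm(pps, baseline, factor=1.5):
    """Fleet-level view: alarm only if the total exceeds factor x baseline."""
    return sum(pps.values()) > factor * baseline

def hot_instances(pps, k=6.0):
    """Per-instance view: hosts more than k robust deviations above the median.

    Uses the median absolute deviation (MAD), which a single outlier cannot
    inflate the way it inflates a mean and standard deviation.
    """
    rates = list(pps.values())
    med = median(rates)
    mad = median(abs(r - med) for r in rates) or 1.0   # avoid a zero threshold
    return sorted(h for h, r in pps.items() if (r - med) / mad > k)

if __name__ == "__main__":
    total = sum(PPS.values())
    print(f"fleet total {total} pps, aggregate alarm: "
          f"{aggregate_alarm(PPS, BASELINE_TOTAL_PPS)}")
    print("per-instance outliers:", hot_instances(PPS))
```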
What Flowtriq Adds
Flowtriq's agent runs on each server independently, providing capabilities that Cloud Armor's architecture cannot:
- Any cloud, any server: Flowtriq works on GCP, AWS, Azure, bare metal, VPS, on-premises — any Linux server with a network interface. One detection platform across your entire infrastructure, regardless of provider mix.
- Direct-to-IP detection: Servers with external IP addresses that are not behind load balancers get full detection coverage. This covers the exact gap that Cloud Armor's load-balancer requirement creates.
- Per-server metrics: Each server reports independently. You see exactly what traffic each individual server is receiving, not just aggregate load-balancer metrics.
- PCAP capture: 60-second packet captures for every detected incident. Downloadable forensic data for post-incident analysis, upstream provider communication, and compliance documentation.
- Attack classification: Automatic classification of L3/L4 attack types — SYN flood, UDP flood, DNS amplification, NTP amplification, ICMP flood, TCP ACK flood — with confidence scoring. Cloud Armor's L3/L4 protection is automatic but does not provide this level of attack-type granularity in its reporting.
- Sub-5-second alerting: Detection to alert delivery in under 5 seconds through Discord, Slack, email, SMS, PagerDuty, OpsGenie, and custom webhooks. No Cloud Monitoring configuration required.
Side-by-Side: Same Attack, Different Data
Scenario: A 120-second SYN flood at 310,000 PPS targets a GCP Compute Engine instance that serves a custom TCP protocol on port 8443. This instance has a direct external IP and is not behind a Cloud Load Balancer.
Google Cloud Armor: No data. Cloud Armor is not active for this instance because it is not behind a load balancer. GCP's built-in network-tier DDoS protection may absorb some traffic automatically, but no Cloud Armor policy is evaluated, no security event is logged, and no alert is generated. The instance absorbs the attack directly. You may see elevated CPU and network metrics in Cloud Monitoring if you have those dashboards configured, but there is no attack classification, no source analysis, and no automated detection event.
Flowtriq: Alert fires at second 2. Incident record: SYN Flood (confidence 98%), duration 120 seconds, peak 314,200 PPS at 16:08:33 UTC, 1,244 unique source IPs across 41 ASNs, top source countries US (22%), DE (17%), BR (13%), target port 8443, average packet size 60 bytes (SYN packets). 60-second PCAP captured. Alerts sent to Slack and PagerDuty within 3 seconds of detection.
Now consider the reverse scenario: an HTTP flood at 850,000 requests per second targets a web application behind a GCP HTTPS Load Balancer with Cloud Armor Adaptive Protection enabled.
Google Cloud Armor: Adaptive Protection detects the anomalous request surge within 30-60 seconds. It generates a suggested rule identifying the attack signature (unusual User-Agent concentration, abnormal geographic distribution, request rate deviation from baseline). An operator can apply the rule with one click, or it can be auto-deployed if configured. Security events are logged with source IPs, request attributes, and matched rules. The attack is mitigated at Google's edge.
Flowtriq: If Cloud Armor blocks the attack at the edge effectively, Flowtriq sees minimal impact at the server level — perhaps a slight PPS elevation during the initial seconds before Adaptive Protection engaged. Cloud Armor deserves the mitigation credit here. Flowtriq's value in this scenario is limited to confirming that the backend instances are not experiencing residual attack traffic.
Each product has a scenario where it is the primary defense and a scenario where it is irrelevant. Coverage depends on having both layers.
Pricing Comparison
Google Cloud Armor pricing (as of early 2026):
- Standard tier: Pay-per-use — $0.75/million requests evaluated, $1/policy/month, $1/rule/month. For a moderate-traffic application processing 50 million requests/month with 5 policies and 20 rules, that is approximately $57.50/month.
- Managed Protection Plus: $200/month base fee plus $0.75/million requests. This tier includes Adaptive Protection, DDoS response support, and advanced features. Same application example: approximately $237.50/month.
- Always-on L3/L4 DDoS protection: Included for resources behind Cloud Load Balancers at no additional cost.
Flowtriq pricing:
- $9.99/node/month on monthly billing
- $7.99/node/month on annual billing
- A 10-instance GCP deployment: $99.90/month (monthly) or $79.90/month (annual)
- 7-day free trial
The pricing comparison is complicated by the fact that Cloud Armor's costs scale with request volume, while Flowtriq's costs scale with server count. For a high-traffic application on few servers, Cloud Armor may cost more. For a many-server deployment with moderate per-server traffic, Flowtriq costs more per protected point. The more relevant question is whether you need what each product provides — because they provide different things.
For a typical GCP deployment with both load-balanced and standalone instances, running Cloud Armor on the load-balanced resources and Flowtriq on everything provides comprehensive coverage. The combined cost for a 10-instance deployment with moderate traffic is typically under $350/month — less than a single engineer-hour of incident response during a DDoS attack you did not detect in time.
Hybrid Deployment: Cloud Armor + Flowtriq
The strongest GCP security posture uses both products in their natural positions:
Cloud Armor covers:
- L3/L4 volumetric protection for all load-balanced resources (included automatically)
- L7 adaptive protection for web applications behind HTTPS Load Balancers
- WAF rules, rate limiting, and bot management at Google's edge
- Geo-blocking and IP reputation filtering
Flowtriq covers:
- Standalone Compute Engine instances not behind load balancers — the Cloud Armor blind spot
- Non-HTTP services (game servers, DNS, custom protocols, VoIP) on any port
- Per-instance traffic visibility across the entire deployment
- PCAP forensics for every detected incident
- Real-time multi-channel alerting with sub-5-second latency
- Any non-GCP infrastructure — bare metal, other clouds, on-premises servers
- Post-scrub verification: confirming that Cloud Armor's mitigation is effective at the instance level
For organizations running hybrid or multi-cloud infrastructure with GCP as one component, Flowtriq provides the single-pane detection layer that works consistently everywhere. Cloud Armor is excellent within its GCP scope, but it stops at the GCP boundary. Flowtriq follows your infrastructure wherever it runs.
When to Use Each Product
Google Cloud Armor is the right choice when:
- Your application runs entirely on GCP behind Cloud Load Balancers. Cloud Armor provides tight integration with the GCP stack, and the always-on L3/L4 protection is free.
- You need ML-driven L7 adaptive protection. Adaptive Protection is genuinely sophisticated and catches application-layer attacks that static rules miss.
- Your WAF, rate limiting, and DDoS protection need to be in a single policy framework with GCP-native management.
- You need bot management integrated with reCAPTCHA Enterprise.
Flowtriq is the right choice when:
- You have GCP instances that are not behind load balancers — standalone VMs, custom protocol servers, or direct-IP services.
- Your infrastructure spans multiple cloud providers or includes bare-metal servers.
- You need per-server detection data, not aggregate load-balancer metrics.
- You need PCAP forensics for incident response and post-mortem analysis.
- You need real-time alerts through Discord, PagerDuty, OpsGenie, or Slack without building custom Cloud Monitoring pipelines.
- Your budget requires predictable per-server pricing rather than request-volume-based pricing.
Use both when:
- Your GCP deployment includes both load-balanced web services and standalone instances.
- You run multi-cloud infrastructure where GCP is one of several providers.
- You need both mitigation (Cloud Armor) and forensics (Flowtriq) for compliance or incident response requirements.
- You want independent verification that Cloud Armor is effectively protecting your backend instances.
Final Thoughts
Google Cloud Armor is one of the most technically sophisticated cloud-native DDoS protection products available. Its Adaptive Protection feature represents real innovation in ML-applied DDoS defense, and for GCP-native web applications behind load balancers, it provides excellent protection with tight platform integration.
Its limitations are not technical failures — they are architectural boundaries. Cloud Armor protects what is behind a GCP load balancer. That is its design scope. Everything else — standalone instances, non-HTTP protocols, other cloud providers, bare metal — is outside that boundary.
Flowtriq fills the space outside that boundary. It provides per-server detection, PCAP forensics, attack classification, and real-time alerting on any server, anywhere. For GCP-centric organizations, it covers the instances Cloud Armor does not reach. For multi-cloud organizations, it provides a single detection layer across the entire infrastructure.
Neither product replaces the other. Cloud Armor mitigates; Flowtriq detects and documents. Cloud Armor operates at Google's edge; Flowtriq operates at each server. The question is not which to choose but whether your detection coverage matches your infrastructure footprint.