Architecture: Where Each Product Operates
Google Cloud Armor is a network security service built into Google's global load balancing infrastructure. It operates at the edge of Google's network, inspecting traffic as it passes through a Google Cloud Load Balancer (the global external Application Load Balancers for HTTP/S, and the external proxy Network Load Balancers formerly called TCP Proxy and SSL Proxy). Cloud Armor provides DDoS protection, WAF rules, rate limiting, bot management, and Adaptive Protection, an ML-based anomaly detector.
The key architectural detail: Cloud Armor security policies apply only to traffic that traverses a Google Cloud Load Balancer. GCE instances with external IP addresses that are not behind a load balancer, internal VMs communicating within the VPC, and non-HTTP services listening on arbitrary ports are outside the coverage of Cloud Armor's WAF rules, rate limiting, bot management and Adaptive Protection.
Flowtriq operates on the GCE instance itself, monitoring the network interface regardless of whether the instance sits behind a load balancer. It sees all traffic that arrives at the VM — proxied through the load balancer, direct to the instance's external IP, or from within the VPC.
Internet Traffic
|
v
Google Cloud Edge Network
|
v
Cloud Load Balancer + Cloud Armor
|-- WAF rules, rate limiting, bot management
|-- DDoS absorption (volumetric + application layer)
|-- Adaptive Protection (ML-based detection)
|
v
GCE Instance (backend)
|-- Flowtriq agent (per-VM monitoring)
|-- Per-second PPS/BPS detection
|-- Attack classification + confidence scoring
|-- PCAP capture on detection
|-- Alerts: Discord, Slack, PagerDuty, etc.
|
v
Application Stack
For GCE instances NOT behind a load balancer:
Internet Traffic
|
v
Google Cloud Edge (basic DDoS protection)
|-- No Cloud Armor (requires load balancer)
|
v
GCE Instance (external IP)
|-- Flowtriq agent (primary DDoS detection)
|-- Full detection, classification, PCAP, alerting
|
v
Application Stack
This second scenario is common for game servers, DNS resolvers, VPN endpoints, and any GCE workload that uses direct external IPs instead of load-balanced frontends. Flowtriq is particularly important here because Cloud Armor is not an option.
What Flowtriq Adds to Cloud Armor
Visibility on VMs Not Behind a Load Balancer
Cloud Armor's most significant limitation is its dependency on Google's Cloud Load Balancer. If your GCE instance has an external IP and receives traffic directly (not through a load balancer), Cloud Armor security policies provide no protection and no visibility. Google's always-on network-level DDoS protection handles basic volumetric attacks, but there is no WAF, no rate limiting, no adaptive protection, and no detailed attack logging. (Cloud Armor Enterprise's advanced network DDoS protection can extend volumetric mitigation to external passthrough Network Load Balancers, protocol forwarding and VMs with public IP addresses, but it adds no WAF rules, rate limiting or per-request logging for that traffic.)
Flowtriq fills this gap completely. Install the agent on any GCE instance and get per-second detection, classification, PCAP capture, and multi-channel alerting regardless of whether a load balancer is in the path.
PCAP Forensics
Cloud Armor provides request-level logging for HTTP/HTTPS traffic through Cloud Logging once logging is enabled on the backend service. These logs include request headers, client IP, matched security policy rule, and action taken, and they are valuable for analyzing L7 attack patterns. Note that they are subject to the backend service's logging sample rate: at anything below 100%, some of the requests you are looking for were never written.
However, Cloud Armor logs are HTTP request logs, not packet captures. They do not include TCP/UDP packet headers, protocol-level details for non-HTTP traffic, payload data, or the timing precision needed for forensic analysis of network-level attacks. Cloud Armor also does not capture any data about traffic that does not flow through the load balancer.
Flowtriq captures raw PCAP data at the network interface level. When an incident is detected, the capture includes full packet headers, source IPs, protocol details, and timing information at microsecond granularity. This data can be analyzed in Wireshark, fed into your SIEM, or used for compliance and incident response documentation.
Richer Attack Classification
Cloud Armor's Adaptive Protection uses machine learning to detect anomalous traffic patterns and suggest security policy rules. It provides attack signatures and recommended actions through the Google Cloud Console and Cloud Logging. This works well for HTTP/HTTPS attack patterns that Adaptive Protection has been trained on.
Flowtriq classifies attacks at the network level across all protocols. It identifies specific attack vectors — SYN floods, UDP amplification (DNS, NTP, CLDAP, memcached, SSDP), ICMP floods, GRE floods, fragmentation attacks, slowloris, and dozens more — with confidence scores. Classification happens within the 2-second detection window, giving your team immediate actionable information about the attack type.
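To make the classification step concrete, the following is an added example and not Flowtriq's code: it turns per-protocol packet counters for one detection window, of the kind a per-VM agent counts on the interface, into a named vector plus a confidence score. The counter layout, the vector names, the dominance threshold and the three sample windows at the bottom are assumptions constructed for illustration.

```python
"""Classify one detection-window traffic sample into a DDoS vector.

Added example (not Flowtriq's implementation). Counter layout, vector
names and thresholds are assumptions; the samples are constructed by hand.
"""
from collections import Counter

# UDP source ports of services commonly abused as reflectors/amplifiers.
AMPLIFIERS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

# Share of the window's packets one vector must account for before it is named.
DOMINANCE = 0.6


def classify(sample: dict) -> tuple[str, float]:
    """Return (vector, confidence) for a window of per-protocol packet counts.

    sample keys (packet counts): total, tcp_syn, tcp_other, udp, icmp, gre,
    frag (fragments, overlapping the other counters) and udp_src_ports, a
    Counter of UDP source ports. Confidence is the dominant vector's share of
    the window; for amplification it is scaled by the reflector port's share
    of the UDP packets.
    """
    total = max(sample["total"], 1)
    shares = {
        "fragmentation attack": sample["frag"] / total,
        "SYN flood": sample["tcp_syn"] / total,
        "ICMP flood": sample["icmp"] / total,
        "GRE flood": sample["gre"] / total,
        "UDP flood": sample["udp"] / total,
    }
    vector, share = max(shares.items(), key=lambda kv: kv[1])
    if share < DOMINANCE:
        return "unclassified", 0.0
    if vector == "UDP flood" and sample["udp_src_ports"]:
        # Reflection traffic arrives from a well-known service port; a direct
        # or spoofed flood shows random source ports instead.
        port, hits = sample["udp_src_ports"].most_common(1)[0]
        port_share = hits / sample["udp"]
        if port in AMPLIFIERS and port_share >= 0.5:
            return f"UDP amplification ({AMPLIFIERS[port]})", round(share * port_share, 2)
    return vector, round(share, 2)


# Constructed samples: packet counts for one 2-second window each.
SAMPLES = {
    "dns_reflection": dict(total=100_000, tcp_syn=500, tcp_other=4_500, udp=90_000,
                           icmp=0, gre=0, frag=5_000,
                           udp_src_ports=Counter({53: 80_000, 40_000: 10_000})),
    "syn_flood": dict(total=50_000, tcp_syn=45_000, tcp_other=2_000, udp=3_000,
                      icmp=0, gre=0, frag=0, udp_src_ports=Counter({443: 3_000})),
    "normal": dict(total=2_000, tcp_syn=100, tcp_other=1_500, udp=400,
                   icmp=0, gre=0, frag=0, udp_src_ports=Counter({443: 400})),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", classify(sample))
```

The confidence here is deliberately a ratio the responder can reason about (how much of the window the named vector explains), which is what makes it useful when deciding whether the residual traffic reaching a VM is the same attack Cloud Armor is already blocking upstream.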
Multi-Channel Alerting
Cloud Armor alerting runs through Google Cloud's monitoring and alerting stack: Cloud Monitoring, Cloud Logging, and alert policies that can send notifications via email, SMS, PagerDuty, Slack (through notification channels), or Pub/Sub. Setting this up requires configuring log-based metrics, alert policies, and notification channels within the GCP console.
Flowtriq sends alerts directly to Discord, Slack, PagerDuty, OpsGenie, email, SMS, and custom webhooks. Configuration takes minutes. Each alert includes full incident context — attack type, confidence score, PPS/BPS metrics, top source IPs, and a direct link to the incident in your Flowtriq dashboard.
Cloud Armor guards the front gate (your load balancer). Flowtriq watches every entrance to each building (your VMs). If traffic enters through a path that does not cross the gate, only Flowtriq sees it.
Step 1: Install the Flowtriq Agent on GCE Instances
Install the Flowtriq agent on each GCE instance you want to monitor. The agent supports all major Linux distributions available on GCE. Install it as root so that the binary is on root's PATH when the agent runs under sudo. Note that --break-system-packages overrides the PEP 668 guard on Debian 12 and Ubuntu 23.04+ images; if you would rather not touch distro-managed Python packages, install into a dedicated virtualenv instead.
# Install the Flowtriq agent system-wide
sudo pip3 install ftagent --break-system-packages
# Run the setup wizard
sudo ftagent --setup
Configure the agent with GCE-specific metadata for easy identification in the dashboard:
# /etc/ftagent/config.yaml
api_key: "ft_your_api_key_here"
server: "https://flowtriq.com/api/v1"
interface: "ens4"   # Default interface on most GCE instances
detection:
  pps_threshold: auto
  bps_threshold: auto
  sensitivity: medium
  detection_window: 2s
pcap:
  enabled: true
  max_size: 100MB
  capture_duration: 30s
tags:
  role: "web-server"
  provider: "gcp"
  project: "my-gcp-project-id"
  zone: "us-central1-a"
  behind_lb: "true"   # or "false" for direct-IP instances
For instances managed by Managed Instance Groups (MIGs), include the agent installation in your instance template's startup script. Keep in mind that a startup script is stored in instance metadata, which is readable by anyone with compute.instances.get on the instance or template and by every process on the VM through the metadata server, so an API key pasted into it is not a secret. For production templates, fetch the key at boot from Secret Manager (or another secret store) using the instance's service account rather than embedding it as below.
#!/bin/bash
# GCE startup script — install Flowtriq agent on instance creation
# Assumes a Debian/Ubuntu image; adjust the package step for other distributions.
set -euo pipefail
# GCE Debian/Ubuntu images ship without pip
apt-get update -q && apt-get install -y -q python3-pip
pip3 install ftagent --break-system-packages
mkdir -p /etc/ftagent
cat > /etc/ftagent/config.yaml <<EOF
api_key: "ft_your_api_key_here"
server: "https://flowtriq.com/api/v1"
interface: "ens4"
detection:
  pps_threshold: auto
  bps_threshold: auto
  sensitivity: medium
  detection_window: 2s
pcap:
  enabled: true
  max_size: 100MB
  capture_duration: 30s
tags:
  role: "web-server"
  provider: "gcp"
  project: "$(curl -sf -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/project/project-id)"
  zone: "$(curl -sf -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/zone | awk -F/ '{print $NF}')"
  instance_name: "$(curl -sf -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/name)"
EOF
# The config holds the API key; keep it readable by root only
chmod 600 /etc/ftagent/config.yaml
systemctl enable ftagent
systemctl start ftagent
Step 2: Firewall Rules
The Flowtriq agent communicates outbound to flowtriq.com/api/v1 on port 443. GCP's default firewall rules allow all outbound (egress) traffic, so no changes are needed in most configurations.
If you have restrictive egress firewall rules, create an egress allow rule and attach the flowtriq-agent network tag to the instances (or to the MIG instance template) so the rule applies to them. Give the allow rule a higher priority (a lower number) than your egress deny rule, and add --network if the instances are not in the default network:
# Allow outbound HTTPS for Flowtriq agent communication
gcloud compute firewall-rules create allow-flowtriq-egress \
  --direction=EGRESS \
  --action=ALLOW \
  --rules=tcp:443 \
  --destination-ranges=0.0.0.0/0 \
  --target-tags=flowtriq-agent \
  --description="Allow Flowtriq agent outbound HTTPS"
No inbound firewall rules are required for Flowtriq. The agent initiates all connections outbound. No GCP IAM roles or service account permissions are needed either, since the agent does not interact with GCP APIs (the startup script above only reads the unauthenticated metadata server). Be aware that tcp:443 to 0.0.0.0/0 permits any HTTPS egress from the tagged instances; if your egress policy is deliberately tight, narrow --destination-ranges to the addresses flowtriq.com currently resolves to and monitor them for change.
Step 3: Configure Detection and Alerting
In your Flowtriq dashboard, configure alert channels and detection settings. Treat the Slack and Discord webhook URLs and the PagerDuty integration key as secrets: anyone holding them can post into the channel or page your on-call engineers, so store them in the dashboard only and rotate them if they leak.
Alert Channel Configuration
# Slack for GCP operations team
Channel: Slack
Webhook URL: https://hooks.slack.com/services/T.../B.../xxx
Severity: Medium and above

# PagerDuty for on-call escalation
Channel: PagerDuty
Integration Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Severity: Critical only

# Discord for real-time security monitoring
Channel: Discord
Webhook URL: https://discord.com/api/webhooks/...
Severity: All incidents
Detection Tuning
The default auto threshold mode uses dynamic baselines and works well for most GCE workloads. If your instances have predictable traffic patterns, you can set static thresholds. For auto-scaled MIG instances, use auto mode — the baseline adapts as instances scale up and receive varying traffic volumes.
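The following is an added example, not Flowtriq's implementation, showing the mechanics the tuning text describes: an auto threshold learned from a rolling baseline, a sensitivity setting, and a 2-second detection window, run over a constructed per-second PPS series. The EWMA baseline, the sensitivity multipliers, the warm-up period and the state names are assumptions for illustration; BPS would use the same logic with byte counts.

```python
"""Per-second PPS detection against a dynamic ("auto") baseline.

Added example (not Flowtriq's code). EWMA baseline, sensitivity
multipliers, warm-up and state names are assumptions; SERIES is constructed.
"""
import math

# Sensitivity -> how many standard deviations above baseline trip a second.
SENSITIVITY = {"low": 6.0, "medium": 4.0, "high": 3.0}
WARMUP_SECONDS = 10  # learn before judging, so the first samples never alert


class BaselineDetector:
    def __init__(self, sensitivity="medium", detection_window=2, alpha=0.1):
        self.k = SENSITIVITY[sensitivity]
        self.window = detection_window   # consecutive seconds above threshold
        self.alpha = alpha               # EWMA weight of the newest second
        self.mean = 0.0
        self.var = 0.0
        self.samples = 0
        self.above = 0
        self.incident = False

    def threshold(self):
        # A sigma floor of 10% of the mean stops a perfectly flat baseline
        # from producing a threshold that ordinary jitter would cross.
        sigma = max(math.sqrt(self.var), 0.1 * self.mean)
        return self.mean + self.k * sigma

    def learn(self, pps):
        if self.samples == 0:
            self.mean = float(pps)
        else:
            d = pps - self.mean
            self.mean += self.alpha * d
            self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.samples += 1

    def observe(self, pps):
        """Feed one second of packet counts; return this second's state."""
        if self.samples < WARMUP_SECONDS:
            self.learn(pps)
            return "learning"
        if pps > self.threshold():
            # Attack seconds are not folded into the baseline: otherwise the
            # threshold climbs with the flood and the incident "ends" itself.
            self.above += 1
            if self.above == self.window and not self.incident:
                self.incident = True
                return "incident_start"
            return "incident" if self.incident else "elevated"
        self.above = 0
        self.learn(pps)
        if self.incident:
            self.incident = False
            return "incident_end"
        return "normal"


def run(series, sensitivity="medium"):
    """Run a detector over a per-second PPS series; return (states, detector)."""
    det = BaselineDetector(sensitivity)
    return [det.observe(p) for p in series], det


# Constructed series: 30 s of ~1000 PPS with jitter, a 10 s 50 kPPS flood, recovery.
QUIET = [1000 + 50 * ((i * 7) % 5 - 2) for i in range(30)]
SERIES = QUIET + [50_000] * 10 + QUIET[:5]

if __name__ == "__main__":
    states, det = run(SERIES)
    for second, (pps, state) in enumerate(zip(SERIES, states)):
        print(f"t={second:2d}s pps={pps:6d} {state}")
    print(f"baseline mean after the flood: {det.mean:.0f} PPS")
```

Two design points matter when you tune a real deployment: the detector must stop learning while a second is above threshold (or the flood becomes the new normal and the alert clears on its own), and the window length trades alert latency against false positives from single-second bursts, which is why a 2-second window is a reasonable default on auto-scaled MIGs where per-instance traffic shifts as the group resizes.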
Complete your GCP DDoS coverage
Deploy Flowtriq on your GCE instances for per-VM detection, PCAP forensics, and instant multi-channel alerting. Works alongside Cloud Armor for VMs behind load balancers. Essential for VMs with direct external IPs.
Layered Defense in Practice
Scenario: Attack on a Load-Balanced Application
- Cloud Armor absorbs — A 10 Gbps HTTP flood targets your application through the Cloud Load Balancer. Cloud Armor's Adaptive Protection detects the anomaly, auto-deploys a suggested security policy rule, and blocks the malicious traffic at Google's edge. Cloud Logging records the blocked requests.
- Residual traffic reaches VMs — A portion of the attack traffic uses patterns not covered by the auto-deployed rule and reaches your backend GCE instances.
- Flowtriq detects residual — The Flowtriq agent on each backend instance detects the abnormal PPS spike within 2 seconds, classifies the attack vector, and begins PCAP capture.
- Alerts fire — Flowtriq sends alerts to Slack and PagerDuty with per-VM metrics, showing your team exactly which instances are receiving residual attack traffic and what the attack pattern looks like.
- Response — Your team uses Flowtriq's PCAP data to craft a more precise Cloud Armor security policy rule that blocks the remaining attack pattern. The feedback loop between Flowtriq's detection data and Cloud Armor's policy engine closes the gap.
Scenario: Attack on a Direct-IP Instance
- No Cloud Armor coverage — Your game server runs on a GCE instance with a direct external IP, no load balancer. Cloud Armor is not in the path.
- Flowtriq detects — A UDP flood targets the game server on port 27015. Flowtriq detects it within 2 seconds, classifies it as a UDP volumetric flood, and begins PCAP capture.
- Alerts fire — PagerDuty pages the on-call engineer, Discord notifies the operations channel.
- Response — The engineer reviews source IPs from Flowtriq's analysis, adds GCP firewall rules to block the attack sources, and uses the PCAP evidence to communicate with GCP support if needed. Blocking by source works when the addresses are real (for example the reflectors behind an amplification attack); against a flood with spoofed sources the list never converges, and the more useful step is tightening the ingress allow rule for udp:27015 to the client ranges you expect and escalating to GCP support with the capture.
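The response step in both scenarios turns packet evidence into a block rule. As an added example (not Flowtriq's tooling), the block below writes a small libpcap-format capture of constructed UDP packets in the DNS-reflection shape from the direct-IP scenario, parses it back with the standard library only, ranks source addresses, collapses the heavy hitters into /24 ranges, and renders the gcloud commands for a VPC firewall deny (direct-IP VM) and a Cloud Armor deny rule (load-balanced application). The 5% heavy-hitter share, the /24 collapse, the rule names, the policy name web-policy and the TEST-NET addresses are assumptions; a real capture from the agent would replace sample_capture().

```python
"""Extract attack sources from a pcap and render GCP block rules.

Added example (not Flowtriq's code). Thresholds, /24 collapse, rule and
policy names are assumptions; the capture is constructed from TEST-NET ranges.
"""
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """packets: iterable of (ts, src_ip, dst_ip, sport, dport, payload) -> pcap bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, src, dst, sport, dport, payload in packets:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        frame = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp   # Ethernet II / IPv4
        sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_frames(pcap):
    """Yield (timestamp, frame) from a classic libpcap file in either byte order."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap capture")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl]
        off += incl


def summarize(pcap):
    """Count packets per source IP, per IP protocol and per UDP source port."""
    src, proto, udp_sport = Counter(), Counter(), Counter()
    for _ts, frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # IPv4 only in this example
        ihl = (frame[14] & 0x0F) * 4
        p = frame[23]
        src[str(ipaddress.IPv4Address(frame[26:30]))] += 1
        proto[p] += 1
        if p == 17 and len(frame) >= 14 + ihl + 8:
            udp_sport[struct.unpack_from("!H", frame, 14 + ihl)[0]] += 1
    return {"src": src, "proto": proto, "udp_sport": udp_sport}


def heavy_hitters(src_counts, share=0.05):
    """Sources sending at least `share` of all packets, heaviest first."""
    total = sum(src_counts.values())
    return [(ip, n) for ip, n in src_counts.most_common() if n >= share * total]


def collapse(ips, prefix=24, max_ranges=10):
    """Collapse addresses into /prefix networks; a Cloud Armor rule takes at
    most 10 source ranges, so a wider list has to be split across rules."""
    nets = sorted({str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips})
    if len(nets) > max_ranges:
        raise ValueError(f"{len(nets)} ranges exceed {max_ranges}; split across rules")
    return nets


def firewall_cmd(ranges, port):
    """Direct-IP VM: VPC ingress deny for the attack ranges on the game port."""
    return ("gcloud compute firewall-rules create deny-udp-flood --direction=INGRESS "
            f"--action=DENY --rules=udp:{port} --priority=100 "
            f"--source-ranges={','.join(ranges)}")


def armor_cmd(ranges, policy="web-policy", priority=1000):
    """Load-balanced app: Cloud Armor deny rule for the same ranges."""
    return (f"gcloud compute security-policies rules create {priority} "
            f"--security-policy={policy} --src-ip-ranges={','.join(ranges)} --action=deny-403")


def sample_capture():
    """Constructed capture: DNS-reflection traffic (UDP source port 53) from four
    TEST-NET-3 reflectors toward udp/27015, plus a trickle from one real client."""
    reflectors = [("203.0.113.10", 80), ("203.0.113.11", 60), ("203.0.113.12", 30), ("203.0.113.13", 20)]
    pkts, t = [], 1_700_000_000.0
    for ip, n in reflectors:
        for _ in range(n):
            pkts.append((t, ip, "198.51.100.50", 53, 27015, b"\x00" * 512))
            t += 0.0005
    for i in range(8):
        pkts.append((t, "192.0.2.7", "198.51.100.50", 40000 + i, 27015, b"\x01"))
        t += 0.1
    return build_pcap(pkts)


if __name__ == "__main__":
    stats = summarize(sample_capture())
    ranges = collapse([ip for ip, _ in heavy_hitters(stats["src"])])
    print("top UDP source port:", stats["udp_sport"].most_common(1))
    print(firewall_cmd(ranges, 27015))
    print(armor_cmd(ranges))
```

Scope the firewall rule with --target-tags to the affected instances rather than the whole network, and read the UDP source-port histogram before blocking: a concentration on 53, 123, 389, 1900 or 11211 means the listed sources are reflectors (real, blockable addresses), whereas a flat distribution with thousands of sources is the spoofed-flood case where source blocking does not help.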
What Each Layer Provides
Google Cloud Armor provides:
- Edge-level DDoS absorption at Google's global network scale
- WAF rules, rate limiting, and bot management for HTTP/HTTPS traffic
- Adaptive Protection with ML-based anomaly detection and auto-suggested rules
- Named IP lists and geo-based access control
- Integration with Cloud Logging and Cloud Monitoring
Flowtriq provides:
- Per-VM, per-second detection on every GCE instance regardless of load balancer presence
- Coverage for non-HTTP protocols and services not behind Cloud Armor
- PCAP forensics — packet-level evidence unavailable from Cloud Armor logs
- 2-second attack classification across dozens of attack vectors
- Direct alerting to Discord, Slack, PagerDuty, OpsGenie, SMS, email, and webhooks
- $9.99/node/month — no minimum commitment, no GCP-specific dependencies
Together:
- Edge mitigation (Cloud Armor) plus VM-level detection (Flowtriq)
- HTTP-focused protection (Cloud Armor) plus all-protocol visibility (Flowtriq)
- Flowtriq's PCAP data helps craft more precise Cloud Armor security policies
- Complete coverage for both load-balanced and direct-IP workloads
Cloud Armor is excellent for protecting load-balanced HTTP workloads. Flowtriq extends that protection to every VM in your GCE infrastructure with per-second detection and packet-level forensics that Cloud Armor does not provide.
Deployment Checklist
- Flowtriq agent installed on each GCE instance (manually or via startup script)
- Firewall rules verified — egress HTTPS (443) allowed for Flowtriq API
- Instance metadata tags configured for dashboard organization (project, zone, role)
- behind_lb tag set — distinguish load-balanced from direct-IP instances in your dashboard
- Alert channels configured — at least one real-time channel
- PCAP capture enabled for forensic evidence
- MIG startup script updated if using auto-scaling instance groups
- Cloud Armor security policies reviewed and active on load-balanced backends
- Test alert verified — confirm end-to-end notification flow
Deploy Flowtriq on GCE today
Per-second detection, PCAP forensics, and instant multi-channel alerting for every GCE instance. Works alongside Cloud Armor or as standalone protection. $9.99/node/month with a 7-day free trial.