Google Cloud Armor provides a rule-based policy framework that can be used by customers of the Google Cloud Platform to mitigate various types of common web application attacks. The Cloud Armor service has a documented limitation of 8 KB as the maximum size of web request that it will inspect. The default behavior of Cloud Armor in this case can allow malicious requests to bypass Cloud Armor and directly reach an underlying application.

Introduction

Web application firewall suites provide a critical layer of security for modern web applications and can protect them from a wide variety of attacks, such as: code execution, SQL injection, cross-site scripting, et cetera even when the underlying application is vulnerable. GCP customers can use Cloud Armor to protect applications served with Google Cloud Load Balancing.

Cloud Armor supports the definition of custom expressions for rules, while also providing a set of pre-configured web application firewall rules that draw from the OWASP ModSecurity Core Rule Set.

The 8 KB limitation

The web application firewall component of Cloud Armor inspects incoming HTTP requests and compares them against rule-based policies defined by the user. The Cloud Armor service can be configured to allow or deny a request to the underlying application based on the rules triggered by a given request.

The web application firewall component of Cloud Armor has a non-configurable HTTP request body size limit of 8 KB. This means that Cloud Armor will only inspect the first 8192 bytes or characters of an HTTP POST request body.

This is similar to the well-documented 8 KB limitation of the AWS web application firewall, however, in the case of Cloud Armor, the limitation is not as widely known and is not presented to customers as prominently as the limitation in AWS.

As of the time of writing this article, customers are not shown a prompt or notice when configuring Cloud Armor rules from within the web