Last updated: 2025-08-19 (UTC).

# Configure Google Cloud Armor Adaptive Protection

This page contains information about configuring Adaptive Protection. Before you configure Adaptive Protection, make sure that you're familiar with the information in the [Adaptive Protection overview](/armor/docs/adaptive-protection-overview) and with the [Adaptive Protection use cases](/armor/docs/adaptive-protection-use-cases).

Before you begin
----------------

The following sections explain all of the Identity and Access Management (IAM) roles and permissions required to configure Cloud Armor security policies. For the use cases in this document, you only need the `compute.securityPolicies.update` permission.

### Set up IAM permissions for Cloud Armor security policies

The following operations require the Identity and Access Management (IAM) [Compute Security Admin role (`roles/compute.securityAdmin`)](/iam/docs/understanding-roles#compute.securityAdmin):

- Configuring, modifying, updating, and deleting a Cloud Armor security policy
- Using the following API methods:
  - `SecurityPolicies insert`
  - `SecurityPolicies delete`
  - `SecurityPolicies patch`
  - `SecurityPolicies addRule`
  - `SecurityPolicies patchRule`
  - `SecurityPolicies removeRule`

A user with the [Compute Network Admin role (`roles/compute.networkAdmin`)](/iam/docs/understanding-roles#compute.networkAdmin) can perform the following operations:

- Setting a Cloud Armor security policy for a backend service
- Using the following API methods:
  - `BackendServices setSecurityPolicy`
  - `BackendServices list` (`gcloud` only)

Users with the [Security Admin role (`roles/iam.securityAdmin`)](/iam/docs/understanding-roles#iam.securityAdmin) and the Compute Network Admin role can view Cloud Armor security policies by using the `SecurityPolicies` API methods `get`, `list`, and `getRule`.

### Set up IAM permissions for custom roles

The following table lists the IAM roles' base permissions and their associated API methods.

Enable Adaptive Protection
--------------------------

Use the following steps to enable Adaptive Protection for your security policy. Adaptive Protection is applied to each security policy individually.

### Console

To activate Adaptive Protection for a security policy:

1. In the Google Cloud console, go to the **Network Security** page.

   [Go to Network Security](https://console.cloud.google.com/net-security/)
2. On the **Policies** page, click the name of a security policy.
3. Click **Edit**.
4. Under **Adaptive Protection**, select **Enable**.
5. Click **Update**.

To deactivate Adaptive Protection for a security policy:

1. In the Google Cloud console, go to the **Network Security** page.

   [Go to Network Security](https://console.cloud.google.com/net-security/)
2. On the **Policies** page, click the name of a security policy.
3. Click **Edit**.
4. Under **Adaptive Protection**, clear **Enable**.
5. Click **Update**.

### gcloud

To activate Adaptive Protection for a security policy:

```
gcloud compute security-policies update MY-SECURITY-POLICY \
    --enable-layer7-ddos-defense
```

To deactivate Adaptive Protection for a security policy:

```
gcloud compute security-policies update MY-SECURITY-POLICY \
    --no-enable-layer7-ddos-defense
```

Configure granular models
-------------------------

The granular models feature lets you configure specific hosts or paths as the granular units that Adaptive Protection analyzes. In the following examples, you create granular traffic units for each host, customize a granular traffic unit, and configure Adaptive Protection to take action when traffic exceeds your baseline queries per second (QPS). For more information about granular models, see the [Adaptive Protection overview](/armor/docs/adaptive-protection-overview#granular-models).

### Configure granular traffic units

The examples in this section use the [`add-layer7-ddos-defense-threshold-config`](/sdk/gcloud/reference/compute/security-policies/add-layer7-ddos-defense-threshold-config) command with some or all of the following flags:

In the first example, you configure Adaptive Protection to detect attacks on, and suggest independent mitigations for, each host behind your backend service, without overriding any default thresholds.

### gcloud

1. Create a security policy with the name `POLICY_NAME`, or use an existing security policy.
2. If Adaptive Protection is not already enabled, use the following command to enable Adaptive Protection for your policy:

   ```
   gcloud compute security-policies update POLICY_NAME \
       --enable-layer7-ddos-defense
   ```
3. Apply the security policy to a backend service with multiple hosts.
4. Use the following `add-layer7-ddos-defense-threshold-config` command with the `--traffic-granularity-configs` flag to configure a granular traffic unit. The flag value is quoted because it contains a semicolon, which the shell would otherwise treat as a command separator:

   ```
   gcloud compute security-policies add-layer7-ddos-defense-threshold-config POLICY_NAME \
       --threshold-config-name=per-host-config \
       --traffic-granularity-configs='type=HTTP_HEADER_HOST;enableEachUniqueValue=true'
   ```

In the second example, you configure different auto-deploy and detection thresholds for some or all of the granular traffic units that you configured in the first example.

### gcloud

1. If Adaptive Protection auto-deploy is not already enabled, [create a placeholder rule](/armor/docs/adaptive-protection-auto-deploy#example_placeholder_rules).
2. The following command customizes the auto-deploy threshold for a granular traffic unit with an `HTTP_HEADER_HOST` of `HOST` and an `HTTP_PATH` of `PATH`. Run this command once for each granular traffic unit that you want to customize, replacing `HOST` and `PATH` for each host and URL path:

   ```
   gcloud compute security-policies add-layer7-ddos-defense-threshold-config POLICY_NAME \
       --threshold-config-name=my-host-config \
       --auto-deploy-impacted-baseline-threshold=0.01 \
       --auto-deploy-expiration-sec=3600 \
       --traffic-granularity-configs='type=HTTP_HEADER_HOST;value=HOST,type=HTTP_PATH;value=PATH'
   ```

### Detect when attack volume exceeds baseline average QPS

In the following example, you configure Adaptive Protection to detect an attack only when the attack volume exceeds your baseline average QPS by more than 50%, and only when the backend service's load is more than 90% of its capacity.

### gcloud

1. Create a security policy with the name `POLICY_NAME`, or use an existing security policy.
2. If Adaptive Protection is not already enabled, use the following command to enable Adaptive Protection for your policy:

   ```
   gcloud compute security-policies update POLICY_NAME \
       --enable-layer7-ddos-defense
   ```
3. Apply the security policy to a backend service.
4. Use the following command to configure Adaptive Protection with customized detection thresholds. `--detection-relative-to-baseline-qps=1.5` means 150% of the baseline QPS, that is, 50% above it:

   ```
   gcloud compute security-policies add-layer7-ddos-defense-threshold-config POLICY_NAME \
       --threshold-config-name=my-customized-thresholds \
       --detection-load-threshold=0.9 \
       --detection-relative-to-baseline-qps=1.5
   ```

What's next
-----------

- [Google Cloud Armor Adaptive Protection overview](/armor/docs/adaptive-protection-overview)
- [Google Cloud Armor Adaptive Protection use cases](/armor/docs/adaptive-protection-use-cases)
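To make the flag semantics on this page concrete, the following added example (not Google's code, and not Cloud Armor's actual detection algorithm) parses the `--traffic-granularity-configs` string format used above, groups constructed sample requests into granular traffic units, and applies the two detection thresholds from the last example. The request fields, the 10-second window and the baseline QPS are all constructed assumptions.

```python
"""Constructed, simplified model of granular traffic units and detection thresholds.
Illustrative only; it is not Cloud Armor's implementation."""
from collections import defaultdict

# Assumed mapping from the page's granularity types to request fields.
FIELD_OF = {"HTTP_HEADER_HOST": "host", "HTTP_PATH": "path"}


def parse_granularity_configs(spec):
    """Parse 'type=X;value=Y,type=Z;enableEachUniqueValue=true' into a list of dicts."""
    configs = []
    for item in spec.split(","):
        cfg = dict(kv.split("=", 1) for kv in item.split(";"))
        if cfg.get("type") not in FIELD_OF:
            raise ValueError(f"unsupported granularity type in {item!r}")
        configs.append(cfg)
    return configs


def unit_key(request, configs):
    """Return the granular unit a request falls into, or None if it matches no unit."""
    key = []
    for cfg in configs:
        observed = request[FIELD_OF[cfg["type"]]]
        if "value" in cfg:                       # fixed value: request must match it
            if observed != cfg["value"]:
                return None
            key.append((cfg["type"], observed))
        elif cfg.get("enableEachUniqueValue") == "true":
            key.append((cfg["type"], observed))  # one unit per unique observed value
    return tuple(key)


def qps_per_unit(requests, configs, window_sec):
    """Average QPS of each granular unit over a window of window_sec seconds."""
    counts = defaultdict(int)
    for r in requests:
        k = unit_key(r, configs)
        if k is not None:
            counts[k] += 1
    return {k: n / window_sec for k, n in counts.items()}


def attack_detected(unit_qps, baseline_qps, backend_load,
                    relative_to_baseline=1.5, load_threshold=0.9):
    """Both page conditions must hold: QPS above relative_to_baseline x baseline
    (1.5 = more than 50% above baseline) and backend load above load_threshold."""
    return unit_qps > relative_to_baseline * baseline_qps and backend_load > load_threshold


# Constructed sample: 10-second window, two hosts behind one backend service.
SAMPLE = ([{"host": "shop.example", "path": "/cart"}] * 300
          + [{"host": "api.example", "path": "/v1/items"}] * 40)
PER_HOST = parse_granularity_configs("type=HTTP_HEADER_HOST;enableEachUniqueValue=true")
```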