google_compute_security_policy_advanced cost estimation
A Cloud Armor (Enterprise tier) WAF/DDoS policy billed per policy plus per rule, plus request inspection. A policy with 5 rules is ~$10/month before requests.
A google_compute_security_policy_advanced is a Cloud Armor security policy on the Enterprise (advanced) tier — WAF rules, DDoS protection, and rate limiting applied at the Google edge in front of load balancers. Cost has a policy base fee (~$5/month per policy) plus a per-rule charge (~$1/rule/month), plus per-request inspection charges for requests evaluated. A policy with 5 rules is ~$5 + $5 = $10/month before request volume.
The structure mirrors AWS WAF: a base per-policy fee, a per-rule fee, and request-based charges that scale with traffic. The Enterprise tier adds managed protection, adaptive (ML-based) DDoS defense, and advanced rules over the standard tier — so it's priced higher, with the Enterprise subscription itself being a larger commitment in some configurations.
The levers: prune rules that never match (each bills monthly), share one policy across backends rather than one per service where the rules are the same, and scope rules so you're not inspecting traffic that doesn't need it at the per-request rate.
C3X prices the policy from its rule count (base + per-rule); request inspection is usage-driven.
Terraform example
A minimal but realistic configuration that C3X can estimate.
resource "google_compute_security_policy" "armor" {
  name = "edge-waf"
  type = "CLOUD_ARMOR"

  rule {
    action   = "deny(403)"
    priority = 1000
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('xss-stable')"
      }
    }
    description = "Block XSS"
  }
  # ... additional rules
}
Pricing dimensions
What you actually pay for when you provision google_compute_security_policy_advanced.
| Dimension | Unit | What's being charged |
|---|---|---|
| Security policy | per policy-month | Base fee per Cloud Armor policy. $5/policy-month |
| Rules | per rule-month | Per rule attached to the policy. Charged whether or not the rule matches. $1/rule-month → 5 rules = $5/month |
| Requests inspected | per million | Requests evaluated by the policy, billed per million. Usage-based. |
Sample C3X output
One policy with 5 rules (before request volume):
google_compute_security_policy_advanced.armor
├─ Security policy   1 policy-month   $5.00
└─ Rules             5 rule-months    $5.00
Monthly                               $10.00
Optimization tips
Common ways to reduce google_compute_security_policy_advanced cost without changing the workload.
Prune rules that never match
$1/month per rule removed
Each rule bills ~$1/month whether or not it fires. Review rule-match metrics and remove rules that haven't matched — dead rules are pure cost.
Share one policy across backends
Per duplicate policy avoided
A policy can attach to multiple backend services. Where the rule set is the same, share one policy rather than duplicating it per service — avoiding repeated base and per-rule fees.
Use the standard tier if you don't need Enterprise features
Tier difference
The Enterprise (advanced) tier adds managed protection and adaptive DDoS over the standard tier, at higher cost. If you only need basic WAF rules, the standard Cloud Armor tier may suffice for less.
Scope rules to traffic that needs inspection
Per-request charge on un-needed inspection
Request inspection bills per million. Scope rules so static-asset or health-check traffic isn't inspected where that adds no security value, keeping the per-request charge down.
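The "Share one policy across backends" tip can be checked mechanically. The following is an added example, not part of C3X or the original page: it reads a Terraform JSON plan, groups policies whose rules are identical, and prices the fixed fees at the approximate rates quoted above. The sample plan is constructed, only the root module is scanned, and the helper names are hypothetical.

```python
import json
from collections import defaultdict

POLICY_FEE = 5.00  # USD per policy-month, the approximate rate quoted on this page
RULE_FEE = 1.00    # USD per rule-month, the approximate rate quoted on this page

def rule(priority, expression, description):
    # Constructed sample rule in the shape Terraform's JSON plan uses for nested blocks.
    return {"action": "deny(403)", "priority": priority, "description": description,
            "match": [{"expr": [{"expression": expression}]}]}

def policy(name, rules):
    # Constructed sample resource entry (hypothetical helper, not a Terraform API).
    return {"address": f"google_compute_security_policy.{name}",
            "type": "google_compute_security_policy", "values": {"name": name, "rule": rules}}

XSS = "evaluatePreconfiguredExpr('xss-stable')"
SQLI = "evaluatePreconfiguredExpr('sqli-stable')"
# Constructed stand-in for `terraform show -json <planfile>` output (root module only).
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    policy("web", [rule(1000, XSS, "Block XSS"), rule(1100, SQLI, "Block SQLi")]),
    policy("api", [rule(1100, SQLI, "sqli"), rule(1000, XSS, "xss")]),
    policy("admin", [rule(1000, XSS, "Block XSS")]),
]}}}

def fingerprint(rules):
    """Order-independent key over what each rule does; descriptions are ignored."""
    return tuple(sorted(
        json.dumps({k: r.get(k) for k in ("action", "priority", "match")}, sort_keys=True)
        for r in rules))

def monthly_cost(rule_count):
    """Base fee plus per-rule fee; request inspection is usage-driven and excluded."""
    return POLICY_FEE + RULE_FEE * rule_count

def report(plan):
    """Total fixed cost, groups of identical policies, and the saving from sharing each group."""
    groups, total = defaultdict(list), 0.0
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] != "google_compute_security_policy":
            continue
        rules = res["values"].get("rule") or []
        groups[fingerprint(rules)].append(res["address"])
        total += monthly_cost(len(rules))
    shared = {fp: sorted(addrs) for fp, addrs in groups.items() if len(addrs) > 1}
    # Every policy beyond the first in a group repeats the base fee and all rule fees.
    saving = sum((len(a) - 1) * monthly_cost(len(fp)) for fp, a in shared.items())
    return {"total": total, "duplicates": list(shared.values()), "saving": saving}

if __name__ == "__main__":
    print(report(SAMPLE_PLAN))
```

Once policies are merged, a rule change applies to every backend service the shared policy is attached to, so merge only policies that are meant to stay identical.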
FAQ
How is Cloud Armor billed?
A base fee per policy (~$5/month) plus per rule (~$1/rule/month) plus per-request inspection charges. A 5-rule policy is ~$10/month before request volume. The Enterprise (advanced) tier adds managed and adaptive DDoS protection at higher cost than the standard tier.
Why is my Cloud Armor cost higher than expected?
Usually rule count and request volume. Each rule bills monthly whether it matches or not, and request inspection scales with traffic. Prune dead rules, share policies across backends, and scope inspection to traffic that needs it.
How does C3X estimate the cost?
From the rule count (base policy fee + per-rule fee). Request inspection is usage-driven and modelled separately, since it depends on traffic.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including google_compute_security_policy_advanced.