Cloud Armor pricing (GCP): model baseline traffic, attack spikes, and logging

WAF pricing is a request-volume problem with tail risk. A good model includes two scenarios: baseline traffic and an incident spike. If you only model baseline, the bill will surprise you exactly when you are under attack.

0) Define the layer (where Cloud Armor sits)

Make sure you understand which requests Cloud Armor sees: edge traffic, load balancer traffic, or a subset by hostname and path. This prevents double counting.

  • CDN requests: counted at the CDN edge.
  • WAF requests: counted where the WAF is enforced (often at the edge/load balancer).
  • Origin requests: what reaches your backend after caching and filtering.

1) Baseline request volume (requests/month)

Convert baseline RPS to monthly requests. If your traffic is seasonal, model the high-traffic month rather than the average month.

2) Incident scenario (peak RPS × duration)

Budget an incident scenario: peak RPS multiplied by hours or days. This captures bot surges and DDoS windows. If you do not have history, choose a conservative multiplier (e.g., 5× baseline for 24–72 hours) and refine later.

  • Peak requests ~= peak RPS × 86,400 × days
  • Keep incident traffic as a separate line item, not blended into baseline.

3) Logging and analytics (the hidden second bill)

Logging is often the second spike driver. If you log every request during an incident, log ingestion can become material even when WAF request pricing is acceptable.

  • Decide whether you log all requests, blocked only, or a sampled subset.
  • Model retention separately (hot window + archive) so incident logs do not create a long-term bill.

Worked estimate template (copy/paste)

  • Baseline requests/month = baseline RPS × 86,400 × days
  • Incident requests = peak RPS × 86,400 × incident days
  • Logs = requests × bytes/request (baseline + incident), then retention + scan if applicable
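The template above as a small calculator that keeps baseline and incident as separate line items and compares the three logging strategies (all, blocked only, sampled). This is an added example, not part of the original guide; the unit prices are placeholders rather than Cloud Armor or Cloud Logging list prices, and the traffic figures, blocked ratios, bytes per log entry and all names are constructed assumptions.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400

@dataclass
class Scenario:
    rps: float            # requests/second seen at the WAF layer
    days: float           # how long the scenario lasts
    blocked_ratio: float  # assumed share of requests the WAF denies

def total_requests(s: Scenario) -> float:
    return s.rps * SECONDS_PER_DAY * s.days

def logged_fraction(s: Scenario, mode: str, sample_rate: float) -> float:
    """Share of requests that produce a log entry under each strategy."""
    if mode == "all":
        return 1.0
    if mode == "blocked":
        return s.blocked_ratio
    if mode == "sampled":
        return sample_rate
    raise ValueError(f"unknown logging mode: {mode}")

def estimate(baseline, incident, *, usd_per_million_req, usd_per_gb_logs,
             bytes_per_log, mode="all", sample_rate=1.0):
    """Return baseline and incident as separate line items (never blended)."""
    items = {}
    for name, s in (("baseline", baseline), ("incident", incident)):
        req = total_requests(s)
        # GB taken as 1e9 bytes here; adjust if your bill uses GiB.
        log_gb = req * logged_fraction(s, mode, sample_rate) * bytes_per_log / 1e9
        items[name] = {
            "requests": req,
            "waf_usd": req / 1e6 * usd_per_million_req,
            "log_gb": log_gb,
            "log_usd": log_gb * usd_per_gb_logs,
        }
    return items

# Constructed inputs: 200 RPS baseline for 30 days, 5x spike for 3 days.
BASELINE = Scenario(rps=200, days=30, blocked_ratio=0.02)
INCIDENT = Scenario(rps=1000, days=3, blocked_ratio=0.80)
PRICES = dict(usd_per_million_req=1.00, usd_per_gb_logs=0.50)  # placeholders

if __name__ == "__main__":
    for mode in ("all", "blocked", "sampled"):
        result = estimate(BASELINE, INCIDENT, bytes_per_log=1000, mode=mode,
                          sample_rate=0.05, **PRICES)
        for name, item in result.items():
            print(mode, name, {k: round(v, 2) for k, v in item.items()})
```

With these inputs, "blocked only" logging shrinks the baseline log volume sharply but barely reduces the incident line, because most incident traffic is blocked; sampling is the strategy that caps log volume in both scenarios.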

Common pitfalls

  • Modeling baseline only and ignoring attack spikes.
  • Double-counting requests across CDN + WAF + origin layers.
  • Turning on verbose logging during incidents without modeling ingestion and retention.
  • Using one blended request volume that hides a short but expensive attack window.
  • Not validating what is actually logged (all vs blocked vs sampled).

How to validate

  • Validate baseline and peak RPS from historical analytics or load balancer metrics.
  • Validate incident duration assumptions (hours vs days) using real timelines.
  • Validate logging strategy and retention (do not keep incident noise forever).
  • After changes, validate that request and log volumes move in the expected direction.

FAQ

What usually drives WAF cost?
Request volume is the main driver. Attack traffic (bots, DDoS) can multiply requests and create cost spikes if you don’t budget a peak scenario.
How do I estimate quickly?
Estimate monthly requests at baseline, then add an incident scenario (peak RPS × hours/days). Keep WAF request costs separate from CDN request fees and origin request costs.
Why do WAF bills spike during incidents?
Because incident traffic often increases request volume by 2–10×. If you also enable verbose logging during the incident, log ingestion becomes a second spike.
How do I validate?
Validate baseline and peak RPS from analytics, validate what you log (all requests vs blocked only), and validate whether you are double-counting requests across layers (CDN + WAF + origin).

Last updated: 2026-01-27