# Edge Security: Google Cloud Armor

To support social network scale and to shield the Cloud Run backend from volumetric and layer 7 (L7) attacks, Google Cloud Armor enforces policy globally at the edge load balancer, so hostile traffic is dropped before it consumes backend compute.

## Defense Strategy

```mermaid
sequenceDiagram
    participant Attacker as Malicious IP
    participant Bot as Anomalous Client
    participant Legit as Legitimate User
    participant Edge as Cloud Armor (Edge)
    participant WAF as Adaptive Protection Rules
    participant Backend as Cloud Run API

    Attacker->>Edge: Floods Endpoint (3000 RPS)
    Edge--xAttacker: 429 Too Many Requests (Throttle Drop)

    Bot->>Edge: High volume unusual payload
    Edge->>WAF: Analyze Pattern via ML
    WAF-->>Edge: Generate Custom Signature Rule
    Bot->>Edge: High volume unusual payload (Repeated)
    Edge--xBot: 403 Forbidden (Blocked by Signature)

    Legit->>Edge: Normal Traffic (30 RPS)
    Edge->>Backend: Pass through
    Backend-->>Legit: 200 OK
```

### 1. Hard Rate Limiting (Throttle)
We apply coarse-grained volumetric rate limiting keyed on the source IP to prevent a single actor from degrading service performance for everyone else.

*   **Rule Type:** Throttle
*   **Condition:** IP-based token bucket
*   **Constraint:** `2,000 requests per minute` per unique IP address.
*   **Action:** Enforce HTTP `429 Too Many Requests` or drop connection at the edge.

### 2. Adaptive Protection (Machine Learning)
Given the unpredictable nature of L7 DDoS attacks (HTTP floods, low-and-slow attacks, credential stuffing):

*   **Learning:** Adaptive Protection builds baselines of Duuble's normal web and API traffic footprints.
*   **Creation:** When anomalies are detected, it builds targeted WAF blocking rules based on specific attack signatures (e.g. unique malicious headers, geolocations, or request patterns).
*   **Deployment:** (Optional/Enterprise feature) These signatures can automatically be deployed to drop malicious traffic dynamically when under attack without ops team intervention.

### 3. Bot Management & VPN/Proxy Handling
Duuble explicitly distinguishes between legitimate human actors and automated bots, scrapers, and anonymizing networks.

*   **reCAPTCHA Enterprise Integration:** Cloud Armor pairs natively with reCAPTCHA Enterprise. Risk scores generated by the client SDK are evaluated directly at the edge layer. 
    *   *Action:* Traffic with a score `< 0.3` targeting critical paths (like Auth or Post creation) is silently blocked at the edge before hitting Cloud Run compute instances.
*   **VPNs, Tor, and Datacenter IPs:** Cloud Armor can be configured to evaluate Threat Intelligence feeds in its rule expressions.
    *   *Action:* Traffic originating from known Tor exit nodes, malicious proxies, or public cloud ranges (e.g., AWS, DigitalOcean) is subjected to heavy rate-limiting overrides or outright blocks, as legitimate mobile app traffic rarely originates from commercial server farms.
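The three controls above, expressed as one Cloud Armor security policy in Terraform. This is an added illustration, not Duuble's actual policy; the policy name, the critical-path prefixes (`/auth/`, `/posts/`) and the assumption that the reCAPTCHA Enterprise action-token site key is already associated with the policy are mine, and the Threat Intelligence rule requires Cloud Armor Enterprise.

```hcl
resource "google_compute_security_policy" "duuble_edge" {
  name = "duuble-edge-policy" # assumed name; attach to the backend service fronting Cloud Run

  # 2. Adaptive Protection: baseline Duuble traffic and propose per-attack L7 signature rules.
  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable          = true
      rule_visibility = "STANDARD"
    }
  }

  # 3a. Low reCAPTCHA Enterprise score on critical paths (prefixes assumed) is denied at the edge.
  rule {
    priority = 1000
    action   = "deny(403)"
    match {
      expr { expression = "request.path.matches('^/(auth|posts)/') && token.recaptcha_action.score < 0.3" }
    }
  }

  # 3b. Threat Intelligence feeds (Cloud Armor Enterprise): Tor exits and anonymising proxies are blocked.
  rule {
    priority = 2000
    action   = "deny(403)"
    match {
      expr { expression = "evaluateThreatIntelligence('iplist-tor-exit-nodes') || evaluateThreatIntelligence('iplist-anon-proxies')" }
    }
  }

  # 1. Hard throttle: 2,000 requests per 60 s per client IP; excess gets HTTP 429.
  #    Its conform_action "allow" ends rule evaluation, so it must sort AFTER the deny rules above.
  rule {
    priority = 9000
    action   = "throttle"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
    rate_limit_options {
      enforce_on_key = "IP"
      conform_action = "allow"
      exceed_action  = "deny(429)"
      rate_limit_threshold {
        count        = 2000
        interval_sec = 60
      }
    }
  }
  # The provider adds the default allow rule (priority 2147483647) when none is declared.
}
```

Rule priority is the security-relevant detail: Cloud Armor stops at the first matching rule, so a catch-all throttle placed before the deny rules would let every conforming request through unchecked.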
