Security with reCAPTCHA and Cloud Armor


Welcome to gHacks+, a new and exciting streaming platform for all manner of Google Cloud related technology and skills.

At gHacks+ they’re seeing an increase in malicious bot attacks and user impersonation attempts against their platform. They have turned to Google Cloud to solve their security concerns using our reCAPTCHA and Cloud Armor security offerings.

It will be your job to ensure a successful deployment on their platform and save them from further attack.


Google Cloud HTTP(S) load balancing is deployed at the edge of Google’s network in Google points of presence (POP) around the world. User traffic directed to an HTTP(S) load balancer enters the POP closest to the user and is then load balanced over Google’s global network to the closest backend that has sufficient capacity available.

Cloud Armor is Google’s distributed denial of service and web application firewall (WAF) detection system. Cloud Armor is tightly coupled with the Google Cloud HTTP Load Balancer and safeguards applications of Google Cloud customers from attacks from the internet. reCAPTCHA Enterprise is a service that protects your site from spam and abuse, building on the existing reCAPTCHA API which uses advanced risk analysis techniques to tell humans and bots apart. Cloud Armor Bot Management provides an end-to-end solution integrating reCAPTCHA Enterprise bot detection and scoring with enforcement by Cloud Armor at the edge of the network to protect downstream applications.

Security Architecture

Learning Objectives

In this lab, you configure an HTTP Load Balancer with a backend, as shown in the diagram above. Then, you’ll learn to set up a reCAPTCHA session token site key and embed it in the gHacks+ website. You will also learn how to set up redirection to reCAPTCHA Enterprise manual challenge. We will then configure a Cloud Armor bot management policy to showcase how bot detection protects your application from malicious bot traffic.

  1. How to set up a HTTP Load Balancer with appropriate health checks.
  2. How to create a reCAPTCHA WAF challenge-page site key and associated it with Cloud Armor security policy.
  3. How to create a reCAPTCHA session token site key and install it on your web pages.
  4. How to create a Cloud Armor bot management policy.
  5. How to validate that the bot management policy is handling traffic based on the rules configured.



  • A new GCP project and a user having the Owner IAM role.
  • Basic Networking and HTTP knowledge
  • Basic Unix/Linux command line knowledge


  • Lexi Flynn
  • Gino Filicetti