Cloud Armor pricing (GCP): model baseline traffic, attack spikes, and logging

Reviewed by CloudCostKit Editorial Team. Last updated: 2026-01-27. Editorial policy and methodology.

Start with a calculator if you need a first-pass estimate, then use this guide to validate the assumptions and catch the billing traps.


WAF pricing is a request-volume problem with tail risk. A good model includes two scenarios: baseline traffic and an incident spike. If you only model baseline, the bill will surprise you exactly when you are under attack.

0) Define the layer (where Cloud Armor sits)

Make sure you understand which requests Cloud Armor sees: edge traffic, load balancer traffic, or a subset by hostname and path. This prevents double counting.

  • CDN requests: counted at the CDN edge.
  • WAF requests: counted where the WAF is enforced (often at the edge/load balancer).
  • Origin requests: what reaches your backend after caching and filtering.

Guide: CDN request pricing.

1) Baseline request volume (requests/month)

Convert baseline RPS to monthly requests. If your traffic is seasonal, model the high-traffic month rather than the average month.

Tool: RPS to monthly requests.

2) Incident scenario (peak RPS × duration)

Budget an incident scenario: peak RPS multiplied by hours or days. This captures bot surges and DDoS windows. If you do not have history, choose a conservative multiplier (e.g., 5× baseline for 24–72 hours) and refine later.

  • Peak requests ≈ peak RPS × 86,400 × days
  • Keep incident traffic as a separate line item, not blended into baseline.

3) Logging and analytics (the hidden second bill)

Logging is often the second spike driver. If you log every request during an incident, log ingestion can become material even when WAF request pricing is acceptable.

Tools: Log ingestion, Tiered log storage, Log scan.

  • Decide whether you log all requests, blocked only, or a sampled subset.
  • Model retention separately (hot window + archive) so incident logs do not create a long-term bill.

Worked estimate template (copy/paste)

  • Baseline requests/month = baseline RPS × 86,400 × days
  • Incident requests = peak RPS × 86,400 × incident days
  • Logs = requests × bytes/request (baseline + incident), then retention + scan if applicable
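
The template above as a runnable model (an added example, not CloudCostKit's calculator). It keeps baseline and incident as separate line items and compares the three logging choices from section 3. All inputs are constructed assumptions: the RPS figures, the blocked fractions, the 1% sample rate, the bytes per log entry, and both unit prices, which are placeholders and not GCP list prices.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 1_000_000_000  # decimal GB; change to match your billing unit

@dataclass(frozen=True)
class Scenario:
    rps: float               # requests per second seen at the WAF layer
    days: float              # how long the scenario lasts
    blocked_fraction: float  # share of requests the WAF blocks (assumption)

    def requests(self) -> int:
        return round(self.rps * SECONDS_PER_DAY * self.days)

def logged_requests(s: Scenario, policy: str, sample_rate: float = 0.01) -> int:
    """Number of requests that produce a log entry under a logging policy."""
    if policy == "all":
        return s.requests()
    if policy == "blocked":
        return round(s.requests() * s.blocked_fraction)
    if policy == "sampled":
        return round(s.requests() * sample_rate)
    raise ValueError(f"unknown logging policy: {policy}")

def estimate(baseline, incident, policy, bytes_per_entry,
             req_price_per_million, log_price_per_gb):
    """Return one line item per scenario; never blend them into one volume."""
    lines = {}
    for name, s in (("baseline", baseline), ("incident", incident)):
        reqs = s.requests()
        log_gb = logged_requests(s, policy) * bytes_per_entry / BYTES_PER_GB
        lines[name] = {
            "requests": reqs,
            "log_gb": log_gb,
            "request_cost": reqs / 1e6 * req_price_per_million,
            "log_cost": log_gb * log_price_per_gb,
        }
    return lines

# Constructed inputs: 200 RPS baseline month, 5x peak for 3 days.
BASELINE = Scenario(rps=200, days=30, blocked_fraction=0.02)
INCIDENT = Scenario(rps=1000, days=3, blocked_fraction=0.90)

if __name__ == "__main__":
    for policy in ("all", "blocked", "sampled"):
        # 1000 bytes/entry and both prices are placeholders, not GCP prices.
        est = estimate(BASELINE, INCIDENT, policy, 1000, 0.75, 0.50)
        for name, line in est.items():
            print(policy, name, line)
```

With these inputs, "blocked only" logging still produces far more log volume in the 3-day incident than in the whole baseline month, because the blocked fraction rises during an attack.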

Common pitfalls

  • Modeling baseline only and ignoring attack spikes.
  • Double-counting requests across CDN + WAF + origin layers.
  • Turning on verbose logging during incidents without modeling ingestion and retention.
  • Using one blended request volume that hides a short but expensive attack window.
  • Not validating what is actually logged (all vs blocked vs sampled).

How to validate

  • Validate baseline and peak RPS from historical analytics or load balancer metrics.
  • Validate incident duration assumptions (hours vs days) using real timelines.
  • Validate logging strategy and retention (do not keep incident noise forever).
  • After changes, validate that request and log volumes move in the expected direction.

FAQ

What usually drives WAF cost?
Request volume is the main driver. Attack traffic (bots, DDoS) can multiply requests and create cost spikes if you don’t budget a peak scenario.

How do I estimate quickly?
Estimate monthly requests at baseline, then add an incident scenario (peak RPS × hours/days). Keep WAF request costs separate from CDN request fees and origin request costs.

Why do WAF bills spike during incidents?
Because incident traffic often increases request volume by 2–10×. If you also enable verbose logging during the incident, log ingestion becomes a second spike.

How do I validate?
Validate baseline and peak RPS from analytics, validate what you log (all requests vs blocked only), and validate whether you are double-counting requests across layers (CDN + WAF + origin).
