Solved

Firewall rule does not seem to stop incoming packets

  • December 8, 2025
  • 1 reply
  • 45 views

mrbay

I’ve created a firewall rule to stop all traffic on all protocols from all countries except one.

However, when I look at my VM's network stats, the chart titled “Firewall incoming packets denied” shows less than one packet stopped per second.

This is during a DDoS attack with millions of hits per second from around the world.

How come the firewall does not stop 99% of these, if 99% of all countries are blocked?

1 reply

yaskelly
  • New Member
  • Answer
  • January 1, 2026

Hi, thanks for sharing this — it’s a very common and understandable question when facing a DDoS situation.

What you’re observing is expected behavior in Google Cloud and usually comes down to where traffic is actually being dropped.

In Google Cloud, VPC firewall rules are not the first line of defense against large-scale DDoS traffic. Most volumetric attacks are mitigated upstream, at Google’s edge infrastructure, before packets ever reach your VPC or VM network interface.

Because of this, the metric “Firewall incoming packets denied” only reflects packets that:

  • Reach the VPC firewall evaluation stage, and

  • Are explicitly denied by a firewall rule at that level.

Traffic that is absorbed or filtered earlier (for example by Google’s global DDoS protection) will not appear in VM-level firewall metrics, even if it represents the majority of the attack traffic.

In other words, the low number of denied packets does not mean the firewall is ineffective — it usually means that most of the attack never reaches the firewall at all.

For DDoS scenarios, firewall rules are best seen as fine-grained access controls, while large-scale mitigation relies on Google’s edge protections and, if needed, services like Cloud Armor for more visibility and control.

Hope this helps clarify what you’re seeing.
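A practitioner-side check of the point made in the answer above, added here as an example and not code from the original thread: the denied-packet chart only tells you what the VPC firewall saw, so to know whether a low reading means "the attack never reached the VM" or "the rule is not matching", compare it with what the NIC actually received over the same window. The script below parses a Cloud Monitoring timeSeries.list-style response for the two metric types (the type names are the real ones; it is assumed that the console chart "Firewall incoming packets denied" is backed by firewall/dropped_packets_count), converts the per-minute DELTA counters into packets per second, and classifies the result. All numbers in the embedded response are constructed, and the classifier assumes that packets denied by the VPC firewall are not also counted as received, so received + dropped approximates what reached the VPC firewall evaluation stage.

```python
"""Cross-check a low "Firewall incoming packets denied" reading against what the
VM's NIC received, to separate upstream DDoS mitigation from a rule that is not
matching. Added example; not code from the original forum thread.

Metric type names are the real Cloud Monitoring ones. Every number below is
constructed for illustration.
"""
import json
from datetime import datetime

RECEIVED = "compute.googleapis.com/instance/network/received_packets_count"
DROPPED = "compute.googleapis.com/firewall/dropped_packets_count"

# Constructed sample in the shape of a timeSeries.list response: two one-minute
# DELTA samples for each metric during the reported attack window.
SAMPLE_RESPONSE = json.dumps({"timeSeries": [
    {"metric": {"type": RECEIVED}, "metricKind": "DELTA", "points": [
        {"interval": {"startTime": "2025-12-08T10:00:00Z", "endTime": "2025-12-08T10:01:00Z"},
         "value": {"int64Value": "93000"}},
        {"interval": {"startTime": "2025-12-08T10:01:00Z", "endTime": "2025-12-08T10:02:00Z"},
         "value": {"int64Value": "87000"}}]},
    {"metric": {"type": DROPPED}, "metricKind": "DELTA", "points": [
        {"interval": {"startTime": "2025-12-08T10:00:00Z", "endTime": "2025-12-08T10:01:00Z"},
         "value": {"int64Value": "48"}},
        {"interval": {"startTime": "2025-12-08T10:01:00Z", "endTime": "2025-12-08T10:02:00Z"},
         "value": {"int64Value": "42"}}]},
]})


def _ts(stamp: str) -> datetime:
    # The API emits RFC 3339 with a trailing Z; fromisoformat accepts +00:00 on every 3.x.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def average_pps(response_json: str) -> dict:
    """Turn DELTA counter points into an average packets-per-second figure per metric type."""
    rates = {}
    for series in json.loads(response_json)["timeSeries"]:
        per_point = []
        for point in series["points"]:
            interval = point["interval"]
            seconds = (_ts(interval["endTime"]) - _ts(interval["startTime"])).total_seconds()
            per_point.append(int(point["value"]["int64Value"]) / seconds)
        rates[series["metric"]["type"]] = sum(per_point) / len(per_point)
    return rates


def diagnose(claimed_attack_pps: float, received_pps: float, dropped_pps: float) -> str:
    """Classify why the denied-packet counter is low.

    Assumption (labelled): packets the VPC firewall denies are not also counted in
    received_packets_count, so received + dropped approximates the traffic that
    reached the VPC firewall evaluation stage on this host.
    """
    reached_vpc_firewall = received_pps + dropped_pps
    if reached_vpc_firewall < 0.05 * claimed_attack_pps:
        # Almost none of the claimed attack volume got as far as the VM: it was absorbed
        # upstream, and a near-zero denied count is exactly what you should expect.
        return "UPSTREAM_MITIGATION"
    if dropped_pps < 0.5 * reached_vpc_firewall:
        # Traffic does reach the VM but the firewall lets most of it through: the rule's
        # scope or source match is wrong for what actually arrives (e.g. a proxy-based
        # load balancer in front of the VM, whose proxy ranges are not the client's country).
        return "RULE_NOT_MATCHING"
    # The VPC firewall really is where the bulk of the traffic is being dropped.
    return "FIREWALL_DENYING"


if __name__ == "__main__":
    rates = average_pps(SAMPLE_RESPONSE)
    verdict = diagnose(2_000_000, rates[RECEIVED], rates[DROPPED])
    print(f"received={rates[RECEIVED]:.1f} pps  denied={rates[DROPPED]:.2f} pps  -> {verdict}")
```

With the constructed sample (about 1,500 packets per second received, under one per second denied, against a claimed two million per second) the verdict is UPSTREAM_MITIGATION, which matches the explanation in the answer. The other two outcomes are the cases worth acting on: RULE_NOT_MATCHING means the traffic is arriving and the rule needs a second look at what source addresses it is actually evaluating, and FIREWALL_DENYING means the VPC firewall is doing the work and the denied chart should be reading high.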