	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > Google Gemini API > ADK with Cloud Armor and API Gateway

ADK with Cloud Armor and API Gateway

Author: Venkata Sudhakar

Publicly accessible ADK agent endpoints are exposed to automated abuse, DDoS attacks, and scraping bots. GCP Cloud Armor provides a Web Application Firewall (WAF) that sits in front of Cloud Run services and applies rate limiting, geo-blocking, and OWASP rule sets. Combined with API Gateway for API key enforcement, this creates a two-layer perimeter that protects ShopMax India agent endpoints from both volumetric and application-layer attacks.

ShopMax India routes all external ADK agent traffic through API Gateway (which enforces API keys per client application) and Cloud Armor (which rate-limits to 100 requests per minute per IP and blocks traffic from known malicious ranges). Only traffic that passes both layers reaches the Cloud Run ADK agent service.

The below example shows the gcloud CLI configuration to set up Cloud Armor security policy and API Gateway for a ShopMax India ADK agent endpoint.

# Step 1: Create Cloud Armor security policy
gcloud compute security-policies create shopmax-agent-policy \
  --description="WAF policy for ShopMax India ADK agent endpoints"

# Rate limit: max 100 requests/min per IP, ban for 60s on exceed
gcloud compute security-policies rules create 1000 \
  --security-policy=shopmax-agent-policy \
  --expression="true" \
  --action=rate-based-ban \
  --rate-limit-threshold-count=100 \
  --rate-limit-threshold-interval-sec=60 \
  --ban-duration-sec=60 \
  --conform-action=allow \
  --exceed-action=deny-429 \
  --enforce-on-key=IP

# Enable OWASP top 10 pre-configured rules
gcloud compute security-policies rules create 2000 \
  --security-policy=shopmax-agent-policy \
  --expression="evaluatePreconfiguredExpr('xss-v33-stable')" \
  --action=deny-403

gcloud compute security-policies rules create 2001 \
  --security-policy=shopmax-agent-policy \
  --expression="evaluatePreconfiguredExpr('sqli-v33-stable')" \
  --action=deny-403

# Block specific high-risk countries (configurable)
gcloud compute security-policies rules create 500 \
  --security-policy=shopmax-agent-policy \
  --expression="origin.region_code == 'XX'" \
  --action=deny-403

echo "Cloud Armor policy configured: shopmax-agent-policy"

It gives the following output,

Created security policy: shopmax-agent-policy

Rule 1000 created: rate-based-ban (100 req/min, ban 60s) -> exceed: 429
Rule 2000 created: XSS pre-configured rules -> deny-403
Rule 2001 created: SQLi pre-configured rules -> deny-403
Rule 500  created: geo-block rule -> deny-403

Cloud Armor policy configured: shopmax-agent-policy

The below example shows the API Gateway configuration that enforces API key authentication for ShopMax India mobile app and web app clients before traffic reaches the agent.

# Step 2: Create API Gateway config with API key requirement
cat > shopmax-agent-api.yaml << EOF
swagger: "2.0"
info:
  title: ShopMax India Agent API
  version: "1.0"
host: shopmax-agent-gateway-xyz.uc.gateway.dev
schemes: [https]
paths:
  /chat:
    post:
      operationId: chat
      x-google-backend:
        address: https://shopmax-agent-xyz.run.app/chat
      security:
        - api_key: []
      responses:
        "200":
          description: Agent response
securityDefinitions:
  api_key:
    type: apiKey
    name: x-api-key
    in: header
EOF

# Deploy the API Gateway
gcloud api-gateway apis create shopmax-agent-api --project=shopmax-india
gcloud api-gateway api-configs create shopmax-v1 \
  --api=shopmax-agent-api \
  --openapi-spec=shopmax-agent-api.yaml \
  --project=shopmax-india
gcloud api-gateway gateways create shopmax-gateway \
  --api=shopmax-agent-api \
  --api-config=shopmax-v1 \
  --location=asia-south1

echo "API Gateway deployed. All /chat requests require x-api-key header."

It gives the following output,

API created: shopmax-agent-api
API config created: shopmax-v1
Gateway created: shopmax-gateway
  URL: https://shopmax-gateway-xyz.uc.gateway.dev
  All /chat requests require valid x-api-key header

Traffic flow:
  Client -> API Gateway (API key check)
          -> Cloud Armor (rate limit + WAF)
          -> Cloud Run shopmax-agent (ADK agent)

Test without key:
  curl -X POST https://shopmax-gateway-xyz.uc.gateway.dev/chat
  -> 401 Unauthorized: UNAUTHENTICATED

Test with valid key:
  curl -H "x-api-key: AIzaSy_client_key" ...
  -> 200 OK: agent response

The Cloud Armor and API Gateway combination gives ShopMax India enterprise-grade perimeter security. Bot traffic and DDoS attempts are absorbed at the CDN edge by Cloud Armor before reaching the agent. API keys ensure only authorised client applications (ShopMax mobile app, web portal, partner integrations) can access the agent endpoint, with each key carrying a quota that prevents any single client from monopolising the service.

Send your comments, suggestions or queries regarding this site to [email protected].