What's the best way to secure Dgraph Cloud (via GCP with HA (and replication) setup) from DDoS attacks?

Juri · November 22, 2021, 10:06am

Hi,
If I use Dgraph Cloud on Google Cloud with High Availability (and replication) setup;

how can I secure my Dgraph Cloud (Endpoints) from DDoS attacks?

I know that it’s done by Google Load Balancer + Google Cloud Armor;

but that’s how it’s done if you run your own Kubernetes.

But Dgraph Cloud is a managed service, GKE are managed by the Dgraph Team. So I don’t really want to mess up with any settings.

So, how should I handle/solve this problem/use-case?

Or is there already a service by Dgraph Cloud to enable anti-ddos?

MichelDiz · November 22, 2021, 5:19pm

Dgraph has no solution for this, you should use things like CloudFlare and such.

PS. I think Dgraph uses CloudFlare. Need to check, but we use it everywhere.

Juri · November 22, 2021, 6:03pm

Can I secure my GraphQL endpoint with Cloudflare? how? Sure with CNAME or something like that, but the original endpoint would be still accesable. This requires once again a setup like VPC, and this has to be done on Google Cloud. And i dunno if I even have access to that if I use dgraph cloud, else I still don’t wanna mess up with that (changing dgraph cloud network settings and so on)

I would really appreciate a Tutorial to safely do that

https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel

Juri · November 23, 2021, 11:47am

Would be really cool if you guys would establish a partnership for that product (DDoS protection) as well @dmai So that we can activate Cloudflare DDoS protection in Dgraph Cloud out of the box. Being able to build applications with peace of mind without having to fear exposing the GraphQL/DQL endpoints to the internet

but it also doesn’t has to be cloudflare, GCP Armor is OK too

Juri · November 25, 2021, 9:29pm

Holy Moly I just read that, sorry!! Maybe I overread that, I just read that now

Did you check that? Is dgraph cloud already using cloudflare protection? So that means my Dgraph Cloud GraphQL/DQL endpoints are protected?

this would be awesome! if yes, then maybe adding that as information on the website/docs would be good since that’s a very nice feature and one more reason to use dgraph

MichelDiz · November 26, 2021, 3:03am

I’m pretty sure that we use in the websites, like the UI, docs, main site and such. But not sure about the servers.

Pinging @dmai

Can you tell if we use some level of DDOS protection from CloudFlare in Dgraph Cloud?

dmai · November 26, 2021, 8:56pm

There’s no specific DDoS protection set up today for Dgraph Cloud. The major cloud providers (AWS, GCP, and Azure at least) already provide built-in basic DDoS protection for up to layer 4 traffic.

We’ll be enabling layer 7 DDoS protection with a WAF soon, but I wouldn’t expect anything specifically from CloudFlare at this time.

thelovesmith · January 2, 2023, 7:30pm

Did you check that? Is dgraph cloud already using cloudflare protection? So that means my Dgraph Cloud GraphQL/DQL endpoints are protected?

Just seeing this thread, guys. Is there any update on this?

We’ll be enabling layer 7 DDoS protection with a WAF soon, but I wouldn’t expect anything specifically from CloudFlare at this time.

Also, did you guys ever enable layer 7 DDOS with WAF? I want to know what things I need to take care of security-wise before our app goes live.

@dmai @MichelDiz Hey guys, Any updates on the protection mentioned above?

MichelDiz · January 10, 2023, 11:19pm

No, but we can check about this this year

cc @Raphael