
GCP Cloud Armor DDoS setup


I am wondering how Cloud Armor works. Is DDoS protection enabled by default when I create an "empty rule in policy" (allow all traffic)? Or is DDoS protection only part of the HTTP(s) Load Balancer?

Here are my notes:

  • HTTP(s) Load Balancer has basic DDoS protection by default against SYN floods, IP fragment floods, port exhaustion, etc.
  • Cloud Armor adds extra protection by default just by specifying an "empty policy"
  • You can do extra filtering based on IP locations etc. in Cloud Armor for better protection
  • In every scenario you need to consider GCS Signed URLs, WAF, VPC, IAM, internal network etc. for best results - also make the app itself secure (captcha protection for first view etc.)
  • If it's still not enough, you can use partner solutions

Can you please tell me where I am wrong and what is your best advice on how to protect your network in GCP? Thanks.


Solution

  • Even though the HTTP(S) load balancer offers some of the DDoS mitigation features you're mentioning, DDoS encompasses a lot of different attack vectors, hence there's no feature to "block all DDoS" but to provide protection on some specific common attacks:

    When you enable HTTP(S) Load Balancing or SSL proxy Load Balancing, Google infrastructure mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.

    Considering the diverse nature of DDoS attacks, Cloud Armor is meant to complement and expand this protection and to adapt to specific needs on the user's projects.

    On the specific point of setting an "empty policy" and getting an extra layer of protection: Even though some products support setting empty policies (like IAM), the Cloud Armor API reference doesn't seem to be accepting it, so this doesn't seem to add any extra protection.

    Not sure where you got that, but the Cloud Armor "adding an extra filtering [...] for better protection" part seems to be on point: You need to configure policies according to your needs in order to improve security. I think the confusion might be related to Cloud Armor working tightly coupled with the HTTP(S) load balancer.

    Finally on "best advice on how to protect your network", sounds really opinion-based and might need some concrete details to improve it. However, in this context, I think you might benefit from a GCP paper on DDoS that is a bit outdated (2016) but it includes all the products that you're mentioning and based on your comment, might be what you're looking for.
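As an added example (not part of the question or the answer above), here is what "configuring policies according to your needs" looks like in Terraform: a Cloud Armor security policy with geo filtering, per-IP rate limiting and Layer 7 DDoS Adaptive Protection, attached to the backend service of an external HTTP(S) load balancer. Resource names, the region code "XX" and the thresholds are placeholders.

```hcl
# Added example (not from the original post). Names, region code and
# thresholds are placeholders; the policy does nothing until attached to a backend.
resource "google_compute_security_policy" "edge_policy" {
  name = "edge-policy"
  # Adaptive Protection: detection of Layer 7 (HTTP flood) DDoS attacks.
  adaptive_protection_config {
    layer_7_ddos_defense_config { enable = true }
  }
  # Geo filtering: deny requests from a region the app does not serve ("XX").
  rule {
    action   = "deny(403)"
    priority = 1000
    match {
      expr { expression = "origin.region_code == 'XX'" }
    }
  }
  # Throttle each client IP to 100 requests per minute; excess gets HTTP 429.
  rule {
    action   = "throttle"
    priority = 2000
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100
        interval_sec = 60
      }
    }
  }
  # Default rule (lowest priority): allow everything not matched above.
  # A policy holding only this rule (an "empty" policy) filters nothing.
  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}

# The policy only takes effect once attached to a load balancer backend service.
resource "google_compute_backend_service" "web" {
  name            = "web-backend"  # placeholder; backends and health checks omitted
  security_policy = google_compute_security_policy.edge_policy.self_link
}
```

The rules are evaluated in ascending priority order, so the explicit deny and throttle rules run before the catch-all allow; without them the policy is equivalent to the "empty policy" the question asks about.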