I successfully got rate-based limiting working in Cloud Armor. reCAPTCHA works for me too. But I'm looking for a solution: can a Cloud Armor rate-based rule redirect users to reCAPTCHA after they exceed some number of requests?

    gcloud beta compute security-policies rules create 100 \
        --security-policy=$CA_POLICY \
        --expression="true" \
        --action=rate-based-ban \
        --rate-limit-threshold-count=50 \
        --rate-limit-threshold-interval-sec=120 \
        --ban-duration-sec=300 \
        --conform-action=allow \
        --exceed-action=deny-404 \
        --enforce-on-key=IP

    gcloud compute security-policies rules create 101 \
        --security-policy $CA_POLICY \
        --expression "request.path.matches(\"/index.php\")" \
        --action redirect \
        --redirect-type google-recaptcha

On this page there is an example that shows how a Cloud Armor rate-based rule can redirect users to reCAPTCHA after they exceed some number of requests:
You can also issue rate-based bans for users who have a valid reCAPTCHA exemption cookie. For example, the following gcloud command creates a throttle rule at priority 115 with a rate limit of 20 requests per 5 minutes for each unique reCAPTCHA exemption cookie across all requests that have a valid reCAPTCHA exemption cookie. Requests that exceed the throttling limit are redirected for reCAPTCHA Enterprise assessment. For more information about exemption cookies and reCAPTCHA Enterprise assessment, see the bot management overview.

    gcloud compute security-policies rules create 115 \
        --security-policy sec-policy \
        --expression="token.recaptcha_exemption.valid" \
        --action=throttle \
        --rate-limit-threshold-count=20 \
        --rate-limit-threshold-interval-sec=300 \
        --conform-action=allow \
        --exceed-action=redirect \
        --exceed-redirect-type=google-recaptcha \
        --enforce-on-key=HTTP-COOKIE \
        --enforce-on-key-name="recaptcha-ca-e"
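
A simplified model of how the throttle rule at priority 115 treats traffic, as an added example that is not part of the original answer or of Google's documentation. The fixed counting window, the name `ThrottleRule115` and the sample requests are assumptions made for illustration; only the threshold, interval, cookie name and actions come from the command above.

```python
# Simplified model (added example) of the throttle rule at priority 115.
# Assumption: a fixed counting window per key; Cloud Armor's internal
# counting algorithm is not described on this page.
from collections import defaultdict

THRESHOLD_COUNT = 20            # --rate-limit-threshold-count
INTERVAL_SEC = 300              # --rate-limit-threshold-interval-sec
COOKIE_NAME = "recaptcha-ca-e"  # --enforce-on-key-name


class ThrottleRule115:  # hypothetical name, for illustration only
    def __init__(self):
        # cookie value -> [window_start, request_count]
        self._windows = defaultdict(lambda: [None, 0])

    def evaluate(self, now, cookies, exemption_valid):
        """Return 'no-match', 'allow' or 'redirect:google-recaptcha'."""
        # --expression="token.recaptcha_exemption.valid"
        if not exemption_valid or COOKIE_NAME not in cookies:
            return "no-match"  # the rule does not apply; other rules decide
        # --enforce-on-key=HTTP-COOKIE: one counter per cookie value
        window = self._windows[cookies[COOKIE_NAME]]
        if window[0] is None or now - window[0] >= INTERVAL_SEC:
            window[0], window[1] = now, 0
        window[1] += 1
        if window[1] <= THRESHOLD_COUNT:
            return "allow"                      # --conform-action=allow
        return "redirect:google-recaptcha"      # --exceed-action=redirect


def replay(requests):
    """Run (time_sec, cookies, exemption_valid) tuples through one rule."""
    rule = ThrottleRule115()
    return [rule.evaluate(*req) for req in requests]


# Constructed sample traffic, not real logs.
SAMPLE = (
    [(t, {COOKIE_NAME: "cookie-A"}, True) for t in range(25)]
    + [(30, {COOKIE_NAME: "cookie-B"}, True)]   # different key, own counter
    + [(31, {}, False)]                         # no exemption cookie
    + [(300, {COOKIE_NAME: "cookie-A"}, True)]  # new interval for cookie-A
)

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(req[0], req[1].get(COOKIE_NAME, "-"), verdict)
```
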