You can protect your Internet-facing applications by using Google Cloud’s Web App and API protection (WAAP) solution. WAAP combines Cloud Armor, reCAPTCHA Enterprise, and Apigee to help you mitigate many common threats.

Here’s a sample web application and API security architecture that could include these components:

1. When a user tries to log into the website or mobile app, the reCAPTCHA token is obtained.
2. reCAPTCHA Enterprise deciphers the token in the incoming request and enforces allow/deny decisions in Cloud Armor.
3. If Cloud Armor allows the request, then it is forwarded to Load Balancer.
4. Load Balancer then sends the request to the respective backend with Apigee API Gateway in the middle, which allows/denies or routes API calls based on client credentials and quotas.