Google Cloud Armor is Google's Network Security service that provides protection against DDoS and web application based attacks. If you have been thinking about enabling Google Cloud Armor for leveraging its DDoS protection and WAF capabilities, you must know the following restrictions: 1. Cloud Armor cannot be enabled on non-HTTP Load balancers. 2. If your HTTP load balancers have Cloud CDN enabled on them, then you cannot enable Cloud Armor on them. 3. If your HTTP Load Balancer has backend buckets instead of backend services, you cannot enable Cloud Armor. This is evident in the below snapshot, where the only option you get is to enable Armor for "Load Balancer backend service". The above restriction is also mentioned in the official GCP document. Click here : Cloud Armor Limitations . Summary: You can enable Cloud Armor only on HTTP load balancers which have backend services (not buckets) as the backend resources.