Cloud CDN and Security Policies
According to the documentation, "If you try to associate a Cloud Armor Security Policy for a backend service and Cloud CDN is enabled, the config will be rejected."
This is a confusing restriction. If I need to block some unwanted traffic from a load balancer, I first need to disable CDN. But disabling CDN is not possible because that would completely overwhelm the backend services with traffic that is expected to be served by the CDN. Especially during an attack, this would be extremely inconvenient.
Why is this restriction in place? It would make more sense to remove it if possible.