Which requirement must be met when using Google Cloud Armor security policies?

When leveraging Google Cloud Armor security policies, one essential requirement is that the backend service’s load balancing scheme must be EXTERNAL. This is important because Google Cloud Armor is designed to provide DDoS protection and application defense for services that are exposed to public internet traffic through external load balancers.

External load balancers serve traffic that is routed from the internet, and by integrating with Cloud Armor, organizations can enforce security policies that help safeguard their applications from various types of threats, such as Layer 3/4 DDoS attacks. The functionality of Cloud Armor is fundamentally meant for protection at the edges of Google Cloud’s infrastructure, which is where external load balancers come into play.

Therefore, the requirement for the load balancing scheme to be EXTERNAL ensures that the policies applied can adequately monitor and protect traffic entering the Google Cloud environment from the internet, which is pivotal for maintaining secure operations and compliance with security best practices.