How to protect origin server on Google Cloud that are behind Cloudflare?
I have some DNS A records pointing to the public IP addresses of some Load Balancers on Google Cloud Platform. The domains are protected by Cloudflare, but is there a way for me to protect them in case their public IP addresses are exposed somewhere? I need this mostly for compliance reasons.
I'm thinking of using Google Cloud Armor (https://cloud.google.com/security/products/armor?hl=en) to only allow Cloudflare's IP addresses but people can still hit my load balancers using Cloudflare Workers and Cloud Armor seems expensive even with pay-as-you-go. Is there a better way to do it?
Google Cloud
Cloud Armor Network Security
Google Cloud Armor is a network security service that provides defenses against DDoS and application attacks, and offers a rich set of WAF rules.
I believe GCP load balancers support mTLS. If so, then you can use origin pull, which means all requests to your site will have to go through Cloudflare.
Cloudflare Docs
Authenticated Origin Pulls (mTLS)
Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network.
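What the answer describes, as an added example that is not part of this thread or of Cloudflare's or Google's code: an origin that accepts only client certificates chaining to a trusted CA, tried by a caller holding such a cert (the Cloudflare edge), a caller with no cert (a direct hit on a leaked origin IP) and a caller with a cert from an unrelated CA. The CA, the certificate names and the use of Go's httptest server are constructed stand-ins; in a real deployment the trusted pool holds Cloudflare's published origin-pull CA certificate and the setting lives in the load balancer or web server rather than in application code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert mints a short-lived certificate, self-signed unless a parent is given. Everything here is
// constructed for the demo: the "CA" only stands in for Cloudflare's origin-pull CA, it is not the real one.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, any(key) // no parent: self-signed root
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// reached reports whether one request presenting certs (none = a direct hit on the origin IP) got past the TLS handshake.
func reached(srv *httptest.Server, certs ...tls.Certificate) bool {
	tr := srv.Client().Transport.(*http.Transport) // already trusts the test server's own cert
	tr.CloseIdleConnections()                      // never reuse an already authenticated connection
	tr.TLSClientConfig.Certificates = certs
	_, err := srv.Client().Head(srv.URL)
	return err == nil
}
// RunDemo: the origin accepts only client certs chaining to the trusted CA (what Authenticated Origin Pulls needs), then three callers try it.
func RunDemo() (edge, noCert, otherCA bool) {
	ca, other := newCert("constructed origin-pull CA", true, nil), newCert("unrelated CA", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	return reached(srv, newCert("edge", false, &ca)), reached(srv), reached(srv, newCert("direct", false, &other))
}
```

Only the first caller gets through; the other two are refused during the TLS handshake, before any HTTP request reaches the origin, which is the property that makes a leaked origin IP far less useful.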
thank you!