Put simply, I want to proxy my API hosted on Google Cloud Platform behind Cloudflare, for security reasons: to utilise Cloudflare’s unmetered DDoS protection and rate limiting, and for performance: zero-egress fee CDN.
The key here is that my GCP resources must not be accessible at all except via Cloudflare. How do I create a secure (on both ends) connection between Cloudflare and GCP?
On the GCP side it will be a Cloud Load Balancer to provide an external entrypoint into my internal resources (including serverless Cloud Run). This means it gives me an external IP address which must be secured behind Cloudflare. No Cloud Armor or Cloud CDN here as they are metered and costly compared to Cloudflare. It would be great if I didn’t need Cloud Load Balancer, but it seems to be the most cost-effective way to route into multiple different serverless Cloud Run services. Any suggestions there welcome, but that’s a little off topic.
Proxying the GCP IP address behind Cloudflare is easy, but the IP address itself remains vulnerable to DDoS etc., if someone manages to learn the IP address.
I assumed I can use mTLS and Authenticated Origin Pulls between Cloudflare and the GCP origin.
So I created an origin certificate on Cloudflare and configured the Cloud Load Balancer to use it. Cloudflare can verify my GCP backend no problem. However, Cloud Load Balancer still accepts any connection.
So I go about configuring Cloud Load Balancer to implement mTLS on the GCP side using this documentation: https://cloud.google.com/load-balancing/docs/https/setting-up-mtls-ccm, however it requires both a root certificate (trust anchor) and an intermediate certificate. Cloudflare only provides me an origin certificate (I assume this is the intermediate certificate?) and the private key.
How do I reconcile these two different sets of certificates?