How to secure GCP behind Cloudflare

Put simply, I want to proxy my API hosted on Google Cloud Platform behind Cloudflare, for securty reasons: to utilise Cloudflare’s unmetered DDoS protection and rate limiting, and for performance: zero-egress fee CDN.

The key here is that my GCP resources must not be accessible at all except via Cloudflare. How to I create a secure (on both ends) connection between Cloudflare and GCP?

My attempt:

On the GCP side it will be a Cloud Load Balancer to provide an external entrypoint into my internal resources (including serverless Cloud Run). This means give me an external IP address which must be secured behind Cloudflare. No Cloud Armor or Cloud CDN here as they are metered and costly compared to Cloudflare. It would be great if I didn’t need Cloud Load Balancer, it seems to be the most cost-effective way to route into multiple different serverless Cloud Run services. Any suggestions there welcome, but that’s a little off topic.

Proxying the GCP IP address behind Cloudflare is easy, but the IP address itself remains vulnerable to DDoS etc, if someone manages to learn the IP address.

I assumed I can use mTLS and Authenticated Origin Pulls between Cloudflare and the GCP origin.

So I created an origin certificate on Cloudflare and the Cloud Load Balancer to use it. Cloudflare can verify my GCP backend no problem. However Cloud Load Balancer still accepts any connection.

So I go about configuring Cloud Load Balancer to implement mTLS on the GCP side using this documentation https://cloud.google.com/load-balancing/docs/https/setting-up-mtls-ccm, however it requires both a root certificate (trust anchor) and an immediate certificate. Cloudflare only provides me an origin certificate (I assume this is the immediate certificate?) and the private key.

How do I reconcile these two different sets of certificates?

Discovered that I can specify my own CSR for Cloudflare to create the certificate, and in this way, I can create a root certificate first.

However the problem is that, when creating the TrustConfig resource on GCP gcloud beta certificate-manager trust-configs import TRUST_CONFIG_NAME --source=trust_config.yaml , it fails with submitted certificate must be a certificate authority (CA) with Basic Constraints set to CA:true.

It seems that Cloudflare doesn’t set this constraint when creating the certificate, and there is no way to make it do so (we can only specify a CSR)?

Securing GCP resources behind Cloudflare shouldn’t be this hard? Surely I’m not the first to do it, am I missing an easier way to do it?

There is no such thing as an immediate certificate. An intermediate certificate is typically signed by the root certificate and used to sign the leaf certificate. In the case of multiple intermediate certificates, the chain will flow accordingly: root → intermediate → intermediate → leaf.

You can obtain the Cloudflare Origin CA root for upload to GCP resources.

1 Like

Thanks for the quick reply! Thanks for the link to the Cloudflare root certificate.

However the problem remaims that GCP requires a certificate with “Basic Constraints set to CA:true” whereas Cloudflare only generates certificates containing X509v3 Basic Constraints: critical CA:FALSE.

Any workaround?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.