Pointing DNS record directly at Load Balancer IP?

What are the best practices regarding using a Cloudflare DNS record with a load balancer IP?

Keeping end-to-end HTTPS in mind, should I create an additional A record pointing at the load balancer IP with an SSL cert? And then point a Cloudflare CNAME record at that A record? The issue I find with that is it leaves you open to DDoS attacks at the A record; is the solution just to whitelist Cloudflare IPs only?

Or is it better to point a Cloudflare DNS record directly at the IP address? Will the Origin CA cert still work without a hostname for the load balancer?

I have not been able to find the answers to these questions in the docs, but if I have overlooked something please let me know. Thank you!

I don’t have anything definitive to reference, but I just point the end user facing DNS record at the LB IP address. I don’t see a need to chain multiple records.

If you are using the same LB IP across multiple hostnames, then it can be convenient to CNAME them, but all the records can be :orange:, unless they are in different accounts.

The names on the origin certificate need to match the name the user is requesting. By default, origin certs are valid for the same names as you find on a universal certificate, so unless you changed the default, there should be no issue. You can also generate an Origin cert that is valid for any combination of hostnames for multiple domains on the same account, if that is needed.
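The two controls discussed in this thread, restricting the origin so that only Cloudflare's proxy ranges can reach the load balancer IP, and making sure the name the client requests is actually covered by the origin certificate, can be checked with a small script. The following is an added example written for this thread; it is not Cloudflare's code or anything posted above. The CIDR ranges, the certificate SAN list and the sample requests are constructed placeholders (RFC 5737 documentation networks, not Cloudflare's real ranges); a real deployment would load the published lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and refresh them on a schedule.

```python
"""Origin-side checks for a load balancer sitting behind Cloudflare (added example).

1. is_allowed_source():     does the connecting IP fall inside the allowed proxy ranges?
2. hostname_matches_san():  does the requested hostname match a name on the origin cert
                            (wildcard covers exactly one leftmost label, RFC 6125 style)?
3. evaluate_origin_requests(): run both checks over a list of (source_ip, hostname) pairs.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder ranges (RFC 5737 TEST-NETs), NOT Cloudflare's real ranges.
# In production, populate this from https://www.cloudflare.com/ips-v4 and /ips-v6.
ALLOWED_SOURCE_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]

# Constructed SAN list standing in for what an Origin CA certificate would carry.
ORIGIN_CERT_SANS = ["*.example.com", "example.com"]

# Constructed sample of connections as the load balancer would see them.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("198.51.100.7", "www.example.com"),    # allowed range, name covered -> allow
    ("192.0.2.1", "www.example.com"),       # bypasses the proxy -> deny at the firewall
    ("198.51.100.9", "api.other.example"),  # proxied, but cert does not cover the name
]


def is_allowed_source(ip: str, cidrs=ALLOWED_SOURCE_CIDRS) -> bool:
    """True if ip lies inside one of the allowed CIDRs; malformed input is rejected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in cidrs)


def hostname_matches_san(hostname: str, sans: Iterable[str]) -> bool:
    """Match a requested hostname against certificate SANs.

    A wildcard SAN such as *.example.com matches www.example.com but neither
    example.com (apex) nor a.b.example.com (two labels), and a bare
    *.com style wildcard is never accepted.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*":
            # wildcard must leave at least two literal labels and cover exactly one label
            if len(san_labels) >= 3 and host_labels[0] and host_labels[1:] == san_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def evaluate_origin_requests(requests: Iterable[Tuple[str, str]],
                             sans: Iterable[str],
                             cidrs=ALLOWED_SOURCE_CIDRS) -> List[Dict[str, object]]:
    """Return one verdict per request; a request is allowed only if both checks pass."""
    sans = list(sans)
    verdicts = []
    for source_ip, hostname in requests:
        source_ok = is_allowed_source(source_ip, cidrs)
        name_ok = hostname_matches_san(hostname, sans)
        verdicts.append({
            "source_ip": source_ip,
            "hostname": hostname,
            "source_allowed": source_ok,
            "name_matches_cert": name_ok,
            "action": "allow" if (source_ok and name_ok) else "deny",
        })
    return verdicts


if __name__ == "__main__":
    for v in evaluate_origin_requests(SAMPLE_REQUESTS, ORIGIN_CERT_SANS):
        print(v)
```

The source-range check is what a firewall allowlist on the load balancer enforces; the SAN check is the same comparison the client performs when it validates the origin certificate, so running it ahead of a DNS change tells you whether a new hostname will be covered before traffic hits it.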

I see. Does this reply change if there is a Cloudflare Worker involved? The DNS name doesn’t necessarily always go to the Load Balancer IP, which is why I implemented the CNAME in the first place. Attached for reference.