I’m looking for some recommendations on securing my application and reducing its publicly visible presence (e.g. origin IPs).
My application runs as a set of microservices on AWS behind an application load balancer. I’m using CloudFlare for DNS and SSL termination (with full SSL enabled from CloudFlare to my ALB).
I have a number of CNAMEs in CloudFlare which point to various service subdomains which the ALB routes to the corresponding services which run in private subnets.
I’d like to hide my origin IPs which in the case would be the IP addresses of the ALB. However, the ALB 's DNS is publicly visible and discoverable. However, I’m not sure if it can be traced back to the domains in CloudFlare. Also, a co-worker has been suggesting that I configure Cloudflare in a way that completely hides the IPs and DNS names.
I don’t believe that this is possible if I’m using an ALB as I need to point Cloudflare records to something and ALB IP addresses are not stable. I know that I can configure listener rules in the ALB (or with an AWS WAF) to block traffic not originating from Cloudflare but the ALB’s DNS is still resolvable.
Does anyone here know of a way to couple Cloudflare together with an AWS ALB which completely hides the AWS infrastructure?