Serving multi-domain LEMP stack through Tunnel


Currently I have a LEMP stack at GCP. The GCP firewall is set to only accept Cloudflare IP on port 443. This has worked well for the last couple of years but I thought that serving the ~12 domains hosted on this thing might be better done through a Tunnel; mostly to mitigate a SNAFU should Cloudflare ever alter its IP ranges.

I have near zero experience with Tunnels apart from setting up a proof-of-concept one a few months ago. So here goes:

  1. Am I to create a Tunnel and specify port 443 within a config file? Do the domains need to be included in that one centralized config file or should I establish a Tunnel per domain and run ~12 Tunnels?

Currently I just have domain.tld.conf entries per domain in /etc/nginx/sites-available (Debian Bullseye). Do I just open port 443 for this Tunnel like this?:


  2. Do I then create CNAME entries for my domains to route them through that/those tunnel(s)?

  3. Profit??? Is it that easy? Is there some documentation that'd walk me through this?
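An added example of the single-tunnel, single-config layout asked about above (not the poster's own configuration; the hostnames and the tunnel UUID are placeholders). One `cloudflared` config carries one ingress rule per hostname, all pointing at the local nginx listener, and nginx selects the server block from the Host header that cloudflared forwards unchanged:

```yaml
# Added example (not the poster's config): one cloudflared tunnel serving several
# domains from the same nginx on the same host. Domain names and the tunnel UUID
# are placeholders; replace them with your own values.
tunnel: <TUNNEL-UUID>
credentials-file: /root/.cloudflared/<TUNNEL-UUID>.json

ingress:
  # One rule per hostname (add www variants the same way). Every rule targets
  # the local nginx on 443; nginx picks the matching server block from the
  # Host header, so the existing per-domain .conf files keep working.
  - hostname: example-one.tld
    service: https://localhost:443
    originRequest:
      # SNI presented to nginx so it serves the certificate for this vhost
      originServerName: example-one.tld
  - hostname: www.example-one.tld
    service: https://localhost:443
    originRequest:
      originServerName: www.example-one.tld
  - hostname: example-two.tld
    service: https://localhost:443
    originRequest:
      originServerName: example-two.tld
      # Only if the origin cert is self-signed or a Cloudflare origin cert
      # that cloudflared cannot validate; otherwise leave this out.
      noTLSVerify: true
  # Mandatory catch-all: a request for any hostname not listed above gets a
  # 404 from cloudflared and never reaches nginx.
  - service: http_status:404

# DNS: each public hostname needs a proxied CNAME to <TUNNEL-UUID>.cfargotunnel.com.
# `cloudflared tunnel route dns <TUNNEL-UUID> example-one.tld` creates it for you.
```

With the tunnel as the only path in, cloudflared only opens outbound connections, so the GCP firewall rule that admits Cloudflare's IP ranges on 443 can be removed rather than maintained.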