Using Cloud CDN together with mTLS

We are planning to introduce Cloud CDN to a system where mTLS is configured on Cloud Load Balancing.

According to the Cloud CDN documentation [1], when using Cloud CDN, the request path is:

User → CDN → Load Balancer

With this architecture, requests pass through the CDN before reaching the Load Balancer, which means they go through the CDN prior to client certificate verification at the Load Balancer.
Because of this, it appears that Cloud CDN and mTLS cannot be used together.

If both are required, it seems necessary to separate the request paths, using Cloud CDN for some traffic and bypassing it for others.

While researching other public cloud providers, I found that AWS recently added mTLS support to CloudFront. Before this feature was available, it was apparently necessary to configure separate request paths as well.

I am currently investigating the situation on GCP, but I have not been able to find any documentation that explicitly mentions mTLS support for Cloud CDN.
Therefore, I would appreciate any insights or guidance from someone who has knowledge or experience in this area.

As of now, GCP CDN does not natively support mTLS. mTLS is supported only by Global External Application Load Balancers (ALB). You may consider raising a support ticket with Google to request this feature.

Thank you for your response.

Is it possible to change the request path to Load Balancer → Cloud CDN and use it together with mTLS?
Alternatively, are there any other approaches to achieve similar behavior?

Unfortunately, the answer may be no. If a CDN is not mandatory for your scenario, you can instead use a global load balancer. You may refer to the following document for guidance: GCP Mutual TLS overview.