
Cloudflare Authenticated Origin Pulls (mTLS)

Runway uses Cloudflare Authenticated Origin Pulls (AOP) with mutual TLS (mTLS) to ensure all traffic to your Kubernetes applications flows through Cloudflare’s security controls. This prevents direct origin access attacks and ensures that WAF rules, rate limiting, and other security features cannot be bypassed.

When a user requests your application, the request flows through multiple validation layers:

  1. User → Cloudflare: The request reaches Cloudflare’s edge network
  2. Cloudflare → Your Origin: Cloudflare presents a client certificate signed by Runway’s certificate authority
  3. Load Balancer Validation: Your cloud load balancer validates the certificate against the trusted CA
  4. Application Access: Only requests with valid certificates reach your application pods

┌─────────────┐
│  Internet   │
│    Users    │
└──────┬──────┘
       │ HTTPS
┌──────────────────┐
│    Cloudflare    │
│   Edge Network   │
└──────┬───────────┘
       │ HTTPS + mTLS
       │ (client cert)
┌──────────────────────────┐
│   Cloud Load Balancer    │
│     (validates cert)     │
└──────┬───────────────────┘
       │ (only if valid)
┌──────────────────────────┐
│  Your Application Pods   │
└──────────────────────────┘

Runway automatically manages the complete certificate lifecycle using HashiCorp Vault:

Root CA (20 years)
└─ Intermediate CA (10 years)
   └─ Client Certificates (90 days, auto-rotated)

  • Root CA: Stored securely in Vault, signs the intermediate CA
  • Intermediate CA: Stored in Vault, issues client certificates for Cloudflare
  • Client Certificates: Short-lived (90 days), automatically rotated before expiration

Client certificates are automatically rotated every 90 days with zero downtime. Runway detects expiring certificates, issues new ones from Vault, uploads them to Cloudflare, and your load balancers continue validating against the same intermediate CA without requiring any manual intervention.
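The chain and the rotation trigger described above, as an added Go example that is not Runway's code: it issues a Root CA, an Intermediate CA and a 90-day client certificate in memory, plays a load balancer whose trust store holds only the intermediate CA against a client that either presents the Runway-issued certificate or none, and shows the expiry check that would start a rotation. The names (`Runway Root CA`, `cloudflare-origin-pull`, `origin.internal`), the counter used for serial numbers, and the in-memory connection are assumptions for the demo; in Runway the issuance happens in Vault and the validation in the AWS or GCP load balancer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // constructed stand-in for the CA's serial-number allocation

// newTemplate builds a certificate template valid for `days`; a cert-signing key usage marks it as a CA.
func newTemplate(cn string, usage x509.KeyUsage, days int, eku ...x509.ExtKeyUsage) *x509.Certificate {
	serial++
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(0, 0, days), KeyUsage: usage, ExtKeyUsage: eku,
		BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0,
	}
}

// issue generates a P-256 key and has parent sign a certificate for it (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root: the template is its own parent
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Hierarchy mirrors the page's chain: Root CA (20 years) -> Intermediate CA (10 years) -> client cert (90 days).
type Hierarchy struct {
	Root, Intermediate, Client          *x509.Certificate
	RootKey, IntermediateKey, ClientKey *ecdsa.PrivateKey
}

// BuildHierarchy issues the three certificates in memory (in Runway this is Vault's job).
func BuildHierarchy() (h *Hierarchy, err error) {
	h = &Hierarchy{}
	if h.Root, h.RootKey, err = issue(newTemplate("Runway Root CA", x509.KeyUsageCertSign, 20*365), nil, nil); err != nil {
		return nil, err
	}
	if h.Intermediate, h.IntermediateKey, err = issue(newTemplate("Runway Intermediate CA", x509.KeyUsageCertSign, 10*365), h.Root, h.RootKey); err != nil {
		return nil, err
	}
	client := newTemplate("cloudflare-origin-pull", x509.KeyUsageDigitalSignature, 90, x509.ExtKeyUsageClientAuth)
	if h.Client, h.ClientKey, err = issue(client, h.Intermediate, h.IntermediateKey); err != nil {
		return nil, err
	}
	return h, nil
}

// NeedsRotation reports whether cert expires within window of now, the trigger for issuing a replacement.
func NeedsRotation(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}

// Handshake plays the load balancer (trusting only the intermediate CA) against a client that either
// presents the Runway-issued certificate (Cloudflare) or none (a direct-to-origin connection).
func Handshake(h *Hierarchy, presentCert bool) error {
	trust := x509.NewCertPool()
	trust.AddCert(h.Intermediate) // the trust store holds the intermediate CA, as on the page
	srvTmpl := newTemplate("origin.internal", x509.KeyUsageDigitalSignature, 90, x509.ExtKeyUsageServerAuth)
	srvTmpl.DNSNames = []string{"origin.internal"}
	srvCert, srvKey, err := issue(srvTmpl, h.Intermediate, h.IntermediateKey)
	if err != nil {
		return err
	}
	srvEnd, cliEnd := net.Pipe() // in-memory connection, so no sockets are needed
	defer cliEnd.Close()
	go func() {
		srvCerts := []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}
		s := tls.Server(srvEnd, &tls.Config{Certificates: srvCerts, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust})
		if s.Handshake() == nil { // only a validated client gets application data back
			s.Write([]byte("ok"))
		}
		srvEnd.Close()
	}()
	cfg := &tls.Config{RootCAs: trust, ServerName: "origin.internal"}
	if presentCert {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{h.Client.Raw}, PrivateKey: h.ClientKey}}
	}
	// Read runs the handshake first. In TLS 1.3 the client's half of the handshake completes before the
	// server has judged the client certificate, so the server's verdict only becomes visible on this read.
	_, err = tls.Client(cliEnd, cfg).Read(make([]byte, 2))
	return err
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("with Runway-issued cert:", Handshake(h, true), "| without client cert:", Handshake(h, false))
}
```

The last comment in Handshake is the practical caveat: when testing an mTLS origin with a TLS 1.3 client, a successful handshake on the client side does not mean the server accepted the certificate; the rejection alert arrives with the first application read, so a check that only looks at the handshake result would wrongly report that an unauthenticated connection got through.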

Aspect                   Protection
Direct Origin Access     ❌ Blocked - only Cloudflare can connect
WAF Bypass               ❌ Prevented - all traffic validated
Rate Limiting Bypass     ❌ Prevented - all traffic validated
DDoS Attacks             ✅ Mitigated at Cloudflare edge
Certificate Compromise   ✅ Limited exposure (90-day rotation)

AOP is enabled by default for all workloads. To explicitly configure it, add the following to your workload in config/runtimes/[eks|gke]/workloads.yml:

- runway_service_id: my-service
  project_id: 12345
  cloudflare:
    enabled: true

Set enabled: false to disable AOP for a specific workload.

Additional Protection: When enabled, Runway also blocks non-Cloudflare originated requests at the load balancer layer as an extra security measure.

For GKE services, contact the Runway team in #g_runway when enabling AOP. The GCP Gateway API currently lacks native mTLS support, so Runway performs additional configuration steps to ensure certificate validation. GCP has indicated native mTLS support will be available in H2 2026. See issue #713 for details.

Runway implements mTLS validation differently depending on your cloud provider, but both use the same certificate hierarchy and validation logic.

AWS (EKS):

  • Trust Store: Stores the Intermediate CA certificate
  • Ingress Annotations: Configure mTLS validation on ingress resources
  • Validation: AWS Application Load Balancer (ALB) validates all incoming client certificates

GCP (GKE):

  • Trust Config: Stores the Intermediate CA certificate
  • Server TLS Policy: Configures mTLS validation on the Cloud Load Balancer Target HTTPS Proxy
  • Validation: GCP Cloud Load Balancer validates all incoming client certificates

Runway provides observability for mTLS validation:

  • Certificate Expiration Tracking: Monitor and alert when certificates are approaching rotation
  • Validation Metrics: Track and alert based on HTTP 525 (TLS handshake) error rates
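The 525 error-rate alerting described above, as an added Go example that is not Runway's tooling: it reads constructed request-log lines in a simplified `timestamp edge-status host` form, buckets them per host into fixed windows, and flags every window whose share of HTTP 525 responses reaches a threshold once the window holds enough requests to be meaningful. The log format, the host name, the one-minute window and the thresholds are assumptions; Cloudflare's real log fields are different.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SampleLog is a constructed request log in a simplified "timestamp edge-status host" form;
// it is not Cloudflare's real log schema. 525 is the edge status Cloudflare returns when the
// TLS handshake with the origin fails. The last line is deliberately malformed.
const SampleLog = `2025-01-10T10:00:01Z 200 app.example.com
2025-01-10T10:00:05Z 200 app.example.com
2025-01-10T10:00:09Z 525 app.example.com
2025-01-10T10:00:40Z 200 app.example.com
2025-01-10T10:01:02Z 525 app.example.com
2025-01-10T10:01:03Z 525 app.example.com
2025-01-10T10:01:10Z 525 app.example.com
2025-01-10T10:01:30Z 200 app.example.com
2025-01-10T10:01:45Z 525 app.example.com
2025-01-10T10:02:15Z 200 app.example.com
this line is malformed and must be skipped rather than crash the detector`

// Alert describes one window in which handshake failures crossed the threshold.
type Alert struct {
	Host        string
	WindowStart time.Time
	Total       int
	Failures    int
	Rate        float64
}

// HandshakeFailureAlerts buckets requests per host into fixed windows and flags every window whose
// share of HTTP 525 responses reaches threshold, ignoring windows with fewer than minRequests
// requests so that a single stray failure on a quiet host does not page anyone.
func HandshakeFailureAlerts(lines string, window time.Duration, minRequests int, threshold float64) []Alert {
	type bucket struct {
		host  string
		start time.Time
	}
	totals, failures := map[bucket]int{}, map[bucket]int{}
	var order []bucket // first-seen order, so alerts come out chronologically
	for _, line := range strings.Split(lines, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // malformed line: skip, never trust it to parse
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		status, err := strconv.Atoi(f[1])
		if err != nil {
			continue
		}
		b := bucket{f[2], ts.Truncate(window)}
		if _, seen := totals[b]; !seen {
			order = append(order, b)
		}
		totals[b]++
		if status == 525 {
			failures[b]++
		}
	}
	var alerts []Alert
	for _, b := range order {
		n := totals[b]
		rate := float64(failures[b]) / float64(n)
		if n >= minRequests && rate >= threshold {
			alerts = append(alerts, Alert{b.host, b.start, n, failures[b], rate})
		}
	}
	return alerts
}

func main() {
	// Constructed thresholds: alert when at least half of 3+ requests in a one-minute window hit 525.
	for _, a := range HandshakeFailureAlerts(SampleLog, time.Minute, 3, 0.5) {
		fmt.Printf("ALERT %s window=%s 525s=%d/%d (%.0f%%)\n",
			a.Host, a.WindowStart.Format(time.RFC3339), a.Failures, a.Total, a.Rate*100)
	}
}
```

The minimum-request floor matters as much as the rate: during a certificate rotation a single early 525 on a low-traffic host is noise, while a sustained majority of 525s on a busy host is the signal that the trust store and the presented certificate no longer agree.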

Contact the Runway team in #g_runway if you notice any certificate-related issues or validation failures.

For questions about mTLS, certificate rotation, or security configuration, reach out to the Runway team in #g_runway.