
Backend topology in GCP

Overview

Each region the backend is deployed in is structured as follows:

Detailed flow

Cloudflare

  • All incoming traffic to our servers is routed through Cloudflare.
  • Cloudflare is the authoritative DNS for our domain (legionsecurity.ai).
  • We also use Cloudflare Zero Trust access policies so that the internal management pages ({subdomain}.legionsecurity.ai/mgmt) are reachable only by Legion internal users.

HTTPS proxy

  • Every subdomain we expose to the internet ({subdomain}.legionsecurity.ai) has a DNS record in Cloudflare pointing at the relevant region's public inbound IP address in our VPC.
  • Inbound traffic to that address is accepted only from the published Cloudflare IP ranges, so requests that try to reach the origin directly (bypassing Cloudflare and its access policies) are dropped. The allowlist has to be kept in sync with the list Cloudflare publishes.
  • The HTTPS proxy is the TLS termination point: it presents a managed certificate for the subdomain to Cloudflare and forwards the request internally as plain HTTP.
  • The proxy's URL map sends all incoming traffic to the network endpoint group (NEG) that fronts our Cloud Run backend service.
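The Cloudflare-only ingress rule above has a corollary at the application layer: the real client address arrives in the CF-Connecting-IP header, and that header is only meaningful if the TCP peer really is a Cloudflare edge. The following is an added example (not code from the Legion Security page or project) that makes that decision for a few constructed requests; the IP ranges are a partial snapshot of Cloudflare's published IPv4 list and must be refreshed from https://www.cloudflare.com/ips-v4 (and ips-v6) in practice.

```python
"""Decide whether a request really arrived through Cloudflare before trusting
its client-IP header. Added example; the ranges below are a partial snapshot of
Cloudflare's published IPv4 list and must be refreshed from
https://www.cloudflare.com/ips-v4 in a real deployment."""
import ipaddress
from typing import Iterable

# Partial snapshot of Cloudflare's published IPv4 ranges (refresh from the URL above).
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_peer(peer_ip: str, ranges=CLOUDFLARE_RANGES) -> bool:
    """True if the TCP peer that connected to the origin is inside Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def effective_client_ip(peer_ip: str, headers: dict) -> tuple:
    """Return (client_ip, via_cloudflare).

    CF-Connecting-IP is set by Cloudflare's edge and is only meaningful when the
    peer is a Cloudflare address. A request that reached the origin directly can
    carry any header it likes, so in that case the peer address itself is the
    client and the header is ignored. Callers enforcing Cloudflare-only ingress
    drop the request when via_cloudflare is False.
    """
    if is_cloudflare_peer(peer_ip):
        return headers.get("CF-Connecting-IP", peer_ip), True
    return peer_ip, False


# Constructed requests as the origin would see them: (peer address, headers).
SAMPLE_REQUESTS = [
    # Normal path: Cloudflare edge connects, header carries the real client.
    ("172.68.10.5", {"CF-Connecting-IP": "203.0.113.7", "Host": "app.legionsecurity.ai"}),
    # Direct-to-origin hit with a spoofed header: peer is not a Cloudflare range.
    ("198.51.100.9", {"CF-Connecting-IP": "10.0.0.1", "Host": "app.legionsecurity.ai"}),
]


def triage(requests: Iterable) -> list:
    """Classify each request as allow/drop and report which address to log as the client."""
    out = []
    for peer, hdrs in requests:
        client, trusted = effective_client_ip(peer, hdrs)
        out.append({"peer": peer, "client": client, "action": "allow" if trusted else "drop"})
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS):
        print(row)
```

The IP allowlist only proves the last hop was Cloudflare's network, not that it was Cloudflare acting for this zone; Cloudflare's Authenticated Origin Pulls (client certificates on the edge-to-origin leg) closes that gap and is worth enabling alongside the range filter.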

Cloud Run

  • Cloud Run is the serverless infrastructure that runs our containers.
  • The Cloud Run service template for the backend service defines how the service runs: which image to run, which environment variables and secrets to pass to it at boot, how to check service health after the container starts and periodically afterwards, etc.
  • The service runs as a dedicated service account, which it uses to authenticate to GCP services; the account's IAM roles define what it may do (read secrets from Secret Manager, pull the image from the repository, etc.).
  • Outgoing traffic from the service to the internet is routed through a serverless VPC connector to Cloud NAT and out via a dedicated public IP address, giving us a fixed source IP when calling external resources. This only holds when the service's VPC egress setting is all-traffic; with the default private-ranges-only setting, internet-bound requests skip the connector and leave from a dynamic Google IP instead.
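The properties listed above (dedicated service account, secrets from Secret Manager rather than plaintext env, health probes, all egress through the VPC connector, ingress limited to the load balancer) are all visible in the service manifest and can be checked mechanically. The following is an added example, not the project's own code: it audits a constructed manifest in the shape that `gcloud run services describe --format yaml` returns, using the real Cloud Run annotation names; the project, image, secret and connector names are assumptions.

```python
"""Audit a Cloud Run service manifest for the security properties the topology
relies on. Added example; SERVICE is a constructed stand-in for the real
template, and every project/image/secret/connector name in it is assumed."""
import copy

# Constructed manifest (Knative serving shape used by Cloud Run). Names are assumptions.
SERVICE = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {
        "name": "backend",
        "annotations": {
            # Only the HTTPS load balancer and VPC-internal callers may reach the service.
            # The default "all" would leave the *.run.app URL reachable directly,
            # bypassing Cloudflare and the load balancer entirely.
            "run.googleapis.com/ingress": "internal-and-cloud-load-balancing",
        },
    },
    "spec": {"template": {
        "metadata": {"annotations": {
            "run.googleapis.com/vpc-access-connector": "backend-connector",  # assumed name
            "run.googleapis.com/vpc-access-egress": "all-traffic",           # needed for the fixed NAT IP
        }},
        "spec": {
            "serviceAccountName": "backend-sa@example-project.iam.gserviceaccount.com",  # assumed
            "containers": [{
                "image": "us-docker.pkg.dev/example-project/backend/backend:1.2.3",  # assumed
                "env": [
                    {"name": "LOG_LEVEL", "value": "info"},
                    # Secret injected from Secret Manager at boot, never stored in the template.
                    {"name": "OPENAI_API_KEY",
                     "valueFrom": {"secretKeyRef": {"name": "openai-api-key", "key": "latest"}}},
                ],
                "startupProbe": {"httpGet": {"path": "/healthz", "port": 8080},
                                 "periodSeconds": 5, "failureThreshold": 12},
                "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080},
                                  "periodSeconds": 30},
            }],
        },
    }},
}

SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD")


def audit_service(svc: dict) -> list:
    """Return a list of findings; an empty list means the manifest matches the topology."""
    findings = []
    ingress = svc["metadata"].get("annotations", {}).get("run.googleapis.com/ingress", "all")
    if ingress == "all":
        findings.append("ingress is 'all': the run.app URL bypasses Cloudflare and the load balancer")
    tmpl = svc["spec"]["template"]
    ann = tmpl.get("metadata", {}).get("annotations", {})
    if "run.googleapis.com/vpc-access-connector" not in ann:
        findings.append("no VPC connector: egress will not use the fixed NAT IP")
    elif ann.get("run.googleapis.com/vpc-access-egress") != "all-traffic":
        findings.append("vpc-access-egress is not 'all-traffic': internet traffic skips the NAT")
    sa = tmpl["spec"].get("serviceAccountName", "")
    if not sa or sa.endswith("-compute@developer.gserviceaccount.com"):
        findings.append("service runs as the default Compute Engine service account")
    for c in tmpl["spec"].get("containers", []):
        for e in c.get("env", []):
            if "value" in e and any(h in e["name"].upper() for h in SECRET_HINTS):
                findings.append(f"env {e['name']} is a plaintext value; use a Secret Manager secretKeyRef")
        if "startupProbe" not in c and "livenessProbe" not in c:
            findings.append(f"container {c.get('image')} has no health probes")
    return findings


def weakened_service() -> dict:
    """A copy of SERVICE with the settings a reviewer should reject, for comparison."""
    bad = copy.deepcopy(SERVICE)
    bad["metadata"]["annotations"]["run.googleapis.com/ingress"] = "all"
    bad["spec"]["template"]["metadata"]["annotations"]["run.googleapis.com/vpc-access-egress"] = "private-ranges-only"
    bad["spec"]["template"]["spec"]["serviceAccountName"] = "123456789-compute@developer.gserviceaccount.com"
    bad["spec"]["template"]["spec"]["containers"][0]["env"][1] = {"name": "OPENAI_API_KEY", "value": "sk-plaintext"}
    return bad


if __name__ == "__main__":
    print("hardened:", audit_service(SERVICE))
    print("weakened:", audit_service(weakened_service()))
```

The ingress check is the one most easily missed: the HTTPS proxy and the Cloudflare allowlist protect the load balancer's address, but a Cloud Run service left at the default ingress setting still answers on its own run.app hostname.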

OpenAI

  • All outgoing calls from our service to the internet, including those to OpenAI, leave the Cloud Run service through the serverless VPC connector to Cloud NAT, which sends them to the internet from a single public IP address per NAT gateway. That fixed address is the one we can give to external resources that allowlist callers.