
Directing all website traffic into a FortiGate NGFW on GCP

Hi all.

We have a requirement to inspect all traffic coming into multiple websites through application load balancers.

Our current flow is: client -> Application load balancer -> backend service.

My desired flow is the following:

client -> application load balancer OR Passthrough load balancer -> NGFW -> internal passthrough load balancer (to distribute traffic to backends) -> backend services

I have multiple questions regarding the desired flow:

  1. I would like to use an application load balancer instead of passthrough if applicable in order to leverage GCP's Cloud Armor WAF, layer 7 DDoS protection, and managed Google certificates.

    • In case of ALB, will I need a separate load balancer per application, or can one load balancer with multiple forwarding rules and backends be enough?

  2. In case the application load balancer is not applicable and I have to go with a passthrough load balancer as per this Google documentation:

    1. How do I provision certificates for my websites? Will Google managed certificates work, or will they have to be managed at the server level?

  3. For the internal load balancer distributing traffic to the backends, will the passthrough LB be sufficient, or is another type needed?

Any help would be appreciated, as I have gone through multiple documentation pages and most mention only passthrough LBs, and I would prefer to use application load balancers for the reasons mentioned above.

Thank you in advance to anyone who provides feedback on this matter.
