My requirement: Prevent non-Twilio access to my ALB-managed application using Cloudflare.
My restrictions: Due to the nature of Twilio's cloud design, it is not possible to whitelist access down to a set of IPs, because of the wide pool of IPs a request could come from.
Possible solution: Twilio suggests a couple of options under https://www.twilio.com/docs/usage/security, but I don't know how to use any of these methods as a means to only allow Twilio traffic. Any validation I design must only be applied to the DNS record of /api in the URL to my site.
Further info: The underlying application is written in PHP. I would prefer a Cloudflare solution over changing code in the application.
A possible approach could be:

1. Check for the X-Twilio-Signature header on your api path (as a first, basic check), and block requests that do not have it.
2. Take the X-Twilio-Signature and the request data, and use the procedure described in the Twilio documentation to validate it. If it matches, forward the request to your load balancer. If it doesn't, return an error to the caller.

Also, make sure your origin server only accepts traffic from Cloudflare to prevent direct tampering.