Tags: google-cloud-platform, google-cloud-run, google-cloud-load-balancer

HTTPS Load balancer in front of Cloud Run


So if I put an HTTPS Load Balancer in front of Cloud Run, what happens?

My Understanding

  1. When a request is made to the LB, it does SSL termination and sends an HTTP request to Cloud Run.
  2. The default GFE, which is a part of Cloud Run, again redirects HTTP to HTTPS and sends out a 302.
  3. Then for the HTTPS, does it do the Cloud Run GFE's SSL termination and send the HTTP request to Cloud Run?

Do let me know if my understanding is correct. It looks like it will be stuck in some infinite loop where the LB does SSL termination and the GFE does the HTTP to HTTPS redirect.

Please explain the flow.

Also, is there any security benefit of having a load balancer in front of Cloud Run?


Solution

  • GFE is a Google layer: not only a Google Cloud layer, but a Google layer that protects all of Google's assets (Gmail, Drive, Maps, ...).

    By default, Cloud Run has a generic/default GFE to protect the service. The HTTPS Load Balancer is a kind of custom GFE that you set up with your parameters, certificate and own backends.

    So, when you use a Load Balancer with Cloud Run, you no longer use the Cloud Run default GFE.


    In addition, YES, only HTTP traffic is delivered to Cloud Run services. But it's not "real" HTTP plain text traffic. The HTTP request is wrapped in a gRPC layer, and encrypted to travel in the internal Google network.

    Viewed from your app, it's an HTTP request, but physically, it's encrypted by GFE and decrypted just before being delivered to your Cloud Run service.

    Note: I didn't mention this, but GFE, and HTTPS load balancer, are proxies. It means the HTTPS connection is terminated at GFE level, and a new one is created between GFE and your Cloud Run services.
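
The answer notes that the app sees an HTTP request even though the client connected over HTTPS. As an added example (not part of the original answer): a Python WSGI wrapper that enforces HTTPS inside the app without the redirect loop the question worries about. It assumes the proxy in front reports the client's scheme in the `X-Forwarded-Proto` header; `https_aware`, `original_scheme` and the host `app.example.com` are illustrative names.

```python
# Added example, not from the original answer.
# Assumption: the proxy reports the client's scheme in X-Forwarded-Proto.
HSTS = ("Strict-Transport-Security", "max-age=31536000")

def original_scheme(environ):
    """Scheme the client used, as reported by the proxy in front of the app."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    # With several values, use the last (assumed written by the nearest proxy).
    value = forwarded.split(",")[-1].strip().lower()
    if value in ("http", "https"):
        return value
    return environ.get("wsgi.url_scheme", "http")  # no usable header

def https_aware(app):
    """Wrap a WSGI app: redirect only when the client itself used HTTP."""
    def wrapped(environ, start_response):
        if original_scheme(environ) != "https":
            query = environ.get("QUERY_STRING", "")
            location = ("https://" + environ.get("HTTP_HOST", "localhost")
                        + environ.get("PATH_INFO", "/")
                        + ("?" + query if query else ""))
            start_response("302 Found", [("Location", location)])
            return [b""]
        environ["wsgi.url_scheme"] = "https"  # so generated URLs use https
        def with_hsts(status, headers, exc_info=None):
            return start_response(status, list(headers) + [HSTS], exc_info)
        return app(environ, with_hsts)
    return wrapped

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["wsgi.url_scheme"].encode()]

def call(environ):
    """Run the wrapped demo app on a constructed environ."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(https_aware(demo_app)(environ, start_response))
    return seen["status"], seen["headers"], body

# Constructed request as the app sees it: plain HTTP, client used HTTPS.
BEHIND_PROXY = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https",
                "HTTP_HOST": "app.example.com", "PATH_INFO": "/"}
```

Redirecting on `wsgi.url_scheme` alone would send a 302 on every request behind a TLS-terminating proxy, since the app-side hop is always seen as HTTP.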