3
votes

Quoting https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless#enabling

While Google Cloud Armor can be configured for backend services with Cloud Run (fully managed), Cloud Functions, and App Engine backends, there are certain limitations associated with this capability, especially with Cloud Run (fully managed) and App Engine. Users who have access to the default URLs assigned to these services by Google Cloud can bypass the load balancer and go directly to the service URLs, circumventing any configured Google Cloud Armor security policies.

What would be the best way to avoid the bypass of Cloud Armor by an attacker targeting the Cloud Run URL (*.run.app)?

Normally I would make Cloud Run only invocable by a service account, but Cloud Load Balancer can't use service accounts to call Cloud Run. An alternative is to configure Cloud Load Balancer to use a token in a header and configure the app running in Cloud Run to only accept calls with the correct header/token, but I would prefer not to have to do that in the app.


1 Answer

5
votes

You should restrict the ingress of your service to "Internal and Load Balancing" to disable access from the default domain and only allow traffic to come from Cloud Armor:

gcloud beta run services update SERVICE --ingress internal-and-cloud-load-balancing
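
A way to confirm the ingress setting from the answer above is actually in place on every service, as an added example that is not part of the original answer. It assumes the services were exported with `gcloud run services list --format=json` and that the setting appears as the `run.googleapis.com/ingress` and `run.googleapis.com/ingress-status` annotations; the sample data is constructed, and a missing annotation is treated as `all`.

```python
import json

# Annotation keys as assumed to appear in `gcloud run services list --format=json`.
INGRESS = "run.googleapis.com/ingress"                # requested setting
INGRESS_STATUS = "run.googleapis.com/ingress-status"  # setting currently applied
RESTRICTED = {"internal", "internal-and-cloud-load-balancing"}

# Constructed sample (not real output): four services in different states.
SAMPLE = json.dumps([
    {"metadata": {"name": "api", "annotations": {
        INGRESS: "internal-and-cloud-load-balancing",
        INGRESS_STATUS: "internal-and-cloud-load-balancing"}},
     "status": {"url": "https://api-example.a.run.app"}},
    {"metadata": {"name": "legacy", "annotations": {
        INGRESS: "all", INGRESS_STATUS: "all"}},
     "status": {"url": "https://legacy-example.a.run.app"}},
    {"metadata": {"name": "worker"},  # no annotations at all
     "status": {"url": "https://worker-example.a.run.app"}},
    {"metadata": {"name": "pending", "annotations": {
        INGRESS: "internal-and-cloud-load-balancing",
        INGRESS_STATUS: "all"}},      # requested but not yet applied
     "status": {"url": "https://pending-example.a.run.app"}},
])


def audit(services):
    """Return (name, requested, applied, url) for every service whose default
    run.app URL can still be reached without going through the load balancer."""
    findings = []
    for svc in services:
        meta = svc.get("metadata", {})
        ann = meta.get("annotations") or {}
        # Fail closed: an absent annotation is assumed to mean ingress "all".
        requested = ann.get(INGRESS, "all")
        applied = ann.get(INGRESS_STATUS, requested)
        if requested in RESTRICTED and applied in RESTRICTED:
            continue  # only internal / load balancer traffic is accepted
        url = svc.get("status", {}).get("url")
        findings.append((meta.get("name"), requested, applied, url))
    return findings


if __name__ == "__main__":
    for name, requested, applied, url in audit(json.loads(SAMPLE)):
        print(f"{name}: requested={requested} applied={applied} "
              f"Cloud Armor can be bypassed via {url}")
```
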