Multi-cloud load balancing with Traefik

If you're managing a complex infrastructure spread across multiple cloud providers, you know the challenges of balancing traffic and ensuring high availability.

Running workloads across multiple cloud providers sounds good on paper: you avoid vendor lock-in, optimize costs, and gain resilience if one provider goes down. In practice, the hard part is balancing traffic across those providers without adding complexity or latency.

We solved this by combining two tools: Traefik for routing and load balancing, and Cloudflare Tunnel for securely exposing backends across clouds.

Traefik is a modern reverse proxy and load balancer that natively supports service discovery. In a multi-cloud setup, Traefik lets you define backends living on AWS, GCP, Azure, or even bare metal, and route traffic intelligently between them.

Normally, Traefik would need direct network access to all your backends. That means public IPs, firewalls, and potential latency across regions. Cloudflare Tunnel changes that: each backend connects outbound to the nearest Cloudflare POP, and Traefik connects to those tunnels instead of hitting the backends directly. This removes the need for public IP exposure and usually reduces cross-region latency.

Minimal example

Here’s a simplified Traefik dynamic config that balances between two backends, each connected via Cloudflare Tunnel:

http:
  services:
    app-backends:
      loadBalancer:
        servers:
          - url: http://tunnel-aws:8000
          - url: http://tunnel-gcp:8000

  routers:
    app-router:
      rule: "Host(`app.example.com`)"
      service: app-backends
      entryPoints:
        - websecure

On each backend, you’d run cloudflared tunnel run <name> so Cloudflare provides a local endpoint (tunnel-aws:8000, etc.). Traefik only has to balance between those local tunnel connections.

Lessons learned

  • Don’t assume multi-cloud means faster. Tunnels add a hop, so measure RTTs before committing.
  • When AWS had a regional hiccup, traffic automatically shifted to GCP without DNS changes.
  • Once traffic flows through Cloudflare, your usual TCP monitoring may not see the full picture. We had to instrument Traefik metrics and Cloudflare logs together.
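
The failover in the second lesson depends on Traefik noticing that a tunnel endpoint has stopped answering. The following is an added example, not the configuration from the original post: the minimal config extended with an active health check, a bounded retry, and explicit TLS on the router. The /healthz path, the timings, and the app-retry middleware name are assumptions; adjust them to what your backends expose.

```yaml
http:
  services:
    app-backends:
      loadBalancer:
        # Active health check: a server that fails the probe is taken out
        # of rotation until it passes again, so requests stop going to a
        # tunnel whose backend is down.
        healthCheck:
          path: /healthz        # assumed endpoint; must return 2xx/3xx
          interval: 10s         # assumed probe interval
          timeout: 3s           # keep below interval; tunnels add a hop
        servers:
          - url: http://tunnel-aws:8000
          - url: http://tunnel-gcp:8000

  middlewares:
    # Hypothetical middleware name. Retries a request that failed to reach
    # a backend, covering the window before the health check reacts.
    app-retry:
      retry:
        attempts: 2
        initialInterval: 100ms

  routers:
    app-router:
      rule: "Host(`app.example.com`)"
      service: app-backends
      middlewares:
        - app-retry
      entryPoints:
        - websecure
      # Without a tls section the router only matches plain HTTP, unless
      # TLS is already enabled on the websecure entrypoint in the static
      # config.
      tls: {}
```

The health check runs from Traefik through the tunnel, so a failing probe can mean the backend is down or the tunnel is; compare against the cloudflared logs before drawing a conclusion.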

Multi-cloud isn’t a free lunch: you trade simplicity for resilience. But with Traefik and Cloudflare Tunnel, you can build a setup that hides the network plumbing complexity and lets you actually benefit from running across providers.