diff --git a/README.md b/README.md
index 780aa5e..de70b43 100644
--- a/README.md
+++ b/README.md
@@ -66,7 +66,7 @@ definition [here](https://github.com/chainguard-dev/sdk/blob/main/proto/platform
 If a `${TOKEN}` suitable for federation is sent like so:
 ```
 curl -H "Authorization: Bearer ${TOKEN}" \
- "https://octo-sts-cp2estmhja-uc.a.run.app/sts/exchange?scope=${REPO}&identity=${NAME}"
+ "https://octo-sts.dev/sts/exchange?scope=${REPO}&identity=${NAME}"
 ```
 The App will attempt to load the trust policy from
diff --git a/iac/gclb.tf b/iac/gclb.tf
index 866691e..d72aeb3 100644
--- a/iac/gclb.tf
+++ b/iac/gclb.tf
@@ -9,3 +9,23 @@ resource "google_dns_managed_zone" "top-level-zone" {
 state = "on"
 }
 }
+
+// Put the above domain in front of our regional services.
+module "serverless-gclb" {
+ source = "github.com/chainguard-dev/terraform-infra-common//modules/serverless-gclb"
+
+ name = var.name
+ project_id = var.project_id
+ dns_zone = google_dns_managed_zone.top-level-zone.name
+
+ // Regions are all of the places that we have backends deployed.
+ // Regions must be removed from serving before they are torn down.
+ regions = keys(module.networking.regional-networks)
+ serving_regions = keys(module.networking.regional-networks)
+
+ public-services = {
+ "octo-sts.dev" = {
+ name = var.name
+ }
+ }
+}
diff --git a/iac/main.tf b/iac/main.tf
index 0f1ff34..b72c9b0 100644
--- a/iac/main.tf
+++ b/iac/main.tf
@@ -94,8 +94,8 @@ module "sts-service" {
 name = var.name
 regions = module.networking.regional-networks
- // TODO: Put this behind GCLB
- ingress = "INGRESS_TRAFFIC_ALL"
+ // Only accept traffic coming from GCLB.
+ ingress = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"
 // This needs to egress in order to talk to Github
 egress = "PRIVATE_RANGES_ONLY"
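Review bot: The `source` on the `module "serverless-gclb"` line carries no `?ref=` pin, so every `terraform init` resolves whatever the default branch of terraform-infra-common holds at that moment, and the load-balancer, DNS and backend wiring for octo-sts.dev can change underneath this repository without any diff appearing here. Pinning to a tag or commit keeps the module immutable and reviewable: `source = "github.com/chainguard-dev/terraform-infra-common//modules/serverless-gclb?ref=<TAG_OR_COMMIT>"` (placeholder — use the revision this change was actually applied with). Only this module source is visible in the hunk; other module sources in iac/ are worth the same check.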
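Review bot: Switching `ingress` to `INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER` only restricts which network path may reach the service; it does not by itself authorize requests arriving through the load balancer, and the `allUsers` `roles/run.invoker` binding that previously permitted unauthenticated calls is deleted in the next hunk. Unless `module.serverless-gclb` grants the invoker role for the services listed under `public-services` (not visible in this diff — worth confirming in the module), Cloud Run IAM will reject requests forwarded by the GCLB and the token exchange endpoint shown in the README becomes unreachable. If the module does grant it, record the invariant where it lives so the next reader does not re-add a blanket binding: `// Public (unauthenticated) access is granted by module.serverless-gclb; the ingress setting below keeps the only network path through GCLB.` The `module "sts-service"` block starts before this hunk and continues past it.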
@@ -120,17 +120,3 @@ module "sts-service" {
 }
 }
 }
-
- // TODO: Remove this when we shift the above to be behind GCLB.
-resource "google_cloud_run_v2_service_iam_member" "public-services-are-unauthenticated" {
- for_each = module.networking.regional-networks
- // Ensure that the service exists before attempting to expose things publicly.
- depends_on = [module.sts-service]
- project = var.project_id
- location = each.key
- name = var.name
- role = "roles/run.invoker"
- member = "allUsers"
-}