Your company runs a popular gaming platform with backend instances that have only private IP addresses. These instances receive traffic through a global external HTTP(S) load balancer. Recently, you’ve partnered with a third-party traffic-scrubbing service to mitigate potential attacks, and now you want to ensure that only traffic from this scrubbing service can reach your origin servers. What is the most appropriate way to enforce this restriction?