Well we have been talking about it, and now the reality has been realised.
Back to the Shared Responsibility Model from the cloud provider; who responsibility when we know those who do not read the documentation i.e. the client - you must not should place a gateway in front of all public access to your stack. A load balancer is not sufficient, a Web Application Firewall is a good idea, but remember there are many high end ports left open by default by Cloud Providers, which can provide direct insights from the internet directly. So read, read again, and check with the cloud provider and other sources to validate that you are protected or not.