What would be the suggested architecture for an mTLS endpoint using Nomad and Consul on GCP?

I’m setting up a Nomad + Consul cluster on GCP, and some services that are run on the cluster should be accessible from outside using mutual TLS (mTLS).

The Google Cloud Load Balancers cannot handle mTLS, so I was thinking about running an NGINX / Traefik / other reverse proxy which handles mTLS on one of my nodes, and then attributing a public static IP to this node.

Is that the way to do it? Is there a better way to do this?