why do you want to mask the internal URL? Is the internal one pointed at your load balancer? I don't think there will be any 100% sure way to hide the URL, it can be captured by a debugging tool quite easily such as Fiddler. If you are trying to only make sure proper traffic comes in, then you can use trusted authentication with whitelisting of the callers. And you can install rules within your load balancer in order to match on specific URI patterns.