You could use the load balancer filter, I would think, for all...
Possible setup:
force traffic filter to not allow traffic where URL
NOT */cloud/org/*
This would allow API access, and system admin access -- but users would not be able to get directly to the webGUI for org access (as that is on /cloud/org/SOMETHING) -- the system admin access goes to /cloud/#/ .
I have not tested this, but it seems like it would work.
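
A sketch of the path decision such a filter would have to make, reading the setup above as "deny `/cloud/org/*`, allow everything else" (an added example, not part of the original post and not any load balancer's own rule syntax). The function names, the `/api/` sample path and the case-insensitive matching are assumptions; the point is that the path is normalized before the prefix is compared, so equivalent spellings of the same URL get the same verdict.

```python
import posixpath
from urllib.parse import unquote

BLOCKED = "/cloud/org"  # tenant web GUI prefix named in the post


def normalize_path(request_target: str) -> str:
    """Reduce a request target to one canonical path before matching."""
    # Drop query string and fragment; only the path is filtered.
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    # Decode percent-escapes a bounded number of times so single or
    # double encoding yields the same path as the plain spelling.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Force exactly one leading slash, then collapse "//", "." and "..".
    path = posixpath.normpath("/" + path.lstrip("/"))
    # Assumption: the backend matches paths case-insensitively, so fail closed.
    return path.lower()


def is_allowed(request_target: str) -> bool:
    """True if the request may pass; False for anything under /cloud/org/."""
    path = normalize_path(request_target)
    return not (path == BLOCKED or path.startswith(BLOCKED + "/"))


# Constructed sample request targets (not taken from a real system).
SAMPLES = [
    "/api/sessions",           # API access (path is an assumption)
    "/cloud/#/",               # system admin UI, as described in the post
    "/cloud/organization",     # different path that merely shares the prefix text
    "/cloud/org/acme/",        # tenant UI
    "/cloud//org/acme",        # duplicate slash
    "/cloud/%6Frg/acme",       # percent-encoded letter
    "/cloud/./ORG/acme?x=1",   # dot segment, mixed case, query string
]

if __name__ == "__main__":
    for target in SAMPLES:
        verdict = "ALLOW" if is_allowed(target) else "DENY"
        print(f"{verdict:5}  {target}")
```

Whatever filter language the load balancer uses, the same sample targets make a useful acceptance test for the deployed rule.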