Calling a private service behind a cloudflared tunnel

I currently have service running in a private VPC on AWS that I want to talk to from CloudFlare Workers. So I set up a cloudflared tunnel to it. I got everything working by setting up a public hostname and protecting it with a "Self-Hosted" Application using aa service auth token.

However I'm a bit uncomfortable with having a public DNS record (even if it's technically protected by the Application policies). e.g. what if someone accidentally deletes the Application?

Is it possible to get rid of the public hostname altogether and call the

*.cfargotunnel.com

*.cfargotunnel.com

*.cfargotunnel.com

*.cfargotunnel.com address directly from Workers?

Ttskuzzy I currently have service running in a private VPC on AWS that I want to talk to ...

Chaika•5/11/24, 1:31 AM

Is it possible to get rid of the public hostname altogether and call the *.cfargotunnel.com address directly from Workers?

No sadly, tried that before myself. Would be cool though.

However I'm a bit uncomfortable with having a public DNS record (even if it's technically protected by the Application policies). e.g. what if someone accidentally deletes the Application?

Under Additional Application Settings -> Access, you can make it so that public hostname verifies the request passed through a specific application

Chaika•5/11/24, 1:31 AM

slightly better screenshot

tskuzzyOP•5/11/24, 3:40 AM

Let me know If I understand correctly: if I enable that option, when a user visits the hostname, CF will send an "application JWT" to cloudflared, which will automatically verify that JWT?

isn't that kind of unnecessary since the only way to access cloudflared in the first place is through the hostname?

Ttskuzzy Let me know If I understand correctly: if I enable that option, when a user visi...

Chaika•5/11/24, 3:54 AM

when a user visits the hostname, CF will send an "application JWT" to cloudflared, which will automatically verify that JWT?

When the user passes through the access application successfully, passing the application's policies, CF Access will send a JWT verifying they passed it, and cloudflared (running on your origin) will verify the token

isn't that kind of unnecessary since the only way to access cloudflared in the first place is through the hostname?

No, as you said above

. what if someone accidentally deletes the Application?

it verifies they passed through the specific application you select too, not just any

tskuzzyOP•5/11/24, 5:03 AM

ah I see, thanks for the clarification! That was helpful

tskuzzyOP•5/13/24, 4:41 PM

btw, do you have any idea how to configure this via Terraform? Is it this option? https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/tunnel_config#nested-schema-for-configorigin_requestaccess

And if so, how do I specify the hostname? is it aud_tag / team_name?

Terraform Registry

Ttskuzzy btw, do you have any idea how to configure this via Terraform? Is it this option...

Chaika•5/13/24, 5:12 PM

idk much about terraform but yea, it's under the ingress rule and it's the aud_tag/team_name

Chaika•5/13/24, 5:14 PM

your team name is under Settings -> Custom Pages and the Aud tag is under the Application Overview in the first section/Application Configuration in the zt dash

Calling a private service behind a cloudflared tunnel

Similar Threads

Similar Threads

Similar Threads