Access application allows users access to RDS database despite not being added to allow policy.

Hello,

We’ve configured a test RDS database with Cloudflare Warp using “self-hosted private application” under Access. It’s currently set up with a dns name so it can be reached with a simple database.company.com address.

The trouble now comes when I try to set up the allow policy with my user and test it with another user who isn’t allowed - we are both able to connect to the DB. By default I believe Cloudflare blocks anyone who isn’t explicitly allowed access through a policy so not sure where it went wrong.

Could I please get some help on this? I mainly need to know if I’m setting it up wrong perhaps or there’s something else at play being overlooked.

Questions:

Does Cloudflare block users by default if they aren’t specifically allowed access through a policy?
If a DB is running on port 5432 - would it fall under self-hosted or infrastructure application? (I didn’t choose infrastructure because it seems to only work with SSH protocol)

Appreciate any help you can provide.

Cyb3r-Jak3•5/16/25, 9:55 PM

How are user connections to the DB? You should also see the policy logs in the Zero Trust dashboard

HeavyDistortionOP•5/17/25, 4:53 PM

Users would connect using the DB apps available so PSQL for PostgreSQL DBs as an example. When I check the logs there aren’t any connection logs to the Access app even though they are using the same hostname configured and through Warp. Not sure where it’s going wrong but I’ve been wondering if this is to do with how it is set up.

Are Access apps just for websites or something using HTTP/HTTPS and not DBs running on other ports? If that’s the case would I then need to create a tunnel and add the policy under Gateway to control traffic to the DB IP?

Cyb3r-Jak3•5/17/25, 4:59 PM

Access apps can be used for any TCP. It seems like the access requests are no going through cloudflare. For arbitrary TCP the user would need to access by running cloudflared access tcp --hostname tcp.site.com --url localhost:9210cloudflared access tcp --hostname tcp.site.com --url localhost:9210 then connect psql to localhost:9210localhost:9210. https://developers.cloudflare.com/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/#2-connect-to-the-resource
There is also Access for InfrastructureAccess for Infrastructure but I have not used that yet

Cloudflare Docs

Arbitrary TCP

Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to resources over arbitrary TCP without being on a virtual private network (VPN).

HeavyDistortionOP•5/17/25, 6:43 PM

I tried using the Infrastructure app option but it only has the SSH protocol available which I don’t think that works with DBs.

I looked into the Arbitrary TCP option but then I have around 20 DBs to get configured on CF so my users can connect to Warp and it acts as a VPN to allow them access to DBs. Doing the Arbitrary TCP option means they’d have to run the command to connect to every DB and that kinda makes it difficult for them. I was hoping to allow them access to it by just connecting to Warp and if they are allowed via the policy then they can connect or else be blocked. Do you know how that would be possible if not from Access apps?

HeavyDistortionOP•5/19/25, 12:23 PM

So, a bit weird that one test DB works with going through Access but the other doesn’t. I’m not sure what the reason could be since they are both set up identically.

The only difference is that one DB is configured with the endpoint directly and the one that doesn’t work is configured with a proxy endpoint. Could this be the reason for the DB not going through Access?

Access application allows users access to RDS database despite not being added to allow policy.

Similar Threads

Similar Threads

Similar Threads