Cloudflare Tunnel

Task

AcmeCorp’s users can now connect to Cloudflare with WARP. Next, let’s onboard the company’s applications. There are 3 AcmeCorp applications running on your Linux server:

  • Public website (HTTP, port 80)
  • Private intranet (HTTP, port 8000)
  • Fileserver (SMB, ports 137-139, 445)

Use Cloudflare Tunnel (cloudflared) as an on-ramp for all of these.

Why?

  • Zero Trust security model requires granular access control to all your applications, including internal on-prem apps, apps hosted in private clouds, and SaaS apps.
  • Cloudflare Tunnel connects the first two types (on-prem and cloud-hosted apps) to Cloudflare’s network, where access policies can be enforced. It does this through a lightweight daemon (cloudflared) installed in your infrastructure.
  • As a bonus, the daemon creates outbound-only connections to Cloudflare’s edge, so it doesn’t require any new inbound firewall rules.

Lab Steps

1. Connect to the Ubuntu VM

Note the 3 AcmeCorp applications that are running by typing this command:

sudo docker ps --format "{{.Names}}: {{.Ports}}"

You should see the following output:

website: 0.0.0.0:80->80/tcp, :::80->80/tcp
intranet: 0.0.0.0:8000->80/tcp, :::8000->80/tcp
samba: 0.0.0.0:139->139/tcp, :::139->139/tcp, 137-138/udp, 0.0.0.0:445->445/tcp, :::445->445/tcp

2. Create a tunnel and onboard public website

  • In the Zero Trust dashboard, navigate to Networks ‣ Tunnels and create a new tunnel by clicking Add a tunnel.
  • Name your Tunnel and then press Save Tunnel
  • In the Install connector step, select Debian ‣ 64-bit and copy the command on the left
(Screenshot: Configure tunnel)
  • Paste the command into the Ubuntu Linux terminal
  • This will install cloudflared and automatically configure the tunnel
  • When that command has run successfully on your Ubuntu machine, the tunnel page should show the connector with a status similar to the one below:

(Screenshot: connector status on the tunnel page)

Note: If you receive an error when installing the tunnel, run these commands to remove cloudflared before you try installing it again:

sudo cloudflared service uninstall && sudo rm -rf /etc/systemd/system/cloudflare* && sudo systemctl daemon-reload
  • Press Next to move to the final step
  • Here we will create a public hostname for AcmeCorp's website running on the origin server's port 80
  • Whenever anyone on the internet accesses this hostname, cloudflared will tunnel that traffic to port 80 on the origin server
  • Make sure you are switched to the Public Hostnames tab
  • Leave the subdomain field blank
  • Select your Domain from the dropdown
  • Under Service, enter Type: HTTP and URL: localhost:80
(Screenshot: Tunnel hostname)
  • Save your changes

3. Connector diagnostics

Now your tunnel should be working. Before we test that, let’s open Connector diagnostics for the tunnel. Here you can see the traffic coming through the tunnel and troubleshoot any potential issues.

(Screenshot: Connector diagnostics)

Here you can see the data centers your tunnel is connected to, its cloudflared version, its private IP, and so on.

Click on Begin log stream to start monitoring traffic going through the tunnel.

(Screenshot: Connector details)

4. Test access to public website

Open the FQDN you just defined (for example, ancient-uncle.cfiq.io) in any browser on your Windows VM host. You should see AcmeCorp’s website:

(Screenshot: Public website can be opened in a browser)

You can also see these requests coming through in the Connector diagnostics you opened in Step 3:

(Screenshot: Log stream)
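As an added example (not part of the lab and not Cloudflare's own tooling), the script below runs the terminal-side checks that back up steps 1 to 4: it reads the published host port of each container from the docker ps output shown in step 1 (so the Service URL in step 2 points at the host-side port, not the container-internal one), confirms the origin answers on localhost, confirms the cloudflared service is active without any TCP listener on a non-loopback address (the outbound-only property from the Why? section), and finally fetches the public hostname over HTTPS and requires Cloudflare's cf-ray response header. The sample docker ps listing is constructed from the step 1 output, and the hostname argument is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab: terminal-side checks for steps 1-4,
# run on the Ubuntu VM that hosts the containers.
# Assumes docker, curl, ss and systemd are available. The public hostname
# from step 2 is passed as the first argument (placeholder, not a real site).

# Constructed sample of `sudo docker ps --format "{{.Names}}: {{.Ports}}"`,
# copied from the output shown in step 1, so host_port can run offline.
SAMPLE_DOCKER_PS='website: 0.0.0.0:80->80/tcp, :::80->80/tcp
intranet: 0.0.0.0:8000->80/tcp, :::8000->80/tcp
samba: 0.0.0.0:139->139/tcp, :::139->139/tcp, 137-138/udp, 0.0.0.0:445->445/tcp, :::445->445/tcp'

# host_port NAME [LISTING]: print the first IPv4 host port published for
# container NAME. The host-side port (left of "->") is what belongs in the
# tunnel's Service URL as localhost:<port>; the container-internal port on
# the right is irrelevant to cloudflared. Returns 1 if NAME is not listed.
host_port() {
  local name="$1" listing="${2:-$SAMPLE_DOCKER_PS}" port
  port=$(printf '%s\n' "$listing" \
    | sed -n "s/^${name}: 0\.0\.0\.0:\([0-9][0-9]*\)->.*/\1/p" | head -n 1)
  [ -n "$port" ] && printf '%s\n' "$port"
}

# origin_status PORT: HTTP status the origin returns on localhost:PORT.
# The tunnel relays whatever the origin answers, so if this is not 200 the
# problem is the origin, not cloudflared.
origin_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 "http://localhost:$1/"
}

# connector_check: the systemd unit installed by the dashboard command must be
# active, and cloudflared must not listen for TCP on any non-loopback address.
# Its only listener should be the local metrics endpoint; all edge traffic is
# dialled outbound, which is why no inbound firewall rule is needed.
connector_check() {
  systemctl is-active --quiet cloudflared || { echo "cloudflared not active"; return 1; }
  if sudo ss -tlnp | grep -F cloudflared | grep -vqE '127\.0\.0\.1:|\[::1\]:'; then
    echo "cloudflared is listening on a non-loopback address"; return 1
  fi
  echo "ok: cloudflared active, no exposed TCP listeners"
}

# public_check HOSTNAME: fetch the hostname over HTTPS and require both a
# 200 and a cf-ray header; cf-ray shows the request traversed Cloudflare
# rather than reaching the origin directly.
public_check() {
  local hdrs status
  hdrs=$(curl -sSI --max-time 10 "https://$1/") || return 1
  status=$(printf '%s\n' "$hdrs" | head -n 1)
  printf '%s\n' "$hdrs" | grep -qi '^cf-ray:' \
    || { echo "no cf-ray header: not served via Cloudflare"; return 1; }
  printf '%s\n' "$status" | grep -q ' 200' \
    || { echo "unexpected status: $status"; return 1; }
  echo "ok: https://$1/ served through Cloudflare"
}

main() {
  local live name port
  live=$(sudo docker ps --format '{{.Names}}: {{.Ports}}')
  for name in website intranet; do
    port=$(host_port "$name" "$live") || { echo "$name not running"; continue; }
    echo "$name -> Service URL localhost:$port (origin HTTP $(origin_status "$port"))"
  done
  connector_check && public_check "$1"
}

# Only run the live checks when a hostname is given, e.g.
#   ./tunnel_check.sh ancient-uncle.cfiq.io
if [ -n "${1:-}" ]; then main "$1"; fi
```

Run it with the hostname you created in step 2; with no argument it only defines the functions, so you can source it and call host_port or public_check individually while troubleshooting in the Connector diagnostics view.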