Cloudflare Zero Trust

Secure access to internal services without VPNs using Cloudflare's Zero Trust platform (Access, Tunnel, Gateway, and WARP).

When to Use

• Replacing VPN access to internal web applications, SSH, or RDP.
• Enforcing identity-aware access policies on internal tools (dashboards, admin panels).
• Exposing on-premises or private-network services securely to remote teams.
• Filtering DNS traffic to block malware, phishing, and shadow IT.
• Enforcing device posture checks (managed devices, OS version, disk encryption).

Prerequisites

• Cloudflare account with Zero Trust plan (free tier supports up to 50 users).
• A domain on Cloudflare (for Access application hostnames).
• Identity provider configured (Google Workspace, Okta, Azure AD/Entra ID, GitHub).
• cloudflared CLI installed on the server hosting internal services.

# Install cloudflared
# macOS
brew install cloudflared

# Debian/Ubuntu
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install -y cloudflared

# Docker
docker pull cloudflare/cloudflared:latest

Cloudflare Tunnel Setup

Tunnels create encrypted outbound connections from your infrastructure to Cloudflare's edge, eliminating the need to open inbound ports.

Create and Configure a Tunnel

# Authenticate with Cloudflare
cloudflared tunnel login

# Create a named tunnel
cloudflared tunnel create internal-apps

# This creates credentials at ~/.cloudflared/<TUNNEL_ID>.json

# List tunnels
cloudflared tunnel list

# Route DNS to the tunnel (creates a CNAME record)
cloudflared tunnel route dns internal-apps grafana.example.com
cloudflared tunnel route dns internal-apps wiki.example.com
cloudflared tunnel route dns internal-apps ssh.example.com

Tunnel Configuration File

# ~/.cloudflared/config.yml
tunnel: <TUNNEL_ID>
credentials-file: /home/deploy/.cloudflared/<TUNNEL_ID>.json

ingress:
  # Grafana dashboard
  - hostname: grafana.example.com
    service: http://localhost:3000

  # Internal wiki
  - hostname: wiki.example.com
    service: http://localhost:8080
    originRequest:
      noTLSVerify: true

  # SSH access via browser
  - hostname: ssh.example.com
    service: ssh://localhost:22

  # Private network access (CIDR routing)
  - hostname: internal.example.com
    service: http://10.0.0.0/24

  # Catch-all — required as the last rule
  - service: http_status:404

Run the Tunnel

# Run in foreground (for testing)
cloudflared tunnel run internal-apps

# Install as a systemd service
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

# Or run via Docker
docker run -d --name cloudflared \
  --restart unless-stopped \
  -v /home/deploy/.cloudflared:/etc/cloudflared \
  cloudflare/cloudflared:latest \
  tunnel run internal-apps

Docker Compose with Tunnel

# docker-compose.yml
version: "3.8"
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    networks:
      - internal

  grafana:
    image: grafana/grafana:latest
    networks:
      - internal

  wiki:
    image: requarks/wiki:2
    networks:
      - internal

networks:
  internal:
    driver: bridge

Access Policies

Access policies control who can reach applications behind Cloudflare.

Create an Access Application

# Via API — create a self-hosted application
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
  -H "Authorization: Bearer $CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Grafana",
    "domain": "grafana.example.com",
    "type": "self_hosted",
    "session_duration": "12h",
    "auto_redirect_to_identity": true,
    "allowed_idps": ["<IDP_UUID>"]
  }'

Policy Types and Examples

# Allow policy — members of the engineering group
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/<APP_ID>/policies" \
  -H "Authorization: Bearer $CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Engineering Team",
    "decision": "allow",
    "include": [
      { "group": { "id": "<GROUP_UUID>" } }
    ],
    "require": [
      { "login_method": { "id": "<MFA_METHOD_UUID>" } }
    ]
  }'

Common Policy Patterns

Pattern	Include Rule	Require Rule
All employees	Email domain @company.com	-
Engineering only	Access Group "Engineering"	MFA
Contractors (time-limited)	Email list	Device posture
CI/CD automation	Service token	-
External partners	Specific emails	Country check

Service Tokens for Automation

# Create a service token for CI/CD
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \
  -H "Authorization: Bearer $CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "github-actions-deploy"}'

# Response includes Client ID and Client Secret
# Use in CI with headers:
# CF-Access-Client-Id: <CLIENT_ID>
# CF-Access-Client-Secret: <CLIENT_SECRET>

# Use service token in CI/CD
curl -H "CF-Access-Client-Id: $CF_CLIENT_ID" \
     -H "CF-Access-Client-Secret: $CF_CLIENT_SECRET" \
     https://grafana.example.com/api/health

Device Posture Checks

Enforce endpoint requirements before granting access.

Configure Posture Checks (Dashboard)

1. Go to Settings > WARP Client > Device posture.
2. Add checks:
   • Disk encryption: Require FileVault (macOS) or BitLocker (Windows).
   • OS version: Minimum macOS 14.0 or Windows 11.
   • Firewall: Ensure host firewall is enabled.
   • Crowdstrike/SentinelOne: Verify EDR agent is running.
3. Reference posture checks in Access policies under Require rules.

Gateway DNS Filtering

Block malicious domains and enforce acceptable use policies at the DNS level.

DNS Locations

# Configure DNS endpoints for offices or networks
# Dashboard: Gateway > DNS Locations > Add a location
# Assign the Gateway DNS IPs to your network's DNS resolver:
# IPv4: 172.64.36.1, 172.64.36.2
# IPv6: 2606:4700:4700::1111
# DoH: https://<UNIQUE_ID>.cloudflare-gateway.com/dns-query

DNS Policies

# Create a DNS policy to block malware and phishing
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  -H "Authorization: Bearer $CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Block Security Threats",
    "enabled": true,
    "action": "block",
    "traffic": "any(dns.security_category[*] in {80 83 131 134 151 153})",
    "filters": ["dns"]
  }'

Common DNS Policy Rules

Rule Name	Traffic Expression	Action
Block malware	any(dns.security_category[*] in {80 83})	Block
Block phishing	any(dns.security_category[*] in {131 134})	Block
Block social media	any(dns.content_category[*] in {75})	Block
Allow exceptions	dns.fqdn == "allowed.example.com"	Allow

WARP Client Deployment

Deploy the Cloudflare WARP client to route traffic through Gateway.

# MDM deployment — macOS configuration profile
# Use Cloudflare's managed deployment:
# Dashboard: Settings > WARP Client > Device enrollment

# Manual enrollment
# 1. Install WARP client from https://1.1.1.1
# 2. Click gear icon > Account > Login with Cloudflare Zero Trust
# 3. Enter your team name (from Settings > General)

# Verify WARP is connected
curl https://connectivity.cloudflare.com/cdn-cgi/trace
# Look for: warp=on

WARP Split Tunnels

# Configure split tunnels to exclude certain traffic from WARP
# Dashboard: Settings > WARP Client > Device settings > Split Tunnels

# Exclude mode (default): WARP handles everything except listed IPs
# Include mode: WARP only handles listed IPs/domains

# Common exclusions:
# - Local network: 192.168.0.0/16, 10.0.0.0/8
# - Video conferencing: zoom.us, *.teams.microsoft.com
# - Printer subnets

SSH and Browser-Based Terminal

# In cloudflared config.yml — expose SSH via browser rendering
ingress:
  - hostname: ssh.example.com
    service: ssh://localhost:22

# Users access ssh.example.com in their browser
# Cloudflare renders an in-browser terminal after Access authentication

# Or use cloudflared on the client side for native SSH
cloudflared access ssh --hostname ssh.example.com

# Add to SSH config for seamless access
# ~/.ssh/config
# Host ssh.example.com
#   ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

Troubleshooting

Symptom	Cause	Fix
Tunnel shows ERR in dashboard	cloudflared not running or config error	Check systemctl status cloudflared; validate config YAML
Access returns 403 despite correct identity	Policy order or missing require rule	Policies are evaluated top-to-bottom; ensure Allow is above Block
WARP shows "Unable to connect"	Team name wrong or enrollment disabled	Verify team name in Settings > General; check enrollment permissions
Service token auth fails	Token expired or wrong headers	Regenerate token; use both CF-Access-Client-Id and CF-Access-Client-Secret
DNS filtering not blocking	Client not using Gateway DNS resolvers	Verify DNS is set to 172.64.36.1; check WARP is connected
Tunnel latency spikes	Tunnel running on overloaded host	Monitor cloudflared resource usage; run on dedicated infra
"No healthy origins" error	Backend service is down	Check the service at the configured ingress port; review cloudflared logs

Related Skills

• cloudflare-workers - Edge compute behind Access policies
• dns-management - DNS routing and record management
• reverse-proxy - Alternative gateway patterns
• service-mesh - Internal service-to-service security