In this article I’ll be covering how to configure Cloudflare Zero Trust to access your private network without opening up any external firewall ports.
We’ll be deploying a Cloudflare tunnel agent into Kubernetes as a means of accessing resources on your private network via Cloudflare.
In this article I won’t be covering how to configure access groups or applications to provide user/role-level access to specific resources, but I will follow up with another article on this soon.
What is Cloudflare Zero Trust?
Cloudflare Zero Trust uses a number of named concepts to provide access to your private and public resources through its infrastructure.
Tunnels are the bread and butter of the Cloudflare Zero Trust network. They are a network of agents deployed in your private networks that handle the routing for traffic proxied via the Cloudflare infrastructure into your private networks.
They exist as an agent that can run on any number of operating systems or container platforms (installation instructions for your platform can be found in the Cloudflare Zero Trust dashboard).
Applications can be used within Cloudflare Zero Trust to give users of your account access to specific resources via the Cloudflare network, depending on their account type, source IP, etc.
Applications are presented to users in the form of a dashboard (served from https://<team name>.cloudflareaccess.com). Users simply click on the application they require access to and are forwarded on to it (via the Cloudflare infrastructure). Access can be granted on a temporary basis and for a restricted period of time as required (configurable per app).
We won’t be covering Applications in this article, but they will be included in one to follow.
Gateways are additional functionality provided by Cloudflare Zero Trust that can be deployed onto a network to secure browsing at the DNS level (blocking things like adverts, specific websites, categories of websites and many more).
We won’t be covering Gateways in this article, but they will be included in one to follow.