You can use Access to control who can reach sites you manage on the internet. Cloudflare handles the requests and evaluates whether the user should be allowed through, based on policies you configure. To ensure that Cloudflare gates all traffic, you can lock down your origin to accept connections only from Cloudflare IPs.
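Whether the origin really accepts only proxied traffic can be audited from its own access log. The following is an added example, not Cloudflare's code: it flags requests whose TCP peer address is outside the proxy ranges. The log format, the sample lines and the ranges are constructed stand-ins; real ranges should come from Cloudflare's published IP list.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the proxy's published
# ranges; load the real list from Cloudflare in practice.
PROXY_RANGES = [ipaddress.ip_network(c)
                for c in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed origin log lines: "<peer address> <CF-Connecting-IP header> <request>"
SAMPLE_LOG = """\
198.51.100.17 203.0.113.5 GET /dashboard
192.0.2.44 - GET /dashboard
2001:db8:100::9 203.0.113.8 GET /login
192.0.2.80 198.51.100.17 GET /admin
not-an-ip - GET /
"""

def from_proxy(peer):
    """True only when the TCP peer address is inside a proxy range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparseable peer: treat as untrusted
    return any(addr in net for net in PROXY_RANGES)

def direct_hits(log_text):
    """Return (peer, request) for every request that did not come via the proxy."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # skip malformed lines
        peer, _claimed_client, request = parts
        # Decide on the socket peer only: the header value is set by the
        # sender and proves nothing when the origin is reachable directly.
        if not from_proxy(peer):
            hits.append((peer, request))
    return hits

if __name__ == "__main__":
    for peer, request in direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin request from {peer}: {request}")
```

Any hit means the origin answered a connection that Access never evaluated, so the firewall rule is missing or incomplete.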
However, some organizations want to keep applications or tools off of the internet. Whether the decision is motivated by security concerns or regulatory requirements, the result is that historically your teams would need to connect to your VPN to reach them. With Access, you can avoid the hassle of a VPN and still keep on-premise applications off of the internet by leveraging Cloudflare Argo Tunnel.
Argo Tunnel offers an easy way to expose web servers securely to the internet, without opening up firewall ports and configuring ACLs. Argo Tunnel ensures requests route through Cloudflare before reaching the web server, protecting your server through Cloudflare’s WAF and DDoS mitigation.
Argo Tunnel requires that you first create a zone in Cloudflare with a domain you registered. Argo Tunnel creates a DNS entry for a given hostname so that visitors can find the newly exposed web service. It needs an available hostname first.
Follow the standard Cloudflare setup steps for your zone. Argo Tunnel can use a subdomain, or the domain itself, as the hostname for your locally running web service.
Before creating a tunnel to your application, lock it down with Access. In the Cloudflare dashboard, select the site that will serve as the hostname. You can start by building a simple rule that limits access to only you. You can return to configure rules for your team and more granular policies later.
Follow the detailed instructions here to set up Argo Tunnel.
The walkthrough will take you through the steps to install cloudflared, the software that runs Argo Tunnel, on your server. You will use cloudflared to log in with your Cloudflare account credentials and select the domain that will serve as the hostname for your server.
Argo Tunnel establishes long-lived connections between the two closest Cloudflare data centers and your locally running web server. To do so securely, Cloudflare issues a certificate to authenticate your machine to the Cloudflare edge.
When you have confirmed that your tunnel has been configured successfully, attempt to reach the hostname in a web browser. You will be presented with the Access login page; once authenticated, you can proceed to use your on-prem application from any location without a VPN.