Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Deploy cloudflared in AWS

The purpose of this guide is to walk through some best practices for accessing private resources on AWS by deploying Cloudflare’s lightweight connector, cloudflared.

We will walk through how to initialize a service on a Linux VM in AWS, and route to it from another VM running cloudflared. This deployment guide does not take into account routing beyond basic security groups and default VPCs.

​​ Prerequisites

​​ Create your environment

  1. From the AWS console, go to Build a Solution and select Launch a Virtual Machine with EC2.

    AWS console
  2. Next, select the appropriate AMI. In this instance, we are using Ubuntu 18.0.

    AWS console
  3. When selecting your instance type, choose t2.micro. This type is available for the free tier.

  4. Select Next: Configure Instance Details.

  5. Because we are leaving this device on the default VPC, you will not need to make any changes in the next couple of steps, nor will you need to add additional storage or tags. Select Next: Add Storage, and then select Next: Add Tags.

    AWS console
  6. Next, advance to Security Group Settings and add two policies:

    • Ensure SSH is only accessible from your IP to prevent it being publicly accessible.
    • Allow traffic from, which is the default internal IP range that AWS will give your device.
  7. Deploy two t2.micro devices, and then build a key pair. You will need to download the .pem file in order to use SSH in the next steps.

  8. Finally, make sure you locate the Public IPv4 DNS address inside the instance summary on the AWS console. You will need that parameter as well in order to use SSH.

AWS console

The next step is to build out and route a service.

​​ Deploy cloudflared

Now that we have EC2 up and running in AWS, you can log in to your instance.

  1. SSH into your AWS instance using the command line.

    $ cd Downloads
    $ ssh -i "TestKeyPair.pem" [email protected]
  2. Run sudo su to gain full admin rights to the Virtual Machine.

  3. Run apt install curl to install any relevant dependencies for your new instance.

  4. Install cloudflared on your instance. In this example, we are running a Debian-based instance, so use the Debian package of cloudflared:

    1. Add Cloudflare’s package signing key:
    $ sudo mkdir -p --mode=0755 /usr/share/keyrings
    $ curl -fsSL | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
    1. Add Cloudflare’s apt repo to your apt repositories:
    $ echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
    1. Update repositories and install cloudflared:
    $ sudo apt-get update && sudo apt-get install cloudflared
  5. Run the following command to authenticate cloudflared with your Cloudflare account. The command will launch a browser window where you will be prompted to log in with your Cloudflare account and pick any zone you have added to Cloudflare.

    $ cloudflared tunnel login
  6. Create a tunnel.

    $ cloudflared tunnel create AWS-01
  7. Route your tunnel. In this example, we will expose the smallest range available. We can add more IP routes later if necessary.

    $ cloudflared tunnel route ip add AWS-01

​​ Complete tunnel configuration

  1. Make a directory for your configuration file.

    $ mkdir /etc/cloudflared
    $ cd /etc/cloudflared
  2. Build a configuration file. Before moving forward and entering vim, copy your Tunnel ID and credentials path to a notepad.

    $ vim config.yml
  3. Type i to begin editing the file and copy-paste the following settings in it.

    tunnel: <Tunnel ID/name>
    credentials-file: /root/.cloudflared/<Tunnel ID>.json
    protocol: quic
    enabled: true
    logfile: /var/log/cloudflared.log
    #cloudflared to the origin debug
    loglevel: debug
    #cloudflared to cloudflare debug
    transport-loglevel: info
  4. Press esc and then enter :x to save and exit.

  5. Run cloudflared as a service.

$ cloudflared service install
$ systemctl start cloudflared
$ systemctl status cloudflared

Next, visit Zero Trust and ensure your new tunnel shows as active. Optionally, begin creating Access policies to secure your private resources.