Configure Zero Trust Network Access in Cloudflare for Teams
In this tutorial we will cover how to configure a Zero Trust Private Network in Cloudflare for Teams by combining device enrollment rules, Cloudflare Tunnels, and identity-based network policies.
🗺️ This tutorial covers how to:
- Create device enrollment rules and connect a device to Teams
- Connect your private network server to Cloudflare's edge using Cloudflare Tunnels
- Create identity-aware network policies
⏲️Time to complete:
The first step is to enroll your devices into the WARP client. The WARP client is responsible for forwarding your traffic to Cloudflare and eventually to your private network.
In this example, we require that users have a hard key inserted and are connecting from the United States.
Enroll your device into your Teams account. To do that, click the WARP icon in your navigation bar, open Settings and select Account > Login with Cloudflare for Teams.
Enable the WARP client on the device to forward traffic to Cloudflare.
Next, you will need to configure your private network server to connect to Cloudflare’s edge using Cloudflare Tunnel. This will establish a secure outbound connection to Cloudflare.
Identify the server you want to use to securely make your private network available to users. This can be the origin server directly, a jumphost, or load balancer.
cloudflaredon the server by running the following command, then follow the prompt to authenticate via URL provided.$ cloudflared tunnel login
Next, create a tunnel for the device:$ cloudflared tunnel create <TUNNEL NAME>
Create a YAML config file for the tunnel with the following configuration:tunnel: <YOUR TUNNEL ID>credentials-file: /root/.cloudflared/<YOUR TUNNEL ID>.jsonwarp-routing:enabled: true
Now run the tunnel:$ cloudflared tunnel run <TUNNEL NAME>
Finally, you will need to establish the private RFC 1918 IP address or range that you would like to advertise to Cloudflare, as well as set the identity policies determining which users can access that particular IP or range.
- Route the private IP addresses of your server’s network to Cloudflare, where:
10.0.0.0/10is the IP or CIDR range of your server
8e343b13-a087-48ea-825f-9783931ff2a5is your tunnel ID$ cloudflared tunnel route ip add 10.0.0.0/10 8e343b13-a087-48ea-825f-9783931ff2a5
Open your Teams dashboard to the Gateway > Policies tab.
Create a second network policy to block all traffic to the IP range that was routed.
Verify that you do not have the desired target private IP range in the Split Tunnel configuration menu. This menu can be found at Settings > Network > Split Tunnels.