Skip to content

Add an infrastructure application

New

Feature availability

WARP modesZero Trust plans
  • Gateway with WARP
  • Secure Web Gateway without DNS filtering
All plans
SystemAvailability
Windows
macOS
Linux
iOS
Android
ChromeOS

Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.

Prerequisites

1. Add a target

A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server.

To create a new target:

  1. In Zero Trust, go to Networks > Targets.
  2. Select Add a target.
  3. In Target hostname, enter a user-friendly name for the target resource. We recommend using the server hostname, for example production-server. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.

    Format restrictions

    • Case insensitive
    • Contain no more than 253 characters
    • Contain only alphanumeric characters, -, or . (no spaces allowed)
    • Start and end with an alphanumeric character
  4. In IP addresses, enter the IPv4 and/or IPv6 address of the target resource. If the IP address overlaps across multiple private networks, select the virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
  1. Select Add target.

Next, create an infrastructure application to secure the target.

2. Add an infrastructure application

  1. In Zero Trust, go to Access > Applications.
  2. Select Add an application.
  3. Select Infrastructure.
  4. Enter any name for the application.
  5. In Target criteria, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
  6. Enter the Protocol and Port that will be used to connect to the server.
  7. (Optional) If a protocol runs on more than one port, select Add new target criteria and reconfigure the same target hostname and protocol with a different port number.
  8. Select Next.
  9. To secure your targets, configure a policy that defines who can connect and how they can connect:
    1. Enter any name for your policy.

    2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to Access policies and review the list of infrastructure policy selectors.

    3. In Connection context, configure the following settings:

      • SSH user: Enter the UNIX usernames that users can log in as (for example, root or ec2-user).
      • Allow users to log in as their email alias: (Optional) When selected, users who match your policy definition will be able to access the target using their email address prefix. For example, jdoe@company.com could log in as jdoe.
  10. Select Add application.

The targets in this application are now secured by your infrastructure policies.

3. Configure the server

Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:

4. Connect as a user

Users connect to the target's IP address using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a private DNS resolver to allow connections to the target's private hostname.

Connect to different VNET

To connect to targets that are in different VNETS, users will need to switch their connected virtual network in the WARP client.

Display available targets

Feature availability

SystemAvailabilityMinimum WARP version
Windows2024.9.346.0
macOS2024.9.346.0
Linux2024.9.346.0
iOS
Android
ChromeOS

Users can use warp-cli to display a list of targets they can access. On the WARP device, open a terminal and run the following command:

Terminal window
warp-cli target list
╭──────────────────────────────────────┬──────────┬──────┬────────────────────────────────┬───────────────────────────────────────────────────┬───────────╮
Target ID Protocol Port Attributes IP (Virtual Network) │ Usernames │
├──────────────────────────────────────┼──────────┼──────┼────────────────────────────────┼───────────────────────────────────────────────────┼───────────┤
0192027a-ef8a-7966-aff6-4576475db365 SSH 22 hostname: digital-ocean-target 10.116.0.3 (a663a21c-76e5-4e3c-8296-d856682269f9) │ root │
├──────────────────────────────────────┼──────────┼──────┼────────────────────────────────┼───────────────────────────────────────────────────┼───────────┤
0192027a-ef8a-7966-aff6-4576475db365 SSH 23 hostname: digital-ocean-target 10.116.0.3 (a663a21c-76e5-4e3c-8296-d856682269f9) │ root │
╰──────────────────────────────────────┴──────────┴──────┴────────────────────────────────┴───────────────────────────────────────────────────┴───────────╯

Revoke a user's session

To revoke a user's access to all infrastructure targets, you can either revoke the user from Zero Trust or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.

Infrastructure policy selectors

The following Access policy selectors are available for securing infrastructure applications:

  • Email
  • Emails ending in
  • SAML group
  • Country
  • Authentication method
  • Device posture
  • Entra group, GitHub organization, Google Workspace group, Okta group