Add an infrastructure application

New

Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.

Prerequisites

Connect your private network to Cloudflare using cloudflared or WARP Connector.
Deploy the WARP client on user devices in Gateway with WARP mode.
Install and trust the Cloudflare root certificate on user devices.

1. Add a target

A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server.

To create a new target:

Dashboard
API

In Zero Trust ↗, go to Network > Targets.
Select Add a target.
In Target hostname, enter a user-friendly name for the target resource. We recommend using the server hostname, for example production-server. The hostname does not need to be unique and can be reused for multiple targets.
Format restrictions
- Case insensitive
- Contain no more than 255 characters
- Contain only alphanumeric characters, -, or . (no spaces allowed)
- Start and end with an alphanumeric character
In IP addresses, enter the private IPv4 and/or IPv6 address of the target resource. If the IP address overlaps across multiple private networks, select the virtual network where the resource is located.

Select Add target.

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "hostname": "infra-access-target",
  "ip": {
    "ipv4": {
      "ip_addr": "187.26.29.249",
      "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
    },
    "ipv6": {
      "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
      "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
    }
  }
}'

Next, create an infrastructure application to secure the target.

In Zero Trust ↗, go to Access > Applications.
Select Add an application.
Select Infrastructure.
Enter any name for the application.
In Target criteria, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
Enter the Protocol and Port that will be used to connect to the server.
(Optional) If a protocol runs on more than one port, select Add new target criteria and reconfigure the same target hostname and protocol with a different port number.
Select Next.

To add an infrastructure application using the API:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "example app",
  "type": "infrastructure",
  "target_criteria": [
    {
      "target_attributes": {
        "hostname": [
          "infra-access-target"
        ]
      },
      "port": 22,
      "protocol": "SSH"
    }
  ],
  "policies": [
    {
      "name": "Allow a specific email",
      "decision": "allow",
      "include": [
        {
          "email": {
            "email": "[email protected]"
          }
        }
      ],
      "connection_rules": {
        "ssh": {
          "usernames": [
            "root",
            "ec2-user"
          ]
        }
      }
    }
  ]
}'

3. Add a policy

To secure your targets, configure a policy that defines who can connect and how they can connect:

Enter any name for your policy.
Create a rule that matches the users who are allowed to reach the targets. For more information, refer to Access policies.
In Connection context, enter the UNIX usernames that users can log in as (for example, root or ec2-user).
Select Add application.

The targets in this application are now secured by your infrastructure policies.

Selectors

The following Access policy selectors are available for securing infrastructure applications:

Email
Emails ending in
SAML group
Country
Authentication method
Device posture
Azure group, GitHub organization, Google Workspace group, Okta group

4. Configure the server

Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:

Connect as a user

Users connect to the target’s IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a private DNS resolver to allow connections to the target’s private hostname.

Connect to different VNET

To connect to targets that are in different VNETS, users will need to switch their connected virtual network in the WARP client.

Revoke a user’s session

To revoke a user’s access to all infrastructure targets, you can either revoke the user from Zero Trust or revoke their device. Cloudflare does not currently support revoking a user’s session for a specific target.

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings