Access AWS RDS Postgres through WARP + cloudflared

Hello,

We have a private VPC on AWS (172.31.0.0/16). In this VPC we have an AWS RDS Postgres database which does not allow for public connections, and must be accessed from a device within the VPC. Currently we are using an SSH tunnel through a jumpbox/bastion to connect to this database. We would like to change this to use a Cloudflare tunnel + WARP client.

I have been tinkering with configurations and have not been able to fully figure this use case out. I followed all the tutorials I could find but was unable to get it to come together.

Here are the steps I have taken so far:

  1. Created a small EC2 instance within VPC and installed cloudflared
  2. Updated Cloudflare Zero Trust Firewall settings (Allow UDP, HTTP Filtering)
  3. Created a Private network that matches the CIDR of my VPC (172.31.0.0/16)
  4. My first attempt was to add a Public hostname - I created postgres.mydomain.com and pointed it to the service tcp://postgres.cluster-abc123.us-west-1.rds.amazonaws.com:5432 which resolves to whichever is the promoted DB instance IP on the private network (172.31.1.123).
  5. Tried to connect to the database using postgres.mydomain.com:5432 while connected to WARP, which times out.
  6. Tried to connect to the database using postgres.cluster-abc123.us-west-1.rds.amazonaws.com:5432 while connected to WARP, which times out.
  7. Tried to connect to the database using 172.31.1.123:5432 while connected to WARP, which times out.

All WARP connections are authenticated to the correct team, and the certificates are installed.

Tunnel configuration includes:

warp-routing:
  enabled: true

I have created “Access” Applications for the Private Net with both the SNI and the IP of the database set to Allow.

I feel like I may be missing something (read a few things about policies), or not fully understanding how the connection of the tunnel to a TCP service such as a Postgres database works. Any assistance would be appreciated.

Quick update here - I removed the 172.16.0.0/12 exclusion entry from the split tunnel configuration and am seeing some initial positive results by connecting directly to postgres.cluster-abc123.us-west-1.rds.amazonaws.com:5432 on WARP.

Going to try to get the public postgres.mydomain.com working next.
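The update above points at the actual cause: WARP's split-tunnel "Exclude" list carried 172.16.0.0/12, which contains the whole VPC range 172.31.0.0/16, so packets to the RDS address never entered the tunnel and the tunnel's warp-routing setting had nothing to route. The following script is an added example (not from the original post or from Cloudflare) that checks a split-tunnel exclusion list against a private network CIDR, reports which entries swallow it, and computes the narrower set of exclusions that carve out only the VPC instead of dropping the entire /12. The exclusion list is a constructed sample; only the 172.16.0.0/12 entry, the VPC CIDR and the RDS IP come from the post.

```python
import ipaddress
from typing import List

# Constructed sample split-tunnel "Exclude" entries. Only 172.16.0.0/12 is
# confirmed by the post; the other entries are assumed for illustration.
SAMPLE_EXCLUSIONS: List[str] = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "100.64.0.0/10",
]

VPC_CIDR = "172.31.0.0/16"   # the AWS VPC from the post
RDS_IP = "172.31.1.123"      # the promoted RDS instance from the post


def overlapping_exclusions(vpc_cidr: str, exclusions: List[str]) -> List[str]:
    """Return the exclusion entries that overlap the private network CIDR.

    Any hit means traffic for (part of) the VPC bypasses WARP and therefore
    never reaches the cloudflared private-network route.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    hits = []
    for entry in exclusions:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == vpc.version and net.overlaps(vpc):
            hits.append(str(net))
    return hits


def is_routed_through_warp(ip: str, exclusions: List[str]) -> bool:
    """True if the address is NOT covered by any exclusion (Exclude mode)."""
    addr = ipaddress.ip_address(ip)
    for entry in exclusions:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return False
    return True


def carve_out_vpc(exclusions: List[str], vpc_cidr: str) -> List[str]:
    """Rewrite the exclusion list so only the VPC range is sent through WARP.

    Exclusions that fully contain the VPC are split into the remaining
    subnets (e.g. 172.16.0.0/12 minus 172.31.0.0/16); exclusions that sit
    inside or partially overlap the VPC are dropped. Everything else is kept,
    so other RFC1918 space still stays on the local network.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    result: List[str] = []
    for entry in exclusions:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != vpc.version or not net.overlaps(vpc):
            result.append(str(net))
        elif vpc.subnet_of(net):
            result.extend(str(n) for n in net.address_exclude(vpc))
        # else: entry is inside / straddles the VPC, drop it entirely
    return result


if __name__ == "__main__":
    hits = overlapping_exclusions(VPC_CIDR, SAMPLE_EXCLUSIONS)
    print(f"exclusions overlapping {VPC_CIDR}: {hits}")
    print(f"{RDS_IP} via WARP before fix: {is_routed_through_warp(RDS_IP, SAMPLE_EXCLUSIONS)}")
    fixed = carve_out_vpc(SAMPLE_EXCLUSIONS, VPC_CIDR)
    print(f"narrowed exclusion list: {sorted(fixed)}")
    print(f"{RDS_IP} via WARP after fix:  {is_routed_through_warp(RDS_IP, fixed)}")
```

Carving the VPC out of the /12 rather than deleting the whole entry keeps other 172.16.x.x-172.30.x.x networks (home or office LANs) off the tunnel, which is the least-privilege version of the fix described in the update; it also makes the overlap check something that can run in CI against the exported split-tunnel list whenever the VPC CIDR changes.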