Hello,
We have a private VPC on AWS (172.31.0.0/16). In this VPC we have an AWS RDS Postgres database which does not allow for public connections, and must be accessed from a device within the VPC. Currently we are using an SSH tunnel through a jumpbox/bastion to connect to this database. We would like to change this to use a Cloudflare tunnel + WARP client.
I have been tinkering with configurations and have not been able to fully figure this use case out. I followed all the tutorials I could find but have been unable to get it to come together.
Here are the steps I have taken so far:
- Created a small EC2 instance within the VPC and installed `cloudflared`
- Updated Cloudflare Zero Trust Firewall settings (Allow UDP, HTTP Filtering)
- Created a Private network that matches the CIDR of my VPC (172.31.0.0/16)
- My first attempt was to add a Public hostname: I created `postgres.mydomain.com` and pointed it to the service `tcp://postgres.cluster-abc123.us-west-1.rds.amazonaws.com:5432`, which resolves to whichever is the promoted DB instance IP on the private network (172.31.1.123).
- Tried to connect to the database using `postgres.mydomain.com:5432` while connected to WARP, which times out.
- Tried to connect to the database using `postgres.cluster-abc123.us-west-1.rds.amazonaws.com:5432` while connected to WARP, which times out.
- Tried to connect to the database using `172.31.1.123:5432` while connected to WARP, which times out.
All WARP connections are authenticated to the correct team, and the certificates are installed.
Tunnel configuration includes:

```yaml
warp-routing:
  enabled: true
```

I have created "Access" Applications for the Private Network, with both the SNI and the IP of the database set to Allow.
I feel like I may be missing something (read a few things about policies), or not fully understanding how the connection of the tunnel to a TCP service such as a Postgres database works. Any assistance would be appreciated.
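For reference, here is the shape of a locally-managed `cloudflared` config that serves this use case, as an added example (not the poster's own config, and not Cloudflare documentation). The tunnel UUID, file paths and the VPC CIDR are placeholders/assumptions; the route command and the client connection string are shown as comments so the whole flow is in one place. The key point it illustrates is that a Postgres reached through WARP uses the private-network route (`cloudflared tunnel route ip add`), not a public hostname with a `tcp://` service; the public-hostname `tcp://` path is the arbitrary-TCP-over-Access mode, which expects `cloudflared access tcp` on the client rather than WARP.

```yaml
# /etc/cloudflared/config.yml on the EC2 instance inside 172.31.0.0/16
# (added example; <TUNNEL-UUID> and paths are placeholders)
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

# Lets WARP clients reach IPs that have been routed to this tunnel.
warp-routing:
  enabled: true

# No public hostname is needed for a TCP service reached over WARP.
# A catch-all rule is still required so the ingress section is valid.
ingress:
  - service: http_status:404

# One-time setup, run on the EC2 instance (or anywhere with the account cert):
#   cloudflared tunnel route ip add 172.31.0.0/16 <TUNNEL-UUID>
# Then run the connector:
#   cloudflared tunnel run <TUNNEL-UUID>
#
# From a WARP-connected laptop, connect to the private IP directly
# (assumed RDS private IP from the post):
#   psql -h 172.31.1.123 -p 5432 -U <db-user> -d <db-name>
```

Three checks that commonly produce exactly the "times out" symptom described above, independent of the config file: the WARP client's Split Tunnels default to excluding the RFC 1918 ranges, including 172.16.0.0/12 which covers this VPC, so that exclusion must be removed or narrowed in the device profile for traffic to enter the tunnel at all; a Gateway Network policy (not an Access application) has to allow destination IP 172.31.0.0/16 on port 5432 for the enrolled users; and the RDS security group must allow inbound 5432 from the EC2 instance running `cloudflared`, since that instance, not the laptop, is the TCP client from the database's point of view.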