Access controls for the multiple tunneled vnets?
This is both a Cloudflare Access and Cloudflare Tunnel query.

Are we able to put access controls in place to ensure that only some groups of users are able to access some of the virtual networks?

Like only the ‘Admin Access Group’ is able to access the ‘mgmt-vnet’?

Thank you

Hey @haneef95 did you ever find an answer to this? Facing the same requirement.

I did see in the release blog post a comment at the bottom referencing zero trust policies as an upcoming feature.

Our next step will be to make Cloudflare Gateway aware of these virtual networks so that Zero Trust policies can be applied to these overlapping IP ranges. Once Gateway is aware of these virtual networks, we will also surface this concept with Network Logging for auditability and troubleshooting moving forward.

Cloudflare Access applies to traffic that arrives at Cloudflare via its DNS — i.e., public hostnames.

Virtual networks apply only to Zero Trust traffic, which arrives at Cloudflare via a ZT connector (such as WARP). For ZT traffic, you protect the traffic with Secure Web Gateway policies.

Spot on. Secure Web Gateway policies will have support for virtual networks.
@abe can chime in on updates for when that is coming through

Thanks for the tag, @nuno.diegues. That’s correct. And actually, Secure Web Gateway policies can already be applied to distinct Virtual Networks today. To get started, visit the Zero Trust dashboard and navigate to Gateway > Policies > Network. Then, select Create a Policy and for your selector click Virtual Network. This should surface the “is” or “is not” operators and values for your account’s Virtual Networks.

However, I believe you’re also looking to control who has the ability to even view certain Virtual Networks via the Cloudflare WARP client. If this is the case, we’re tracking this feature request as well. I can share it is not on the immediate roadmap, but we do plan to develop this as well.

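The dashboard steps above, written out as code so the intent is reviewable: an added example (not from this thread, and not Cloudflare's own configuration) using the Terraform Cloudflare provider's `cloudflare_teams_rule` resource to express "only the Admin Access Group may use mgmt-vnet". The account ID, virtual network ID and group name are placeholders, and the selector field names (`net.vnet.id`, `identity.groups.name`) are assumed from the Gateway network-policy documentation, so check them against the current docs before applying.

```hcl
# Added example (not from the thread). Assumptions: placeholder IDs below, and the
# Gateway selector names net.vnet.id / identity.groups.name as documented for
# network (L4) policies.

locals {
  account_id   = "ACCOUNT_ID_PLACEHOLDER"
  mgmt_vnet_id = "MGMT_VNET_ID_PLACEHOLDER" # UUID of the 'mgmt-vnet' virtual network
  admin_group  = "Admin Access Group"
}

# Rule 1 (lower precedence value = evaluated first): members of the admin
# group are allowed on anything routed over mgmt-vnet.
resource "cloudflare_teams_rule" "allow_admins_mgmt_vnet" {
  account_id  = local.account_id
  name        = "Allow ${local.admin_group} to mgmt-vnet"
  description = "Only the admin group may reach hosts behind the management virtual network"
  precedence  = 100
  action      = "allow"
  filters     = ["l4"] # network (L4) policy, the kind the dashboard's Network tab creates
  traffic     = "net.vnet.id == \"${local.mgmt_vnet_id}\""
  identity    = "identity.groups.name in {\"${local.admin_group}\"}"
  enabled     = true
}

# Rule 2 (evaluated after rule 1): everyone else who tries mgmt-vnet is blocked.
# Without this catch-all the allow rule alone would not restrict anything.
resource "cloudflare_teams_rule" "block_others_mgmt_vnet" {
  account_id  = local.account_id
  name        = "Block all other users on mgmt-vnet"
  description = "Default deny for the management virtual network"
  precedence  = 200
  action      = "block"
  filters     = ["l4"]
  traffic     = "net.vnet.id == \"${local.mgmt_vnet_id}\""
  enabled     = true
}
```

The two rules must stay ordered as above (allow before block); if another policy with a lower precedence value later allows mgmt-vnet traffic more broadly, it silently overrides this pair, so review the full ordered list after any change.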