I am excited to announce a major update coming to Access Applications and Policies!
Cloudflare Access Self-Hosted Applications can now be defined by Private IPs, Private Hostnames (on port 443) and Public Hostnames. Additionally, Access Policies are now their own object, so a single policy can be reused across multiple applications. These changes also reworked much of the Access Dashboard; an overview is below. The developer documentation has been updated to reflect the new features: Secure a private IP or hostname · Cloudflare Zero Trust docs
We are rolling these updates out over the next few weeks, enabling them first for subsets of our Free and Pay as you Go customers. If you are an Enterprise customer interested in beta testing, please comment below or reach out to your account team and we can discuss options.
The four major changes include:
Access applications support private IPs and hostname definitions
Caveats:
Private hostnames are currently supported only for HTTPS on port 443. In the future we will expand to arbitrary hostname support.
Private IPs and Hostnames must be reachable over WARP, Magic WAN or Browser Isolation.
Gateway TLS decryption must be enabled if you want the login page presented in the browser. Otherwise, users will receive a pop-up notification from the WARP client instead.
Access policies are now reusable
Previously, Access policies were always scoped to a specific application, so you had to define a distinct policy for every single application, even when the rules were identical.
As part of the migration to reusable Access policies, all existing Access policies remain as “legacy” policies that are still scoped to a single application. Legacy policies appear in the new Policies tab as read-only.
How do I migrate to reusable policies?
Via UI: We recommend creating a reusable policy or set of policies and assigning those to the desired applications. Once a reusable policy has been assigned, the legacy policy can be deleted by opening the specific application and removing the policy directly.
Via API:
The same approach works in the API or Terraform. The API also offers one additional option: converting a legacy policy to a reusable policy in place.
Use the following endpoint with a PUT: https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/{appID}/policies/{legacy_policy_id}/make_reusable
The request body should be empty.
This converts any legacy policy into a reusable policy that can then be assigned to multiple applications. Once converted, the policy can only be edited through the reusable policies endpoints (i.e. you can no longer edit it through PUT /accounts/$ACCOUNT_ID/access/apps/{appID}/policies/{policy_id}).
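The following is an added example (not Cloudflare's own code or tooling) of the API migration described above: it converts a legacy policy with the make_reusable endpoint (empty body) and then attaches the resulting reusable policy to other applications. The account_id / app_id / policy_id path layout, the GET-then-PUT read-modify-write of the application's "policies" list with {"id", "precedence"} entries, and the FakeTransport responses are assumptions for illustration; the transport is injectable so the whole flow can be dry-run offline before it is pointed at a real account with a CLOUDFLARE_API_TOKEN.

```python
"""Convert a legacy (app-scoped) Access policy to a reusable one and attach it
to other applications via the Cloudflare v4 API. Added example; assumed shapes:
  PUT /accounts/{acct}/access/apps/{app}/policies/{pol}/make_reusable (empty body)
  GET /accounts/{acct}/access/apps/{app}
  PUT /accounts/{acct}/access/apps/{app} with "policies": [{"id", "precedence"}]
"""
import json
import os
import sys
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def build_request(method, path, token, body=None):
    """Describe one API call as plain data so a fake transport can inspect it."""
    return {
        "method": method,
        "url": API_BASE + path,
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": None if body is None else json.dumps(body).encode(),
    }


def http_transport(req):
    """Real transport: send with urllib and decode the JSON envelope."""
    r = urllib.request.Request(req["url"], data=req["body"],
                               method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r, timeout=30) as resp:
        return json.load(resp)


def _result(resp, what):
    """Every v4 response is {success, errors, result}; fail loudly on errors."""
    if not resp.get("success"):
        raise RuntimeError(f"{what} failed: {resp.get('errors')}")
    return resp["result"]


def make_reusable(account_id, app_id, policy_id, token, transport=http_transport):
    """Convert a legacy policy in place. Afterwards it is editable only through
    the reusable-policy endpoints, so the app-scoped PUT must not be used again."""
    path = (f"/accounts/{account_id}/access/apps/{app_id}"
            f"/policies/{policy_id}/make_reusable")
    # Body is deliberately empty, as the announcement specifies.
    return _result(transport(build_request("PUT", path, token)), "make_reusable")["id"]


def attach_policy(account_id, app_id, policy_id, token, transport=http_transport):
    """Add a reusable policy to an app. Assumes (not verified here) that the app
    PUT replaces the whole policy list, so read-modify-write and give the new
    entry the next free precedence."""
    app_path = f"/accounts/{account_id}/access/apps/{app_id}"
    app = _result(transport(build_request("GET", app_path, token)), "get app")
    policies = [p for p in app.get("policies", []) if p.get("id") != policy_id]
    next_prec = 1 + max((p.get("precedence", 0) for p in policies), default=0)
    policies.append({"id": policy_id, "precedence": next_prec})
    app["policies"] = policies
    return _result(transport(build_request("PUT", app_path, token, app)),
                   "update app")["policies"]


def migrate(account_id, source_app_id, legacy_policy_id, target_app_ids, token,
            transport=http_transport):
    """Full migration: convert once, then attach to each additional app."""
    reusable_id = make_reusable(account_id, source_app_id, legacy_policy_id, token, transport)
    attached = {app_id: attach_policy(account_id, app_id, reusable_id, token, transport)
                for app_id in target_app_ids}
    return reusable_id, attached


class FakeTransport:
    """Constructed stand-in for the API: records requests, returns canned responses."""

    def __init__(self):
        self.calls = []

    def __call__(self, req):
        self.calls.append(req)
        ok = {"success": True, "errors": []}
        if req["url"].endswith("/make_reusable"):
            return {**ok, "result": {"id": "pol-legacy-1", "reusable": True}}
        if req["method"] == "GET":
            return {**ok, "result": {"id": "app-2", "name": "intranet wiki",
                                     "policies": [{"id": "pol-other", "precedence": 1}]}}
        return {**ok, "result": json.loads(req["body"])}  # echo the PUT body back


def dry_run():
    """Run the migration against FakeTransport and report what was sent."""
    t = FakeTransport()
    reusable_id, attached = migrate("acct", "app-1", "pol-legacy-1", ["app-2"], "tok",
                                    transport=t)
    return {"reusable_id": reusable_id,
            "methods": [c["method"] for c in t.calls],
            "convert_url": t.calls[0]["url"],
            "convert_body": t.calls[0]["body"],
            "app2_policies": attached["app-2"]}


if __name__ == "__main__":
    if len(sys.argv) < 4 or "CLOUDFLARE_API_TOKEN" not in os.environ:
        print(dry_run())  # offline demonstration against the fake transport
    else:
        acct, app, pol, *targets = sys.argv[1:]
        print(migrate(acct, app, pol, targets, os.environ["CLOUDFLARE_API_TOKEN"]))
```

Run it with no arguments to see the dry run; with ACCOUNT_ID SOURCE_APP_ID LEGACY_POLICY_ID TARGET_APP_ID... and CLOUDFLARE_API_TOKEN set it performs the real calls. Because the conversion is one-way, confirm the dry-run request sequence (one empty-body PUT, then a GET and PUT per target app) matches your expectations before running it against production.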
Access Groups are now Rule Groups
We renamed Access Groups to Rule Groups. We made this change based on feedback that Access Groups were easily mixed up with identity provider groups.
Additionally, Rule Groups were moved back to being a policy selector instead of their own section in the policy builder. We made this change because of feedback that it was often difficult to decipher how a policy would behave with both Rule Groups and specific policy clauses.
Added a Private Apps selector to Gateway
By default, Gateway evaluates Access private applications after all other Network firewall policies.
If you would like Access private applications to be evaluated before or after specific Gateway network policies, add a policy that uses the All Access Private Apps selector with an Allow action and place it in the desired position.
Note: all Access private applications are deny by default, and a user must still pass the associated Access policy regardless of the Gateway allow. The Gateway policy is strictly for routing and connectivity; it does not grant access to the application.
What’s happening to the existing Private Network application type?
This application type will eventually be deprecated in favor of private IP and hostname support in Self-Hosted Applications. We have not set a timeline, but we will communicate all deprecation dates in advance. The initial deprecation will block creation of new Private Network applications, while all existing Private Network applications will remain editable.
Feedback / Something’s broken
While we are very excited about these changes and have tested heavily, we know that upgrades can have unintended consequences. If you experience issues or have feedback to improve these new experiences, please share them on this community thread or, if you are an Enterprise customer, you can reach out to your account team.
-The Cloudflare Team