I have a question regarding Cloudflare Zero Trust (referred to below as ZT) and Cloudflare WAF Zone Lockdown (referred to below as ZL). I have some websites protected by ZL rules which allow access only from certain IP addresses. Now I want to also allow the developers to access those websites in case they have ZT WARP installed on their devices and are enrolled in the team (which they do and are). I have seen a similar question asked on this link, Allow WARP VPN in WAF Zone Lockdown Rule, with no response provided.
Furthermore, if you ask why I don't just migrate the ZL rules to ZT: I have paired some custom rules regarding URLs for those websites (to allowlist some specific API endpoints) for our clients with WAF ZL. Therefore I would just need to add a rule for my developers to access those sites with WARP turned on.
And that begs the question: how do I do that, if it is even possible to do so? Any help, or at least a pointer in the right direction, would be much appreciated.
You can create multiple zero trust applications, and the most specific one wins: Application paths · Cloudflare Zero Trust docs
For example, you could create one with no path (applying to all paths on a (sub)domain) with a Bypass/Service Auth policy that applies if the Gateway posture check succeeds, and then create a few more applications, with wildcards or exact paths, with a policy that includes Everyone for the public endpoints and a Bypass/Service Auth action.
It's important to note as well that "Service Auth" access is the normal Zero Trust flow, but without an identity. If your service (for example, if you were using CF Tunnels) was verifying the Access token/JWT, you would need to use Service Auth. Bypass goes back to the normal zone security settings and leaves the Access flow: Access policies · Cloudflare Zero Trust docs
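As an added example (not part of the original thread and not Cloudflare's own code), here is how the layout described in this answer can be written with the Cloudflare Terraform provider: one host-wide Access application whose policy admits only traffic that passes a Gateway device-posture check, plus a more specific path application that lets everyone reach a public API endpoint. The account ID, zone ID, host name, path and session duration are placeholders, and the resource and argument names come from my reading of the v4 provider (`cloudflare_access_application`, `cloudflare_access_policy`, `cloudflare_device_posture_rule`, the `device_posture` selector), so check them against the provider documentation for the version you run. The host-wide policy uses `non_identity` (Service Auth in the dashboard); swap in `bypass` for the Bypass behaviour the answer describes.

```hcl
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

# Placeholders: supply your own values via a tfvars file.
variable "account_id" { type = string }
variable "zone_id"    { type = string }
variable "app_host" {
  type    = string
  default = "app.example.com" # constructed example host
}

# Device-posture check: the request must arrive through Gateway,
# i.e. from a WARP client enrolled in the team.
resource "cloudflare_device_posture_rule" "gateway" {
  account_id  = var.account_id
  name        = "Traffic arrives via Gateway"
  description = "Passes only for WARP clients enrolled in this account"
  type        = "gateway"
}

# 1. Application with no path: covers every path on the host.
#    The least specific application, so it applies wherever no
#    narrower application below matches.
resource "cloudflare_access_application" "host" {
  zone_id          = var.zone_id
  name             = "${var.app_host} (developers via WARP)"
  domain           = var.app_host
  type             = "self_hosted"
  session_duration = "24h"
}

# Service Auth (non_identity) when the Gateway posture check passes.
# Use decision = "bypass" instead if the origin does not validate the
# Access JWT and you want requests to fall back to zone security settings.
resource "cloudflare_access_policy" "host_warp_only" {
  application_id = cloudflare_access_application.host.id
  zone_id        = var.zone_id
  name           = "Service Auth for WARP/Gateway traffic"
  precedence     = 1
  decision       = "non_identity"

  include {
    everyone = true
  }

  require {
    device_posture = [cloudflare_device_posture_rule.gateway.id]
  }
}

# 2. Public API endpoint: a more specific path, so it takes precedence
#    over the host-wide application for requests under /api/public/.
resource "cloudflare_access_application" "public_api" {
  zone_id          = var.zone_id
  name             = "${var.app_host} public API"
  domain           = "${var.app_host}/api/public/*" # constructed example path
  type             = "self_hosted"
  session_duration = "24h"
}

# Everyone may reach the public endpoint; Bypass hands the request back
# to the zone's normal security settings (WAF, Zone Lockdown).
resource "cloudflare_access_policy" "public_api_bypass" {
  application_id = cloudflare_access_application.public_api.id
  zone_id        = var.zone_id
  name           = "Public endpoint, everyone"
  precedence     = 1
  decision       = "bypass"

  include {
    everyone = true
  }
}
```

Each additional public or client-facing path gets its own `cloudflare_access_application` with an exact path or wildcard and its own policy; because the most specific application wins, those carve-outs are evaluated before the host-wide application, which keeps the Gateway posture requirement for everything else on the host.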