ARGO, CNAMES and Monitoring

Hi,

I’m looking at setting up some load balancers for entry points to my Applications and wanted a generic health check spread across my Load balancers associated with a shared pool.
I found I could hit my Argo tunnels directly without going through my Load balancer which I guess is understandable given the tunnels are CNAMES.
I want to hide those CNAMES from the wider world and have them only be used within my Load Balancer pools and for monitoring purposes.
Would I need to set up a WAF or FIREWALL rule or something like that to do this? So in short, I want to block any CNAMES from being hit externally but still be able to interrogate them within my Cloudflare Argo tunnel setup, and only present my LBs as entry points for certain names.

Thanks,

Hello @online4 ,

It looks to me that you’d want to use this: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb

You can then remove the CNAME records that point to your tunnels, and just use the LB that you set up (and which you routed to via the command linked on that page).

Thanks for the quick reply.
So to clarify, you set up an LB which uses the Argo Tunnel (have done this already) but point existing DNS records for my Apps to that Load balancer via DNS? And use the tunnel address as the “origin name” and destination, so hiding it behind the load balancer?

Once you create a new load balancer, you are effectively creating a new DNS record. I guess you can delete the existing record after you create the load balancer.

Yes

@erictung That's great, thanks for clarifying.
So for pinging my backend App to check I have end to end connectivity for my Tunnel checks, how would I hide that behind my load balancer?
As I have a reverse proxy expecting different host names on my origins I am not sure how to configure my GET requests for the pool checks.
As an example, I have one pool with 2 servers. I have a proxy on my origins that looks for example1.com and example2.com.
example2.com is my test URL to check end to end connectivity. I don’t want example2.com exposed externally, just used to determine connectivity to my origins. I have example2.com in my ingress rules but the test keeps defaulting to the catch-all I have in my ingress rules. If I do specific checks on my Apps that works fine.
I looked at custom rules for LBs but I don’t have that option as I assume that's Enterprise plan.
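As an added illustration (not code from this thread or from Cloudflare) of why the check lands on the catch-all: cloudflared picks an ingress rule by the request's hostname, and a monitor probe carries the origin address as its Host header unless the monitor overrides it. The ingress list, the /health path and the monitor field names below are assumptions made for the example.

```python
import fnmatch

# Constructed ingress rules mirroring the thread: one rule per hostname the
# origin-side reverse proxy expects, then the mandatory catch-all (no hostname).
INGRESS = [
    {"hostname": "example1.com", "service": "http://localhost:8001"},
    {"hostname": "example2.com", "service": "http://localhost:8002"},  # connectivity test host
    {"service": "http_status:404"},  # catch-all: anything with an unexpected Host ends up here
]

# Placeholder tunnel address used as the pool origin; not a real tunnel.
TUNNEL_ORIGIN = "TUNNEL-UUID.cfargotunnel.com"


def match_ingress(host, rules=INGRESS):
    """Return the service of the first rule whose hostname matches, cloudflared style
    (rules are evaluated top to bottom; a rule without a hostname matches everything)."""
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or fnmatch.fnmatchcase(host.lower(), pattern.lower()):
            return rule["service"]
    raise ValueError("ingress must end with a catch-all rule")


def probe_host(origin_address, header=None):
    """Host header a monitor probe carries: an explicit override if one is
    configured, otherwise the origin address the pool points at."""
    override = (header or {}).get("Host")
    return override[0] if override else origin_address


def build_monitor(hostname, path="/health", expected_codes="200"):
    """Monitor definition that pins the Host header so the probe selects the
    intended ingress rule (field names assumed to follow the LB monitor API)."""
    return {"type": "https", "method": "GET", "path": path,
            "expected_codes": expected_codes, "header": {"Host": [hostname]}}


def route_health_check(origin_address, monitor):
    """Which origin-side service a given monitor's probe would reach through the tunnel."""
    return match_ingress(probe_host(origin_address, monitor.get("header")))


if __name__ == "__main__":
    plain = {"type": "https", "method": "GET", "path": "/health"}  # no Host override
    print("no Host override ->", route_health_check(TUNNEL_ORIGIN, plain))
    print("Host: example2.com ->", route_health_check(TUNNEL_ORIGIN, build_monitor("example2.com")))
```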

The LB will have 1 entry for each named tunnel in its pool.

As I have a reverse proxy expecting different host names on my origins I am not sure how to configure my GET requests for the pool checks.

Would this help? https://developers.cloudflare.com/load-balancing/understand-basics/monitors