Hey all, sorry to ask this here but I couldn’t find a channel for zero trust.

I’ve been trying to set up AWS VPC peering using Cloudflare Tunnel without much success though this piece of documentation seems to indicate it is possible. The use case I’m trying to build is accessing an AWS ElastiCache Redis cluster from a Vercel Serverless Function without exposing the whole VPC to the internet.

This has led me to the following approach and I’d like to know if it makes sense?

1. Create a VPC with public and private subnets.
2. Deploy an ElastiCache Redis cluster to the private subnet with a security group only allowing internal traffic.
3. Deploy an EC2 instance to the public subnet where cloudflared tunnel create would be run, pointing to either the private subnet’s IP range or the ElastiCache primary endpoint.
4. Route all external traffic to the tunnel endpoint which would get routed to the private subnet and hopefully make the Redis instance accessible?

I’m also wondering why cloudflare tunnel login asks to pick a website from the CF dashboard whereas creating a tunnel from the UI doesn’t?

Note that today it is possible to use Tunnel without a website (e.g. for private routing), but for legacy reasons this requirement is still necessary.

Note that using warp-routing / private network routing with Tunnels requires that you have WARP for Teams installed & configured on any devices that you’ll be wanting to reach the IP ranges you’re advertising on the tunnel. It’s a Point-to-Site model.

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/private-hostnames-ips/#prerequisites