Best way to replace a VPN to AWS load balancers?

I am looking to replace our VPN with Cloudflare Zero Trust. Currently, users VPN into our office router and then only traffic to our AWS-hosted app is proxied through the router, in order to appear to come from our office IP, using a “Published Networks” option. Our AWS apps are behind AWS load balancers with security groups that only allow specified IPs, listed in the security groups for ingress, to access the app instances. What is the best way to deploy a Cloudflare Zero Trust solution to replicate our VPN route, or use a different approach with Cloudflare Zero Trust?

Adding info…
I have seen threads that discuss adding cloudflared to a separate EC2 instance that has internal VPC access to the app instances; however, since we are running a scalable app with 2 instances running at all times, we would need our solution to point to the domain pointing to the load balancers to handle the traffic properly. Currently, with our VPN, I have to dig the domain to find out the load balancer IPs and manually add them to the “Published Networks” of our VPN config. It doesn’t allow for a domain entry, only IPs. So, when AWS changes the IPs of our load balancers (as they often do), my users lose connection to the app. Hence why I am trying to find another solution.

For the connection between the load balancer and Cloudflare, I would recommend using mTLS.
That way, only connections from your Cloudflare account are accepted by the load balancer.

Then, on Cloudflare, you create a proxied DNS record to your load balancer that you secure via a Zero Trust Access Application.
In the Access Application, you can decide who can access the application in a variety of ways.

The simplest way is to list the email addresses of the people that should have access, or allow all emails ending in @example.com. The user will then receive a login code to the email that allows them to access the application for period X.
Or they can use that address to log in with an identity provider if you have one in use for your company.

But there are a lot more options that you can use, see here:

You could also replicate your VPN route with Cloudflare’s VPN (WARP), but I don’t see why you would want to do that.

Is that what you had in mind?
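The setup described in this reply, written out as Terraform for the Cloudflare provider (v4). This is an added example, not configuration from the poster: the zone ID, account ID, the hostname `app.example.com`, the load balancer DNS name, the `@example.com` email domain and the certificate file names are placeholders. It assumes the hostname lives in a zone hosted on Cloudflare, and that whatever terminates TLS at the origin (the load balancer, or the instances behind a TCP pass-through listener) is configured to require the origin-pull client certificate.

```hcl
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

# Assumed identifiers: replace with your own.
variable "zone_id"    { default = "REPLACE_WITH_ZONE_ID" }
variable "account_id" { default = "REPLACE_WITH_ACCOUNT_ID" }

locals {
  app_hostname = "app.example.com"                              # assumed
  lb_dns_name  = "my-app-123456789.us-east-1.elb.amazonaws.com" # assumed
  email_domain = "example.com"                                  # assumed
}

# 1. Proxied (orange-cloud) CNAME to the load balancer's DNS name.
#    Cloudflare re-resolves the CNAME as it proxies, so AWS rotating the
#    load balancer IPs does not require any change here.
resource "cloudflare_record" "app" {
  zone_id = var.zone_id
  name    = "app"
  type    = "CNAME"
  value   = local.lb_dns_name
  proxied = true
}

# 2. Authenticated Origin Pulls: Cloudflare presents a client certificate
#    to the origin (mTLS edge -> origin). A custom per-zone certificate is
#    uploaded so the origin can trust this zone only, not every Cloudflare
#    customer. The origin still has to be told to require and verify it.
resource "cloudflare_authenticated_origin_pulls_certificate" "app" {
  zone_id     = var.zone_id
  type        = "per-zone"
  certificate = file("${path.module}/origin-pull.pem") # assumed file names
  private_key = file("${path.module}/origin-pull.key")
}

resource "cloudflare_authenticated_origin_pulls" "app" {
  zone_id                                = var.zone_id
  enabled                                = true
  authenticated_origin_pulls_certificate = cloudflare_authenticated_origin_pulls_certificate.app.id
}

# 3. Identity: a one-time PIN sent to the user's email, no IdP needed.
resource "cloudflare_access_identity_provider" "otp" {
  account_id = var.account_id
  name       = "Email one-time PIN"
  type       = "onetimepin"
}

# 4. The Access application placed in front of the hostname.
resource "cloudflare_access_application" "app" {
  zone_id          = var.zone_id
  name             = "AWS app"
  domain           = local.app_hostname
  type             = "self_hosted"
  session_duration = "8h"
  allowed_idps     = [cloudflare_access_identity_provider.otp.id]
}

# 5. Who gets in: anyone who proves control of an @example.com address.
resource "cloudflare_access_policy" "staff" {
  application_id = cloudflare_access_application.app.id
  zone_id        = var.zone_id
  name           = "Company email"
  precedence     = 1
  decision       = "allow"

  include {
    email_domain = [local.email_domain]
  }
}
```

Two things Terraform cannot do for you: the load balancer security group has to allow Cloudflare's published IP ranges on 443, and the origin must actually reject connections that do not present the client certificate. If it does not, the IP allowlist is the only control left, and any Cloudflare customer can point a proxied record at your load balancer. Cloudflare's default origin-pull certificate is shared across all zones, which is why the example uploads its own.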

Thanks for the info; however, all our apps are behind classic load balancers. It looks like mTLS would need application load balancers. Besides, I am not sure how easy it would be to set up end users with a simple client to connect.

Do you use an HTTPS or TCP listener on your load balancer?

mTLS is only set up between the load balancer and Cloudflare. The end user has different options to access the site (based on what you configure), for example a one-time PIN sent to their email and entered directly into the browser, or installing the WARP client and logging in with their company email.

The WARP client can be configured to only be used for certain IPs or domains:
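The cloudflared-on-EC2 idea raised in the question, combined with the WARP split tunnel mentioned in this reply, as an added example in Terraform (Cloudflare provider v4 plus the AWS and random providers); it is not configuration from any of the posters. It assumes a public hostname `app.example.com` in a zone hosted on Cloudflare (the existing Route53 record can stay as it is), a classic load balancer `my-app-123456789.us-east-1.elb.amazonaws.com` whose certificate is issued for `app.example.com`, the ID of that load balancer's security group, and a cloudflared EC2 instance that reaches the load balancer from a fixed elastic IP (`203.0.113.10`, or the NAT gateway's EIP if the instance is in a private subnet). cloudflared connects to the load balancer by DNS name, so its IPs can change freely. The Access application and policy are attached to the hostname exactly as in the earlier reply.

```hcl
terraform {
  required_providers {
    cloudflare = { source = "cloudflare/cloudflare", version = "~> 4.0" }
    aws        = { source = "hashicorp/aws", version = "~> 5.0" }
    random     = { source = "hashicorp/random", version = "~> 3.0" }
  }
}

# Assumed identifiers: replace with your own.
variable "account_id"      { default = "REPLACE_WITH_ACCOUNT_ID" }
variable "zone_id"         { default = "REPLACE_WITH_ZONE_ID" } # zone hosting app.example.com
variable "lb_sg_id"        { default = "sg-0123456789abcdef0" } # security group on the classic LB
variable "cloudflared_eip" { default = "203.0.113.10" }         # source address of the connector

locals {
  app_hostname = "app.example.com"                              # assumed
  lb_dns_name  = "my-app-123456789.us-east-1.elb.amazonaws.com" # assumed
}

resource "random_id" "tunnel_secret" {
  byte_length = 35 # Cloudflare requires at least 32 bytes
}

resource "cloudflare_tunnel" "aws" {
  account_id = var.account_id
  name       = "aws-app"
  secret     = random_id.tunnel_secret.b64_std
}

# Ingress rules: the connector resolves the LB DNS name itself on each
# connection, so rotating load balancer IPs never require an edit here.
resource "cloudflare_tunnel_config" "aws" {
  account_id = var.account_id
  tunnel_id  = cloudflare_tunnel.aws.id

  config {
    ingress_rule {
      hostname = local.app_hostname
      service  = "https://${local.lb_dns_name}"
      origin_request {
        # SNI / expected certificate name; the LB cert is for app.example.com,
        # not for the *.elb.amazonaws.com name we connect to.
        origin_server_name = local.app_hostname
      }
    }
    ingress_rule {
      service = "http_status:404" # catch-all: refuse anything not listed above
    }
  }
}

# Public hostname routed into the tunnel.
resource "cloudflare_record" "app" {
  zone_id = var.zone_id
  name    = "app"
  type    = "CNAME"
  value   = "${cloudflare_tunnel.aws.id}.cfargotunnel.com"
  proxied = true
}

# Only the connector's address is added; the existing office-IP rule on the
# same security group is left untouched.
resource "aws_security_group_rule" "lb_from_cloudflared" {
  type              = "ingress"
  security_group_id = var.lb_sg_id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["${var.cloudflared_eip}/32"]
  description       = "cloudflared tunnel connector"
}

# WARP split tunnel in include mode: only traffic for the app goes through
# WARP; everything else leaves the device directly.
resource "cloudflare_split_tunnel" "app_only" {
  account_id = var.account_id
  mode       = "include"
  tunnels {
    host        = local.app_hostname
    description = "AWS app via Cloudflare"
  }
}
```

Start the connector on the instance with `cloudflared tunnel run --token <token>`, taking the token from the `tunnel_token` attribute of `cloudflare_tunnel.aws` (treat it as a secret). Because the only non-office source the load balancer accepts is the connector's address, the classic load balancer needs no mTLS support: identity is checked by Access at the edge before a request ever enters the tunnel. The split tunnel is only required if users run the WARP client; with the one-time PIN flow they simply open the hostname in a browser.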

Again, thanks for the reply. I think I would not be able to use this, as the domain and its DNS are tied into Route53 on AWS. And routing is dynamic, as the A record points to the Beanstalk application that created the running app itself. Or is there a work-around for that using your suggestion?

Also, I would only need the VPN-type users to use this solution. The people in the office would not use any logins and such, since the office IP is currently allowlisted in the load balancer.