Confused about how to use Cloudflare Access to have SSH access to backend servers

I have a domain that has different services running on , where xyz is the name of the service. Each service runs on a droplet in DigitalOcean.

I want to use CF Access to give only authorized people SSH access to the backend servers.

There are two interfaces for configuring this. One is the Access tab in , but if I understand correctly it's missing a lot of settings (I can't really configure an Access Group there), and the other is in

Which interface am I supposed to use to configure this?

Preferably, I want to use the ssh.<service> domain as the facilitator for SSH, but I am very open to other ideas as well.

Then, there is a lot of confusion about how to configure it. There is:

  1. Short-lived certificates,
  2. SSH connections,

They both seem to be doing the same thing, so what approach should I take? What is the preferred way of doing this?

Is there a way to access all my services at ssh.<service>? Is there any simpler documentation on how to configure this? We have an internal VPN configured with WireGuard; it's a pretty terrible setup and we are trying to move away from it.

I also tried Spectrum, but all our servers listen on port 4556 for SSH and there doesn't seem to be a way to configure the port in Spectrum. Plus, this will expose all the actual IP addresses of our backend servers/droplets, since you have to configure Spectrum on a subdomain, which then opens them up to a lot of unwanted SSH traffic. Not that that's a huge problem; I just prefer the CF Access approach, where users have to authorize with the CF Access portal before they are allowed in, compared to Spectrum. But then, I am no expert and I will be happy to hear from everyone else on how it should be done. 🙂

Hi! Sam from Cloudflare here.

You can use either interface, but we recommend where new features are being added and we’re addressing some confusion.

Short-lived certificates are an optional additional feature that you can add when securing SSH with Cloudflare Access. You do not need it to use the SSH-in-Access flow.

You will need to run cloudflared on each machine that you want to secure with Access, and assign each a unique hostname, but you can build an Access policy that wildcards those machines. You can also use the SSH flow as a bastion host model if preferred.
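The following is an added example, not code from this thread or from Cloudflare: it renders the configuration files that the SSH-in-Access flow described above needs for a droplet whose sshd listens on port 4556, plus the optional short-lived-certificate layer on both sides. The zone `example.com`, the service name `xyz`, and the all-zero tunnel UUID are placeholders; the file paths and `cloudflared` subcommands are the documented ones.

```shell
#!/bin/sh
# Added example (not from the thread or from Cloudflare). Renders the config
# files for "SSH in Access" on droplets whose sshd listens on a non-standard
# port. Assumed: example.com as the zone, 4556 as the SSH port from the
# question, and a placeholder tunnel UUID.
set -eu

DOMAIN="${DOMAIN:-example.com}"        # assumed zone
SSH_PORT="${SSH_PORT:-4556}"           # port from the question
TUNNEL_ID="${TUNNEL_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder UUID

# Server side (one per droplet): /etc/cloudflared/config.yml. The hostname is
# ssh.<service>.<domain>; the tunnel forwards to the local sshd port, so the
# droplet's public IP never appears in DNS and no inbound port needs to be open.
# The final catch-all rule is required: cloudflared refuses to start without it.
render_cloudflared_config() {
  service="$1"
  cat <<EOF
tunnel: ${TUNNEL_ID}
credentials-file: /etc/cloudflared/${TUNNEL_ID}.json
ingress:
  - hostname: ssh.${service}.${DOMAIN}
    service: ssh://localhost:${SSH_PORT}
  - service: http_status:404
EOF
}

# Client side: ~/.ssh/config. One wildcard Host stanza covers every service;
# cloudflared runs the Access login in the browser and proxies the TCP stream,
# so users still type "ssh user@ssh.xyz.example.com".
render_ssh_client_config() {
  cat <<EOF
Host ssh.*.${DOMAIN}
  ProxyCommand cloudflared access ssh --hostname %h
EOF
}

# Optional short-lived certificate layer, client side: ssh-gen fetches a
# short-lived certificate from Access before each connection, so no long-lived
# SSH keys need to live on laptops.
render_ssh_client_config_with_certs() {
  cat <<EOF
Match host ssh.*.${DOMAIN} exec "cloudflared access ssh-gen --hostname %h"
  ProxyCommand cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
EOF
}

# Optional short-lived certificate layer, server side (/etc/ssh/sshd_config):
# sshd trusts the Access CA public key, which is copied from the Access
# dashboard into /etc/ssh/ca.pub.
render_sshd_ca_config() {
  cat <<'EOF'
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub
EOF
}

# Sanity check to run before restarting cloudflared; skipped when the binary
# is not installed so the script still runs offline.
validate_cloudflared_config() {
  file="$1"
  if command -v cloudflared >/dev/null 2>&1; then
    cloudflared tunnel --config "$file" ingress validate
  else
    echo "cloudflared not installed; skipping ingress validation" >&2
  fi
}

if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp)"
  render_cloudflared_config xyz > "$tmp"
  cat "$tmp"
  validate_cloudflared_config "$tmp"
  render_ssh_client_config
  rm -f "$tmp"
fi
```

Run with `--demo` to print the droplet's `config.yml` and the client stanza. Each droplet gets its own `ssh.<service>` hostname in its ingress rule, while the Access application that fronts them can use a wildcard subdomain (for example `ssh.*.example.com`) so a single policy and Access Group covers all of them; the certificate functions are only needed if you add the short-lived certificate option on top.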