Controlling Access to a non-HTTP service using Access Policies

Hello everyone, I have a challenge that I would appreciate your input in resolving:

I currently set up a Cloudflare Tunnel for my private VPC on AWS, through which I connect to the Cloudflare edge using cloudflared running in a container.

I went ahead and created a private network in the Zero Trust dashboard on the specific tunnel I created, which represents my VPC, and was able to use the WARP client on my Mac to connect to port 3306 of my MySQL server using its private IP address. Of course, in the split tunneling of the WARP client profile, I used exclude mode and deleted the CIDR of my private network.

Now, I wanted to be able to access the same MySQL server using its domain name instead of its IP, and without just adding an A record to the DNS on Cloudflare, which would make it publicly available. What I did was create a resolver policy in Cloudflare Gateway so that Cloudflare falls back to my local DNS address linked to Route53 when it tries to resolve that particular domain and can't find it on Cloudflare DNS.

That also works pretty well. Now I can connect to my private MySQL server on port 3306 using its domain name.

The challenge now is that, by default, all devices enrolled in my organization can access the service, and I want to block or allow specific users.

I have tried using a Cloudflare Access application, which is integrated with Okta as my Identity Provider, but it does not work. Is this because the DNS record that points to my MySQL server is not on the publicly available Cloudflare DNS?

Can anyone assist with how I can make access to that private MySQL server possible only for specific users when connected to the WARP client?

Thank you very much. I'll look forward to your responses.

Hi there, you could enable the Gateway proxy and create Gateway policies to restrict access to your domain or IPs, blocking or allowing specific users via their e-mail addresses or identity group.

Make sure the users you want to allow are authenticated through your Identity Provider (Okta) and that their identities are recognized by Cloudflare. This way, the rule will permit access only to those specific users when they are connected to the WARP client.
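The reply above describes two Gateway network (L4) policies: an allow rule scoped to named identities, followed by a catch-all block for the same destination. The following is an added example, not code from the thread or from Cloudflare, that builds those two rule bodies for the `POST /accounts/{account_id}/gateway/rules` API, mimics Gateway's precedence ordering locally so the logic can be checked before anything is submitted, and submits them. The private IP `10.0.1.25`, the e-mail addresses, and the account ID are placeholder assumptions. Because MySQL negotiates TLS inside its own protocol handshake, there is no SNI for Gateway to match at connect time, so the traffic expression matches on destination IP and port, which is also why the resolver-policy hostname still ends up controlled: it resolves to that private IP.

```python
"""Build, dry-run and submit Gateway L4 policies that gate a private MySQL
server to named Okta identities.  Added example; IP, e-mails and account
ID are assumed placeholders, not values from the original thread."""
import ipaddress
import json
import urllib.request
from dataclasses import dataclass

API_BASE = "https://api.cloudflare.com/client/v4"


@dataclass(frozen=True)
class L4Rule:
    name: str
    precedence: int        # Gateway evaluates lower values first
    action: str            # "allow" or "block"
    dst_ip: str            # private IP the Gateway resolver policy returns
    dst_port: int
    emails: tuple = ()     # empty = matches any authenticated identity

    def traffic_expr(self) -> str:
        # Wirefilter selectors for network policies: destination IP and port.
        # No SNI selector: MySQL starts TLS after the server greeting.
        return f"net.dst.ip == {self.dst_ip} && net.dst.port == {self.dst_port}"

    def identity_expr(self) -> str:
        # Wirefilter set literal uses space-separated quoted members.
        members = " ".join(f'"{e}"' for e in self.emails)
        return f"identity.email in {{{members}}}"

    def payload(self) -> dict:
        body = {
            "name": self.name,
            "enabled": True,
            "precedence": self.precedence,
            "action": self.action,
            "filters": ["l4"],          # network (L4) policy, needs the Gateway proxy on
            "traffic": self.traffic_expr(),
        }
        if self.emails:
            body["identity"] = self.identity_expr()
        return body

    def matches(self, ip: str, port: int, email: str) -> bool:
        if ipaddress.ip_address(ip) != ipaddress.ip_address(self.dst_ip):
            return False
        if port != self.dst_port:
            return False
        return not self.emails or email in self.emails


def mysql_rules(mysql_ip: str, allowed_emails, port: int = 3306) -> list:
    """Allow named users first, then block everyone else on the same host:port."""
    allow = L4Rule("Allow MySQL for DBAs", 100, "allow", mysql_ip, port, tuple(allowed_emails))
    block = L4Rule("Block MySQL for everyone else", 200, "block", mysql_ip, port)
    return [allow, block]


def evaluate(rules, ip: str, port: int, email: str) -> str:
    """Local dry run of Gateway ordering: first matching rule by precedence wins;
    with no match Gateway's implicit default is allow."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(ip, port, email):
            return rule.action
    return "allow"


def post_rules(account_id: str, api_token: str, rules, opener=urllib.request.urlopen) -> list:
    """Submit each rule; `opener` is injectable so this can be stubbed offline."""
    url = f"{API_BASE}/accounts/{account_id}/gateway/rules"
    results = []
    for rule in rules:
        req = urllib.request.Request(
            url,
            data=json.dumps(rule.payload()).encode(),
            method="POST",
            headers={"Authorization": f"Bearer {api_token}",
                     "Content-Type": "application/json"},
        )
        with opener(req) as resp:
            results.append(json.load(resp))
    return results


if __name__ == "__main__":
    rules = mysql_rules("10.0.1.25", ["alice@example.com", "bob@example.com"])
    for r in rules:
        print(json.dumps(r.payload(), indent=2))
    print(evaluate(rules, "10.0.1.25", 3306, "alice@example.com"))    # allow
    print(evaluate(rules, "10.0.1.25", 3306, "mallory@example.com"))  # block
```

Keep the block rule's precedence numerically higher than the allow rule's so it is evaluated second; if a later edit in the dashboard reorders them, every identity is blocked. The `evaluate` dry run above is only a model of the two rules you create, not of the rest of your account's policies, so run it as a sanity check on ordering rather than as proof of the deployed configuration.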