Creating an Access Application hosted in a Private Network

Is it possible to set up cloudflared to connect my private network to Cloudflare and register an internal application with Access so it shows on the App Launcher without having to use WARP?

I’d imagine so from the docs, but I can’t figure out how to do it. Here’s what I did:

  1. Set up cloudflared: works perfectly; when using the WARP app I can get to every Public Hostname and Private Network I configure
  2. Set up an Access Application using the “Private Network” option: typed my internal IP
  3. Create a Policy: I created a network policy allowing all traffic (tried matching my email or regex .*)

Am I misinterpreting something? Access seems to have no knowledge of the tunnels. I either make it work on both Access and internet, or not.

I also tried creating a Public Hostname and a policy to only allow specific emails, but the policy doesn’t seem to apply to the Public Hostname.

Instead of using the “Private Network” option, select “Self-hosted” and input the exact hostname you use to access the app mentioned here:

Thanks Andrew, with your help I was able to get it working. A few things were throwing me off:

  1. The UI: it’s counterintuitive to me to have to register my server under Public Hostname and then add it to Access, at which time it will be permissioned (but not shown under Policies)
  2. The logout behavior: it seems that just logging off of Access does not revoke application tokens (which I argue is not standard, see the OAuth and SAML specs).

What would a Private Network application be used for, then? Is that only in case I have WARP enabled? In that case, what’s the difference between that and just using a Bookmark if all my network will be accessible?