Exposing a postgres service through Traefik IngressRouteTCP and Cloudflare DNS

I cannot seem to connect to postgres through its domain name.

Let’s say I’ve created an A record postgres for my example.com domain. postgres.example.com points to a cloud LoadBalancer’s IP. I have a zone-level WAF which only allows inbound traffic from a VPN server I have set up somewhere else.

Additionally, I have a Kubernetes cluster running postgres and traefik. There is a Traefik IngressRouteTCP which is configured as follows:

entryPoints:
  - websecure
routes:
  - match: HostSNI(`postgres.example.com`)
    kind: Rule
    services:
      - name: my-postgres-service
        port: 5432

Which uses a cert I retrieved from cloudflare as the tls cert. (I can provide full manifests if required).

Then, I connect to my VPN and try to connect to my postgres instance using a db client. I get the following error:

Connection terminated due to connection timeout

This same config works fine for HTTP/HTTPS traffic (changing only IngressRouteTCP to IngressRoute and HostSNI() to Host()).

This doesn’t strike me as a limitation of Cloudflare so much as a misconfiguration somewhere on my end, but I wanted to double check in this community about that. I would also welcome any troubleshooting tips.
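As an added illustration of what sits behind the timeout (this is example code written for this thread, not anything from the original post, Traefik or Cloudflare): a HostSNI rule like the one above can only match a TLS ClientHello that carries a server_name extension, and an HTTP proxy can only forward bytes that look like an HTTP request. A PostgreSQL client's very first packet is neither: it is an 8-byte SSLRequest (when it wants TLS) or a plaintext StartupMessage. The script below builds the three kinds of first packet from constructed values and classifies them the way a router peeking at the first bytes would; build_client_hello, peek_sni and classify are hypothetical helper names, and the ClientHello it builds is deliberately minimal.

```python
import struct

# PostgreSQL frontend/backend protocol constants (protocol version 3.0).
PG_SSLREQUEST_CODE = 80877103   # (1234 << 16) | 5679, sent before a TLS handshake
PG_PROTOCOL_3_0 = 196608        # (3 << 16) | 0, plaintext StartupMessage version
PG_SSLREQUEST = struct.pack("!II", 8, PG_SSLREQUEST_CODE)


def pg_startup_message(user: str, database: str) -> bytes:
    """Constructed PostgreSQL StartupMessage: int32 length, int32 version, key/value pairs."""
    params = (b"user\x00" + user.encode() + b"\x00"
              + b"database\x00" + database.encode() + b"\x00\x00")
    body = struct.pack("!I", PG_PROTOCOL_3_0) + params
    return struct.pack("!I", len(body) + 4) + body


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello whose only extension is server_name (SNI)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = SNI
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32          # client_version + constructed (all-zero) random
            + b"\x00"                            # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                        # compression methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def peek_sni(data: bytes):
    """Return the SNI host from a TLS ClientHello, or None if the bytes are not one."""
    try:
        if data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
            return None
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                   # skip version and random
        pos += 1 + body[pos]                           # skip session id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # skip cipher suites
        pos += 1 + body[pos]                           # skip compression methods
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if etype == 0:
                lpos = pos + 2                         # skip server_name_list length
                if body[lpos] == 0:                    # name_type host_name
                    hlen = struct.unpack_from("!H", body, lpos + 1)[0]
                    return body[lpos + 3:lpos + 3 + hlen].decode("ascii", "replace")
            pos += elen
        return None
    except (IndexError, struct.error):
        return None


def classify(data: bytes) -> str:
    """Label the first bytes of a connection the way a protocol-sniffing router would."""
    if len(data) >= 8:
        length, code = struct.unpack("!II", data[:8])
        if length == 8 and code == PG_SSLREQUEST_CODE:
            return "postgres-sslrequest"
        if code == PG_PROTOCOL_3_0:
            return "postgres-startup"
    if data[:2] == b"\x16\x03":
        return "tls-clienthello"
    first_line = data.split(b"\r\n", 1)[0]
    methods = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")
    if any(first_line.startswith(m + b" ") for m in methods):
        return "http"
    return "unknown"


if __name__ == "__main__":
    for label, pkt in (("db client, TLS requested", PG_SSLREQUEST),
                       ("db client, plaintext", pg_startup_message("app", "appdb")),
                       ("browser", build_client_hello("postgres.example.com"))):
        print(f"{label:26} -> {classify(pkt):20} SNI={peek_sni(pkt)}")
```

Only the last packet exposes a hostname that a HostSNI rule could match, and none of the three is an HTTP request, which is what an HTTP-only proxy in front of the LoadBalancer would be waiting for. For troubleshooting, the useful split is therefore: test the LoadBalancer IP directly with the VPN up to confirm Traefik and the certificate behave, then compare that with the result through the DNS name.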

This is in fact a limitation by Cloudflare, as they only proxy HTTP(S) traffic.

1 Like

I see. Would using Cloudflare Spectrum remove that limitation?

With an Enterprise agreement.

Lower plans do not support TCP traffic, as you can see here: Cloudflare Spectrum · Cloudflare Spectrum docs

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.