I’m fairly new to the DevOps security side, and have been tasked with setting up the HashiStack: a Terraform deployment of Consul, Nomad and Vault on Scaleway servers.
It seems from this that one would set up a jumphost (I guess Cloudflare calls this the origin server), which the public can access and which forwards requests on to the local Nomad+Consul servers in the DMZ, which only local IPs can access.
My concern with this model is that if someone else’s app is running on the same Scaleway servers, then it would also have a local IP, and thus the DMZ and jumphost configuration would need to use specific IPs, or every server would need the public key of the other servers, with all traffic TLS-encrypted using a custom CA provided by Vault.
However, that is quite complicated, so I’m wondering if the other solution is to just install Argo Tunnel on all the servers and control access to sensitive services via Cloudflare Access, thus not having to bother with a custom local-only DMZ+TLS setup.
Is this a use case solved well by Argo Tunnel?
(Just in case I am using DMZ and jumphost wrong, this is my understanding: a jumphost is a server that the public can access and which then forwards requests into a DMZ zone, that is, a zone that allows no public incoming traffic, only traffic from allowed local IPs, hence the need for the jumphost.)
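To make the second option in the post concrete, here is an added example (not from the post, and not Cloudflare's or HashiCorp's own code) of the Terraform wiring for one service: an Argo Tunnel for the Nomad host, a CNAME pointing the public hostname at the tunnel, and a Cloudflare Access application and policy that every request must pass at Cloudflare's edge before it reaches the tunnel. The account and zone IDs, the hostname nomad.example.com, the e-mail domain and the session duration are placeholder assumptions; the resource and attribute names assume a cloudflare provider release in which the tunnel resource is still called `cloudflare_argo_tunnel` (it was renamed in later releases), so check them against the provider version you pin.

```hcl
# Added example (not from the post): Argo Tunnel + Cloudflare Access in front
# of the Nomad UI. Account/zone IDs, hostname and e-mail domain are assumed
# placeholders; resource names assume a provider release with
# cloudflare_argo_tunnel.

terraform {
  required_providers {
    cloudflare = {
      source = "cloudflare/cloudflare"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

variable "cloudflare_account_id" { type = string }
variable "cloudflare_zone_id"    { type = string }

# Tunnel secret: 32 random bytes, base64-encoded, the form cloudflared expects.
resource "random_id" "tunnel_secret" {
  byte_length = 32
}

resource "cloudflare_argo_tunnel" "nomad" {
  account_id = var.cloudflare_account_id
  name       = "nomad-ui"
  secret     = random_id.tunnel_secret.b64_std
}

# Public hostname -> tunnel. No Scaleway public IP or inbound port is involved.
resource "cloudflare_record" "nomad" {
  zone_id = var.cloudflare_zone_id
  name    = "nomad"
  value   = "${cloudflare_argo_tunnel.nomad.id}.cfargotunnel.com"
  type    = "CNAME"
  proxied = true
}

# Access application: requests to this hostname are checked against Access
# policies at Cloudflare's edge before anything is forwarded down the tunnel.
resource "cloudflare_access_application" "nomad" {
  zone_id          = var.cloudflare_zone_id
  name             = "Nomad UI"
  domain           = "nomad.example.com"
  session_duration = "24h"
}

# Allow only identities whose e-mail is in the assumed example.com domain.
resource "cloudflare_access_policy" "nomad_ops" {
  application_id = cloudflare_access_application.nomad.id
  zone_id        = var.cloudflare_zone_id
  name           = "ops team only"
  precedence     = 1
  decision       = "allow"

  include {
    email_domain = ["example.com"]
  }
}

# cloudflared config for the Nomad host. The ingress rule targets the Nomad
# HTTP API on loopback (default port 4646), so the UI need not listen on the
# Scaleway private network at all. The final catch-all rule is mandatory.
output "cloudflared_config" {
  value = <<-EOT
    tunnel: ${cloudflare_argo_tunnel.nomad.id}
    credentials-file: /etc/cloudflared/${cloudflare_argo_tunnel.nomad.id}.json
    ingress:
      - hostname: nomad.example.com
        service: http://127.0.0.1:4646
      - service: http_status:404
  EOT
}
```

The same pattern repeats per host for the Consul UI (default port 8500) and Vault (default port 8200), each with its own hostname and Access policy; the credentials file referenced above is the JSON cloudflared expects (account tag, tunnel ID and tunnel secret), which you would render from the same Terraform values. One caveat worth keeping in mind: Access and the tunnel only govern HTTP(S) requests that arrive through Cloudflare. Consul and Nomad still talk to each other over gossip and RPC on the Scaleway private network, and that traffic never goes through the tunnel, so binding those services to the private interface, firewalling them, and enabling their TLS and ACLs remain separate tasks regardless of which option is chosen for the public entry point.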