Protect/Access AWS resources under a VPC using cloudflare zero trust

Hi,

I’m not sure whether this is possible or not, but I’m trying to set up the following:

  • Created a team on cf zero trust dashboard, added sso provider as github
  • Created an ec2 instance and installed and configured cloudflared under the default vpc as per this https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/deployment-guides/aws/

Now, the things working:

  • I’ve set up the warp client on my android and pc; by logging in using github sso, I can connect to the zero trust network

What’s not working - or more specifically → I can’t understand how I should set this up:

  • Only let me connect (ssh) to that ec2 instance^ when I’m connected to the cf warp client (authenticated via github’s sso)

Not sure whether this is possible or not^; if it is possible, it would be super helpful if anyone can help me with this.

Basically, I want to route traffic to all the available resources in default vpc (or any other in future - if this setup works) whenever and only when I’m connected to warp network (authenticated via github sso - this works fyi).

If anyone can help, would be appreciated.

Thanks in advance.

Yes, it is possible to allow access to an EC2 instance only when connected to the Cloudflare Warp client authenticated via GitHub SSO. Here are the high-level steps to achieve this:

  1. Create an AWS Security Group for your EC2 instance that only allows incoming SSH traffic from the IP range used by the Cloudflare Warp client. You can find the IP range in the Warp client’s configuration file or by running the following command:

```bash
dig +short whoami.cloudflare.com TXT
```

I put a space after the dot because I can’t share links.
This command will return a DNS TXT record containing the IP range used by the Warp client.

  2. Modify the EC2 instance’s Security Group to allow incoming SSH traffic only from the Security Group created in step 1.
  3. Install and configure Cloudflared on the EC2 instance as per the guide you linked.
  4. Create a Cloudflare Access policy that allows access to the EC2 instance’s SSH port only for authenticated users of your GitHub SSO provider.
  5. Install and configure the Cloudflare Access agent on the EC2 instance. This agent will authenticate SSH connections to the EC2 instance using Cloudflare Access.
  6. Test the setup by connecting to the EC2 instance’s SSH port while authenticated via the Cloudflare Warp client.

Note that this setup requires the Cloudflare Warp client to be connected to the Cloudflare network for SSH access to be allowed. If the Warp client is disconnected, SSH access to the EC2 instance will be denied.

I did a setup again as follows (but I still can’t understand why it is not working):

  • Created an ec2 instance with default vpc on aws
  • Blocked all inbound traffic
  • Created a cloudflared service using:

```bash
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb &&
sudo dpkg -i cloudflared.deb &&
sudo cloudflared service install <token>
```
  • Created a Private Network == 172.31.0.0/16 route to tunnel ← this is default vpc’s cidr range
  • Tunnel shows connected and healthy
  • Connected to warp client which is authenticated and authorized by the email rule for my email id only (checked this, only allowed to connect to my org/team for cf’s zero trust only from my specified email id)

Now I’m assuming I did everything right as per the official guides and other resources I checked online.

But it is not working.

So, then I tried your approach of finding the cidr using `dig +short whoami.Cloudflare.com TXT`, and I got 162.159.0.0.

  • so I added an inbound rule to allow all traffic from this^ cidr; still it is not working.

I don’t know what I’m doing wrong; people online are claiming that this should work or that it is working for them, but not for me.

If you can provide more help, it would be really appreciated. I’m kind of stuck here, as there aren’t any more online guides, even official ones, to follow (I’ve already checked almost all of those).

I was able to solve this :yay:

Solution → My vpc’s cidr block comes under a cidr range which was part of Split Tunnels (under settings of the 0 trust dash) and was added under Exclude IPs and domains. To fix this, I removed that, and now I can directly access all the private IPs/services running inside that vpc, routed via the cloudflared daemon running on a single ec2 instance under that vpc.

Note: No inbound rules at all :smiley:

If someone else wants to mimic the same in near future, hope it helps them^.

My other post for relevant details:

  • https://community.cloudflare.com/t/unable-to-ssh-into-ec2-instance-via-cloudflared-installed-on-it/479321
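The fix described in the post above, as an added check that is not part of this thread: given a WARP Split Tunnels exclude list and the CIDRs routed through the tunnel, report which exclude entries shadow a route, then compute a narrower exclude list that frees the VPC range while keeping the rest of the private space excluded. The exclude list below is a constructed sample and the function names are my own.

```python
import ipaddress

# Constructed sample of a WARP Split Tunnels "Exclude IPs and domains" list
# (assumption: Cloudflare's default list carries these RFC 1918 ranges).
SAMPLE_EXCLUDES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "fe80::/10", "corp.example",
]
TUNNEL_ROUTES = ["172.31.0.0/16"]  # private network route: default VPC CIDR

def _networks(entries):
    # IP-range entries of a Split Tunnels list; domain entries are skipped.
    nets = []
    for e in entries:
        try:
            nets.append(ipaddress.ip_network(e, strict=False))
        except ValueError:
            pass
    return nets

def shadowed_routes(routes, excludes):
    """Map each tunnel route to the exclude entries overlapping it (that traffic bypasses WARP)."""
    hits = {}
    for r in _networks(routes):
        found = [str(x) for x in _networks(excludes)
                 if x.version == r.version and x.overlaps(r)]
        if found:
            hits[str(r)] = found
    return hits

def carve_excludes(routes, excludes):
    """Return an exclude list that no longer covers any tunnel route: an entry
    containing a route is replaced by the CIDR pieces outside that route."""
    out = []
    for e in excludes:
        try:
            pieces = [ipaddress.ip_network(e, strict=False)]
        except ValueError:
            out.append(e)  # keep domain entries untouched
            continue
        for r in _networks(routes):
            kept = []  # pieces of this entry that stay outside route r
            for p in pieces:
                if p.version != r.version or not p.overlaps(r):
                    kept.append(p)
                elif r.subnet_of(p):
                    kept.extend(p.address_exclude(r))  # p minus r; a p inside r is dropped
            pieces = kept
        out.extend(str(p) for p in sorted(pieces))
    return out
```

For the thread's case this flags 172.16.0.0/12 as the entry swallowing 172.31.0.0/16 and replaces it with 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15 and 172.30.0.0/16, which is the same outcome as removing the entry and re-adding the ranges you still want excluded.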

Hi @ashishjullia19, I have done the following and it is still not working for me. Could you please help?
Installed cloudflared services in my EC2 instance as per the guide.
Created tunnel and started it as per the guide.
I routed the tunnel to 172.31.0.0/16.
I can see the tunnel is Healthy.
My WARP installed and configured.
Still can’t connect.

If you can provide more details, I might be able to help you.

Thanks for your reply @ashishjullia19
Yeah, sure.
I’m using zero trust (Access) for other resources (Web applications) without any problems.
I have configured the access policy to include WARP and email authentication.
Now when I came to add one of the EC2 instances (SSH only) to be included.
I have followed this guide here https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/deployment-guides/aws/.
I have created a security group to accept all traffic from (172.31.0.0/16) and incoming ssh from (162.159.0.0/16) assuming this is the WARP IP Range.
I try to ssh to the instance, but I can’t get any connection.

Please, let me know if you need any further details.

@hamza_abutaleb if you can share more details, I’ll be happy to help.

Can you share the config details of your cf tunnels for this setup?