Replacing VPN - Connecting Securely to EC2


I am looking to change our current systems and trying to see if Cloudflare will replace this.

Current: Developers have VPN desktop clients that connect to an AWS NAT; they then SSH in to EC2 instances that are in the private subnet with a private IP. The VPN allows them to connect to all the EC2 instances we have.

Objective: Remove the existing VPN, remove the NAT, put the EC2 in a pub subnet, restrict access based on IP/network and have SSH access.

We have put a test EC2 into a public subnet and restricted access to one of the users' personal IP addresses, and that security model works for us. But this is not scalable, as people move around and we want to control traffic a little better.

If we can use Cloudflare this would be great. However, at the moment the WARP client seems to only give a national-level IP address, i.e. anyone with a WARP client in that country would be able to see our EC2, so it doesn't provide the security I required. Is there a way to secure access to an EC2, so only our team can see it?


I wouldn’t do it in the way you’re thinking.

Instead, you can use WARP’s private network routing. You’d install cloudflared in an EC2 instance that has access to the rest of your instances and then configure cloudflared to advertise the internal range that your EC2 instances are on.

That way, people need WARP and to enroll into your organisation. You can then apply policies, based on groups and a bunch of other selectors like destination IP or port, to manage which users have access to which instances.

Basically, a traditional P2S VPN with some Cloudflare magic sprinkled in.

Thanks for this, really appreciated. It's probably what I need… but not what I wanted 🙂 I was hoping there was some other magic I could use!

I will look into this.


Thanks again - I have just been reading into this.
One part that confused me was this:

“use a website that you have added into your account. This will authenticate your instance of cloudflared to your Cloudflare account”

We have websites and we use Cloudflare to protect them, but they are entirely unconnected to our AWS environment, so I just want to make sure I am going in the right direction with this.

I had thought this was using a dedicated EC2 as some sort of bastion, and tunnelling to get to that, but I may have misunderstood.

Thanks again.

cloudflared can be used to make public hostname tunnels (like Ngrok) so that functionality still wants to be bound to a zone.

The private network ‘bastion’ you’ll be after won’t use the domain you bind it to at all and is linked to your Zero Trust account.

Edit: if you wanted a purely SSH bastion, there’s also

The one I’ve been talking about will do any TCP/UDP traffic (no ICMP) - like a P2S VPN.
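The private network routing described in the two replies above (cloudflared on one EC2 instance advertising the private range, the instance acting as the "bastion"), as an added example that is not from either poster or from Cloudflare. The tunnel name, the private CIDR and an already logged-in cloudflared are assumptions; with DRY_RUN=1 (the default) it only prints the commands, so it can be checked without cloudflared installed.

```shell
#!/bin/sh
# Added example: create a cloudflared tunnel on one EC2 instance and advertise
# the private subnet range to enrolled WARP clients. Assumptions: the tunnel
# name and CIDR are placeholders, and "cloudflared tunnel login" has been run.
set -eu

TUNNEL_NAME="${TUNNEL_NAME:-aws-private-net}"   # assumed tunnel name
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.0.0/16}"     # assumed VPC/subnet range
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands only

# Accept only a dotted-quad IPv4 CIDR with a /0-/32 prefix; a typo here would
# advertise the wrong range to every enrolled device, so reject it up front.
valid_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the tunnel, route the private range through it, then run it.
# Returns 1 without doing anything if the CIDR is rejected.
setup_private_route() {
  valid_cidr "$2" || return 1
  run cloudflared tunnel create "$1"
  run cloudflared tunnel route ip add "$2" "$1"
  run cloudflared tunnel run "$1"
}

setup_private_route "$TUNNEL_NAME" "$PRIVATE_CIDR"
```

The per-user rules the reply mentions (identity group, destination IP, port) are then applied as Zero Trust network policies on the Cloudflare side, not on the instance. Because cloudflared only makes outbound connections, the instance's security group no longer needs an inbound port 22 rule from the internet.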

Thanks again
