Setting CloudFlare + EKS + CloudFront

Current Setup

Route53, Amazon EKS, WPEngine, CloudFront

I am currently running Kubernetes through Amazon EKS. I have services exposed to the internet through a LoadBalancer.

evilcorp.com -> Front facing website

  • resides on WPEngine

clientname.frontend.evilcorp.io -> Client instance app

  • Provided by Cloudfront

*.api.evilcorp.io -> Client instance backend (e.g. worlddestroyer.api.evilcorp.io)

There’s an SOA entry for api.evilcorp.io and an A record for *.api.evilcorp.io. These point to the LB, and whatever.api.evilcorp.io is resolved internally through the Traefik Ingress.

All SSL Certs are provided by Amazon.

Challenge: I’d like to setup CloudFlare WAF to protect my cluster, and the entry-points to my cluster are the api.evilcorp.io & *.api.evilcorp.io.

I tried to add a site api.evilcorp.io and was prompted to use the root domain name evilcorp.io. Using the root domain name, it brought up a number of A, CNAME, TXT, MX records and asked me to change my nameservers.

I’d like to point only *api.evilcorp.io to CloudFlare. From the docs it states that

  1. Add a CNAME record to Cloudflare for the hostname; for example: elb
  2. In the Cloudflare DNS app, replace Domain name with the ELB target:
     "<AWS hostname>.<region>.elb.amazonaws.com" is the proper CNAME target format
     (for example: my-cool-cachepp-1344276401.eu-west-1.elb.amazonaws.com).
  3. Reach out to AWS support to determine the AWS hostname or region.

How do I do the above without having to change my nameservers? While I know it’s possible to set up CloudFront to point to CloudFlare, I’d prefer to keep things as they are and only change things related to my cluster for now.

Also, apart from not protecting the root domain name, are there any other drawbacks to this approach? Will this introduce significant latency?

Thank you

Personally I’d just change the name servers to Cloudflare. You can choose to only proxy the one subdomain if that’s what you want and just have any and all other records simply returned just as they would be from any other DNS host.


Thank you Saul, the part I still don’t understand about the CNAME setup is: I intend to route api.evil.io and *.api.evil.io; will the CNAME setup accept wildcards, or do I have to manually add all the entries?

Currently on R53 all I have to do is to specify the wildcard.

Also, you suggested changing the nameservers; when I compared the values I had in R53 and those CloudFlare auto-detected, there were discrepancies. So if I am to change my nameservers, would I just copy over the values in R53?

Also, this wouldn’t in any way affect the validity and renewal of my certificates, right?

> Thank you Saul, the part I still don’t understand about the CNAME setup is: I intend to route api.evil.io and *.api.evil.io; will the CNAME setup accept wildcards, or do I have to manually add all the entries?
> Currently on R53 all I have to do is to specify the wildcard.

Seeing as you’d need a business plan, you should be able to use wildcards with no issue (cf can’t get Cloudflare-SSL protected wildcards on the free tier).

> Also, you suggested changing the nameservers; when I compared the values I had in R53 and those CloudFlare auto-detected, there were discrepancies. So if I am to change my nameservers, would I just copy over the values in R53?

Yes, just copy in anything that the scan missed. All Cloudflare has done to populate that initial list is query some of the more common record names.

> Also, this wouldn’t in any way affect the validity and renewal of my certificates, right?

For unproxied records, no impact. For records proxied by Cloudflare you’d need to make sure you upload certs as they get renewed. Cloudflare’s own certs only cover example.com and *.example.com so wouldn’t cover client.api.example.com as it is a level too deep.
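The "a level too deep" point above is the TLS wildcard rule: a `*` label matches exactly one DNS label, so a zone's default certificate names (apex plus `*.zone`) cover `api.example.com` but not `worlddestroyer.api.example.com`. The following script is an added example, not code from the thread or from Cloudflare; it lists which of a constructed set of hostnames (modelled on the layout in the question, with `example.com` standing in for the real zone) would be left uncovered and therefore need a custom certificate or a DNS-only record.

```python
"""Report hostnames that a zone's default (apex + one-level wildcard) certificate
would not cover. Added example; zone and hostnames below are constructed values."""
from typing import Iterable


def san_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name matches hostname.

    Follows the usual TLS rule: '*' may only be the entire leftmost label
    and stands for exactly one DNS label, so '*.example.com' matches
    'api.example.com' but neither 'example.com' nor 'a.api.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(h_labels) != len(p_labels):
        return False
    # Leftmost label is free; every remaining label must match exactly.
    return h_labels[1:] == p_labels[1:]


def default_cert_names(zone: str) -> list[str]:
    """Names on a default zone certificate as described in the thread:
    the apex and a single-level wildcard."""
    zone = zone.lower().rstrip(".")
    return [zone, f"*.{zone}"]


def uncovered_hosts(zone: str, hostnames: Iterable[str]) -> list[str]:
    """Return the hostnames that no name on the zone's default certificate matches."""
    names = default_cert_names(zone)
    return [h for h in hostnames if not any(san_matches(n, h) for n in names)]


# Constructed sample mirroring the question's layout (example.com stands in for the zone).
SAMPLE_ZONE = "example.com"
SAMPLE_HOSTS = [
    "example.com",
    "api.example.com",
    "worlddestroyer.api.example.com",
    "clientname.frontend.example.com",
]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_ZONE, SAMPLE_HOSTS):
        print(f"{host}: not covered by the {SAMPLE_ZONE} default certificate")
```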
