I am trying to use bastion and not quite getting something. My goal is to enable access to a cloud hosted server that sees very high loads, and I don’t want any additional overhead on it from running cloudflared locally, so I want client traffic to pivot through a bastion server for just this application in the same subnet. The server presents six different TCP ports to a thick client that runs on user end points, and I have a Cloudflare DNS entry for its non-routable address. Currently end users start up the thick client, the thick client resolves the server hostname to its non-routable address, traffic for that non-routable subnet is tunneled to a VPN point of presence that carries traffic for this subnet, and the thick client makes the connection with no issues.
So I spun up another VM with a NIC in the same subnet and I used hello world mode to ensure that the argo tunnel is up and that my AAD group ACL for access is behaving as intended (works for group members and prompts for authentication for non-members). From this bastion server, I can resolve and ping the non-routable address for the server I want clients to reach. But… I cannot figure out the correct syntax for cloudflared on the client side.
This is what I have tried as a start point to get access to one port to start with:
cloudflared.exe access tcp --hostname bastion.ZZZ.com --url cloudserver.ZZZ.com:8080 --destination cloudserver.ZZZ.com:8080
Cloudflared responds with “failed to start forwarding server: listen tcp 10.x.x.x:8080: bind: The requested address is not valid in its context.”
The 10.x.x.x:8080 address is the non-routable address resolved when querying cloudserver.ZZZ.com. I figure there is something I am misunderstanding with the --url and --destination switches, but I’ve tried a few permutations with no luck. The address is valid in the context of the bastion, as it resolves and can be pinged. I figure there is something obvious I’m doing wrong and I just need an outside perspective for it to click.
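The bind error above comes from the meaning of the two switches: with `cloudflared access tcp`, `--url` is the local address the client-side cloudflared listens on, and `--destination` is the host:port the bastion reaches on the user's behalf. The script below is an added example, not from the original post or from Cloudflare; it emits a client command per port with the listener on localhost and shows the bastion-side ingress (`service: bastion`) the tunnel needs in place of the hello-world test. The six port numbers and the tunnel UUID placeholder are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post). With `cloudflared access tcp`,
# --url is the LOCAL listen address and --destination is what the bastion
# forwards to. Binding --url to the server's own 10.x.x.x address is what
# produces "bind: The requested address is not valid in its context".

BASTION_HOSTNAME="bastion.ZZZ.com"      # public hostname of the Argo tunnel
SERVER="cloudserver.ZZZ.com"            # resolves to the non-routable 10.x address
PORTS="8080 8081 8082 8083 8084 8085"   # constructed: the six TCP ports (assumed values)

# One client-side command for a port: listen on localhost:PORT, have the
# bastion connect to SERVER:PORT.
access_cmd() {
  port="$1"
  printf 'cloudflared access tcp --hostname %s --url localhost:%s --destination %s:%s\n' \
    "$BASTION_HOSTNAME" "$port" "$SERVER" "$port"
}

# All six commands: one cloudflared process (one local listener) per port.
all_access_cmds() {
  for p in $PORTS; do access_cmd "$p"; done
}

# Bastion-side ingress for the tunnel (replaces the hello-world test config).
# `service: bastion` makes cloudflared honour the client's --destination,
# and the Access policy (the AAD group ACL) still gates the hostname.
bastion_config() {
  cat <<EOF
tunnel: <TUNNEL-UUID>
credentials-file: /root/.cloudflared/<TUNNEL-UUID>.json
ingress:
  - hostname: $BASTION_HOSTNAME
    service: bastion
  - service: http_status:404
EOF
}

all_access_cmds
bastion_config
```

Because each listener is on localhost, the thick client on the endpoint must be pointed at 127.0.0.1 for those ports (for example a hosts-file entry for cloudserver.ZZZ.com) rather than at the 10.x.x.x address.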