Zero Trust Warp to AWS resource in private subnet

I have followed the documentation here to set up a tunnel with an EC2 instance in AWS that has cloudflared installed.
I also created an access policy (Private Network) pointing to that cloudflared EC2 instance to allow me to access it, and removed the private subnet IP range from the split tunnel exclude IP setting.
But after I connect to WARP and try to ssh into an instance in a private subnet, which is in the same VPC where the cloudflared EC2 is deployed, I still cannot access the host in my private subnet.
I am sure there is something missing, but I can’t figure out what it is. Does anyone have any suggestions here?

Can you ssh from the EC2 instance to the VPC? What errors are generated in the logs?

Probably not what I would have used here. Access is typically for HTTP applications. If you’ve got this private subnet already configured in WARP and tunnels, you can use Gateway policies (Network) to control access to the resource(s) on the CIDRs exposed via the tunnel.

Hmmm, I just tried to ssh from the cloudflared EC2 to another private instance, and that is also not working.
A few more details: the cloudflared EC2 is in the same VPC but in a public subnet, whereas all other resources are in a private subnet of that VPC. The error message I see is Connection timed out.

While there can still be an issue with the Cloudflare config, it’s impossible to tell/troubleshoot that until you can successfully connect to the resource in the same manner from the machine running the tunnel.

Now I have fixed the connection from the cloudflared-installed EC2 to the private instance, but I cannot go directly from my local terminal to the private instance when I am connected on WARP @cscharff

Could you elaborate on “Private Subnet configured in WARP”? I tried to use Gateway network policies with the CIDRs, but it is still not working.

Hi @cici

Were you able to solve it? I’m also stuck on this even after following the documentation by cf itself.

For more on the situation:
https://community.cloudflare.com/t/unable-to-ssh-into-ec2-instance-via-cloudflared-installed-on-it/479321

I was able to solve this :yay:

Solution → My VPC’s CIDR block falls under a CIDR range that was part of Split Tunnels (under Settings in the Zero Trust dashboard) and was listed under Exclude IPs and domains. To fix this, I removed it, and I can now directly access all the private IPs/services running inside that VPC, routed via the cloudflared daemon running on a single EC2 instance in that VPC.

Note: No inbound rules at all :smiley:

If someone else wants to do the same in the near future, I hope this helps them.

My other posts with relevant details:

  • https://community.cloudflare.com/t/protect-access-aws-resources-under-a-vpc-using-cloudflare-zero-trust/479306/3
  • https://community.cloudflare.com/t/unable-to-ssh-into-ec2-instance-via-cloudflared-installed-on-it/479321
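
The fix described in the last post (a Split Tunnels "Exclude" entry covering the VPC CIDR keeps that traffic out of WARP) can be checked offline. The following is an added example, not part of the thread or Cloudflare's tooling: the function name `plan_exclude_changes` and the sample exclude list and VPC CIDR are constructed for illustration. It goes one step beyond the post by also computing the narrower ranges to add back, so the rest of a wide excluded range stays off the tunnel.

```python
import ipaddress

def plan_exclude_changes(exclude_entries, vpc_cidr):
    """Find Split Tunnel 'Exclude' entries that keep vpc_cidr out of WARP.

    Returns (keep, blocking, replacements):
      keep         - entries that do not touch the VPC range, left as they are
      blocking     - entries that cover or sit inside the VPC range; remove these
      replacements - narrower CIDRs to add back so the rest of a wider
                     blocking range stays excluded from the tunnel
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    keep, blocking, replacements = [], [], []
    for entry in exclude_entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            keep.append(entry)  # domain entry, not an IP range
            continue
        if net.version != vpc.version or not net.overlaps(vpc):
            keep.append(entry)
            continue
        blocking.append(entry)
        if net != vpc and vpc.subnet_of(net):
            # Wider range swallowing the VPC: carve the VPC out of it.
            replacements.extend(str(n) for n in sorted(net.address_exclude(vpc)))
    return keep, blocking, replacements

# Constructed sample data, not taken from the thread.
SAMPLE_EXCLUDES = ["10.0.0.0/8", "192.168.0.0/16", "fd00::/8", "corp.example"]
SAMPLE_VPC = "10.20.0.0/16"

if __name__ == "__main__":
    keep, blocking, replacements = plan_exclude_changes(SAMPLE_EXCLUDES, SAMPLE_VPC)
    print("remove:", blocking)
    print("add back:", replacements)
    print("unchanged:", keep)
```

Keeping the replacement ranges excluded limits what is routed through the tunnel to the VPC CIDR alone, rather than opening the whole former range to WARP.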