Cloudflare Access — Secure access to internal applications without a VPN

David Cheong
Jun 24, 2020

Cloudflare Access is a new, innovative product for securing access to internal applications without a VPN. Building a fence around your internal applications no longer works for a global team. Cloudflare Access replaces corporate VPN clients by putting Cloudflare’s global edge network in front of your internal applications.

Cloudflare Access works by acting as your VPN server at every Cloudflare edge location. A client that tries to access your private app or website is routed to the nearest Cloudflare edge server, and an authentication page then pops up to authenticate the user.

Cloudflare Access integrates with multiple identity providers to authenticate users, including Google, Facebook, GitHub, LinkedIn, Azure AD and more.

To start the Cloudflare Access demo, I first created an Nginx web server on EC2, then added all of the Cloudflare IP list to the security group, allowing port 80 (the IP list is available at https://www.cloudflare.com/ips/).

SSH into the Nginx server and add the domain name to the server block so that Nginx listens for the domain name demo.david-cheong.com.

Go to the Cloudflare portal and add a new DNS record for the domain name, pointing the domain at the Nginx server.

Using Access is very simple: go to the Cloudflare dashboard at https://dash.cloudflare.com/, select the domain that you wish to add Access to, then select the Access menu from the top menu bar.

Select the login method and identity provider to use for authentication. In my case, I’m using One-Time Pin for simplicity.

At this point, we have successfully set up Cloudflare Access to authenticate the domain demo.david-cheong.com. Now we can test it by entering the domain demo.david-cheong.com in the browser. You should see the Cloudflare Access login page pop up instead of the Nginx page.

Enter the email address that we whitelisted in the Access policy and click Send me a code.

Go to the mailbox and check for the email sent from Cloudflare. You can either click the attached link or copy the code and paste it into the Cloudflare Access login page.

Paste the code in the text box and click Sign in.

Then you will get the actual page from the Nginx server. Because we only whitelist and listen to the Cloudflare IP list, any other way of trying to access the page will be rejected.
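The security group step is what stops visitors from reaching Nginx without passing through Access, so it is worth checking that no other rule exposes port 80. The following is an added example, not code from the original post: it builds the port 80 rule in the IpPermissions shape the EC2 API uses and audits a group's rules against the allowed ranges. The function names are hypothetical, and the sample ranges and sample group are constructed.

```python
import ipaddress

# Constructed sample in one-CIDR-per-line form (RFC 5737 / RFC 3849
# documentation ranges, not real Cloudflare ranges).
SAMPLE_CF_LIST = """
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
"""

def parse_ranges(text):
    """Parse one CIDR per line, ignoring blank lines."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]

def build_ingress(ranges, port=80):
    """Return one rule in the IpPermissions shape the EC2 API uses."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": str(n)} for n in ranges if n.version == 4],
        "Ipv6Ranges": [{"CidrIpv6": str(n)} for n in ranges if n.version == 6],
    }

def covers_port(rule, port):
    """True if the rule applies to TCP traffic on the given port."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def audit_ingress(rules, allowed, port=80):
    """List source CIDRs that reach the port but lie outside the allowed ranges."""
    exposed = []
    for rule in rules:
        if not covers_port(rule, port):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                exposed.append(cidr)
    return exposed

if __name__ == "__main__":
    cf = parse_ranges(SAMPLE_CF_LIST)
    # Constructed group: the Cloudflare rule plus a leftover wide-open rule.
    leftover = {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    print(audit_ingress([build_ingress(cf), leftover], cf))
```

The audit only looks at CIDR sources; rules that reference other security groups or prefix lists are not evaluated.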

Cloudflare Access not only comes with better performance, it also comes with a lot of security features, including detailed logs.

Cloudflare Access currently offers a free trial until 1 September 2020. After the free trial, Cloudflare Access comes in 2 different packages, Access Basic and Access Premium. The Basic package costs USD 3 per user per month and you can only use 5 identity providers, while Access Premium costs USD 5 per user per month and supports more identity providers.

To learn more about Cloudflare Access, visit the official page at https://teams.cloudflare.com/access/

Originally published at https://tech.david-cheong.com on June 24, 2020.
