Kubernetes ingress with VPN only access using Cloudflare Zero Trust

Hi,

Considering implementing Cloudflare’s Zero Trust solution to safeguard certain endpoints currently accessible to the public. Our aim is to restrict access to these operational endpoints solely behind our VPN, leveraging Cloudflare’s Zero Trust solution. Wondering if anyone has experience with this setup?

I’ve experimented with using Nginx Ingress’s white list range annotation, which works well but seems dependent on opting for Cloudflare’s enterprise plan with a dedicated egress IP. Alternatively, granting blanket access to the entire Cloudflare IP CIDR range feels insecure.

Any thoughts or suggestions on how to proceed?

You have two options:

a) use authenticated origin pulls (docs) so your reverse proxy (in this case nginx) can verify the requests come from Cloudflare

b) use Cloudflare Tunnels so the endpoints are not even public (docs), which you could then point to your ingress

We do exactly this with EKS and Cloudflare. We have authenticated origin pulls configured along with External DNS and Nginx ingress to all work in sync when an ingress is deployed. The External DNS plugin will create the record in Cloudflare, enable proxying, and then we use annotations on the ingress to set up mTLS with a root cert from Cloudflare bootstrapped in our clusters. This also allows us to use access policies to set up SSO for self-hosted publicly accessible applications.
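An added example of what the setup above looks like on the manifest side (not the poster's own config): an ingress-nginx Ingress with the auth-tls annotations that make the controller require and verify Cloudflare's origin-pull client certificate, plus the Secret holding the CA. The namespace `ops`, the hostname, the service name and the secret names are assumptions, and the CA PEM is a placeholder for the origin-pull CA you download from Cloudflare's docs.

```yaml
# Secret holding the Cloudflare origin-pull CA; ingress-nginx expects the key ca.crt
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-origin-pull-ca   # assumed name
  namespace: ops                    # assumed namespace
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: paste the Cloudflare origin-pull CA PEM here>
    -----END CERTIFICATE-----
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ops-endpoint                # assumed name
  namespace: ops
  annotations:
    # external-dns creates the DNS record in Cloudflare with the proxy enabled
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
    # Require a client certificate on every TLS handshake and verify it
    # against ca.crt in the Secret above; requests without a certificate
    # signed by that CA (i.e. not coming through Cloudflare) get rejected
    nginx.ingress.kubernetes.io/auth-tls-secret: "ops/cloudflare-origin-pull-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - ops.example.com           # assumed hostname
      secretName: ops-example-com-tls   # assumed server cert Secret
  rules:
    - host: ops.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ops-service   # assumed backend Service
                port:
                  number: 8080
```

Check it by calling the origin directly (bypassing Cloudflare) without a client certificate: ingress-nginx should answer with an HTTP 400 for the host, while the same request through the proxied hostname succeeds.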

I would configure a reverse proxy as ingress as your go-to point when you want to access from LAN. I would also direct the Cloudflare stuff to the reverse proxy. Kind of like a gateway.

We’ve whitelisted Cloudflare’s IP ranges. It’s not any more insecure than granting access to one specific one, it just sorta feels that way.

I have a similar setup at home. I’m running cloudflared within the cluster and it only has access to nginx pods via network policies. I’m using Zero Trust’s 2FA auth so I don’t have to deal with it.

I achieved it using two ingress controllers, one for public and another for private (internal load balancer), and then using Zero Trust to reach the private ingress. Thanks for the pointers.