Add an infrastructure application
NewFeature availability
WARP modes | Zero Trust plans ↗ |
---|---|
| All plans |
System | Availability |
---|---|
Windows | ✅ |
macOS | ✅ |
Linux | ✅ |
iOS | ✅ |
Android | ✅ |
ChromeOS | ✅ |
Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.
- Connect your private network to Cloudflare using
cloudflared
or WARP Connector. - Deploy the WARP client on user devices in Gateway with WARP mode.
A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server.
To create a new target:
- In Zero Trust ↗, go to Networks > Targets.
- Select Add a target.
- In Target hostname, enter a user-friendly name for the target resource. We recommend using the server hostname, for example
production-server
. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.Format restrictions
- Case insensitive
- Contain no more than 253 characters
- Contain only alphanumeric characters,
-
, or.
(no spaces allowed) - Start and end with an alphanumeric character
- In IP addresses, enter the private IPv4 and/or IPv6 address of the target resource. If the IP address overlaps across multiple private networks, select the virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
- Select Add target.
-
Create an API token with the following permissions:
Type Item Permission Account Zero Trust Edit -
Make a
POST
request to the Infrastructure Access Targets endpoint:
-
Add the following permission to your
cloudflare_api_token
↗:Teams Write
-
Configure the
cloudflare_zero_trust_infrastructure_access_target
↗ resource:
Next, create an infrastructure application to secure the target.
- In Zero Trust ↗, go to Access > Applications.
- Select Add an application.
- Select Infrastructure.
- Enter any name for the application.
- In Target criteria, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
- Enter the Protocol and Port that will be used to connect to the server.
- (Optional) If a protocol runs on more than one port, select Add new target criteria and reconfigure the same target hostname and protocol with a different port number.
- Select Next.
- To secure your targets, configure a policy that defines who can connect and how they can connect:
-
Enter any name for your policy.
-
Create a rule that matches the users who are allowed to reach the targets. For more information, refer to Access policies and review the list of infrastructure policy selectors.
-
In Connection context, configure the following settings:
- SSH user: Enter the UNIX usernames that users can log in as (for example,
root
orec2-user
). - Allow users to log in as their email alias: (Optional) When selected, users who match your policy definition will be able to access the target using their email address prefix. For example,
jdoe@company.com
could log in asjdoe
.
- SSH user: Enter the UNIX usernames that users can log in as (for example,
-
- Select Add application.
-
Create an API token with the following permissions:
Type Item Permission Account Access: Apps & Policies Edit -
Make a
POST
request to the Access applications endpoint:
-
Add the following permission to your
cloudflare_api_token
↗:Access: Apps and Policies Write
-
Use the
cloudflare_zero_trust_access_application
↗ resource to create an infrastructure application: -
Use the
cloudflare_zero_trust_access_policy
↗ resource to add an infrastructure policy to the application:
The targets in this application are now secured by your infrastructure policies.
Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:
Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a private DNS resolver to allow connections to the target's private hostname.
To connect to targets that are in different VNETS, users will need to switch their connected virtual network in the WARP client.
Feature availability
System | Availability | Minimum WARP version |
---|---|---|
Windows | ✅ | 2024.9.346.0 |
macOS | ✅ | 2024.9.346.0 |
Linux | ✅ | 2024.9.346.0 |
iOS | ❌ | |
Android | ❌ | |
ChromeOS | ❌ |
Users can use warp-cli
to display a list of targets they can access. On the WARP device, open a terminal and run the following command:
To revoke a user's access to all infrastructure targets, you can either revoke the user from Zero Trust or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
The following Access policy selectors are available for securing infrastructure applications:
- Emails ending in
- SAML group
- Country
- Authentication method
- Device posture
- Entra group, GitHub organization, Google Workspace group, Okta group