Skip to content

Commit

Permalink
[ZT] Infrastructure access (#16763)
Browse files Browse the repository at this point in the history
* move browser-rendered terminal to new page

* account limits

* new infrastructure access how-to

* Update src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx

Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>

* non-http overview

* move ssh note

* define target

* add SSH logging partial

* use SSH logging partial

* start reworking ssh page

* Apply suggestions from code review

Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>

* Update src/content/glossary/cloudflare-one.yaml

* clean up warp to tunnel

* ssh instructions

* example warp-cli output

* edit overviews

* edit sidebar text

* target ip requirements

* create cloudflare authentication folder

* redirect users from old SSH workflows

* logpush is enterprise only

* add "New" badge to sidebar

* sharon's feedback

* ann ming's feedback part 1

* fix broken link

* fix broken link

* rework IA

* fix links

* add api examples

* edit cloudflared auth note

* add step to install the Cloudflare cert

* Update src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx

Co-authored-by: Kody Jackson <kody@cloudflare.com>

* remove warp-cli target list

* remove ssh key in dash

* add API example

* edit code block format

* link to API docs

* apply sharon's feedback

* clarify disable ssh command logging

* clarify legacy label

---------

Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
Co-authored-by: Kody Jackson <kody@cloudflare.com>
  • Loading branch information
3 people authored and maheshwarip committed Dec 2, 2024
1 parent 3426d69 commit 54ffd03
Show file tree
Hide file tree
Showing 35 changed files with 721 additions and 261 deletions.
6 changes: 4 additions & 2 deletions public/_redirects
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@
/access/ssh/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301
/cloudflare-one/tutorials/ssh/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301
/cloudflare-one/tutorials/ssh-browser/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301
/access/ssh/short-live-cert-server/ /cloudflare-one/identity/users/short-lived-certificates/ 301
/access/ssh/short-live-cert-server/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301
/access/ssh/ssh-guide/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ 301

# ai
Expand Down Expand Up @@ -1522,6 +1522,7 @@
/cloudflare-one/analytics/access/ /cloudflare-one/insights/analytics/access/ 301
/cloudflare-one/analytics/gateway/ /cloudflare-one/insights/analytics/gateway/ 301
/cloudflare-one/analytics/users/ /cloudflare-one/insights/logs/users/ 301
/cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
/cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301
/cloudflare-one/connections/connect-apps/install-and-setup/setup/ /cloudflare-one/connections/connect-networks/get-started/ 301
/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas/ /cloudflare-one/connections/connect-networks/deploy-tunnels/deploy-cloudflared-replicas/ 301
Expand Down Expand Up @@ -1608,6 +1609,7 @@
/cloudflare-one/insights/logs/logpush/rdata/ /cloudflare-one/insights/logs/logpush/#parse-logpush-logs 301
/cloudflare-one/applications/custom-pages/ /cloudflare-one/applications/ 301
/cloudflare-one/identity/service-auth/service-tokens/ /cloudflare-one/identity/service-tokens/ 301
/cloudflare-one/identity/users/short-lived-certificates/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301
/cloudflare-one/identity/users/validating-json/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301
/cloudflare-one/policies/lists/ /cloudflare-one/policies/gateway/lists 301
/cloudflare-one/policies/zero-trust/ /cloudflare-one/policies/access/ 301
Expand Down Expand Up @@ -1654,7 +1656,7 @@
/cloudflare-one/tutorials/secure-dns-network/ /cloudflare-one/connections/connect-devices/agentless/dns/locations/ 301
/cloudflare-one/tutorials/share-new-site/ /cloudflare-one/connections/connect-networks/get-started/ 301
/cloudflare-one/tutorials/single-command/ /cloudflare-one/connections/connect-networks/get-started/ 301
/cloudflare-one/tutorials/ssh-cert-bastion/ /cloudflare-one/identity/users/short-lived-certificates/ 301
/cloudflare-one/tutorials/ssh-cert-bastion/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301
/cloudflare-one/tutorials/ssh-service-token/ /cloudflare-one/identity/service-tokens/ 301
/cloudflare-one/tutorials/smb/ /cloudflare-one/connections/connect-networks/use-cases/smb/ 301
/cloudflare-one/tutorials/split-tunnel/ /cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/ 301
Expand Down
2 changes: 2 additions & 0 deletions src/content/docs/cloudflare-one/account-limits.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ This page lists the default account limits for rules, applications, fields, and
| Rules count per application | 1,000 |
| Rules count per group | 1,000 |
| Domains per application | 5 |
| Infrastructure targets | 300 |

## Gateway

Expand Down Expand Up @@ -75,5 +76,6 @@ This page lists the default account limits for rules, applications, fields, and
| mTLS certificates name | 350 |
| Service token name | 350 |
| IdP name | 350 |
| Target name | 255 |
| Application URL | 63 |
| Team domain | 63 |
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
---
pcx_content_type: how-to
title: Browser-rendered terminal
sidebar:
order: 3

---

Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser.

:::note
You can only enable browser rendering on domains and subdomains, not for specific paths.
:::

## Enable browser rendering

To enable browser rendering:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
4. In the **Settings** tab, scroll down to **Additional settings**.
5. For **Browser rendering**, choose *SSH* or *VNC*.
6. Select **Save application**.

When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
---
pcx_content_type: how-to
title: Enable automatic cloudflared authentication
sidebar:
order: 2

---

When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page:

![Access request prompt page displayed after logging in with cloudflared.](~/assets/images/cloudflare-one/applications/non-http/access-screen.png)

Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session.

To enable automatic `cloudflared` authentication:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
2. Locate your application and select **Configure**.
3. In the **Settings** tab, scroll down to **Additional settings**.
4. Turn on **Enable automatic cloudflared authentication**.
5. Select **Save application**.

This option will still prompt a browser window in the background, but authentication will now happen automatically.
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
---
pcx_content_type: how-to
title: Connect using cloudflared
title: Client-side cloudflared
sidebar:
order: 11

order: 4
tableOfContents: false
---

With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the WARP client. This method requires you to onboard a domain to Cloudflare and install `cloudflared` on both the server and the user's device.
Expand All @@ -12,33 +12,14 @@ Users log in to the application by running a `cloudflared access` command in the

:::note

Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/policies/access/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances.
Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/policies/access/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances.
:::

## Setup

For examples of how to connect to Access applications with `cloudflared`, refer to these tutorials:
For examples of how to connect to Access applications with client-side `cloudflared`, refer to these tutorials:

* [Connect through Access using a CLI](/cloudflare-one/tutorials/cli/)
* [Connect through Access using kubectl](/cloudflare-one/tutorials/kubectl/)
* [Connect over SSH with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-cloudflared-access)
* [Connect over SSH with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-cloudflared-authentication/) (legacy) -- SSH connections are now managed through [Access for Infrastructure](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/).
* [Connect over RDP with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/rdp/#connect-to-rdp-server-with-cloudflared-access)
* [Connect over SMB with cloudflared](/cloudflare-one/connections/connect-networks/use-cases/smb/)

## Automatic `cloudflared` authentication

When users connect to an Access application through `cloudflared`, the browser prompts them to allow access by displaying this page:

![Access request prompt page displayed after logging in with cloudflared.](~/assets/images/cloudflare-one/applications/non-http/access-screen.png)

Automatic `cloudflared` authentication allows users to skip this login page if they already have an active IdP session.

To enable automatic `cloudflared` authentication:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
2. Locate your application and select **Configure**.
3. In the **Settings** tab, scroll down to **Additional settings**.
4. Turn on **Enable automatic cloudflared authentication**.
5. Select **Save application**.

This option will still prompt a browser window in the background, but authentication will now happen automatically.
* [Connect over arbitrary TCP with cloudflared](/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/)
52 changes: 27 additions & 25 deletions src/content/docs/cloudflare-one/applications/non-http/index.mdx
Original file line number Diff line number Diff line change
@@ -1,44 +1,46 @@
---
pcx_content_type: how-to
title: Add non-HTTP applications
pcx_content_type: concept
title: Non-HTTP applications
sidebar:
order: 2
order: 1

---

You can secure non-HTTP applications by [connecting your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare. Users reach the application by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.
Cloudflare offers both client-based and clientless ways to grant secure access to non-HTTP applications.

## Setup
:::note
Non-HTTP applications require [connecting your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare. For more details, refer to our [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide.
:::

For a comprehensive overview of how to connect a private network, refer to our implementation guide:
## WARP client

* [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/)
Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.

To connect to an application over a specific protocol, refer to these tutorials:
If you would like to define how users access specific infrastructure servers within your network, create an infrastructure application in [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/). Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
- Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server.
- Eliminate SSH keys by using short-lived certificates to authenticate users.
- Export SSH command logs to a storage service or SIEM solution using [Logpush](/logs/about/).

* [Connect over SSH with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-warp-to-tunnel)
* [Connect over SMB with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/smb/#connect-to-smb-server-with-warp-to-tunnel)
* [Connect over RDP with WARP to Tunnel](/cloudflare-one/connections/connect-networks/use-cases/rdp/#connect-to-rdp-server-with-warp-to-tunnel)
## Clientless access

## Enable browser rendering
Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported, and user email prefixes must match their username on the server.

Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser.

:::note
### Browser-rendered terminal

Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser.

You can only enable browser rendering on domains and subdomains, not for specific paths.

### Client-side cloudflared (legacy)

:::note
Not recommended for new deployments.
:::

To enable browser rendering:
Users can log in to the application by installing `cloudflared` on their device and running a hostname-specific command in their terminal. For more information, refer to [cloudflared authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/).

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
4. In the **Settings** tab, scroll down to **Additional settings**.
5. For **Browser rendering**, choose *SSH* or *VNC*.
6. Select **Save application**.
## Related resources

To connect to an application over a specific protocol, refer to these tutorials:

When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.
* [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/)
* [SMB](/cloudflare-one/connections/connect-networks/use-cases/smb/)
* [RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/)
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
---
pcx_content_type: how-to
title: Add an infrastructure application
sidebar:
order: 2
badge:
variant: tip
text: New
---

import { Badge, Details, Tabs, TabItem, Render } from "~/components"

Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.

:::note
Access for Infrastructure currently only supports [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/).
:::

## Prerequisites

- [Connect your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare using `cloudflared` or WARP Connector.
- [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on user devices in Gateway with WARP mode.
- Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on user devices.

## 1. Add a target

<Render file="access/add-target" />

## 2. Add an infrastructure application

<Render file="access/add-infrastructure-app" />

## 3. Add a policy

<Render file="access/add-infrastructure-policy" />

### Selectors

The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
- Email
- Emails ending in
- SAML group
- Country
- Authentication method
- Device posture
- Azure group, GitHub organization, Google Workspace group, Okta group

## 4. Configure the server

Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:

- [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server)

## Connect as a user

Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.

### Connect to different VNET

To connect to targets that are in different VNETS, users will need to [switch their connected virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) in the WARP client.

:::note
If a user is connected to a target in VNET-A and needs to connect to a target in VNET-B, switching their VNET will not break any existing connections to targets within VNET-A. At present, connections are maintained between VNETs.
:::


## Revoke a user's session

To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.

Loading

0 comments on commit 54ffd03

Please sign in to comment.