In this article you can read about cheap VPN for your AWS VPC and better performance through Cloudflare tunnels.
You can access resources in your VPC in several ways. I already wrote an article about replacing your bastion host. Here I'd like to share a lesser-known and very easy way to securely access all the resources in your VPC, without much configuration (no generating and distributing certificates) and without high costs.
We can use a Cloudflare split tunnel with the cloudflared Docker container in our network to gain access to the resources we need.
At the same time we can keep these resources in private subnets, so they are never exposed to the internet.
This also strengthens your security posture and worldwide performance, as traffic is only routed through the Cloudflare network. Note that using the tunnels for faster routing comes at an additional cost: 5 USD a month plus transfer fees.
In addition, this lets us add the extra verification layers that a Zero Trust model requires, so both external and internal applications can be protected with additional checks.
For example:
- Your Elasticsearch cluster can only be accessed by members of a given Outlook 365 group, and only from the Netherlands
- Your Vault cluster can only be reached from a fixed list of IP addresses, by people in the developers Outlook 365 group who also have a valid GitHub token
- Your pre-production environments can only be accessed by people with an email address ending in @corp.com
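As an added example, not taken from the article or from its Terraform module, the three policies above could be expressed with the Cloudflare Terraform provider's Access resources as follows. The hostnames, the variables, the identity-provider IDs and the group object ID are assumed placeholders, and an Azure AD group stands in for what the article calls an Outlook 365 group. Access application policies apply to applications published on a hostname (for example through a public hostname route on the tunnel); traffic to private IPs reached over WARP is filtered by Gateway network policies instead.

```hcl
# Added example: Cloudflare Access applications and policies for the three
# cases in the article. Not part of the article or of the
# elasticscale/tunnel-fargate/cloudflare module. Every hostname, variable
# and ID below is an assumed placeholder.

variable "cloudflare_account_id" { type = string }
variable "azure_idp_id" { type = string }                # assumed: Azure AD IdP configured in Zero Trust
variable "github_idp_id" { type = string }               # assumed: GitHub IdP configured in Zero Trust
variable "developers_group_object_id" { type = string }  # assumed: Azure AD group object ID

# 1. Elasticsearch: group members only, and only when connecting from the Netherlands.
#    "include" rules are OR-ed (who may be considered), "require" rules are AND-ed.
resource "cloudflare_access_application" "elasticsearch" {
  account_id       = var.cloudflare_account_id
  name             = "Elasticsearch"
  domain           = "es.corp.com" # assumed public hostname served through the tunnel
  type             = "self_hosted"
  session_duration = "8h"
}

resource "cloudflare_access_policy" "elasticsearch_group_from_nl" {
  account_id     = var.cloudflare_account_id
  application_id = cloudflare_access_application.elasticsearch.id
  name           = "Group members from NL"
  precedence     = 1
  decision       = "allow"

  include {
    azure {
      id                   = [var.developers_group_object_id]
      identity_provider_id = var.azure_idp_id
    }
  }
  require {
    geo = ["NL"]
  }
}

# 2. Vault: fixed source IPs AND developers group AND authenticated through GitHub.
resource "cloudflare_access_application" "vault" {
  account_id       = var.cloudflare_account_id
  name             = "Vault"
  domain           = "vault.corp.com" # assumed
  type             = "self_hosted"
  session_duration = "1h"
}

resource "cloudflare_access_policy" "vault_developers" {
  account_id     = var.cloudflare_account_id
  application_id = cloudflare_access_application.vault.id
  name           = "Developers from office ranges via GitHub"
  precedence     = 1
  decision       = "allow"

  include {
    ip = ["203.0.113.0/24", "198.51.100.10/32"] # assumed office egress ranges (documentation prefixes)
  }
  require {
    azure {
      id                   = [var.developers_group_object_id]
      identity_provider_id = var.azure_idp_id
    }
  }
  require {
    login_method = [var.github_idp_id] # must have signed in through the GitHub IdP
  }
}

# 3. Pre-production: anyone with a @corp.com address.
resource "cloudflare_access_application" "preprod" {
  account_id       = var.cloudflare_account_id
  name             = "Pre-production"
  domain           = "preprod.corp.com" # assumed
  type             = "self_hosted"
  session_duration = "24h"
}

resource "cloudflare_access_policy" "preprod_corp_email" {
  account_id     = var.cloudflare_account_id
  application_id = cloudflare_access_application.preprod.id
  name           = "corp.com addresses"
  precedence     = 1
  decision       = "allow"

  include {
    email_domain = ["corp.com"]
  }
}
```

Keep the `precedence` values unique per application when you add a second policy (for example a `deny` for contractors), and remember that a user who matches no `allow` policy is rejected by default.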
If you run multiple cloudflared replica containers across all private subnets you also get high availability on that end. I've created a Terraform module that does the heavy lifting for you, to make getting started even easier.
Here is the infrastructure we will set up:
Preparing Cloudflare
We need to set up Cloudflare so the tunnel works out of the box. The Cloudflare side of things is free (the Zero Trust free plan covers up to 50 users).
Setup Cloudflare
To add a tunnel you need to have a domain. So add a domain and change its nameservers to point to Cloudflare. This can be any domain; we will not use it, but it is currently a requirement from Cloudflare.
To find the Cloudflare Account ID, open the domain in the dashboard; the Account ID is shown there.
After the setup completes, also create a Zero Trust organisation.
Setup device enrolment
You need at least one device enrolment policy in your organisation before you can log in with the WARP client:
Setup the split tunnel
By default the WARP client's split tunnel excludes the private (RFC 1918) ranges, so traffic to those addresses never enters the tunnel.
My VPC has a CIDR block of 10.0.0.0/16, so we must delete the entry from the split tunnel exclude list that overlaps with it, in this case 10.0.0.0/8. Deleting the whole /8 sends every 10.x address through WARP; if you still need other 10.x networks (an office LAN, another VPC) to stay local, re-add the parts of 10.0.0.0/8 that lie outside your VPC CIDR as separate exclude entries:
Create an API token
You need an API token to provision the tunnel and resources:
Optionally, setup DNS for local TLDs
You can set up Local Domain Fallback for, for instance, .local addresses so they resolve through AWS Cloud Map:
The IP you need for the DNS resolver depends on your VPC CIDR: the AWS-provided resolver always sits at the base of the VPC CIDR plus two, so it is 10.0.0.2 in my case. The WARP client can only reach it because the VPC CIDR is routed through the tunnel.
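Putting the Cloudflare-side steps above into code, as an added example written for this page rather than taken from the article or from the module it uses: a tunnel with a private network route for the VPC CIDR, the split-tunnel exclude list with 10.0.0.0/8 removed and the remainder of that range re-added so that only the VPC's /16 goes through WARP, and a .local fallback domain pointing at the VPC resolver. The tunnel and route are what the article's module provisions for you; they are included here so the whole Cloudflare side is visible in one place. The VPC CIDR of 10.0.0.0/16, the tunnel name and the account ID variable are assumed.

```hcl
# Added example, not from the article or the elasticscale/tunnel-fargate/cloudflare module.
# Assumes the Cloudflare Terraform provider (v4 resource names), the hashicorp/random
# provider, and a VPC CIDR of 10.0.0.0/16 as in the article.

variable "cloudflare_account_id" { type = string }
variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16" # assumed to match the VPC module
}

# A tunnel needs a base64-encoded secret of at least 32 bytes.
resource "random_password" "tunnel_secret" {
  length  = 64
  special = false
}

resource "cloudflare_tunnel" "vpc" {
  account_id = var.cloudflare_account_id
  name       = "aws-vpc" # assumed name
  secret     = base64encode(random_password.tunnel_secret.result)
}

# Tell Cloudflare that the VPC CIDR is reachable through this tunnel.
resource "cloudflare_tunnel_route" "vpc" {
  account_id = var.cloudflare_account_id
  tunnel_id  = cloudflare_tunnel.vpc.id
  network    = var.vpc_cidr
  comment    = "AWS VPC private subnets"
}

# Split tunnel in exclude mode. The default list excludes 10.0.0.0/8, which
# swallows the VPC CIDR. Dropping the /8 outright would push all of 10/8 through
# WARP, so the complement of 10.0.0.0/16 within 10.0.0.0/8 is re-added explicitly.
locals {
  ten_slash_eight_minus_vpc = [
    "10.1.0.0/16", "10.2.0.0/15", "10.4.0.0/14", "10.8.0.0/13",
    "10.16.0.0/12", "10.32.0.0/11", "10.64.0.0/10", "10.128.0.0/9",
  ]
  # Other private and link-local ranges you want to keep off the tunnel; extend
  # with any further entries from the default exclude list that you rely on.
  other_local_ranges = ["172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fd00::/8"]
}

resource "cloudflare_split_tunnel" "exclude" {
  account_id = var.cloudflare_account_id
  mode       = "exclude"

  dynamic "tunnels" {
    for_each = concat(local.ten_slash_eight_minus_vpc, local.other_local_ranges)
    content {
      address     = tunnels.value
      description = "Stays on the local network, not routed through WARP"
    }
  }
}

# Resolve *.local through the AWS VPC resolver, which sits at the VPC CIDR base + 2
# (10.0.0.2 for 10.0.0.0/16). This resource manages the whole fallback list, so
# re-add any default suffixes you still need alongside this one.
resource "cloudflare_fallback_domain" "local" {
  account_id = var.cloudflare_account_id

  domains {
    suffix      = "local"
    description = "AWS Cloud Map namespace"
    dns_server  = [cidrhost(var.vpc_cidr, 2)]
  }
}
```

After `terraform apply`, the remaining piece is to run cloudflared with the tunnel token inside the private subnets, which is the part the article's Fargate module takes care of.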
Setup the module
Now the only step left is to deploy the module:

```hcl
module "tunnel-fargate" {
  source  = "elasticscale/tunnel-fargate/cloudflare"
  version = "1.0.1"

  vpc_id                = module.vpc.vpc_id
  private_subnets       = module.vpc.private_subnets
  cloudflare_zone       = var.cloudflare_zone
  cloudflare_account_id = var.cloudflare_account_id
}
```
After the module is deployed you can navigate to Zero Trust tunnels and see that the tunnel is active:
Now you can install the WARP client. Go to the preferences and make sure to use 1.1.1.1 with WARP. Click the button "Login to Cloudflare Zero Trust". You will be redirected to Cloudflare to enrol your device. After connecting to WARP you can reach all internal resources, provided their security groups allow inbound traffic from the security group the module creates.
Performance improvements
You can also get performance improvements if you expose internal resources through these tunnels. Read more about that here.
Do you have any questions after reading this article about cheap VPN for your AWS VPC and better performance through Cloudflare tunnels? Feel free to contact me.