Add an infrastructure application

New

Feature availability

WARP modes	Zero Trust plans ↗
Gateway with WARP Secure Web Gateway without DNS filtering	All plans

System	Availability
Windows	✅
macOS	✅
Linux	✅
iOS	✅
Android	✅
ChromeOS	✅

Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.

Prerequisites

Connect your private network to Cloudflare using cloudflared or WARP Connector.
Deploy the WARP client on user devices in Gateway with WARP mode.

1. Add a target

A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server.

To create a new target:

In Zero Trust ↗, go to Networks > Targets.
Select Add a target.
In Target hostname, enter a user-friendly name for the target resource. We recommend using the server hostname, for example production-server. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.
Format restrictions
- Case insensitive
- Contain no more than 253 characters
- Contain only alphanumeric characters, -, or . (no spaces allowed)
- Start and end with an alphanumeric character
In IP addresses, enter the private IPv4 and/or IPv6 address of the target resource. If the IP address overlaps across multiple private networks, select the virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.

Select Add target.

Create an API token with the following permissions:

Type Item Permission
Account Zero Trust Edit

Type	Item	Permission
Account	Zero Trust	Edit

Make a POST request to the Infrastructure Access Targets endpoint:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "hostname": "infra-access-target",
  "ip": {
    "ipv4": {
      "ip_addr": "187.26.29.249",
      "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
    },
    "ipv6": {
      "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
      "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
    }
  }
}'

Configure the cloudflare_infrastructure_access_target ↗ resource:

resource "cloudflare_infrastructure_access_target" "infra-ssh-target" {
  account_id = "f037e56e89293a057740de681ac9abbe"
    hostname   = "infra-access-target"
    ip = {
      ipv4 = {
         ip_addr = "187.26.29.249"
         virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
       }
      ipv6 = {
        ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
        virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    }
}

Next, create an infrastructure application to secure the target.

2. Add an infrastructure application

In Zero Trust ↗, go to Access > Applications.
Select Add an application.
Select Infrastructure.
Enter any name for the application.
In Target criteria, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
Enter the Protocol and Port that will be used to connect to the server.
(Optional) If a protocol runs on more than one port, select Add new target criteria and reconfigure the same target hostname and protocol with a different port number.
Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
Select Next.
To secure your targets, configure a policy that defines who can connect and how they can connect:
1. Enter any name for your policy.
2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to Access policies and review the list of infrastructure policy selectors.
3. In Connection context, enter the UNIX usernames that users can log in as (for example, root or ec2-user).
Select Add application.

Create an API token with the following permissions:

Type Item Permission
Account Access: Apps & Policies Edit

Type	Item	Permission
Account	Access: Apps & Policies	Edit

Make a POST request to the Access applications endpoint:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "Example infrastructure app",
  "type": "infrastructure",
  "target_criteria": [
    {
      "target_attributes": {
        "hostname": [
          "infra-access-target"
        ]
      },
      "port": 22,
      "protocol": "SSH"
    }
  ],
  "policies": [
    {
      "name": "Allow a specific email",
      "decision": "allow",
      "include": [
        {
          "email": {
            "email": "jdoe@company.com"
          }
        }
      ],
      "connection_rules": {
        "ssh": {
          "usernames": [
            "root",
            "ec2-user"
          ]
        }
      }
    }
  ]
}'

Use the cloudflare_zero_trust_access_application ↗ resource to create an infrastructure application:

resource "cloudflare_zero_trust_access_application" "infra-app" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "Example infrastructure app"
  type       = "infrastructure"

  target_criteria {
    port     = 22
    protocol = "SSH"
    target_attributes {
      name = "hostname"
      values = ["infra-access-target"]
    }
  }
}

Use the cloudflare_zero_trust_access_policy ↗ resource to add an infrastructure policy to the application:

resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
  application_id = cloudflare_zero_trust_access_application.infra-app.id
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "Allow a specific email"
  decision   = "allow"
  precedence = 1

  include {
    email = ["jdoe@company.com"]
  }

  connection_rules {
    ssh {
      usernames = ["root", "ec2-user"]
    }
  }
}

The targets in this application are now secured by your infrastructure policies.

3. Configure the server

Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:

4. Connect as a user

Users connect to the target’s IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a private DNS resolver to allow connections to the target’s private hostname.

Connect to different VNET

To connect to targets that are in different VNETS, users will need to switch their connected virtual network in the WARP client.

Display available targets

Feature availability

System	Availability	Minimum WARP version
Windows	✅	2024.9.346.0
macOS	✅	2024.9.346.0
Linux	✅	2024.9.346.0
iOS	❌
Android	❌
ChromeOS	❌

Users can use warp-cli to display a list of targets they can access. On the WARP device, open a terminal and run the following command:

warp-cli target list

╭──────────────────────────────────────┬──────────┬──────┬────────────────────────────────┬───────────────────────────────────────────────────┬───────────╮
│ Target ID                            │ Protocol │ Port │ Attributes                     │ IP (Virtual Network)                              │ Usernames │
├──────────────────────────────────────┼──────────┼──────┼────────────────────────────────┼───────────────────────────────────────────────────┼───────────┤
│ 0192027a-ef8a-7966-aff6-4576475db365 │ SSH      │ 22   │ hostname: digital-ocean-target │ 10.116.0.3 (a663a21c-76e5-4e3c-8296-d856682269f9) │ root      │
├──────────────────────────────────────┼──────────┼──────┼────────────────────────────────┼───────────────────────────────────────────────────┼───────────┤
│ 0192027a-ef8a-7966-aff6-4576475db365 │ SSH      │ 23   │ hostname: digital-ocean-target │ 10.116.0.3 (a663a21c-76e5-4e3c-8296-d856682269f9) │ root      │
╰──────────────────────────────────────┴──────────┴──────┴────────────────────────────────┴───────────────────────────────────────────────────┴───────────╯

Revoke a user’s session

To revoke a user’s access to all infrastructure targets, you can either revoke the user from Zero Trust or revoke their device. Cloudflare does not currently support revoking a user’s session for a specific target.

Infrastructure policy selectors

The following Access policy selectors are available for securing infrastructure applications:

Email
Emails ending in
SAML group
Country
Authentication method
Device posture
Entra group, GitHub organization, Google Workspace group, Okta group

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings