Implementing Zero Trust Network Access with Cloudflare#

Cloudflare Zero Trust provides a comprehensive suite of tools to implement modern security architecture that eliminates implicit trust and continuously validates every transaction. This guide covers implementing Zero Trust Network Access (ZTNA) using Cloudflare’s Access, Tunnel, Gateway, and WARP products.

Table of Contents#

Introduction to Zero Trust#

Zero Trust is a security model that requires all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated before being granted access to applications and data.

Core Principles#

Never trust, always verify - No implicit trust based on network location
Least privilege access - Users get minimal required permissions
Assume breach - Design security as if the network is already compromised
Verify explicitly - Authenticate and authorize based on all available data points
Inspect and log all traffic - Complete visibility into network activity

Cloudflare Zero Trust Components#

Cloudflare Access - Identity-aware proxy for applications
Cloudflare Tunnel - Secure connection to internal resources
Cloudflare Gateway - Secure web gateway and DNS filtering
WARP - VPN replacement for device connectivity
Browser Isolation - Remote browser execution
Data Loss Prevention - Protect sensitive data

Architecture Overview#

1
┌──────────────────────────────────────────────────────────┐
2
│                   Internet / Public Network               │
3
└────────────────┬─────────────────────────────────────────┘
4
                 │
5
       ┌─────────▼─────────┐
6
       │  Cloudflare Edge  │
7
       │   (150+ POPs)     │
8
       └─────────┬─────────┘
9
                 │
10
    ┌────────────┼────────────┐
11
    │            │            │
12
┌───▼───┐  ┌────▼────┐  ┌────▼────┐
13
│Access │  │Gateway  │  │  WARP   │
14
│Proxy  │  │Filtering│  │ Client  │
15
└───┬───┘  └────┬────┘  └────┬────┘
16
    │           │             │
17
┌───▼───────────▼─────────────▼───┐
18
│      Cloudflare Tunnel          │
19
│    (Outbound-only Connection)   │
20
└─────────────┬───────────────────┘
21
              │
22
    ┌─────────▼─────────┐
23
    │  Private Network  │
24
    │   Applications    │
25
    └───────────────────┘

Setting Up Cloudflare Access#

1. Initial Configuration#

1
# Install cloudflared
2
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
3
sudo dpkg -i cloudflared-linux-amd64.deb
4

5
# Authenticate
6
cloudflared tunnel login
7

8
# This will open a browser to authenticate with your Cloudflare account

2. Create Access Application#

1
// Using Cloudflare API to create Access application
2
const createAccessApp = async () => {
3
  const response = await fetch(
4
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/access/apps`,
5
    {
6
      method: 'POST',
7
      headers: {
8
        'Authorization': `Bearer ${API_TOKEN}`,
9
        'Content-Type': 'application/json',
10
      },
11
      body: JSON.stringify({
12
        name: 'Internal Dashboard',
13
        domain: 'dashboard.internal.company.com',
14
        type: 'self_hosted',
15
        session_duration: '24h',
16
        auto_redirect_to_identity: false,
17
        allowed_idps: ['google', 'azure'],
18
        custom_pages: {
19
          forbidden: 'https://company.com/access-denied',
20
        },
21
        cors_headers: {
22
          allowed_methods: ['GET', 'POST', 'PUT', 'DELETE'],
23
          allowed_origins: ['https://app.company.com'],
24
          allow_credentials: true,
25
        },
26
      }),
27
    }
28
  );
29

30
  return response.json();
31
};

3. Configure Access Policies#

1
// Create access policy with multiple rules
2
const createAccessPolicy = async (appId) => {
3
  const policy = {
4
    name: 'Engineering Team Access',
5
    precedence: 1,
6
    decision: 'allow',
7
    include: [
8
      {
9
        email_domain: {
10
          domain: 'company.com'
11
        }
12
      },
13
      {
14
        group: {
15
          id: 'engineering-group-id'
16
        }
17
      }
18
    ],
19
    exclude: [
20
      {
21
        email: {
22
          email: 'contractor@external.com'
23
        }
24
      }
25
    ],
26
    require: [
27
      {
28
        geo: {
29
          country_code: ['US', 'CA', 'GB']
30
        }
31
      },
32
      {
33
        device_posture: {
34
          integration_uid: 'device-trust-check'
35
        }
36
      }
37
    ],
38
    isolation_required: false,
39
    purpose_justification_required: true,
40
    purpose_justification_prompt: 'Please provide reason for access',
41
    approval_required: true,
42
    approval_groups: [
43
      {
44
        email_list: ['manager@company.com', 'security@company.com']
45
      }
46
    ]
47
  };
48

49
  const response = await fetch(
50
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/access/apps/${appId}/policies`,
51
    {
52
      method: 'POST',
53
      headers: {
54
        'Authorization': `Bearer ${API_TOKEN}`,
55
        'Content-Type': 'application/json',
56
      },
57
      body: JSON.stringify(policy),
58
    }
59
  );
60

61
  return response.json();
62
};

4. Identity Provider Integration#

1
// Configure SAML identity provider
2
const configureSAML = async () => {
3
  const samlConfig = {
4
    name: 'Company SAML',
5
    type: 'saml',
6
    config: {
7
      issuer_url: 'https://idp.company.com',
8
      sso_target_url: 'https://idp.company.com/sso/saml',
9
      idp_public_cert: `-----BEGIN CERTIFICATE-----
10
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
11
...
12
-----END CERTIFICATE-----`,
13
      attributes: [
14
        'email',
15
        'name',
16
        'groups'
17
      ],
18
      email_attribute_name: 'EmailAddress',
19
      sign_request: true,
20
      redirect_url: 'https://team.cloudflareaccess.com/cdn-cgi/access/callback'
21
    }
22
  };
23

24
  const response = await fetch(
25
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/access/identity_providers`,
26
    {
27
      method: 'POST',
28
      headers: {
29
        'Authorization': `Bearer ${API_TOKEN}`,
30
        'Content-Type': 'application/json',
31
      },
32
      body: JSON.stringify(samlConfig),
33
    }
34
  );
35

36
  return response.json();
37
};
38

39
// Configure OAuth 2.0 provider
40
const configureOAuth = async () => {
41
  const oauthConfig = {
42
    name: 'Google Workspace',
43
    type: 'google',
44
    config: {
45
      client_id: process.env.GOOGLE_CLIENT_ID,
46
      client_secret: process.env.GOOGLE_CLIENT_SECRET,
47
      apps_domain: 'company.com'
48
    }
49
  };
50

51
  const response = await fetch(
52
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/access/identity_providers`,
53
    {
54
      method: 'POST',
55
      headers: {
56
        'Authorization': `Bearer ${API_TOKEN}`,
57
        'Content-Type': 'application/json',
58
      },
59
      body: JSON.stringify(oauthConfig),
60
    }
61
  );
62

63
  return response.json();
64
};

Cloudflare Tunnel Configuration#

1. Create and Configure Tunnel#

1
# Create a new tunnel
2
cloudflared tunnel create production-tunnel
3

4
# This creates:
5
# - ~/.cloudflared/<TUNNEL_ID>.json (credentials file)
6
# - Tunnel UUID
7

8
# List tunnels
9
cloudflared tunnel list

2. Tunnel Configuration File#

~/.cloudflared/config.yml:

1
tunnel: YOUR_TUNNEL_ID
2
credentials-file: /home/user/.cloudflared/YOUR_TUNNEL_ID.json
3

4
# Ingress rules - routing traffic to your services
5
ingress:
6
  # Public hostname routing to internal service
7
  - hostname: app.company.com
8
    service: http://localhost:3000
9
    originRequest:
10
      noTLSVerify: false
11
      originServerName: app.internal.local
12
      connectTimeout: 30s
13
      tcpKeepAlive: 30s
14
      keepAliveConnections: 100
15
      keepAliveTimeout: 90s
16
      httpHostHeader: app.internal.local
17

18
  # API endpoint with different configuration
19
  - hostname: api.company.com
20
    service: http://localhost:8080
21
    originRequest:
22
      noTLSVerify: true
23
      disableChunkedEncoding: true
24
      bastionMode: false
25
      proxyAddress: 127.0.0.1
26
      proxyPort: 8080
27
      proxyType: socks
28

29
  # WebSocket support
30
  - hostname: ws.company.com
31
    service: ws://localhost:8081
32
    originRequest:
33
      noTLSVerify: true
34

35
  # TCP service (SSH, RDP, etc.)
36
  - hostname: ssh.company.com
37
    service: tcp://localhost:22
38

39
  # Load balancing across multiple origins
40
  - hostname: balanced.company.com
41
    service: http://localhost:3001
42
    originRequest:
43
      noTLSVerify: false
44
    loadBalancer:
45
      - http://server1:3001
46
      - http://server2:3001
47
      - http://server3:3001
48

49
  # Catch-all rule (must be last)
50
  - service: http_status:404

3. Run Tunnel as a Service#

1
# Install as systemd service (Linux)
2
sudo cloudflared service install
3

4
# Start the service
5
sudo systemctl start cloudflared
6
sudo systemctl enable cloudflared
7

8
# Check status
9
sudo systemctl status cloudflared
10

11
# View logs
12
sudo journalctl -u cloudflared -f

4. High Availability Setup#

1
tunnel: YOUR_TUNNEL_ID
2
credentials-file: /path/to/credentials.json
3
protocol: quic
4

5
ingress:
6
  - hostname: app.company.com
7
    service: http://localhost:3000
8
    originRequest:
9
      noTLSVerify: false
10
  - service: http_status:404
11

12
# Run multiple instances for HA
13
# Instance 1
14
cloudflared tunnel --config config-replica-1.yml run
15

16
# Instance 2 (on different server)
17
cloudflared tunnel --config config-replica-2.yml run

Gateway and DNS Filtering#

1. Configure Gateway Policies#

1
// Create DNS filtering policy
2
const createGatewayPolicy = async () => {
3
  const policy = {
4
    name: 'Block Malicious Domains',
5
    description: 'Blocks known malicious domains and categories',
6
    action: 'block',
7
    enabled: true,
8
    precedence: 1,
9
    filters: [
10
      'dns'
11
    ],
12
    traffic: {
13
      dns: {
14
        domains: [
15
          'malicious-site.com',
16
          '*.phishing-domain.net'
17
        ],
18
        categories: [
19
          'malware',
20
          'phishing',
21
          'crypto_mining'
22
        ]
23
      }
24
    },
25
    rule: {
26
      operator: 'or',
27
      conditions: [
28
        {
29
          type: 'domain',
30
          operator: 'in',
31
          value: ['malware', 'phishing']
32
        },
33
        {
34
          type: 'dns_category',
35
          operator: 'in',
36
          value: [117, 118, 131] // Category IDs
37
        }
38
      ]
39
    },
40
    schedule: {
41
      time_zone: 'America/New_York',
42
      monday: { start: '00:00', end: '24:00' },
43
      tuesday: { start: '00:00', end: '24:00' },
44
      wednesday: { start: '00:00', end: '24:00' },
45
      thursday: { start: '00:00', end: '24:00' },
46
      friday: { start: '00:00', end: '24:00' },
47
      saturday: { start: '00:00', end: '24:00' },
48
      sunday: { start: '00:00', end: '24:00' }
49
    }
50
  };
51

52
  const response = await fetch(
53
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/gateway/rules`,
54
    {
55
      method: 'POST',
56
      headers: {
57
        'Authorization': `Bearer ${API_TOKEN}`,
58
        'Content-Type': 'application/json',
59
      },
60
      body: JSON.stringify(policy),
61
    }
62
  );
63

64
  return response.json();
65
};

2. HTTP Inspection Policies#

1
// Configure HTTP inspection rules
2
const createHTTPPolicy = async () => {
3
  const policy = {
4
    name: 'Data Loss Prevention',
5
    action: 'block',
6
    enabled: true,
7
    filters: ['http'],
8
    precedence: 2,
9
    traffic: {
10
      http: {
11
        methods: ['POST', 'PUT'],
12
        mime_types: ['application/json', 'text/plain']
13
      }
14
    },
15
    rule: {
16
      operator: 'and',
17
      conditions: [
18
        {
19
          type: 'http_method',
20
          operator: 'in',
21
          value: ['POST', 'PUT']
22
        },
23
        {
24
          type: 'payload_content',
25
          operator: 'matches',
26
          value: '\\b(?:\\d{3}-\\d{2}-\\d{4}|\\d{9})\\b' // SSN pattern
27
        }
28
      ]
29
    },
30
    dlp_profile: {
31
      entries: [
32
        {
33
          name: 'Credit Card Numbers',
34
          pattern: '\\b(?:\\d{4}[\\s-]?){3}\\d{4}\\b',
35
          enabled: true
36
        },
37
        {
38
          name: 'Social Security Numbers',
39
          pattern: '\\b\\d{3}-\\d{2}-\\d{4}\\b',
40
          enabled: true
41
        }
42
      ]
43
    },
44
    notification_settings: {
45
      enabled: true,
46
      message: 'Sensitive data transmission blocked',
47
      support_url: 'https://company.com/security-policy'
48
    }
49
  };
50

51
  return await createGatewayRule(policy);
52
};

3. Custom Block Pages#

1
<!-- Custom block page template -->
2
<!DOCTYPE html>
3
<html>
4
<head>
5
  <title>Access Blocked</title>
6
  <style>
7
    body {
8
      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
9
      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
10
      color: white;
11
      display: flex;
12
      justify-content: center;
13
      align-items: center;
14
      height: 100vh;
15
      margin: 0;
16
    }
17
    .container {
18
      text-align: center;
19
      padding: 40px;
20
      background: rgba(255, 255, 255, 0.1);
21
      border-radius: 10px;
22
      backdrop-filter: blur(10px);
23
    }
24
    h1 { font-size: 48px; margin-bottom: 20px; }
25
    p { font-size: 18px; margin-bottom: 30px; }
26
    .details {
27
      background: rgba(0, 0, 0, 0.2);
28
      padding: 20px;
29
      border-radius: 5px;
30
      margin-top: 20px;
31
    }
32
    .code { font-family: monospace; color: #ffd700; }
33
  </style>
34
</head>
35
<body>
36
  <div class="container">
37
    <h1>🛡️ Access Blocked</h1>
38
    <p>This website has been blocked by your organization's security policy.</p>
39
    <div class="details">
40
      <p><strong>Category:</strong> <span class="code">{{CATEGORY}}</span></p>
41
      <p><strong>Policy:</strong> <span class="code">{{POLICY_NAME}}</span></p>
42
      <p><strong>Request ID:</strong> <span class="code">{{REQUEST_ID}}</span></p>
43
      <p><strong>Timestamp:</strong> <span class="code">{{TIMESTAMP}}</span></p>
44
    </div>
45
    <p>If you believe this is a mistake, please contact IT support.</p>
46
  </div>
47
</body>
48
</html>

WARP Client Deployment#

1. MDM Deployment Configuration#

1
<!-- Windows MDM Configuration -->
2
<MDMConfiguration>
3
  <WARPClient>
4
    <Organization>YOUR_ORGANIZATION</Organization>
5
    <AuthToken>YOUR_AUTH_TOKEN</AuthToken>
6
    <ServiceMode>warp</ServiceMode>
7
    <AutoConnect>true</AutoConnect>
8
    <SwitchLocked>true</SwitchLocked>
9
    <ExcludedRoutes>
10
      <Route>192.168.0.0/16</Route>
11
      <Route>10.0.0.0/8</Route>
12
    </ExcludedRoutes>
13
    <IncludedRoutes>
14
      <Route>172.16.0.0/12</Route>
15
    </IncludedRoutes>
16
    <FallbackDomains>
17
      <Domain>internal.company.com</Domain>
18
      <Domain>corp.company.local</Domain>
19
    </FallbackDomains>
20
    <DNSServerOverride>
21
      <Primary>162.159.36.1</Primary>
22
      <Secondary>162.159.46.1</Secondary>
23
    </DNSServerOverride>
24
  </WARPClient>
25
</MDMConfiguration>

2. Deployment Script#

1
# PowerShell deployment script for Windows
2
param(
3
    [string]$OrganizationName = "company",
4
    [string]$AuthToken = "YOUR_AUTH_TOKEN"
5
)
6

7
# Download WARP client
8
$warpUrl = "https://www.cloudflare.com/Cloudflare_WARP_Release-x64.msi"
9
$installerPath = "$env:TEMP\cloudflare-warp.msi"
10

11
Invoke-WebRequest -Uri $warpUrl -OutFile $installerPath
12

13
# Install WARP silently
14
$arguments = @(
15
    "/i"
16
    "`"$installerPath`""
17
    "/quiet"
18
    "/norestart"
19
    "ORGANIZATION=`"$OrganizationName`""
20
    "AUTH_CLIENT_ID=`"$AuthToken`""
21
    "ENABLE=`"true`""
22
    "GATEWAY_UNIQUE_ID=`"$OrganizationName`""
23
    "SERVICE_MODE=`"warp`""
24
    "SUPPORT_URL=`"https://support.company.com`""
25
)
26

27
Start-Process msiexec.exe -ArgumentList $arguments -Wait -NoNewWindow
28

29
# Configure WARP settings
30
$warpConfig = @{
31
    auto_connect = $true
32
    switch_locked = $true
33
    service_mode = "warp"
34
    organization = $OrganizationName
35
    exclude = @(
36
        "*.local"
37
        "192.168.*"
38
        "10.*"
39
    )
40
    fallback_domains = @(
41
        "internal.company.com"
42
        "corp.local"
43
    )
44
}
45

46
$warpConfig | ConvertTo-Json | Set-Content -Path "C:\ProgramData\Cloudflare\warp-config.json"
47

48
# Start WARP service
49
Start-Service "CloudflareWARP"
50
Set-Service "CloudflareWARP" -StartupType Automatic
51

52
Write-Host "WARP client installed and configured successfully"

3. macOS Deployment#

1
#!/bin/bash
2
# macOS deployment script
3

4
# Download WARP client
5
curl -o /tmp/Cloudflare_WARP.pkg https://www.cloudflare.com/Cloudflare_WARP.pkg
6

7
# Install WARP
8
sudo installer -pkg /tmp/Cloudflare_WARP.pkg -target /
9

10
# Configure WARP
11
cat > /Library/Managed\ Preferences/com.cloudflare.warp.plist << EOF
12
<?xml version="1.0" encoding="UTF-8"?>
13
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
14
<plist version="1.0">
15
<dict>
16
    <key>organization</key>
17
    <string>company</string>
18
    <key>auto_connect</key>
19
    <true/>
20
    <key>switch_locked</key>
21
    <true/>
22
    <key>service_mode</key>
23
    <string>warp</string>
24
    <key>gateway_unique_id</key>
25
    <string>company</string>
26
    <key>exclude_routes</key>
27
    <array>
28
        <string>192.168.0.0/16</string>
29
        <string>10.0.0.0/8</string>
30
    </array>
31
    <key>fallback_domains</key>
32
    <array>
33
        <string>internal.company.com</string>
34
        <string>corp.local</string>
35
    </array>
36
</dict>
37
</plist>
38
EOF
39

40
# Start WARP
41
sudo launchctl load /Library/LaunchDaemons/com.cloudflare.warp.plist

Device Posture Checks#

1. Configure Device Trust#

1
// Create device posture rule
2
const createDevicePosture = async () => {
3
  const postureRule = {
4
    name: 'Corporate Device Check',
5
    type: 'serial_number',
6
    schedule: '0 */4 * * *', // Check every 4 hours
7
    expiration: '30d',
8
    description: 'Verify device is corporate-managed',
9
    match: [
10
      {
11
        platform: 'windows',
12
        serial_numbers: [
13
          'ABC123456',
14
          'DEF789012'
15
        ]
16
      },
17
      {
18
        platform: 'mac',
19
        serial_numbers: [
20
          'C02ABC1234'
21
        ]
22
      }
23
    ],
24
    input: {
25
      operating_system: {
26
        windows: {
27
          version: '10.0.19041',
28
          operator: '>='
29
        },
30
        mac: {
31
          version: '11.0',
32
          operator: '>='
33
        }
34
      },
35
      firewall: {
36
        enabled: true
37
      },
38
      disk_encryption: {
39
        enabled: true,
40
        encrypted_locations: ['C:\\', '/']
41
      },
42
      antivirus: {
43
        installed: true,
44
        running: true,
45
        definitions_up_to_date: true
46
      }
47
    }
48
  };
49

50
  const response = await fetch(
51
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/devices/posture`,
52
    {
53
      method: 'POST',
54
      headers: {
55
        'Authorization': `Bearer ${API_TOKEN}`,
56
        'Content-Type': 'application/json',
57
      },
58
      body: JSON.stringify(postureRule),
59
    }
60
  );
61

62
  return response.json();
63
};

2. Advanced Posture Checks#

1
// Compliance check implementation
2
const complianceCheck = {
3
  name: 'Security Compliance',
4
  type: 'file',
5
  schedule: '0 0 * * *', // Daily
6
  checks: [
7
    {
8
      name: 'Certificate Present',
9
      platform: 'windows',
10
      path: 'C:\\ProgramData\\Company\\cert.pem',
11
      exists: true,
12
      sha256: 'abc123def456...'
13
    },
14
    {
15
      name: 'Security Agent Running',
16
      platform: 'all',
17
      process: 'SecurityAgent',
18
      running: true
19
    },
20
    {
21
      name: 'Registry Key Check',
22
      platform: 'windows',
23
      registry: {
24
        path: 'HKLM\\Software\\Company\\Security',
25
        key: 'ComplianceLevel',
26
        value: 'High'
27
      }
28
    },
29
    {
30
      name: 'Script Output Check',
31
      platform: 'mac',
32
      script: {
33
        path: '/usr/local/bin/compliance-check.sh',
34
        expected_output: 'COMPLIANT',
35
        timeout: 30
36
      }
37
    }
38
  ]
39
};

Service Auth and API Security#

1. Service Token Implementation#

1
// Create service token for automation
2
const createServiceToken = async () => {
3
  const token = {
4
    name: 'CI/CD Pipeline',
5
    duration: '365d',
6
    policies: [
7
      {
8
        effect: 'allow',
9
        resources: ['com.cloudflare.api.account.*'],
10
        permission_groups: [
11
          {
12
            id: 'read_only_permissions'
13
          }
14
        ]
15
      }
16
    ]
17
  };
18

19
  const response = await fetch(
20
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/access/service_tokens`,
21
    {
22
      method: 'POST',
23
      headers: {
24
        'Authorization': `Bearer ${API_TOKEN}`,
25
        'Content-Type': 'application/json',
26
      },
27
      body: JSON.stringify(token),
28
    }
29
  );
30

31
  const result = await response.json();
32
  // Returns client_id and client_secret
33
  return result;
34
};
35

36
// Use service token for authentication
37
const authenticateService = async (clientId, clientSecret) => {
38
  const response = await fetch('https://api.internal.company.com/data', {
39
    headers: {
40
      'CF-Access-Client-Id': clientId,
41
      'CF-Access-Client-Secret': clientSecret,
42
    }
43
  });
44

45
  return response.json();
46
};

2. mTLS Configuration#

1
// Configure mutual TLS
2
const configureMTLS = async () => {
3
  const mtlsConfig = {
4
    name: 'API mTLS',
5
    hostname: 'api.company.com',
6
    certificate_authorities: [
7
      {
8
        name: 'Company Root CA',
9
        certificate: `-----BEGIN CERTIFICATE-----
10
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
11
...
12
-----END CERTIFICATE-----`
13
      }
14
    ],
15
    client_certificate_forwarding: {
16
      enabled: true,
17
      header_name: 'X-Client-Cert'
18
    },
19
    validation: {
20
      require_client_certificate: true,
21
      check_revocation: true
22
    }
23
  };
24

25
  return await createMTLSRule(mtlsConfig);
26
};

Monitoring and Analytics#

1. Access Logs Integration#

1
// Stream Access logs to SIEM
2
const configureLogPush = async () => {
3
  const logPushConfig = {
4
    name: 'Access Logs to SIEM',
5
    destination_conf: 's3://security-logs/cloudflare/access/',
6
    dataset: 'access_logs',
7
    frequency: 'every_5_minutes',
8
    enabled: true,
9
    logpull_options: 'fields=RayID,EdgeStartTimestamp,ClientIP,ClientCountry,ClientDeviceType,EdgePathingSrc,EdgePathingOp,EdgePathingStatus,OriginResponseStatus,ClientRequestHost,ClientRequestMethod,ClientRequestPath,ClientRequestProtocol,ClientRequestUserAgent,EdgeResponseBytes,EdgeResponseStatus,EdgeServerIP,SecurityLevel',
10
    ownership_challenge: 'challenge-token-here',
11
    filter: {
12
      where: {
13
        key: 'ApplicationID',
14
        operator: 'eq',
15
        value: 'app-id-here'
16
      }
17
    }
18
  };
19

20
  const response = await fetch(
21
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/logpush/jobs`,
22
    {
23
      method: 'POST',
24
      headers: {
25
        'Authorization': `Bearer ${API_TOKEN}`,
26
        'Content-Type': 'application/json',
27
      },
28
      body: JSON.stringify(logPushConfig),
29
    }
30
  );
31

32
  return response.json();
33
};

2. Real-time Analytics Dashboard#

1
// Analytics API integration
2
const getAccessAnalytics = async () => {
3
  const query = `
4
    query GetAccessMetrics($accountId: String!, $datetimeStart: String!, $datetimeEnd: String!) {
5
      viewer {
6
        accounts(filter: {accountTag: $accountId}) {
7
          accessRequests: accessRequestsAdaptiveGroups(
8
            filter: {
9
              datetime_geq: $datetimeStart,
10
              datetime_leq: $datetimeEnd
11
            }
12
          ) {
13
            sum {
14
              requests
15
              allowedRequests
16
              deniedRequests
17
            }
18
            dimensions {
19
              datetimeHour
20
              applicationName
21
              action
22
              userEmail
23
              country
24
            }
25
          }
26
        }
27
      }
28
    }
29
  `;
30

31
  const variables = {
32
    accountId: ACCOUNT_ID,
33
    datetimeStart: new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(),
34
    datetimeEnd: new Date().toISOString()
35
  };
36

37
  const response = await fetch('https://api.cloudflare.com/client/v4/graphql', {
38
    method: 'POST',
39
    headers: {
40
      'Authorization': `Bearer ${API_TOKEN}`,
41
      'Content-Type': 'application/json',
42
    },
43
    body: JSON.stringify({ query, variables }),
44
  });
45

46
  return response.json();
47
};

3. Alert Configuration#

1
// Configure security alerts
2
const createSecurityAlert = async () => {
3
  const alert = {
4
    name: 'Suspicious Access Activity',
5
    description: 'Alert on unusual access patterns',
6
    enabled: true,
7
    alert_type: 'access_anomaly',
8
    filters: {
9
      zones: ['all'],
10
      services: ['access'],
11
      where: {
12
        or: [
13
          {
14
            key: 'failed_login_count',
15
            operator: 'gt',
16
            value: '5'
17
          },
18
          {
19
            key: 'new_location',
20
            operator: 'eq',
21
            value: 'true'
22
          },
23
          {
24
            key: 'impossible_travel',
25
            operator: 'eq',
26
            value: 'true'
27
          }
28
        ]
29
      }
30
    },
31
    mechanisms: {
32
      email: {
33
        enabled: true,
34
        addresses: ['security@company.com']
35
      },
36
      webhook: {
37
        enabled: true,
38
        url: 'https://siem.company.com/webhook',
39
        secret: process.env.WEBHOOK_SECRET
40
      },
41
      pagerduty: {
42
        enabled: true,
43
        integration_key: process.env.PAGERDUTY_KEY
44
      }
45
    }
46
  };
47

48
  return await createAlert(alert);
49
};

Best Practices and Security Hardening#

1. Least Privilege Access#

1
// Implement time-based access
2
const createTemporaryAccess = async () => {
3
  const temporaryPolicy = {
4
    name: 'Contractor Temporary Access',
5
    decision: 'allow',
6
    include: [
7
      {
8
        email: {
9
          email: 'contractor@external.com'
10
        }
11
      }
12
    ],
13
    require: [
14
      {
15
        purpose_justification: {
16
          required: true,
17
          prompt: 'Provide ticket number and reason'
18
        }
19
      }
20
    ],
21
    session_duration: '4h',
22
    valid_from: new Date().toISOString(),
23
    valid_until: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
24
    approval_required: true,
25
    approval_groups: [
26
      {
27
        email_list: ['manager@company.com']
28
      }
29
    ]
30
  };
31

32
  return await createPolicy(temporaryPolicy);
33
};

2. Network Segmentation#

1
# Tunnel configuration for network segmentation
2
tunnel: production-tunnel
3
credentials-file: /path/to/credentials.json
4

5
ingress:
6
  # Production environment
7
  - hostname: prod-*.company.com
8
    service: http://prod-lb:8080
9
    originRequest:
10
      noTLSVerify: false
11
      access:
12
        required: true
13
        teamName: production-team
14

15
  # Staging environment
16
  - hostname: staging-*.company.com
17
    service: http://staging-lb:8080
18
    originRequest:
19
      noTLSVerify: true
20
      access:
21
        required: true
22
        teamName: dev-team
23

24
  # Development environment
25
  - hostname: dev-*.company.com
26
    service: http://dev-lb:8080
27
    originRequest:
28
      noTLSVerify: true
29
      access:
30
        required: false
31

32
  - service: http_status:404

3. Incident Response Automation#

1
// Automated incident response
2
const respondToIncident = async (incident) => {
3
  // 1. Isolate affected user
4
  await revokeUserSessions(incident.userId);
5

6
  // 2. Block source IP
7
  await createIPBlock(incident.sourceIP);
8

9
  // 3. Force password reset
10
  await forcePasswordReset(incident.userId);
11

12
  // 4. Notify security team
13
  await notifySecurityTeam(incident);
14

15
  // 5. Create forensic snapshot
16
  await captureForensicData(incident);
17

18
  // 6. Update access policies
19
  await tightenAccessPolicies(incident.affectedResources);
20

21
  return {
22
    incidentId: incident.id,
23
    actions: [
24
      'sessions_revoked',
25
      'ip_blocked',
26
      'password_reset_forced',
27
      'team_notified',
28
      'forensics_captured',
29
      'policies_updated'
30
    ],
31
    timestamp: new Date().toISOString()
32
  };
33
};
34

35
const revokeUserSessions = async (userId) => {
36
  const response = await fetch(
37
    `https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/access/users/${userId}/active_sessions`,
38
    {
39
      method: 'DELETE',
40
      headers: {
41
        'Authorization': `Bearer ${API_TOKEN}`,
42
      },
43
    }
44
  );
45

46
  return response.json();
47
};

Troubleshooting Guide#

1. Common Issues and Solutions#

1
// Diagnostic script
2
const runDiagnostics = async () => {
3
  const diagnostics = {
4
    timestamp: new Date().toISOString(),
5
    checks: []
6
  };
7

8
  // Check tunnel connectivity
9
  try {
10
    const tunnelStatus = await checkTunnelStatus();
11
    diagnostics.checks.push({
12
      name: 'Tunnel Connectivity',
13
      status: tunnelStatus.connected ? 'OK' : 'FAILED',
14
      details: tunnelStatus
15
    });
16
  } catch (error) {
17
    diagnostics.checks.push({
18
      name: 'Tunnel Connectivity',
19
      status: 'ERROR',
20
      error: error.message
21
    });
22
  }
23

24
  // Check DNS resolution
25
  try {
26
    const dnsCheck = await checkDNSResolution();
27
    diagnostics.checks.push({
28
      name: 'DNS Resolution',
29
      status: dnsCheck.success ? 'OK' : 'FAILED',
30
      details: dnsCheck
31
    });
32
  } catch (error) {
33
    diagnostics.checks.push({
34
      name: 'DNS Resolution',
35
      status: 'ERROR',
36
      error: error.message
37
    });
38
  }
39

40
  // Check Access policies
41
  try {
42
    const policyCheck = await validatePolicies();
43
    diagnostics.checks.push({
44
      name: 'Access Policies',
45
      status: policyCheck.valid ? 'OK' : 'MISCONFIGURED',
46
      details: policyCheck
47
    });
48
  } catch (error) {
49
    diagnostics.checks.push({
50
      name: 'Access Policies',
51
      status: 'ERROR',
52
      error: error.message
53
    });
54
  }
55

56
  // Check certificate validity
57
  try {
58
    const certCheck = await checkCertificates();
59
    diagnostics.checks.push({
60
      name: 'Certificate Validity',
61
      status: certCheck.valid ? 'OK' : 'EXPIRED',
62
      details: certCheck
63
    });
64
  } catch (error) {
65
    diagnostics.checks.push({
66
      name: 'Certificate Validity',
67
      status: 'ERROR',
68
      error: error.message
69
    });
70
  }
71

72
  return diagnostics;
73
};

2. Debug Logging#

1
# Enable debug logging for cloudflared
2
cloudflared tunnel run --loglevel debug --logfile /var/log/cloudflared.log
3

4
# Enable WARP debug logs (Windows)
5
reg add "HKLM\Software\Cloudflare\WARP" /v "LogLevel" /t REG_SZ /d "debug" /f
6

7
# Enable WARP debug logs (macOS)
8
sudo defaults write /Library/Preferences/com.cloudflare.warp LogLevel -string "debug"

3. Performance Optimization#

1
// Optimize tunnel performance
2
const optimizeTunnelConfig = {
3
  protocol: 'quic', // Use QUIC for better performance
4
  retries: 5,
5
  grace_period: '30s',
6
  originRequest: {
7
    connectTimeout: '30s',
8
    tlsTimeout: '10s',
9
    tcpKeepAlive: '30s',
10
    noHappyEyeballs: false,
11
    keepAliveConnections: 100,
12
    keepAliveTimeout: '90s',
13
    httpHostHeader: '',
14
    originServerName: '',
15
    caPool: '',
16
    noTLSVerify: false,
17
    disableChunkedEncoding: false,
18
    bastionMode: false,
19
    proxyAddress: '127.0.0.1',
20
    proxyPort: 0,
21
    proxyType: '',
22
    ipRules: []
23
  }
24
};

Conclusion#

Cloudflare Zero Trust provides a comprehensive platform for implementing modern security architecture:

Identity-based access control replacing network perimeter security
Secure connectivity without traditional VPNs
Comprehensive threat protection at the edge
Detailed visibility into all network activity
Simplified management through centralized policies

Key Benefits#

Reduced attack surface - No exposed inbound ports
Improved user experience - Fast, seamless access
Cost reduction - Eliminate VPN infrastructure
Enhanced security - Continuous verification
Scalability - Cloud-native architecture