Cloudflare Tunnels
We use Cloudflare ‘Zero Trust’ services to connect into our AWS VPCs from local machines. (You don’t need to read this article unless your role involves infrastructure / SRE / on-call.)
Getting Started
Download the Cloudflare WARP client
Once installed, log in to WARP with Pivot’s ‘team name’, which is hellopivot.
You can now enable WARP on your local machine and select a virtual network. This will route 10.0.0.0/16 and rds.amazonaws.com traffic through the tunnel. The same route also gives you access to internal services (such as the self-hosted NATS cluster) over their private IPs and DNS names.
How It Works
We run cloudflared as an ECS service in each ECS cluster. This service opens an outbound tunnel to Cloudflare using a virtual network dedicated to that environment. Cloudflare then lets our authorized users connect to that virtual network using WARP.
Considerations
Note that ICMP (ping) functionality is currently limited when running cloudflared in AWS Fargate. This is because ICMP packets require special socket capabilities that are restricted in the Fargate environment. While this doesn’t affect core functionality like database connectivity, you’ll need to use alternative tools like nc (netcat) for connectivity testing. For example, to test database connectivity, run nc -v hostname 5432, which attempts to establish a TCP connection to the PostgreSQL port.
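For connectivity testing from a WARP-connected machine, the following is an added shell example (not part of this page or of Pivot's own tooling) that wraps the nc-based TCP check described above into a reusable script. It assumes nc is installed (or, as a fallback, bash with coreutils timeout); the host names, IPs and ports in its endpoint list are constructed placeholders, not real Pivot endpoints.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. TCP-level reachability checks for
# use from a WARP-connected workstation, where ICMP ping through the
# Fargate-hosted cloudflared is unreliable.

# tcp_check HOST PORT [TIMEOUT_SECONDS]
# Exit status 0 if a TCP handshake completes within the timeout, 1 otherwise.
# Uses nc when available (the same check as `nc -v host 5432`, minus the
# chatter); otherwise falls back to bash's /dev/tcp pseudo-device wrapped in
# coreutils `timeout`.
tcp_check() {
  local host="$1" port="$2" timeout="${3:-3}"
  if command -v nc >/dev/null 2>&1; then
    # -z: connect only, send no data; -w: connect timeout in seconds
    nc -z -w "$timeout" "$host" "$port" >/dev/null 2>&1
  else
    timeout "$timeout" bash -c "exec 3<>/dev/tcp/${host}/${port}" >/dev/null 2>&1
  fi
}

# check_endpoints < list
# Reads "LABEL HOST PORT" lines from stdin (blank lines and '#' comments are
# skipped), prints one result line per entry, and returns the number of
# unreachable endpoints (0 means every endpoint accepted a TCP connection).
check_endpoints() {
  local failures=0 label host port
  while read -r label host port; do
    [ -z "$label" ] && continue
    case "$label" in \#*) continue ;; esac
    if tcp_check "$host" "$port"; then
      printf '%-10s %s:%s reachable\n' "$label" "$host" "$port"
    else
      printf '%-10s %s:%s UNREACHABLE\n' "$label" "$host" "$port"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Constructed endpoint list (placeholders, not real Pivot hosts): a PostgreSQL
# RDS endpoint reached via the rds.amazonaws.com route, and a NATS node on a
# private 10.0.0.0/16 address reached via the tunnel.
ENDPOINTS='# label    host                                 port
postgres   EXAMPLE-DB.rds.amazonaws.com         5432
nats       10.0.0.10                            4222
'

# Run the demo only when invoked as `./tunnel-check.sh --demo`.
demo() {
  printf '%s' "$ENDPOINTS" | check_endpoints
  echo "unreachable endpoints: $?"
}
if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

A successful tcp_check only proves that a TCP handshake completed through the tunnel to that port; it says nothing about authentication or the service itself, so treat it as the replacement for ping, not as an application health check.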