loc_az_hci/docs/deployment/cloudflare-integration.md
defiQUG c39465c2bd
Initial commit: loc_az_hci (smom-dbis-138 excluded via .gitignore)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-08 09:04:46 -08:00


Cloudflare Integration Guide

Overview

This document describes the Cloudflare Zero Trust and Tunnel integration for secure external access to the Azure Stack HCI environment without requiring inbound ports.

Architecture

Cloudflare Tunnel Architecture

┌───────────────────────────────────────────────────────────┐
│               Cloudflare Zero Trust Network               │
│  ┌──────────────┐   ┌──────────────┐   ┌──────────────┐   │
│  │ Zero Trust   │   │     WAF      │   │   Tunnel     │   │
│  │ Policies     │   │    Rules     │   │  Endpoints   │   │
│  └──────────────┘   └──────────────┘   └──────────────┘   │
└───────────────────────────────────────────────────────────┘
                              │
                              │ Outbound HTTPS (443)
                              │
┌───────────────────────────────────────────────────────────┐
│                On-Premises Infrastructure                 │
│                                                           │
│  ┌─────────────────────────────────────────────────────┐  │
│  │          Cloudflare Tunnel VM (VLAN 99)             │  │
│  │  ┌──────────────┐                                   │  │
│  │  │ cloudflared  │                                   │  │
│  │  │   daemon     │                                   │  │
│  │  └──────────────┘                                   │  │
│  └─────────────────────────────────────────────────────┘  │
│          │                  │                  │          │
│  ┌───────▼──────┐   ┌───────▼──────┐   ┌───────▼──────┐   │
│  │ WAC          │   │ Proxmox      │   │ Dashboards   │   │
│  │ (VLAN 60)    │   │ UI           │   │ (VLAN 40)    │   │
│  └──────────────┘   └──────────────┘   └──────────────┘   │
└───────────────────────────────────────────────────────────┘

Components

Cloudflare Tunnel (cloudflared)

  • Purpose: Secure outbound connection to Cloudflare network
  • Location: Ubuntu VM in VLAN 99 (DMZ)
  • Protocol: Outbound HTTPS (443) only
  • Benefits: No inbound ports required, encrypted tunnel

Zero Trust Policies

  • SSO Integration: Azure AD, Okta, or other identity providers
  • MFA Requirements: Multi-factor authentication enforcement
  • Device Posture: Device health and compliance checks
  • Access Policies: Least privilege access control

WAF (Web Application Firewall)

  • Purpose: Protect public ingress from attacks
  • Rules: Custom WAF rules for application protection
  • Integration: Works with Tunnel endpoints

Installation

Prerequisites

  • Cloudflare account with Zero Trust enabled
  • Ubuntu VM deployed in VLAN 99
  • Network connectivity from Tunnel VM to services
  • Azure AD or other SSO provider (optional)

Environment Configuration

Before starting, ensure your .env file is configured with Cloudflare credentials:

# Copy template if not already done
cp .env.example .env

# Edit .env and set:
# - CLOUDFLARE_API_TOKEN (get from https://dash.cloudflare.com/profile/api-tokens)
# - CLOUDFLARE_ACCOUNT_EMAIL
# - CLOUDFLARE_ZONE_ID (optional)

Step 1: Create Cloudflare Zero Trust Organization

  1. Log in to Cloudflare Dashboard
  2. Navigate to Zero Trust
  3. Create or select organization
  4. Note your organization name

Note: If using automation scripts, ensure CLOUDFLARE_API_TOKEN is set in your .env file.

Step 2: Install cloudflared

On the Ubuntu Tunnel VM:

# Download and install cloudflared
sudo curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared

# Verify installation
cloudflared --version

Step 3: Authenticate cloudflared

# Option 1: Interactive login (recommended for first-time setup)
cloudflared tunnel login

# This will open a browser for authentication
# Follow the prompts to authenticate

# Option 2: Using API token from .env (for automation)
# Load environment variables if using .env. `set -a` exports every variable
# the sourced file assigns; unlike `export $(cat .env | xargs)` this also
# works for values that contain spaces.
set -a
. ./.env
set +a

# Note: Tunnel credentials are stored in /etc/cloudflared/<tunnel-id>.json
# This file should be secured (chmod 600) and not committed to version control

Step 4: Create Tunnel

# Create a new tunnel
cloudflared tunnel create azure-stack-hci

# Note the tunnel ID for configuration

Configuration

Tunnel Configuration File

Create /etc/cloudflared/config.yml:

tunnel: <tunnel-id>
credentials-file: /etc/cloudflared/<tunnel-id>.json

ingress:
  # Windows Admin Center
  - hostname: wac.yourdomain.com
    service: https://10.10.60.20:443
    originRequest:
      noHappyEyeballs: true
      tcpKeepAlive: 30s   # originRequest durations need a unit

  # Proxmox UI
  - hostname: proxmox.yourdomain.com
    service: https://10.10.60.10:8006
    originRequest:
      noHappyEyeballs: true
      tcpKeepAlive: 30s

  # Grafana Dashboard
  - hostname: grafana.yourdomain.com
    service: http://10.10.40.10:3000
    originRequest:
      noHappyEyeballs: true

  # Git Server
  - hostname: git.yourdomain.com
    service: https://10.10.30.10:443
    originRequest:
      noHappyEyeballs: true

  # CI/CD
  - hostname: ci.yourdomain.com
    service: https://10.10.50.10:443
    originRequest:
      noHappyEyeballs: true

  # Catch-all (must be last)
  - service: http_status:404
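The ingress list above is the part of the tunnel that decides what is reachable from the internet, so it is worth checking mechanically before cloudflared is restarted. The following linter is an added example and not part of the project's tooling; it understands only the ingress shape used in this guide (hostname/service entries with scalar originRequest keys, no PyYAML needed) and flags the mistakes that matter for a tunnel: a missing or misplaced catch-all, a plaintext origin, disabled origin certificate validation, and originRequest durations written without a unit. The embedded config and the tunnel id in it are constructed sample data.

```python
"""Lint a cloudflared ingress config before it is deployed (added example)."""
import re
from typing import Dict, List

DURATION_KEYS = {"tcpKeepAlive", "connectTimeout", "tlsTimeout",
                 "keepAliveTimeout", "tcpKeepAliveTimeout"}
DURATION_RE = re.compile(r"^\d+(ns|us|ms|s|m|h)$")


def parse_ingress(text: str) -> List[Dict[str, str]]:
    """Return one flat dict per ingress rule; originRequest sub-keys are
    stored as 'originRequest.<key>'. Comments (# ...) are stripped first."""
    rules: List[Dict[str, str]] = []
    in_ingress = False
    origin_indent = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("ingress:"):
            in_ingress = True
            continue
        if not in_ingress or not line.startswith(" "):
            continue                      # another top-level key ends the list
        indent = len(line) - len(line.lstrip())
        entry = line.strip()
        if entry.startswith("- "):        # start of a new rule
            rules.append({})
            origin_indent = None
            entry = entry[2:].lstrip()
            indent += 2
        key, _, value = entry.partition(":")
        key, value = key.strip(), value.strip()
        if key == "originRequest":
            origin_indent = indent
            continue
        if not rules:
            raise ValueError(f"key {key!r} appears before the first '- ' rule")
        if origin_indent is not None and indent > origin_indent:
            key = "originRequest." + key
        rules[-1][key] = value
    return rules


def lint_ingress(rules: List[Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    if not rules:
        return ["no ingress rules found"]
    findings = []
    last = rules[-1]
    if "hostname" in last or not last.get("service", "").startswith("http_status:"):
        findings.append("last rule must be the catch-all, e.g. 'service: http_status:404'")
    for n, rule in enumerate(rules[:-1], 1):
        label = rule.get("hostname", f"rule #{n}")
        if "hostname" not in rule:
            findings.append(f"{label}: no hostname; only the final catch-all may omit it")
        svc = rule.get("service", "")
        if not svc:
            findings.append(f"{label}: no service")
        elif svc.startswith("http://"):
            findings.append(f"{label}: plaintext origin {svc}; the Tunnel VM to origin hop is unencrypted")
        if rule.get("originRequest.noTLSVerify") == "true":
            findings.append(f"{label}: noTLSVerify disables origin certificate validation")
        for key, val in rule.items():
            short = key[len("originRequest."):] if key.startswith("originRequest.") else ""
            if short in DURATION_KEYS and not DURATION_RE.match(val):
                findings.append(f"{label}: {short}={val!r} needs a unit, e.g. '30s'")
    return findings


# Constructed sample config (placeholder tunnel id), deliberately carrying
# one unit-less duration and one plaintext origin.
SAMPLE_CONFIG = """\
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Windows Admin Center
  - hostname: wac.yourdomain.com
    service: https://10.10.60.20:443
    originRequest:
      noHappyEyeballs: true
      tcpKeepAlive: 30
  # Grafana (plaintext origin)
  - hostname: grafana.yourdomain.com
    service: http://10.10.40.10:3000
  - service: http_status:404
"""

if __name__ == "__main__":
    for finding in lint_ingress(parse_ingress(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it against /etc/cloudflared/config.yml by reading the file into parse_ingress; a non-empty result from lint_ingress is a reason not to restart the service yet.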

DNS Configuration

In Cloudflare Dashboard:

  1. Navigate to Zero Trust > Access > Tunnels
  2. Select your tunnel
  3. Configure public hostnames:
    • wac.yourdomain.com → Tunnel
    • proxmox.yourdomain.com → Tunnel
    • grafana.yourdomain.com → Tunnel
    • git.yourdomain.com → Tunnel
    • ci.yourdomain.com → Tunnel

Systemd Service

Create /etc/systemd/system/cloudflared.service:

[Unit]
Description=Cloudflare Tunnel
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Unprivileged account that owns /etc/cloudflared; create it first, e.g.
# sudo useradd --system --no-create-home --shell /usr/sbin/nologin cloudflared
User=cloudflared
ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Zero Trust Policies

SSO Configuration

  1. Navigate to Zero Trust > Access > Authentication
  2. Add identity provider:
    • Azure AD: Configure Azure AD app registration
    • Okta: Configure Okta application
    • Other: Follow provider-specific instructions

Access Policies

  1. Navigate to Zero Trust > Access > Applications
  2. Create application:
    • Application name: WAC Access
    • Application domain: wac.yourdomain.com
    • Session duration: 24 hours
  3. Configure policy:
    • Action: Allow
    • Include:
      • Emails: admin@yourdomain.com
      • Groups: IT-Admins
    • Require:
      • MFA: Yes
      • Device posture: Optional

Device Posture Checks

  1. Navigate to Zero Trust > Settings > WARP
  2. Configure device posture:
    • OS version: Require minimum OS version
    • Disk encryption: Require disk encryption
    • Firewall: Require firewall enabled
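The Access Policies and Device Posture Checks sections above describe a decision that is easy to misread in the dashboard: Include rules are OR'd (any one admits the user), Exclude rules veto, and Require rules are AND'd (every one must hold), with a device posture requirement itself being a bundle of checks. The model below is an added example, not Cloudflare's code; it encodes those semantics for the WAC policy from this guide (admin@yourdomain.com or the IT-Admins group, MFA required) plus the OS version, disk encryption and firewall posture checks, so a policy can be reasoned about before it guards a live service. All identities, devices and version numbers are constructed sample data.

```python
"""Model of a Cloudflare Access allow policy with device posture (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Device:
    os_version: Tuple[int, int]     # e.g. (11, 0); constructed sample values
    disk_encrypted: bool
    firewall_enabled: bool


@dataclass
class PostureRequirement:
    """The posture checks configured under Zero Trust > Settings > WARP."""
    min_os_version: Tuple[int, int] = (0, 0)
    require_disk_encryption: bool = False
    require_firewall: bool = False

    def failures(self, dev: Device) -> List[str]:
        """Return the posture checks this device fails (empty = compliant)."""
        failed = []
        if dev.os_version < self.min_os_version:
            failed.append("os_version")
        if self.require_disk_encryption and not dev.disk_encrypted:
            failed.append("disk_encryption")
        if self.require_firewall and not dev.firewall_enabled:
            failed.append("firewall")
        return failed


@dataclass
class Identity:
    email: str
    groups: Set[str] = field(default_factory=set)
    mfa_satisfied: bool = False
    device: Optional[Device] = None


@dataclass
class AccessPolicy:
    include_emails: Set[str] = field(default_factory=set)
    include_groups: Set[str] = field(default_factory=set)
    exclude_emails: Set[str] = field(default_factory=set)
    require_mfa: bool = True
    require_posture: Optional[PostureRequirement] = None   # None = posture optional


def decide(policy: AccessPolicy, who: Identity) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one login attempt."""
    in_scope = (who.email in policy.include_emails
                or bool(who.groups & policy.include_groups))
    if not in_scope:
        return "deny", "no Include rule matched"
    if who.email in policy.exclude_emails:
        return "deny", "Exclude rule matched"
    if policy.require_mfa and not who.mfa_satisfied:
        return "deny", "Require: MFA not satisfied"
    if policy.require_posture is not None:
        if who.device is None:
            return "deny", "Require: no device posture reported"
        failed = policy.require_posture.failures(who.device)
        if failed:
            return "deny", "Require: device posture failed " + ",".join(failed)
    return "allow", "all Include/Exclude/Require rules satisfied"


# The WAC Access policy from this guide with a posture requirement attached.
WAC_POLICY = AccessPolicy(
    include_emails={"admin@yourdomain.com"},
    include_groups={"IT-Admins"},
    require_mfa=True,
    require_posture=PostureRequirement((10, 15), True, True),
)

if __name__ == "__main__":
    ok_dev = Device((11, 0), True, True)
    print(decide(WAC_POLICY, Identity("admin@yourdomain.com", mfa_satisfied=True, device=ok_dev)))
    print(decide(WAC_POLICY, Identity("eng@yourdomain.com", {"IT-Admins"}, device=ok_dev)))
```

The reason string matters as much as the verdict: when an admin reports "SSO not working", the first question is which of the three rule groups denied them, and that is what the Troubleshooting section below asks you to check.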

WAF Configuration

WAF Rules

  1. Navigate to Security > WAF
  2. Create custom rules:

Rule 1: Block Common Attacks

  • Expression: (http.request.uri.path contains "/wp-admin" or http.request.uri.path contains "/phpmyadmin")
  • Action: Block
  • Note: none of the tunnelled services serves these paths, so requests for them are scanner noise that can be dropped at the edge before they reach cloudflared

Rule 2: Rate Limiting

  • Threshold: more than 100 requests per 10 minutes from one client IP (the intent behind the shorthand (rate(10m) > 100))
  • Configure this as a rate limiting rule under Security > WAF; it is not a custom-rule expression
  • Action: Challenge

Rule 3: Geographic Restrictions

  • Expression: (ip.geoip.country ne "US" and ip.geoip.country ne "CA")
  • Action: Block (if needed)

Proxmox Tunnel Example

Community Patterns

For exposing Proxmox UI through Cloudflare Tunnel:

# In config.yml
ingress:
  - hostname: proxmox.yourdomain.com
    service: https://10.10.60.10:8006
    originRequest:
      noHappyEyeballs: true
      tcpKeepAlive: 30s          # durations need a unit; a bare 30 is not 30 seconds
      connectTimeout: 10s
      tlsTimeout: 10s
      tcpKeepAliveTimeout: 30s
      httpHostHeader: proxmox.yourdomain.com
      # noTLSVerify: true        # only while Proxmox still presents its self-signed
                                 # certificate; cloudflared rejects it otherwise

Proxmox Certificate Considerations

  • Proxmox uses self-signed certificates by default
  • Cloudflare terminates the browser's TLS session at its edge; cloudflared then opens a separate TLS connection to the Proxmox origin and validates that certificate by default, so a self-signed certificate must either be replaced with a trusted one or explicitly accepted with originRequest.noTLSVerify
  • Consider using Cloudflare's SSL/TLS mode: "Full (strict)" if using valid certificates

Monitoring

Tunnel Status

# Check tunnel status
sudo systemctl status cloudflared

# View tunnel logs
sudo journalctl -u cloudflared -f

# Test tunnel connectivity
cloudflared tunnel info <tunnel-id>

Cloudflare Dashboard

  • Navigate to Zero Trust > Access > Tunnels
  • View tunnel status and metrics
  • Monitor connection health
  • Review access logs

Troubleshooting

Tunnel Not Connecting

Problem: Tunnel shows as disconnected

  • Solution:
    • Check network connectivity from VM
    • Verify credentials file exists
    • Check cloudflared service status
    • Review logs: journalctl -u cloudflared

Services Not Accessible

Problem: Can't access services through Tunnel

  • Solution:
    • Verify ingress rules in config.yml
    • Check service connectivity from Tunnel VM
    • Verify DNS configuration
    • Check Zero Trust policies

Authentication Issues

Problem: SSO not working

  • Solution:
    • Verify identity provider configuration
    • Check application policies
    • Verify user email addresses
    • Check MFA configuration

Performance Issues

Problem: Slow performance through Tunnel

  • Solution:
    • Check network latency
    • Verify originRequest settings
    • Consider using Cloudflare's Argo Smart Routing
    • Review WAF rules for false positives

Security Best Practices

  1. Use Zero Trust Policies:
    • Always require authentication
    • Enforce MFA for sensitive services
    • Use device posture checks
  2. WAF Rules:
    • Enable WAF for all public endpoints
    • Configure rate limiting
    • Block known attack patterns
  3. Tunnel Security:
    • Run cloudflared as non-root user
    • Secure credentials file (chmod 600)
    • Monitor tunnel logs for anomalies
  4. Network Isolation:
    • Keep Tunnel VM in DMZ (VLAN 99)
    • Use firewall rules to restrict access
    • Only allow necessary ports
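Two of the Tunnel Security items above (non-root service user, credentials file mode 600) are host-level facts that drift silently after a reinstall or a careless copy of the credentials JSON. The script below is an added example, not part of the project: check_credentials_file() reports a credentials file that grants group or other access, and check_unit_file() reports a systemd unit that omits User= or sets it to root (and one with no Restart=, since the guide's unit relies on it). demo_credentials_check() builds a throwaway credentials file in a temporary directory so the script runs without touching /etc/cloudflared; the placeholder tunnel id and file content are constructed.

```python
"""Verify cloudflared host hardening: credentials mode and service user (added example)."""
import os
import re
import stat
import tempfile
from typing import List, Optional, Tuple


def check_credentials_file(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return findings for the credentials JSON at path (empty list = OK)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: credentials file not found"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o077:                       # any group/other bit set
        findings.append(f"{path}: mode {mode:04o} grants group/other access; expected 0600")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    return findings


def check_unit_file(unit_text: str) -> List[str]:
    """Return findings for a cloudflared systemd unit (empty list = OK)."""
    findings = []
    user = re.search(r"^\s*User\s*=\s*(\S+)\s*$", unit_text, re.M)
    if user is None or user.group(1) == "root":
        findings.append("service runs as root; set User= to an unprivileged account")
    if re.search(r"^\s*Restart\s*=\s*(on-failure|always)\s*$", unit_text, re.M) is None:
        findings.append("no Restart=on-failure/always; the tunnel stays down after a crash")
    return findings


def demo_credentials_check() -> Tuple[List[str], List[str]]:
    """Create a sample credentials file with loose permissions, then fix it.
    Returns (findings before chmod 600, findings after)."""
    with tempfile.TemporaryDirectory() as tmp:
        # placeholder tunnel id; the real file is named after the tunnel UUID
        path = os.path.join(tmp, "00000000-0000-0000-0000-000000000000.json")
        with open(path, "w") as fh:
            fh.write('{"note": "constructed sample, not a real credential"}\n')
        os.chmod(path, 0o644)              # the mistake: readable by every local user
        before = check_credentials_file(path, os.getuid())
        os.chmod(path, 0o600)              # the fix from this guide
        after = check_credentials_file(path, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo_credentials_check()
    print("before chmod 600:", before)
    print("after  chmod 600:", after)
    unit = "[Service]\nExecStart=/usr/local/bin/cloudflared tunnel run\n"
    print("unit findings:", check_unit_file(unit))
```

On a real host, point check_credentials_file() at the path named by credentials-file in config.yml and pass the uid of the cloudflared account, and feed /etc/systemd/system/cloudflared.service to check_unit_file(); both are cheap enough to run from a cron job or a monitoring check.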