How Cloudflare Zero Trust Works
π
May 23, 2026
π·οΈInfrastructure Security
β±οΈ12 min
Understanding how Cloudflare Zero Trust works is essential before implementing it. This page explains the architecture, traffic flows, and how each component integrates with your infrastructure.
Architecture Overview
Cloudflare Zero Trust consists of four main components working together:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Internet Users β
ββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Cloudflare Global Network β
β (200+ data centers worldwide) β
β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β Cloudflare β β Cloudflare β β Cloudflare β β
β β Tunnel β β Access β β Gateway β β
β ββββββββ¬ββββββββ ββββββββ¬ββββββββ ββββββββ¬ββββββββ β
β β β β β
βββββββββββΌββββββββββββββββββΌβββββββββββββββββββΌβββββββββββ
β β β
β β β
βΌ βΌ βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Your Infrastructure β
β β
β ββββββββββββββββββ ββββββββββββββββ ββββββββββββ β
β β Public Apps β β Private Apps β β SSH β β
β β example.com β β ArgoCD β β kubectl β β
β β app.goalixa β β Harbor β β (WARP) β β
β ββββββββββββββββββ β Grafana β ββββββββββββ β
β ββββββββββββββββ β
β β
β Kubernetes Cluster (4 nodes) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββComponent 1: Cloudflare Tunnel
What It Does
Cloudflare Tunnel creates an outbound-only connection from your infrastructure to Cloudflareβs edge network. This means:
- No inbound firewall rules needed - your server initiates the connection
- No open ports - all traffic comes through the tunnel
- High availability - multiple concurrent connections for redundancy
How It Works
Step 1: cloudflared starts on your server
βββ Reads /etc/cloudflared/config.yml
βββ Loads tunnel credentials
βββ Establishes outbound connections to Cloudflare
Step 2: Creates multiple HA connections
βββ Connection 1 β fra-a.cloudflare.com
βββ Connection 2 β fra-b.cloudflare.com
βββ Connection 3 β fra-c.cloudflare.com
βββ Connection 4 β fra-d.cloudflare.com
Step 3: Cloudflare Edge receives connections
βββ Registers tunnel ID
βββ Maps domains to tunnel
βββ Ready to proxy trafficTraffic Flow (HTTP/HTTPS)
User requests internal1.example.com
β
DNS query: internal1.example.com
β
Returns: Cloudflare IP (188.114.96.3)
β
User connects to Cloudflare Edge (nearest datacenter)
β
Cloudflare looks up tunnel mapping
β
Routes request through tunnel to your server
β
cloudflared receives request
β
Forwards to: http://192.0.2.10:80
β
nginx-ingress routes to ArgoCD service
β
Response flows back through tunnel
β
Cloudflare Edge sends response to userWhy Port 80? Even though users connect via HTTPS, Cloudflare handles TLS termination at the edge. The tunnel itself carries HTTP traffic internally, which is secure because itβs encrypted end-to-end by Cloudflareβs protocol.
My Configuration
# /etc/cloudflared/config.yml on master node (192.0.2.10)
tunnel: example-cluster
credentials-file: /root/.cloudflared/aaaabbbb-cccc-dddd-eeee-ffff00001111.json
ingress:
# Public services
- hostname: example.com
service: http://192.0.2.10:80
originRequest:
noTLSVerify: true
connectTimeout: 30s
httpHostHeader: example.com
- hostname: app.example.com
service: http://192.0.2.10:80
originRequest:
noTLSVerify: true
connectTimeout: 30s
httpHostHeader: app.example.com
# Private services (protected by Access)
- hostname: internal1.example.com
service: http://192.0.2.10:80
originRequest:
noTLSVerify: true
connectTimeout: 30s
httpHostHeader: internal1.example.com
- hostname: internal2.example.com
service: http://192.0.2.10:80
originRequest:
noTLSVerify: true
connectTimeout: 30s
httpHostHeader: internal2.example.com
- hostname: internal3.example.com
service: http://192.0.2.10:80
originRequest:
noTLSVerify: true
connectTimeout: 30s
httpHostHeader: internal3.example.com
# Catch-all
- service: http_status:404
loglevel: info
logfile: /var/log/cloudflared.log
metrics: 0.0.0.0:2000Key Points:
service: http://192.0.2.10:80- Points to nginx-ingress LoadBalancer IPnoTLSVerify: true- Because nginx-ingress uses self-signed certshttpHostHeader- Ensures nginx-ingress knows which Ingress to route tometrics: 0.0.0.0:2000- Exposes Prometheus metrics for monitoring
Component 2: Cloudflare Access
What It Does
Cloudflare Access adds identity-based authentication before traffic reaches your services. It acts as a reverse proxy that checks authentication first.
Authentication Flow
User visits https://internal1.example.com
β
Request hits Cloudflare Edge
β
Cloudflare checks: Is this domain protected by Access?
β
YES β Check for valid session cookie
β
No session or expired?
β
Redirect to: goalixa.cloudflareaccess.com/auth
β
Show Cloudflare Access login page
β
User enters email β Send OTP code
β
User enters OTP β Verify code
β
Valid? Create session cookie (24h TTL)
β
Redirect back to internal1.example.com
β
Forward request through tunnel to ArgoCD
β
User sees ArgoCD dashboardSession Management
- Duration: 24 hours
- Cookie:
CF_Authorization(HttpOnly, Secure, SameSite=Lax) - Renewal: Automatic on each request
- Revocation: Instant (logout or admin action)
Access Policies
Each private service has an Access Application with policies:
Example: ArgoCD Access Policy
Application: argocd
Domain: internal1.example.com
Session Duration: 24 hours
Policy: Admin Access
Include:
- Email: your@email.com
Action: Allow
Authentication Method: One-time PIN
- Send OTP to email
- Code expires in 5 minutes
- 3 attempts maximumAudit Logs
Every access attempt is logged:
Logged Data:
- User email
- Timestamp
- IP address
- User agent
- Access decision (Allow/Deny)
- Session duration
Component 3: Cloudflare WARP
What It Does
WARP is a device client that creates a secure tunnel from your laptop/desktop to Cloudflareβs network. For network-level protocols (SSH, kubectl), WARP routes traffic through Cloudflare Gateway for inspection and policy enforcement.
How It Works
Your laptop (WARP installed)
β
WARP client enrolls with your Zero Trust organization
β
Creates WireGuard tunnel to nearest Cloudflare datacenter
β
Split tunnel configured: Only cluster IPs route through WARP
β
When you run: kubectl get pods
β
Request to: 192.0.2.10:6443
β
WARP intercepts (because 192.0.2.10 in split tunnel list)
β
Routes through WARP tunnel β Cloudflare Gateway
β
Gateway checks firewall policies
β
Policy: Allow kubectl (port 6443) to 192.0.2.10
β
Forward to master node
β
kubectl API responds
β
Response flows back through WARP
β
kubectl displays pod listSplit Tunnel Configuration
My WARP is configured to only route cluster traffic through Cloudflare:
Include Mode:
192.0.2.10/32 # Master node
5.75.198.10/32 # Worker1
91.107.250.5/32 # Worker2
65.109.212.122/32 # Worker3What this means:
- β SSH to 192.0.2.10 β Through WARP
- β kubectl (192.0.2.10:6443) β Through WARP
- β google.com β Direct (not through WARP)
- β Other websites β Direct (not through WARP)
Component 4: Cloudflare Gateway
What It Does
Gateway is the firewall and policy engine for WARP traffic. It inspects network traffic and enforces policies based on:
- Destination IP and port
- Protocol (TCP/UDP/ICMP)
- User identity
- Device posture
Gateway Policies
My Policies:
-
Allow kubectl to Kubernetes API
- Destination: 192.0.2.10
- Port: 6443
- Protocol: TCP
- Action: Allow
- Logging: Enabled
-
Allow SSH to Kubernetes Cluster
- Destination IPs: All 4 cluster nodes
- Port: 22
- Protocol: TCP
- Action: Allow
- Logging: Enabled
-
Default Deny (implicit)
- All other traffic: Block
Gateway Network Logs
Every network request is logged:
- Source IP (your laptop)
- Destination IP and port
- Action (Allow/Block)
- Timestamp
- Protocol
- User identity (if authenticated)
How Components Work Together
Public Service Access (example.com)
User β Cloudflare Edge β Tunnel β nginx-ingress β goalixa-landingNo authentication required - Cloudflare just acts as CDN and DDoS protection.
Private Service Access (internal1.example.com)
User β Cloudflare Edge
β Access (Email OTP required) β
β Tunnel
β nginx-ingress
β ArgoCDAuthentication required - Access checks session before forwarding.
Infrastructure Access (kubectl)
Admin laptop (WARP connected)
β WARP client
β Cloudflare Gateway (Check policy) β
β Direct to 192.0.2.10:6443
β Kubernetes APIDevice verification required - Must have WARP connected and enrolled.
Infrastructure Access (SSH)
Admin laptop (WARP connected)
β WARP client
β Cloudflare Gateway (Check policy) β
β Direct to 192.0.2.10:22
β SSH daemonDevice verification required - Same as kubectl.
Note: SSH and kubectl traffic goes through WARP but not through the Cloudflare Tunnel. Theyβre different paths:
- Tunnel: HTTP/HTTPS traffic (bidirectional)
- WARP: Network traffic inspection (client to infrastructure)
Security Model
Before Cloudflare Zero Trust
Internet β Direct connection to 192.0.2.10
βββ Port 80/443 β Anyone can reach services
βββ Port 22 β SSH brute force attacks (15,000/day)
βββ Port 6443 β Kubernetes API exposed globallySecurity: Based on passwords and SSH keys only
After Cloudflare Zero Trust
Internet
βββ Public services β Cloudflare β Tunnel β nginx-ingress
β (No auth, just CDN and DDoS protection)
β
βββ Private services β Cloudflare Access (Email OTP) β Tunnel β nginx-ingress
β (Identity verified BEFORE reaching service)
β
βββ Infrastructure β WARP (Device enrolled) β Gateway (Policy check) β Direct
(Device and identity verified)Security: Defense in depth
- Network layer: WARP enrollment + Gateway policies
- Application layer: Access authentication
- Service layer: Original service auth (ArgoCD login, SSH keys)
Next: Complete Setup Guide
Now that you understand how it works, letβs implement it: