Gergo Vadasz

Originally published at gergovadasz.hu

Deploy a Private Website with Cloudflare Zero Trust and Terraform

Cloudflare Zero Trust is a security platform that lets you control who can access your internal or private applications — without using a traditional VPN. It authenticates users through methods like email or Google/Microsoft accounts before granting access.

In this post, I'll show you how to deploy a private website behind Cloudflare Zero Trust using Terraform, with a VM hosted on Google Cloud.

 

What You'll Need

  • A free Cloudflare account
  • A domain managed by Cloudflare
  • Cloudflare Zero Trust activated
  • Infrastructure to host the website (VM, PaaS, etc.)
  • For this guide: a Google Cloud project with VPC network access

 

Collect Cloudflare Account Details

Create a terraform.tfvars file with your Cloudflare and GCP details. The file holds your API token in plaintext, so keep it out of version control:

cloudflare_zone           = "yourdomain.com"
cloudflare_zone_id        = "ce...."
cloudflare_account_id     = "7a...."
cloudflare_email          = "[email protected]"
cloudflare_token          = "b6...."
gcp_project_id            = "your-gcp-project"
zone                      = "europe-west4-a"
machine_type              = "e2-small"

API Token Requirements:

  • Cloudflare Tunnel: Edit
  • Access: Apps and Policies: Edit
  • DNS: Edit
  • Zero Trust: Edit

 

Deploy with Terraform

The Terraform code is available in my public repository: github.com/vadaszgergo/terraform-public/tree/main/cloudflare-zero-trust-web-application

Deployment involves:

  1. Cloudflare Zero Trust resource creation (takes seconds)
  2. VM provisioning in Google Cloud
  3. Auto-installation via cloud-init script (5-6 minutes):
    • OS updates and package installation
    • Static website creation
    • Cloudflared tunnel configuration and startup

Once complete, your website is accessible at http_app.yourdomain.com — but only after email authentication through Cloudflare's access policy.
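
A minimal sketch of the Cloudflare resources behind step 1, added here as an example and not taken from the linked repository. It assumes Cloudflare provider v4.x resource names and the hashicorp/random provider; the resource labels, tunnel name, session duration, the http://localhost:80 origin and the use of cloudflare_email as the admitted address are assumptions, and the DNS record, VM and remaining variable declarations are left out.

```hcl
# Added example, not the repository's code. Assumes Cloudflare provider v4.x;
# labels, names and the origin port below are assumptions.
variable "cloudflare_token" {
  type      = string
  sensitive = true # redacts the API token in plan/apply output
}
resource "random_id" "tunnel_secret" {
  byte_length = 32 # random secret for the tunnel
}

resource "cloudflare_tunnel" "web" {
  account_id = var.cloudflare_account_id
  name       = "private-web" # hypothetical name
  secret     = random_id.tunnel_secret.b64_std
}

# cloudflared on the VM dials out to Cloudflare, so no inbound port is opened.
resource "cloudflare_tunnel_config" "web" {
  account_id = var.cloudflare_account_id
  tunnel_id  = cloudflare_tunnel.web.id
  config {
    ingress_rule {
      hostname = "http_app.${var.cloudflare_zone}"
      service  = "http://localhost:80" # assumed local web server
    }
    ingress_rule {
      service = "http_status:404" # catch-all for any other hostname
    }
  }
}

# Access sits in front of the hostname; requests matching no allow rule are denied.
resource "cloudflare_access_application" "web" {
  account_id       = var.cloudflare_account_id
  name             = "Private website"
  domain           = "http_app.${var.cloudflare_zone}"
  session_duration = "1h"
}

resource "cloudflare_access_policy" "allow_listed" {
  application_id = cloudflare_access_application.web.id
  account_id     = var.cloudflare_account_id
  name           = "Allow listed email"
  precedence     = 1
  decision       = "allow"
  include {
    email = [var.cloudflare_email] # assumption: the address to admit
  }
}
```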

 

What Makes This Powerful

This setup can serve as a secure entry point for both private and public websites. The flexibility is what makes it interesting:

  • Private applications: Internal dashboards, admin panels, staging environments — accessible only to authenticated users
  • Public with protection: Your production site behind DDoS protection and WAF
  • Any hosting backend: Works with VMs, containers, home labs, or any environment that can run cloudflared

You get all of this without opening any inbound ports on your server, without configuring a VPN, and without managing certificates manually.

 

Conclusion

It's surprisingly simple to protect your applications using Cloudflare's powerful policies and authentication features, without relying on a traditional VPN. The Terraform code handles everything — from the Cloudflare tunnel and access policies to the GCP VM and website setup.

You can extend this further with multi-user policies, device posture checks, and Cloudflare's analytics dashboard.

Check out the full guide and Terraform code at gergovadasz.hu.

