DEV Community

Jakub

Secure Private EKS Access and SSO-Protected Frontends with Cloudflare Tunnel on EC2

What I Built

The system uses a Cloudflare Tunnel running on a single EC2 instance to replace traditional VPN infrastructure. It provides zero-trust VPC access via WARP for engineers and identity-aware frontend application delivery through a private ALB, exposing services on public subdomains without opening inbound firewall ports.

System Architecture

All runtime components are built around a single egress-only tunnel instance that serves two access models:

EC2 instance — A t4g.micro instance running RHEL 9 in a private subnet with no public IP, no SSH access, and no inbound ports.

Cloudflare Tunnel — A daemon running as a systemd service on the EC2 instance that opens outbound QUIC connections to Cloudflare's edge network.

Cloudflare Access Applications — Edge configurations mapping public subdomains to the internal load balancer while enforcing identity provider SSO.

Private ALB — An AWS Application Load Balancer with no internet-facing listener, fronting frontend services inside EKS.

AWS Secrets Manager — Secure persistent storage holding the tunnel token retrieved by the instance at boot.

Security group — The tunnel instance's AWS security group, configured with restrictive egress-only rules.

IAM role — An execution role scoped strictly to read permissions for AWS Secrets Manager and AWS Systems Manager.

EKS cluster security group rule — A security group rule on the EKS cluster allowing internal ingress traffic from the tunnel instance.

All system management occurs via AWS Systems Manager Session Manager.


Core Technical Behavior

At runtime, the EC2 instance retrieves the authentication token from AWS Secrets Manager and starts the cloudflared daemon. The process initiates outbound QUIC connections to Cloudflare's edge network over ports 7844 and 7845.

For engineer network routing, users connect via the local Cloudflare WARP client. Traffic destined for the VPC CIDR routes through the tunnel, giving direct network access to the EKS API server, internal RDS databases, and private cluster services.

For web traffic, Cloudflare Access serves as an identity-aware reverse proxy. External web requests to public domains hit the Cloudflare edge, which evaluates user sessions against an identity provider. Authenticated requests pass through the QUIC tunnel to the private ALB, which forwards traffic directly to frontend pods running inside EKS.

Frontend Request Flow

User → app.jakops.cloud (Cloudflare Edge, TLS + SSO)
     → Cloudflare Tunnel (encrypted QUIC)
     → EC2 cloudflared instance (private subnet)
     → Private ALB (VPC)
     → EKS frontend pods
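The Cloudflare side of the request flow above (tunnel, WARP route for the VPC CIDR, public CNAME, and the Access application that enforces SSO at the edge), as an added Terraform example that is not the article's own code. It assumes the Cloudflare provider v4.x resource names (v5 changed several argument names), a plain-HTTP listener on the private ALB as the article describes, and placeholder values for the account, zone, ALB DNS name, identity-provider e-mail domain and the Secrets Manager secret that the EC2 instance reads at boot.

```hcl
# Added example (not the article's Terraform). Cloudflare provider v4.x resource
# names assumed; all ids, domains and the ALB DNS name are placeholders.

variable "cloudflare_account_id"  { type = string }
variable "cloudflare_zone_id"     { type = string }
variable "vpc_cidr_block"         { type = string } # e.g. "10.0.0.0/16" (constructed)
variable "private_alb_dns_name"   { type = string } # internal-...elb.amazonaws.com (placeholder)
variable "tunnel_token_secret_id" { type = string } # Secrets Manager secret read by the EC2 instance

# Tunnel secret: 32 random bytes, base64-encoded as the Cloudflare API requires.
resource "random_id" "tunnel_secret" {
  byte_length = 32
}

resource "cloudflare_zero_trust_tunnel_cloudflared" "edge" {
  account_id = var.cloudflare_account_id
  name       = "ec2-tunnel"
  secret     = random_id.tunnel_secret.b64_std
}

# Remotely managed tunnel configuration: L7 ingress for the frontend hostname
# and L3 WARP routing on the same tunnel.
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "edge" {
  account_id = var.cloudflare_account_id
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.edge.id

  config {
    warp_routing {
      enabled = true
    }

    ingress_rule {
      hostname = "app.jakops.cloud"
      # cloudflared -> ALB stays inside the VPC over plain HTTP (no AWS-side
      # certificate); the ALB listener rules match on the public Host header.
      service = "http://${var.private_alb_dns_name}"
      origin_request {
        http_host_header = "app.jakops.cloud"
      }
    }

    # Catch-all: any hostname not listed above is refused at the edge.
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# Advertise the VPC CIDR to WARP clients through this tunnel.
resource "cloudflare_zero_trust_tunnel_cloudflared_route" "vpc" {
  account_id = var.cloudflare_account_id
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.edge.id
  network    = var.vpc_cidr_block
  comment    = "Engineer access to EKS API, RDS and cluster services via WARP"
}

# Public DNS points at Cloudflare's edge, never at an AWS address.
resource "cloudflare_record" "app" {
  zone_id = var.cloudflare_zone_id
  name    = "app"
  type    = "CNAME"
  value   = "${cloudflare_zero_trust_tunnel_cloudflared.edge.id}.cfargotunnel.com"
  proxied = true
}

# Cloudflare Access: the identity check runs at the edge before a request can
# enter the tunnel, so the frontend needs no login gate of its own.
resource "cloudflare_zero_trust_access_application" "app" {
  zone_id          = var.cloudflare_zone_id
  name             = "Frontend"
  domain           = "app.jakops.cloud"
  type             = "self_hosted"
  session_duration = "24h"
}

resource "cloudflare_zero_trust_access_policy" "app_allow" {
  application_id = cloudflare_zero_trust_access_application.app.id
  zone_id        = var.cloudflare_zone_id
  name           = "Allow SSO users"
  precedence     = 1
  decision       = "allow"
  include {
    email_domain = ["example.com"] # placeholder identity-provider domain
  }
}

# Hand the tunnel token to the instance through Secrets Manager, never via user_data.
resource "aws_secretsmanager_secret_version" "tunnel_token" {
  secret_id     = var.tunnel_token_secret_id
  secret_string = cloudflare_zero_trust_tunnel_cloudflared.edge.tunnel_token
}
```

The catch-all `http_status:404` rule matters: without it, a request for any other hostname routed to the tunnel would fall through to whatever the last rule points at, and the Access application only protects the hostname it is attached to.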


Instance Egress Security Group Rule

egress {
  from_port   = 7844
  to_port     = 7845
  protocol    = "udp"
  cidr_blocks = ["0.0.0.0/0"]
  description = "Allow outbound QUIC for Cloudflare Tunnel"
}


VPC Internal Ingress Security Group Rule

ingress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = [var.vpc_cidr_block]
  description = "Allow all traffic from VPC for WARP routing"
}


Key Engineering Decisions

Dual-purpose tunnel consolidates L3/L4 network proxying via WARP and L7 application routing via Cloudflare Access onto a single EC2 footprint.

Public domains with private infrastructure keeps public DNS records pointed to Cloudflare's edge while leaving the AWS footprint completely invisible without public endpoints.

SSO at the edge forces authentication before traffic ever enters the AWS network, removing the requirement for application-level authentication gates on internal frontends.

Private ALB configuration removes internet-facing listeners, eliminating public DDoS surface area, public security group tracking, and AWS-side certificate rotation.

ARM architecture selection leverages t4g.micro instances to save approximately 20% on compute cost compared to t3 variants while running the lightweight cloudflared Go binary.

Hardcoded AMI pinning prevents unintended instance teardown and recreation during terraform apply when the upstream OS image changes.

Single instance deployment without an Auto Scaling Group trades automated sub-minute failover for simplified configuration on staging and developer environments.

IMDSv2 requirement mitigates SSRF-based IAM credential theft from the EC2 instance metadata service endpoint.

Dedicated system user runs the cloudflared binary as a non-login account with no shell, limiting the local blast radius of a compromised daemon.

KMS-encrypted EBS enforces protection of the root volume data at rest via a customer-managed key.
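The EC2 side of the boot flow described under Core Technical Behavior, together with the hardening decisions listed above (pinned AMI, IMDSv2, KMS-encrypted root volume, least-privilege IAM role, dedicated non-login user, token fetched at boot), as an added Terraform example that is not the article's own code. It assumes the AMI already carries the SSM agent, the AWS CLI and the cloudflared binary, that the instance can reach Secrets Manager and SSM over TCP 443 (via NAT or VPC interface endpoints, since the egress rule shown earlier covers only the tunnel's UDP ports), and placeholder values for the AMI id, subnet, security group, KMS key ARN, secret ARN and region.

```hcl
# Added example (not the article's Terraform). All variable values are
# placeholders; the AMI is assumed to contain the SSM agent, aws CLI and cloudflared.

variable "tunnel_ami_id"          { type = string } # pinned RHEL 9 arm64 image id
variable "private_subnet_id"      { type = string }
variable "tunnel_sg_id"           { type = string }
variable "ebs_kms_key_arn"        { type = string } # customer-managed KMS key
variable "tunnel_token_secret_arn" { type = string }
variable "aws_region"             { type = string }

resource "aws_iam_role" "tunnel" {
  name = "cloudflared-tunnel"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Read exactly one secret; no list, create or update permission anywhere.
resource "aws_iam_role_policy" "read_token" {
  role = aws_iam_role.tunnel.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "secretsmanager:GetSecretValue"
      Resource = var.tunnel_token_secret_arn
    }]
  })
}

# Session Manager for administration: no SSH daemon, no inbound ports.
resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.tunnel.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "tunnel" {
  name = "cloudflared-tunnel"
  role = aws_iam_role.tunnel.name
}

resource "aws_instance" "tunnel" {
  ami                         = var.tunnel_ami_id # pinned: a new upstream image never replaces the instance
  instance_type               = "t4g.micro"
  subnet_id                   = var.private_subnet_id
  vpc_security_group_ids      = [var.tunnel_sg_id]
  iam_instance_profile        = aws_iam_instance_profile.tunnel.name
  associate_public_ip_address = false

  # IMDSv2 only: role credentials are served only after a PUT for a session
  # token, which an SSRF primitive limited to GET requests cannot obtain.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  root_block_device {
    volume_size = 8
    volume_type = "gp3"
    encrypted   = true
    kms_key_id  = var.ebs_kms_key_arn
  }

  # Boot: create the non-login service account and a unit that pulls the token
  # into the daemon's environment at start, so the token never lands on disk.
  user_data = <<-EOT
    #!/bin/bash
    set -euo pipefail
    useradd --system --shell /sbin/nologin --no-create-home cloudflared || true
    cat > /etc/systemd/system/cloudflared.service <<'UNIT'
    [Unit]
    Description=Cloudflare Tunnel
    After=network-online.target
    Wants=network-online.target
    [Service]
    User=cloudflared
    Environment=AWS_DEFAULT_REGION=${var.aws_region}
    Restart=always
    ExecStart=/bin/bash -c 'export TUNNEL_TOKEN="$(aws secretsmanager get-secret-value --secret-id ${var.tunnel_token_secret_arn} --query SecretString --output text)"; exec /usr/bin/cloudflared --no-autoupdate tunnel run'
    [Install]
    WantedBy=multi-user.target
    UNIT
    systemctl daemon-reload
    systemctl enable --now cloudflared
  EOT
}
```

Two details worth checking after apply: `http_put_response_hop_limit = 1` is correct for a daemon running directly on the host but would break IMDS access from inside a container, and the only place the tunnel token exists on the instance is the daemon's process environment, which is readable by root and by the cloudflared user alone.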


Trade-offs

Optimized for: cost, simplicity, zero-trust posture, unified access control, operational minimalism, elimination of public attack surface.

Sacrificed: high availability (single instance), self-healing (no ASG), automated AMI rotation, independent scaling of frontend proxy vs. WARP routing, centralized logging (logs stay on-instance via journald).


Results / Cost Impact

The implementation reduced ongoing infrastructure spend to approximately $7.33 per month:

t4g.micro (on-demand) — ~$6.13
8GB GP3 EBS — ~$0.80
Secrets Manager secret — ~$0.40

This architecture replaced a managed VPN product and a public ALB setup including WAF, certificate validation, and public DNS operations that had cost over $75 per month. Operational overhead for certificate rotation, WAF rule maintenance, and network auditing was removed.


Conclusion

A single Cloudflare Tunnel instance provides concurrent infrastructure routing for developers and SSO-gated public domain ingress for external stakeholders. By keeping the target AWS load balancer private, the entire internal network remains closed to inbound public traffic while supporting edge-authenticated web delivery.

Combining WARP routing with Cloudflare Access applications on a single tunnel gives you both L3 infrastructure access and L7 application delivery with SSO on real domains with zero public infrastructure for under $8/month.


Further Reading

For the full implementation details, see the complete article at jakops.cloud.


Need Help?

If you want to deploy a zero-trust setup including Cloudflare Tunnel on EC2, WARP routing, private ALB ingress for EKS, and Terraform modules with IMDSv2 and KMS encryption, you can find assistance directly at https://jakops.cloud.
