This is a very easy way to get cheap Zero Trust access to all resources in your VPC: the module runs a Cloudflare Tunnel on ECS Fargate inside the VPC, and you reach it through the WARP client.
The exact costs depend on whether you use Fargate Spot (the default) and on the number and size of the instances.
- For 1 spot instance of the smallest type: 2.66 USD per month
- For 3 spot instances of the smallest type: 8.00 USD per month
Spot instances are fine as long as desired_count is greater than 1, so a single interrupted task does not take the tunnel down.
The steps you need to take:
- Create a Cloudflare account (a free account will do)
- Set up a Cloudflare domain, point its nameservers at Cloudflare and wait until it is verified. Once the domain is active, click on it to find the Account ID.
- Create a Zero Trust team account (the free account will do)
- Create a custom API token with these permissions:
  - Account/Cloudflare Tunnel/Edit
  - Account/Zero Trust/Edit
  - Zone/Zone/Read
- Deploy this module
The following steps only need to be done once per Zero Trust account:
- Go to Zero Trust settings > WARP client > Device enrollment permissions and add a rule, for instance allowing WARP enrollment for users whose email ends in elasticscale.com
- Go to Zero Trust settings > WARP Client > Edit the default profile, open the Split Tunnels section and click Manage, then remove the CIDR block 10.0.0.0/8 (or, if your VPC uses a different CIDR block that overlaps with one in the list, remove that one); otherwise traffic to your VPC range is excluded from WARP and bypasses the tunnel
- Install the WARP client, then go to Preferences > Account and click Login to Cloudflare Zero Trust
After you connect with the WARP client and allow this module's security group as a source in the security groups of the instances you want to reach, you should be able to connect to those instances via their private IPs.
You can also use this module to give Zero Trust access to internal load balancers or other services. To do so, set the ingress rules and add a CNAME record pointing at the tunnel to the Cloudflare domain.
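As an added example (not code from this module's README), the following root configuration deploys the module, publishes a CNAME for an internal load balancer through the tunnel and allows only the tunnel tasks to reach that load balancer's security group. The module source path, the example.com domain, the `var.*` inputs, `aws_lb.internal` and `aws_security_group.alb` are assumptions, as is the assumption that the `ingress_rules` objects use the same `hostname`/`service` fields as the `cloudflare_tunnel_config` ingress rules.

```terraform
# Added example, not the module's own code. Assumed: the module source path,
# the example.com domain, the var.* inputs, aws_lb.internal,
# aws_security_group.alb and the hostname/service shape of ingress_rules.

data "cloudflare_zone" "zone" {
  name = "example.com" # placeholder: your Cloudflare-verified domain
}

module "cf_tunnel" {
  source = "./modules/cloudflare-tunnel" # placeholder module path

  cloudflare_account_id = var.cloudflare_account_id
  cloudflare_zone       = "example.com"
  vpc_id                = var.vpc_id
  private_subnets       = var.private_subnets # same VPC as vpc_id

  # Pin a tested cloudflared image tag instead of "latest" (README advice)
  cloudflare_version = "<tested-cloudflared-tag>" # placeholder
  desired_count      = 3             # >1 so FARGATE_SPOT interruptions are safe
  fargate_type       = "FARGATE_SPOT"

  # Route one hostname to an internal ALB; the ALB keeps no public listener
  ingress_rules = [
    {
      hostname = "grafana.example.com"
      service  = "http://${aws_lb.internal.dns_name}"
    },
  ]
}

# Public DNS name for the tunnel; Zero Trust decides who may use it.
resource "cloudflare_record" "grafana" {
  zone_id = data.cloudflare_zone.zone.id
  name    = "grafana"
  type    = "CNAME"
  value   = module.cf_tunnel.tunnel_cname
  proxied = true
}

# Only the tunnel tasks may reach the internal ALB on port 80.
resource "aws_vpc_security_group_ingress_rule" "alb_from_tunnel" {
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = module.cf_tunnel.security_group_id
  from_port                    = 80
  to_port                      = 80
  ip_protocol                  = "tcp"
}
```

Reaching EC2 instances on their private IPs works the same way: add an ingress rule on each instance's security group that references `module.cf_tunnel.security_group_id` for the ports you need, with no CNAME required.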
For more debugging steps check out the elasticscale blog.
Discover ES Foundation, the smart digital infrastructure for SaaS companies that want to grow and thrive.
Check out our website for more information.
Requirements:

| Name | Version |
|---|---|
| aws | >=5.0.0 |
| cloudflare | >=4.0.0 |
Providers:

| Name | Version |
|---|---|
| aws | >=5.0.0 |
| cloudflare | >=4.0.0 |
| random | n/a |
No modules.
Resources:

| Name | Type |
|---|---|
| aws_cloudwatch_log_group.logs | resource |
| aws_ecs_cluster.main | resource |
| aws_ecs_cluster_capacity_providers.main | resource |
| aws_ecs_service.main | resource |
| aws_ecs_task_definition.main | resource |
| aws_iam_role.executionrole | resource |
| aws_iam_role_policy_attachment.ecs_task_execution_role | resource |
| aws_security_group.tunnel | resource |
| aws_ssm_parameter.tunneltoken | resource |
| cloudflare_tunnel.tunnel | resource |
| cloudflare_tunnel_config.config | resource |
| cloudflare_tunnel_route.route | resource |
| random_password.tunnel_secret | resource |
| random_string.suffix | resource |
| aws_caller_identity.current | data source |
| aws_region.current | data source |
| aws_vpc.vpc | data source |
| cloudflare_zone.zone | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudflare_account_id | Cloudflare account ID | string | n/a | yes |
| cloudflare_version | Cloudflare version to use, defaults to latest but best to pick a docker tag version to prevent issues | string | "latest" | no |
| cloudflare_zone | Domain name (NS must be connected and verified in Cloudflare) | string | n/a | yes |
| cpu | CPU units to allocate to each instance, defaults to 256, needs to be within Fargate configuration limits | number | 256 | no |
| desired_count | Number of instances to run initially, choose 3 or more for high availability across AZs | number | 3 | no |
| fargate_type | Use spot instances or regular instances (FARGATE_SPOT or FARGATE), SPOT is much cheaper and does not really affect availability in this case | string | "FARGATE_SPOT" | no |
| ingress_rules | List of ingress rules to allow traffic to (see cloudflare_tunnel_config docs, access_block not supported right now) | list(object({ | [ | no |
| memory | Memory units to allocate to each instance, defaults to 512, needs to be within Fargate configuration limits | number | 512 | no |
| prefix | Prefix to add to all resources | string | "cf-tunnel" | no |
| private_subnets | List of private subnets to launch the Cloudflare instances in (must be same VPC under VPC ID) | list(string) | n/a | yes |
| vpc_id | VPC ID | string | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| security_group_id | The ID of the security group |
| tunnel_cname | The CNAME of the Cloudflare Tunnel (you can add this as a CNAME in the DNS settings to route traffic to the tunnel, which will be processed by the rules) |
| tunnel_id | The ID of the Cloudflare Tunnel |