Zero Trust Access and Cloudflare Tunnel
Lab 8 demonstrates how Cloudflare Tunnel and Cloudflare Access can protect a private application without exposing it directly to the public Internet.
Scenario
A customer has an internal application that should not be publicly exposed. They want users to reach it through a secure Cloudflare-controlled path, with identity verification required before the application is accessible.
Objective
Publish the private application through Cloudflare Tunnel and protect the public hostname with Cloudflare Access. The goal is to demonstrate private application access without relying on a traditional VPN or exposing the application directly to the Internet.
Outcomes
- Created a Cloudflare Tunnel to provide private connectivity from the application environment to Cloudflare.
- Mapped the protected hostname internal.ybarra-cflab.com to the tunnel.
- Created a Zero Trust Access self-hosted application.
- Configured the Access application for internal.ybarra-cflab.com.
- Applied an Access policy so that only users who match the identity-based allow rule can reach the application.
- Validated that users see a Cloudflare Access authentication flow before reaching the private application.
- Validated the One-time PIN flow: enter email, receive a PIN, submit the PIN, and gain access to the protected admin application.
- Confirmed that the application is protected by identity-aware access instead of relying on a hidden URL or open public exposure.
Environment / Build
- Protected hostname: internal.ybarra-cflab.com
- Connectivity method: Cloudflare Tunnel
- Access control layer: Cloudflare Zero Trust Access
- Application type: Self-hosted
- Access policy: identity-based allow policy
- Authentication method: One-time PIN
- Validation method: browser login flow and HTTP header checks
- Primary user experience: Access authentication appears before the private application is reachable
Demonstrable Content
Validate DNS for the protected hostname:
dig internal.ybarra-cflab.com CNAME
Validate that Cloudflare is handling the protected hostname (expect a Cloudflare server header and, for an unauthenticated request, a redirect to the Cloudflare Access login rather than a response from the application itself):
curl -I https://internal.ybarra-cflab.com
Browser validation:
https://internal.ybarra-cflab.com
Authentication flow validation:
- Open https://internal.ybarra-cflab.com in a browser.
- Enter the authorized email address at the Cloudflare Access prompt.
- Receive the One-time PIN by email.
- Enter the PIN into the Access login page.
- After successful verification, access is granted to the protected admin application.
Expected behavior:
- The hostname resolves to Cloudflare's edge; its DNS record is a proxied CNAME pointing at the tunnel, so no origin address is published.
- The browser is presented with a Cloudflare Access login or identity verification step.
- The protected application is not reachable until the Access policy is satisfied. This holds only while the origin is reachable solely through the tunnel: if the application also listens on a public address, that path bypasses Access entirely.
- The private application is accessed through Cloudflare rather than being directly exposed.
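The header check above is easy to misread by eye, so here is an added helper that applies it as a script. It is illustrative code written for this page, not part of the lab or of Cloudflare's tooling. It classifies an unauthenticated response to the protected hostname as gated by Access (redirect to the cloudflareaccess.com login), served by Cloudflare without an Access challenge, or not served by Cloudflare at all (the origin answering directly). The sample header blocks are constructed; the team domain example-team, the cf-ray value and the origin server strings are assumed, while the server: cloudflare header and the /cdn-cgi/access/login/ path are what Cloudflare actually emits.

```shell
#!/bin/sh
# Added validation helper for the curl -I check in this lab. Illustrative
# code, not part of the lab or of Cloudflare's tooling. Runs offline on the
# constructed samples at the bottom; online, replace them with the output of
#   curl -sI https://internal.ybarra-cflab.com
# The team domain "example-team", the cf-ray value and the origin server
# strings below are assumed sample values, not taken from the lab.

# Strip CRs so CRLF header blocks from curl parse cleanly.
_norm() {
    printf '%s\n' "$1" | tr -d '\r'
}

# HTTP status code from the status line (HTTP/1.1 and HTTP/2 output alike).
http_status() {
    _norm "$1" | awk 'NR == 1 { print $2 }'
}

# Value of the named header, matched case-insensitively; empty when absent.
header_value() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _norm "$2" | awk -v name="$name" '
        NR > 1 && index($0, ":") > 0 {
            if (tolower(substr($0, 1, index($0, ":") - 1)) == name) {
                sub(/^[^:]*:[ \t]*/, "")
                print
                exit
            }
        }'
}

# Classify one unauthenticated response to the protected hostname:
#   gated           -> redirect to the Access login on cloudflareaccess.com,
#                      which is what the lab expects before authentication
#   cloudflare-open -> Cloudflare answered, but no Access challenge was issued
#                      (the Access application or policy is not applied here)
#   direct          -> the response did not come through Cloudflare at all
#                      (an origin reachable without the tunnel bypasses Access)
# Exit status is 0 only for "gated", so it can drive a script or CI check.
classify() {
    status=$(http_status "$1")
    location=$(header_value location "$1")
    server=$(header_value server "$1")
    case "$status" in
        30[12378])
            case "$location" in
                https://*.cloudflareaccess.com/cdn-cgi/access/login/*)
                    echo gated
                    return 0 ;;
            esac ;;
    esac
    if [ "$server" = "cloudflare" ]; then
        echo cloudflare-open
    else
        echo direct
    fi
    return 1
}

# Constructed sample responses (CRLF, as curl prints them).
SAMPLE_GATED=$(printf 'HTTP/2 302 \r\nlocation: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/internal.ybarra-cflab.com?redirect_url=%%2F\r\nserver: cloudflare\r\ncf-ray: 8a1b2c3d4e5f6789-DFW\r\n')
SAMPLE_OPEN=$(printf 'HTTP/2 200 \r\nserver: cloudflare\r\ncontent-type: text/html\r\n')
SAMPLE_DIRECT=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\n')

echo "gated sample  : $(classify "$SAMPLE_GATED")"
echo "open sample   : $(classify "$SAMPLE_OPEN")"
echo "direct sample : $(classify "$SAMPLE_DIRECT")"
```

Only the first sample is the behaviour this lab expects. The second is what you see when the hostname is proxied but the Access application is missing or its hostname does not match; the third is what you see when hitting the origin by its own address, which is why the origin should accept connections only from cloudflared.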
What Was Completed
- Configured Cloudflare Tunnel for private application connectivity.
- Associated internal.ybarra-cflab.com with the tunnel.
- Created a Cloudflare Zero Trust Access self-hosted application.
- Configured the application hostname under Access.
- Created an allow policy for the authorized user identity.
- Configured One-time PIN authentication so the authorized user receives a PIN by email before access is granted.
- Validated that Access gates the application before users can reach it.
- Confirmed that the setup demonstrates identity-aware private application access.
Lab 8 Technical Summary
Lab 8 implemented a Zero Trust private application access pattern using Cloudflare Tunnel and Cloudflare Access. Cloudflare Tunnel provides the private connectivity path between the application environment and Cloudflare, while internal.ybarra-cflab.com acts as the protected public hostname. Cloudflare Access sits in front of the self-hosted application and enforces an identity-based policy before traffic is allowed through. For this lab, authentication was validated with One-time PIN: the user entered an authorized email address, received a PIN by email, submitted that PIN to Cloudflare Access, and was then granted access to the protected admin application. This demonstrates how Cloudflare can provide secure private application access without exposing the application directly to the Internet or relying on broad network-level VPN access.
Lab 8 Customer-Facing Summary
We protected an internal admin application by placing Cloudflare in front of it with Tunnel and Access. Instead of exposing the application publicly or requiring a traditional VPN, users go to a protected hostname and authenticate through Cloudflare Access first. In this lab, the user entered their email address, received a One-time PIN by email, entered the PIN into the Access page, and was then allowed into the admin app. This gives the customer a simple, identity-aware access experience while keeping the application itself shielded from direct Internet exposure.