deploying-cloudflare-access-for-zero-trust
Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications, configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement.
What this skill does
# Deploying Cloudflare Access for Zero Trust
## When to Use
- When replacing VPN infrastructure with identity-aware application access using Cloudflare One
- When exposing self-hosted internal applications through Cloudflare Tunnel without opening inbound ports
- When implementing ZTNA for a distributed workforce accessing web applications, SSH, and RDP services
- When needing a cost-effective zero trust solution with integrated DLP, CASB, and SWG capabilities
- When securing contractor and third-party access to specific applications without full network access
**Do not use** for applications requiring persistent UDP connections not supported by Cloudflare Tunnel, for environments requiring air-gapped or fully on-premises access control, or when regulatory requirements prohibit routing traffic through third-party cloud infrastructure.
## Prerequisites
- Cloudflare account with Zero Trust subscription (Free for up to 50 users, paid plans for larger teams)
- Domain name managed by Cloudflare DNS (or ability to add CNAME records)
- Linux, Windows, or macOS server to run `cloudflared` tunnel daemon
- Identity provider: Okta, Microsoft Entra ID, Google Workspace, GitHub, or any SAML/OIDC provider
- Cloudflare WARP client for device-level enrollment (optional but recommended)
## Workflow
### Step 1: Create a Cloudflare Tunnel to Internal Applications
Install `cloudflared` and create a persistent tunnel to expose internal services.
```bash
# Install cloudflared on Ubuntu/Debian
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb \
-o cloudflared.deb
sudo dpkg -i cloudflared.deb
# Authenticate cloudflared with your Cloudflare account
cloudflared tunnel login
# Create a named tunnel
cloudflared tunnel create internal-apps
# Output: Created tunnel internal-apps with id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Configure tunnel routes to internal applications
cat > ~/.cloudflared/config.yml << 'EOF'
tunnel: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
credentials-file: /home/admin/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json
ingress:
- hostname: wiki.company.com
service: http://localhost:8080
- hostname: git.company.com
service: http://10.1.1.50:3000
- hostname: grafana.company.com
service: http://10.1.1.60:3000
- hostname: ssh.company.com
service: ssh://localhost:22
- hostname: rdp.company.com
service: rdp://10.1.1.100:3389
# Catch-all rule (required)
- service: http_status:404
EOF
# Route DNS to the tunnel
cloudflared tunnel route dns internal-apps wiki.company.com
cloudflared tunnel route dns internal-apps git.company.com
cloudflared tunnel route dns internal-apps grafana.company.com
# Run tunnel as a systemd service
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
# Verify tunnel status
cloudflared tunnel info internal-apps
```
### Step 2: Configure Identity Provider Integration
Set up authentication with your organization's identity provider.
```bash
# Using Cloudflare API to configure Okta as IdP
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Corporate Okta",
"type": "okta",
"config": {
"client_id": "OKTA_CLIENT_ID",
"client_secret": "OKTA_CLIENT_SECRET",
"okta_account": "company.okta.com",
"api_token": "OKTA_API_TOKEN",
"claims": ["email", "groups", "name"],
"email_claim_name": "email"
}
}'
# Configure Microsoft Entra ID as additional IdP
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Microsoft Entra ID",
"type": "azureAD",
"config": {
"client_id": "AZURE_APP_CLIENT_ID",
"client_secret": "AZURE_APP_CLIENT_SECRET",
"directory_id": "AZURE_TENANT_ID",
"support_groups": true,
"claims": ["email", "groups", "name"]
}
}'
```
### Step 3: Create Access Applications and Policies
Define Access applications with identity-aware policies for each internal service.
```bash
# Create Access application for internal wiki
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Internal Wiki",
"domain": "wiki.company.com",
"type": "self_hosted",
"session_duration": "8h",
"auto_redirect_to_identity": true,
"http_only_cookie_attribute": true,
"same_site_cookie_attribute": "lax",
"logo_url": "https://company.com/wiki-logo.png",
"allowed_idps": ["OKTA_IDP_ID", "AZURE_IDP_ID"]
}'
# Create Allow policy for the wiki application
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_id}/policies" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Allow Engineering Team",
"decision": "allow",
"precedence": 1,
"include": [
{"group": {"id": "ENGINEERING_GROUP_ID"}},
{"okta": {"name": "Engineering", "identity_provider_id": "OKTA_IDP_ID"}}
],
"require": [
{"device_posture": {"integration_uid": "CROWDSTRIKE_INTEGRATION_ID"}}
]
}'
# Create Access application for SSH access
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "SSH Access",
"domain": "ssh.company.com",
"type": "ssh",
"session_duration": "4h",
"auto_redirect_to_identity": true
}'
```
### Step 4: Deploy WARP Client for Device Enrollment
Enroll corporate devices using Cloudflare WARP for private network access and device posture.
```bash
# Create device enrollment rule
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Corporate Device Enrollment",
"match": "identity.email matches \".*@company\\.com$\"",
"precedence": 100,
"enabled": true,
"gateway_unique_id": "GATEWAY_ID",
"support_url": "https://helpdesk.company.com/warp-help"
}'
# Install WARP on macOS via MDM (Jamf/Intune)
# Download: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/
# Deploy with MDM configuration profile:
cat > warp_mdm_config.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>organization</key>
<string>company</string>
<key>auto_connect</key>
<integer>1</integer>
<key>switch_locked</key>
<true/>
<key>onboarding</key>
<false/>
</dict>
</plist>
EOF
# Install Cloudflare root certificate for TLS inspection
# Download from: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/
sudo cp cloudflare-root-ca.pem /usr/local/share/ca-certificates/cloudflare-root-ca.crt
sudo update-ca-certificates
# Configure split tunnel to route private network through WARP
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '[
{"suffix": "internal.corp", "description": "Internal corporate domain"},
{"suffix": "10.0.0.0/8", "description": "Private network range"}
]'
```
### Step 5: Configure Device Posture Checks
Integrate endpoint security signals into Access policies.
```bash
# Add CrowdStrike device posture Related in Cloud & DevOps
appbuilder-action-scaffolder
IncludedCreate, implement, deploy, and debug Adobe Runtime actions with consistent layout, validation, and error handling. Use this skill whenever the user needs to add actions to an App Builder project, understand action structure (params, response format, web/raw actions), configure actions in the manifest, use App Builder SDKs (State, Files, Events, database), deploy and invoke actions via CLI, debug action issues, or implement patterns such as webhook receivers, custom event providers, journaling consumers, large payload redirects, action sequence pipelines, and Asset Compute workers. Also trigger when users mention serverless functions in Adobe context, action logging, IMS authentication for actions, or cron-style scheduled actions.
orchestrating-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. Use this skill when the user needs a multi-step Data Cloud pipeline, cross-phase troubleshooting, or data space and data kit management. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase sf data360 workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching phase-specific skill), the task is STDM/session tracing/parquet telemetry (use observing-agentforce), standard CRM SOQL (use querying-soql), or Apex implementation (use generating-apex).
github-project-automation
IncludedAutomate GitHub repository setup with CI/CD workflows, issue templates, Dependabot, and CodeQL security scanning. Includes 12 production-tested workflows and prevents 18 errors: YAML syntax, action pinning, and configuration. Use when: setting up GitHub Actions CI/CD, creating issue/PR templates, enabling Dependabot or CodeQL scanning, deploying to Cloudflare Workers, implementing matrix testing, or troubleshooting YAML indentation, action version pinning, secrets syntax, runner versions, or CodeQL configuration. Keywords: github actions, github workflow, ci/cd, issue templates, pull request templates, dependabot, codeql, security scanning, yaml syntax, github automation, repository setup, workflow templates, github actions matrix, secrets management, branch protection, codeowners, github projects, continuous integration, continuous deployment, workflow syntax error, action version pinning, runner version, github context, yaml indentation error
sf-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase `sf data360` workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching sf-datacloud-* skill), the task is STDM/session tracing/parquet telemetry (use sf-ai-agentforce-observability), standard CRM SOQL (use sf-soql), or Apex implementation (use sf-apex).
fabric-cli
IncludedUse this skill for Fabric.so CLI workflows with the `fabric` terminal command: diagnose/install/login, search or browse a Fabric library, save notes/links/files, create folders, ask the Fabric AI assistant, manage tasks/workspaces, generate shell completion, check subscription usage, produce JSON output, and use Fabric as persistent agent memory. Do not use for Microsoft Fabric/Azure/Power BI `fab`, Daniel Miessler's Fabric framework, Python Fabric SSH, Fabric.js, or textile/fashion fabric.
lark
IncludedLark/Feishu CLI skills: lark-cli operations for docs, markdown, sheets, base, calendar, im, mail, task, okr, drive, wiki, slides, whiteboard, apps, approval, attendance, contact, vc, minutes, event. Use when the user needs to operate Lark/Feishu resources via lark-cli, send messages, manage documents, spreadsheets, calendars, tasks, OKRs, deploy web pages, or any Feishu/Lark workspace operations.