While waiting for Cloudflare Tunnel
While waiting for Cloudflare Tunnel support for Hyperdrive, are there any resources available about connecting to AWS RDS (via RDS Proxy) directly through a Cloudflare Tunnel from a worker?
25 Replies
@berkinovish this is an area we're actively working for tunnel support for Hyperdrive. Would love to connect and talk it through. The best resource I've found to date is this GitHub readme https://github.com/brettscott/cloudflare-worker-tunnel-mysql-example and it might help
I've tried the method in the repo you linked, but I couldn't figure out how to pass along the
CF-Access-Client-Id and CF-Access-Client-Secret to postgres.js.
Definitely available to connect and chat about itYep, this is what we're working on to complete within Hyperdrive, since you need to add those headers within an Http tunnel and make it work with postgres/db drivers
How will you solve adding the headers with Hyperdrive and postgres.js? Anything you can share already?
We'll be adding those as additional fields in our API when creating/updating a Hyperdrive config. You'll use command-line flags or UI inputs, depending on whether you use wrangler or the GUI. We'll be handling the plumbing for passing them around and using them under the hood.
You'll just use a config ID/binding in your Worker same as you would for any other Hyperdrive today
I see.
In the same way Hyperdrive will use the
Access-Client-Id and CF-Access-Client-Secret to open up the tunnel for the Postgres connection, would it be possible to do this without Hyperdrive, directly from the Worker to RDS Proxy for example (but through the tunnel)?I'm not expert enough on the variety of things you can do with Workers to say definitively that it isn't possible, but I can say that nobody I work with directly has made a setup like that work that I know of.
I see. How does Hyperdrive connect under the hood to the tunnel? You can take a shortcut since it's Cloudflare internals?
Thanks for the insights btw, very interesting
Basically, yes. We configure a websocket and talk directly to the tunnel endpoint from within a cloudflare edge server.
No problem, happy to help.
Alright, thanks. I'll play around a bit more with it this weekend, see if I can figure something out. We're using RDS Data API now to connect from workers, but it's becoming a bit too limiting.
Looking forward to official tunnel support for Hyperdrive!
Can we subscribe somewhere to know when it's ready to use self-hosted pgsql using cloudflare tunnel for HyperDrive?
Since multiple people have asked, I'll ping here when it's ready to roll out. I'm sure there'll be a more formal announcement in the Hyperdrive changelog too.
cc @thomasgauvin
I was just wondering, is it only the lack of authentication that we cannot use HyperDrive with?
As in, is there something preventing me from setting a hard password on my postgress and exposing using tunnel to the web with no Cloudflare Access in between and connecting that way?
I'm not sure I understand. You're talking to Hyperdrive via a Cloudflare worker. How would you expose the tunnel to a worker? That's basically what we're implementing on our end, similar to what cloudflared does for you on your own machine.
I mean, to answer your question, cloudflare tunnels can speak arbitrary TCP already today, which includes the postgres protocol. So yes, postgres traffic across a tunnel already works today. I'm not sure how you'd arrange that, but if you could it'd work.
Is there an approximate date when this feature is expected to be released? I am about to release a product and if the feature release is close I will wait.