While waiting for Cloudflare Tunnel
While waiting for Cloudflare Tunnel support for Hyperdrive, are there any resources available about connecting to AWS RDS (via RDS Proxy) directly through a Cloudflare Tunnel from a worker?
25 Replies
@berkinovish this is an area we're actively working for tunnel support for Hyperdrive. Would love to connect and talk it through. The best resource I've found to date is this GitHub readme https://github.com/brettscott/cloudflare-worker-tunnel-mysql-example and it might help
I've tried the method in the repo you linked, but I couldn't figure out how to pass along the CF-Access-Client-Id and CF-Access-Client-Secret to postgres.js.
Definitely available to connect and chat about it
Yep, this is what we're working on to complete within Hyperdrive, since you need to add those headers within an HTTP tunnel and make it work with postgres/db drivers
How will you solve adding the headers with Hyperdrive and postgres.js? Anything you can share already?
We'll be adding those as additional fields in our API when creating/updating a Hyperdrive config. You'll use command-line flags or UI inputs, depending on whether you use wrangler or the GUI. We'll be handling the plumbing for passing them around and using them under the hood.
You'll just use a config ID/binding in your Worker same as you would for any other Hyperdrive today
I see.
In the same way Hyperdrive will use the Access-Client-Id and CF-Access-Client-Secret to open up the tunnel for the Postgres connection, would it be possible to do this without Hyperdrive, directly from the Worker to RDS Proxy for example (but through the tunnel)?
I'm not expert enough on the variety of things you can do with Workers to say definitively that it isn't possible, but I can say that nobody I work with directly has made a setup like that work that I know of.
I see. How does Hyperdrive connect under the hood to the tunnel? You can take a shortcut since it's Cloudflare internals?
Thanks for the insights btw, very interesting
Basically, yes. We configure a websocket and talk directly to the tunnel endpoint from within a cloudflare edge server.
No problem, happy to help.
Alright, thanks. I'll play around a bit more with it this weekend, see if I can figure something out. We're using RDS Data API now to connect from workers, but it's becoming a bit too limiting.
Looking forward to official tunnel support for Hyperdrive!
Can we subscribe somewhere to know when it's ready to use self-hosted pgsql using cloudflare tunnel for HyperDrive?
Since multiple people have asked, I'll ping here when it's ready to roll out. I'm sure there'll be a more formal announcement in the Hyperdrive changelog too.
cc @thomasgauvin
I was just wondering, is it only the lack of authentication that we cannot use HyperDrive with?
As in, is there something preventing me from setting a hard password on my postgres and exposing it using a tunnel to the web with no Cloudflare Access in between and connecting that way?
I'm not sure I understand. You're talking to Hyperdrive via a Cloudflare worker. How would you expose the tunnel to a worker? That's basically what we're implementing on our end, similar to what cloudflared does for you on your own machine.
I mean, to answer your question, cloudflare tunnels can speak arbitrary TCP already today, which includes the postgres protocol. So yes, postgres traffic across a tunnel already works today. I'm not sure how you'd arrange that, but if you could it'd work.
Is there an approximate date when this feature is expected to be released? I am about to release a product and if the feature release is close I will wait.
Going to DM
So sorry, Discord is really a challenging platform for me and I just saw your reply, @AJR
What I mean is that HyperDrive only accepts publicly resolving URLs. But my database is sitting on my server without any public URL. I can create one using a cloudflare tunnel in Zero Trust and allow access using a service token. But how those should be provided to Hyperdrive is beyond my understanding.
-> It is right here where I am stuck.
I imagine if I was able to set up the hyperdrive with tunnel uri + access token, I could then query from the worker.
I am just as interested in this too!
Yes, this is the feature we're working on. The ability to pass Access Client ID and Access Client Secret to Hyperdrive, along with the hostname created for the Zero Trust Tunnel, and then the ability for Hyperdrive to speak TCP-over-websockets to the internal ingress end of the tunnel. I do not believe this is possible before our upcoming feature release, though folks can sometimes get pretty creative with Workers so I try not to be too overconfident about what "isn't possible".
DMing
I see. Have you got any links to the creative examples from the community?
No, not in this area, I'm afraid.
Or maybe there's a way to protect the tunnel without Zero Auth?
I'd guess one could set a long password on the DB and hope that is safe enough with no other access control.
Or maybe we can always predict Cloudflare IPs and only allow them to connect
Currently we sit on the shared IP pool Warp uses, which is not stable and should not be relied on.
We also expect to move over to a stable IP pool, and will communicate when we do so, so that folks can use allowlisting in that way.
I see. Maybe you could write a message to the colleague at Zero Trust to see if they have any ideas. It's not that urgent for me but it's something that would be extremely nice to have, in regards to dropping a bunch of alternative solutions 🙂
Well, there's a reason it's been our top feature priority for the summer. We definitely agree!
@AJR Also really interested! We're relying on RDS Data API but can't wait to ditch it in favour of Hyperdrive