While waiting for Cloudflare Tunnel

While waiting for Cloudflare Tunnel support for Hyperdrive, are there any resources available about connecting to AWS RDS (via RDS Proxy) directly through a Cloudflare Tunnel from a worker?
25 Replies
thomasgauvin
thomasgauvin•6mo ago
@berkinovish this is an area we're actively working for tunnel support for Hyperdrive. Would love to connect and talk it through. The best resource I've found to date is this GitHub readme https://github.com/brettscott/cloudflare-worker-tunnel-mysql-example and it might help
berkinovish
berkinovishOP•6mo ago
I've tried the method in the repo you linked, but I couldn't figure out how to pass along the CF-Access-Client-Id and CF-Access-Client-Secret to postgres.js. Definitely available to connect and chat about it
thomasgauvin
thomasgauvin•6mo ago
Yep, this is what we're working on to complete within Hyperdrive, since you need to add those headers within an Http tunnel and make it work with postgres/db drivers
berkinovish
berkinovishOP•6mo ago
How will you solve adding the headers with Hyperdrive and postgres.js? Anything you can share already?
AJR
AJR•6mo ago
We'll be adding those as additional fields in our API when creating/updating a Hyperdrive config. You'll use command-line flags or UI inputs, depending on whether you use wrangler or the GUI. We'll be handling the plumbing for passing them around and using them under the hood. You'll just use a config ID/binding in your Worker same as you would for any other Hyperdrive today
berkinovish
berkinovishOP•6mo ago
I see. In the same way Hyperdrive will use the Access-Client-Id and CF-Access-Client-Secret to open up the tunnel for the Postgres connection, would it be possible to do this without Hyperdrive, directly from the Worker to RDS Proxy for example (but through the tunnel)?
AJR
AJR•6mo ago
I'm not expert enough on the variety of things you can do with Workers to say definitively that it isn't possible, but I can say that nobody I work with directly has made a setup like that work that I know of.
berkinovish
berkinovishOP•6mo ago
I see. How does Hyperdrive connect under the hood to the tunnel? You can take a shortcut since it's Cloudflare internals? Thanks for the insights btw, very interesting
AJR
AJR•6mo ago
Basically, yes. We configure a websocket and talk directly to the tunnel endpoint from within a cloudflare edge server. No problem, happy to help.
berkinovish
berkinovishOP•6mo ago
Alright, thanks. I'll play around a bit more with it this weekend, see if I can figure something out. We're using RDS Data API now to connect from workers, but it's becoming a bit too limiting. Looking forward to official tunnel support for Hyperdrive!
Luka
Luka•5mo ago
Can we subscribe somewhere to know when it's ready to use self-hosted pgsql using cloudflare tunnel for HyperDrive?
AJR
AJR•5mo ago
Since multiple people have asked, I'll ping here when it's ready to roll out. I'm sure there'll be a more formal announcement in the Hyperdrive changelog too. cc @thomasgauvin
Luka
Luka•5mo ago
I was just wondering, is it only the lack of authentication that we cannot use HyperDrive with? As in, is there something preventing me from setting a hard password on my postgres and exposing it using a tunnel to the web with no Cloudflare Access in between and connecting that way?
AJR
AJR•5mo ago
I'm not sure I understand. You're talking to Hyperdrive via a Cloudflare worker. How would you expose the tunnel to a worker? That's basically what we're implementing on our end, similar to what cloudflared does for you on your own machine. I mean, to answer your question, cloudflare tunnels can speak arbitrary TCP already today, which includes the postgres protocol. So yes, postgres traffic across a tunnel already works today. I'm not sure how you'd arrange that, but if you could it'd work.
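As an added illustration of the point above that a tunnel can already carry raw TCP such as the Postgres protocol, here is a minimal cloudflared ingress configuration (this is an example written for this thread, not code from any participant or from the Hyperdrive project). The hostname db.example.com, the local listener on port 5432, the tunnel UUID and the credentials path are placeholders; the Access policy (service token) that gates the hostname is configured separately in Zero Trust and is not part of this file.

```yaml
# Example cloudflared config.yml (constructed for illustration; values are placeholders)
tunnel: 00000000-0000-0000-0000-000000000000   # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Forward the public hostname to the local Postgres listener as raw TCP.
  # Clients must still authenticate to Postgres; protect the hostname with an
  # Access policy so only holders of the service token can reach it at all.
  - hostname: db.example.com
    service: tcp://localhost:5432
  # Catch-all rule required by cloudflared: everything else gets a 404.
  - service: http_status:404
```

With this in place, a client on another machine reaches the database through `cloudflared access tcp --hostname db.example.com --url localhost:5432`, presenting the Access service token; the thread's open question is how to do that hop from a Worker, which is what the Hyperdrive feature discussed here is meant to handle.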
marcbejar
marcbejar•3mo ago
Is there an approximate date when this feature is expected to be released? I am about to release a product and if the feature release is close I will wait.
AJR
AJR•3mo ago
Going to DM
Luka
Luka•3mo ago
So sorry, Discord is really a challenging platform for me and I just saw your reply, @AJR. What I mean is that HyperDrive only accepts publicly resolving URLs. But my database is sitting on my server without any public URL. I can create one using a Cloudflare tunnel in Zero Trust and allow access using a service token. But how those should be provided to Hyperdrive is beyond my understanding. -> It is right here where I am stuck. I imagine if I was able to set up the Hyperdrive with tunnel URI + access token, I could then query from the worker. I am just as interested in this too!
AJR
AJR•3mo ago
Yes, this is the feature we're working on. The ability to pass Access Client ID and Access Client Secret to Hyperdrive, along with the hostname created for the Zero Trust Tunnel, and then the ability for Hyperdrive to speak TCP-over-websockets to the internal ingress end of the tunnel. I do not believe this is possible before our upcoming feature release, though folks can sometimes get pretty creative with Workers so I try not to be too overconfident about what "isn't possible". DMing
Luka
Luka•3mo ago
I see. Have you got any links to the creative examples from the community?
AJR
AJR•3mo ago
No, not in this area, I'm afraid.
Luka
Luka•3mo ago
Or maybe there's a way to protect the tunnel without Zero Trust? I'd guess one could set a long password on the DB and hope that is safe enough with no other access control. Or maybe we can always predict Cloudflare IPs and only allow them to connect
AJR
AJR•3mo ago
Currently we sit on the shared IP pool Warp uses, which is not stable and should not be relied on. We also expect to move over to a stable IP pool, and will communicate when we do so, so that folks can use allowlisting in that way.
Luka
Luka•3mo ago
I see. Maybe you could write a message to the colleagues at Zero Trust to see if they have any ideas. It's not that urgent for me but it's something that would be extremely nice to have, with regard to dropping a bunch of alternative solutions 🙂
AJR
AJR•3mo ago
Well, there's a reason it's been our top feature priority for the summer. We definitely agree!
berkinovish
berkinovishOP•3mo ago
@AJR Also really interested! We're relying on RDS Data API but can't wait to ditch it in favour of Hyperdrive