VPC equivalent on cloudflare

Hi all, I am exploring using Cloudflare as an alternative to AWS API Gateway and Lambda. The proposed architecture is something like this: we would create a VPC; at the edge of the net there would be an API gateway. This checks authorisation and, if permitted, passes the request on to the specific handler. In Cloudflare, I am thinking that we would have a worker that acts as the gateway. This checks access and, if permitted, calls the associated sub-worker. This is where I have come a little unstuck: there does not seem to be a concept, that I can see, of a VPC in Cloudflare, so I am wondering how to approach this. Adding the gateway seems trivial; however, I am not sure how I go about a) addressing the sub-workers; b) making those sub-workers accessible only to the gateway. It feels like a common pattern and one that would have been repeated many times, but so far after many hours of googling I am drawing a blank. I am wondering if Zero Trust is the key here, but I am not sure quite how I would use it in this context. Any advice / pointers to guides would be much appreciated.
2 Replies
yabbeh (2mo ago)
The use-case is the question I would ask, but with the architecture you defined I see an easy option. Since you're on Cloudflare you have 2 levels of accounts, so to speak: you have a domain (mybiz.com, mybiz.net, mybiz.org) and then you have the overall Cloudflare account that houses those three domains. If you set a worker to exist at mybiz.com/worker1 you can treat it like a standard API and require JWT auth to use the worker. Then you can set a WAF policy to require a JWT as well. Pretty handy, and you don't need to have a proxy worker to do the work there. For Zero Trust you can protect specific routes, so again mybiz.com/worker1 can be an "application" in Zero Trust. Then users who are in your Zero Trust tenant can access the application, and you can also set service account credentials that act as a bypass to Zero Trust. This would mean whatever service is reaching that endpoint would need a token, or a Cloudflare deny HTML page would be the response. Personally I would just go the JWT route with WAF because it seems easier IMO, but I am not sure of the security requirements you have. If you use Zero Trust you basically nuke it from being publicly accessible, so if it is a standard public API you basically cut it off from the world.
DC (OP, 2mo ago)
Many thanks for your help. Yes I see the two approaches - I will give them some thought and figure which best fits our requirements. Thanks again - have a great day!