Deploy cloudflared
in GCP
The purpose of this guide is to walk through some best practices for accessing private resources on Google Cloud Platform (GCP) by deploying Cloudflare’s lightweight connector, cloudflared
.
Prerequisites
- In Zero Trust, create a Cloudflare Zero Trust account.
- Enroll an end-user device into your Cloudflare Zero Trust account.
Create your environment
To start, you will need to go to the Google Cloud Console and create a project. This project will contain all of your future Google Cloud resources, including the VM instances you will create in this process.
-
From the Cloud Console, go to Compute Engine.
-
Under Compute Engine, select VM Instances.
-
In the main window, select Create Instance.
-
Name your VM Instance. In this example, we will name it GCP-01.
-
Configure your VM Instance. The following settings are recommended to get started:
- Machine Family: General Purpose
- Series: E2
- Machine Type: e2-micro
- Boot Disk: Debian GNU/Linux 10
- Firewall: Allow HTTP/HTTPS traffic (if necessary)
- Networking, Disks, Security, Management, Sole-Tenancy: Management
-
In the Management section, add a startup script for testing access. Here is an example:
#!/bin/bashapt updateapt -y install apache2cat <<EOF > /var/www/html/index.html<html><body><h1>Hello Cloudflare!</h1><p>This page was created from a startup script for a Cloudflare demo.</p></body></html>EOF -
Spin up your VM Instance by selecting Create.
Deploying cloudflared
Now that you have your Virtual Machine up and running in GCP, you can login into your VM instance by selecting SSH in the Connect column of our VM Instance table.
-
Run
sudo su
to gain full admin rights to the Virtual Machine. -
Run
apt install wget
to install any relevant dependencies for our fresh Virtual Machine. -
Next, install
cloudflared
on your Virtual Machine. In this example, we are running a Debian-based VM Instance, so you will first download the debian build ofcloudflared
.$ wget <https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64>$ mv ./cloudflared-linux-amd64 /usr/local/bin/cloudflared$ chmod a+x /usr/local/bin/cloudflared -
Run the following command to ensure you have the most updated
cloudflared
version. The command should auto-run after pasting.$ cloudflared update -
Run the following command to authenticate
cloudflared
with your Cloudflare account. The command will launch a browser window where you will be prompted to log in with your Cloudflare account and pick any zone you have added to Cloudflare.$ cloudflared tunnel login -
Create a tunnel.
$ cloudflared tunnel create GCP-01 -
Route your tunnel. In this example, we will expose the smallest range available. We can add more IP routes later if necessary.
$ cloudflared tunnel route ip add 10.128.0.4/32 GCP-01
Complete tunnel configuration
-
Make a directory for your configuration file.
$ mkdir /etc/cloudflared$ cd /etc/cloudflared -
Build a configuration file. Before moving forward and entering vim, copy your Tunnel ID and credentials path to a notepad.
$ vim config.yml -
Type
i
to begin editing the file and copy-paste the following settings in it.tunnel: <Tunnel ID/name>credentials-file: /root/.cloudflared/<Tunnel ID>.jsonprotocol: quicwarp-routing:enabled: truelogfile: /var/log/cloudflared.log#cloudflared to the origin debugloglevel: debug#cloudflared to cloudflare debugtransport-loglevel: info -
Press
esc
and then type:x
to save and exit. -
Run
cloudflared
as a service.
$ cloudflared service install
$ systemctl start cloudflared
$ systemctl status cloudflared
Next, visit Zero Trust and ensure your new tunnel shows as active. Optionally, begin creating Access policies to secure your private resources.