Security using Cloudflare
WAF
Manage firewall rules
Zero trust WARP VPN (Secure access)
Access the application safely with WARP
Argo tunnel for EKS app access
No need to open ports in the security group
Manage from the web
🔥 Problems:
~Bot attack on website, causing performance degradation and data scraping
~Frequent SQL injection and path fuzzing attempts on public APIs
~Developers dependent on VPN for accessing internal tools like Grafana/Jenkins
~High risk due to open ports on cloud servers for dashboards and admin panels
~No proper access control or audit trail for internal applications
~Latency and DNS spoofing risks for remote team members working over unsecured networks
~Developer resistance and confusion around tool access outside office/VPN
🛠️ Solutions:
✅ Enabled Cloudflare WAF with managed and custom rulesets; added rate limiting by endpoint
✅ Tuned WAF policies by testing in log-only mode, and applied exception rules for specific paths
✅ Deployed Cloudflare Argo Tunnel to securely expose internal apps without opening public ports
✅ Configured high availability cloudflared setup with multiple instances and ingress.yaml routing
✅ Integrated Cloudflare Access with Okta SSO for fine-grained app access
✅ Rolled out Cloudflare WARP with Zero Trust and split tunneling, using Gateway DNS filtering
✅ Created Zero Trust policies and device posture checks for internal access
✅ Onboarded developers via sessions, documentation, and offered a fallback bastion during transition
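A concrete shape for the cloudflared ingress routing and multi-instance setup described in the solutions above. This is an added example, not the author's actual manifests; the tunnel UUID, hostnames, namespaces and in-cluster service addresses are assumptions.

```yaml
# Added example (not the page's own config). Hostnames, namespaces and the
# tunnel UUID are placeholders/assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared-config
  namespace: cloudflared
data:
  config.yaml: |
    tunnel: <TUNNEL-UUID-PLACEHOLDER>
    credentials-file: /etc/cloudflared/credentials.json
    # Rules are matched top to bottom; the first hostname match wins.
    ingress:
      - hostname: grafana.internal.example.com
        service: http://grafana.monitoring.svc.cluster.local:3000
      - hostname: jenkins.internal.example.com
        service: http://jenkins.ci.svc.cluster.local:8080
      # Catch-all: unmatched hostnames get a 404, never an origin.
      - service: http_status:404
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: cloudflared
spec:
  replicas: 2   # two connectors registered to one tunnel gives HA
  selector:
    matchLabels:
      app: cloudflared
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      containers:
        - name: cloudflared
          image: cloudflare/cloudflared:latest   # pin a digest in production
          args: ["tunnel", "--config", "/etc/cloudflared/config.yaml", "run"]
          volumeMounts:
            - name: config
              mountPath: /etc/cloudflared/config.yaml
              subPath: config.yaml
            - name: creds
              mountPath: /etc/cloudflared/credentials.json
              subPath: credentials.json
      volumes:
        - { name: config, configMap: { name: cloudflared-config } }
        - { name: creds, secret: { secretName: cloudflared-credentials } }
```

Because traffic is pulled outbound by cloudflared, the Grafana and Jenkins services need no inbound security-group rule, and access to each hostname can then be gated by a Cloudflare Access policy.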
✅ Here’s a summary of what we achieved:
✅ Reduced attack surface — no public ports open, thanks to Argo Tunnel
✅ ~95% drop in malicious requests via WAF and rate limiting
✅ ~60% faster internal access without VPN using WARP
✅ Zero trust adoption for all internal apps — no shared credentials
✅ Developer productivity boost — secure access from any device/location
✅ Improved compliance — activity logs and audit trails via Cloudflare Access
✅ Simplified infra — less network complexity, no VPN gateway maintenance