Using Cloudflare Access with CNI

Cloudflare introduces an innovative approach to secure hosted applications using Cloudflare Access without the need for installed software or custom code on application servers. This solution aims to replace Virtual Private Networks (VPNs) and provides Zero Trust policies in hosted applications, verifying users' identities before they can access the application. Previously, Access required installed software or custom code to prevent bypass from an origin server IP address. However, using Cloudflare Tunnel and JSON Web Token (JWT) Validation posed challenges such as cumbersome installation processes and ongoing maintenance requirements. Cloudflare's new approach leverages Cloud Network Interconnect (CNI) and a new product called Aegis. CNI enables secure connections between on-premises or cloud infrastructure and the Cloudflare network, while Aegis provides reliable IP addresses for traffic from Cloudflare to users' infrastructures. By combining Access, CNI, and Aegis, the only configuration required is an allowlist rule based on the inbound IP address. This solution ensures that all requests are verified by Access and other security products like DDoS and Web Application Firewall without requiring software or application code modification. This approach provides enhanced security at both Layer 7 (application) and Layer 3 (network) levels, ensuring private, performant connectivity back to Cloudflare. Access, Cloud CNI, and Aegis are generally available for all Enterprise customers.