Access PostgreSQL Database via Cloudflare Zero Trust / Cloudflare Access / Cloudflare Tunnel

Access PostgreSQL Database via Cloudflare Zero Trust / Cloudflare Access / Cloudflare Tunnel


Using Cloudflare Zero Trust/Access/Tunnel, we can access self-hosted internal resources securely, through Cloudflare’s network, without exposing the internal resources to the public internet.

While securing internal web apps has been a smooth sailing experience for me (following the Cloudflare Zero Trust guide), I have not found any guide on how to secure access to a PostgreSQL database through Cloudflare Zero Trust/Access/Tunnel.

At the end of this post, you will be able to access your PostgreSQL database using Cloudflare WARP, via Cloudflare Zero Trust/Access/Tunnel.

Links to official documentation:

PostgreSQL database Cloudflare Zero Trust Cloudflare Access Cloudflare Tunnel Cloudflare WARP

Prerequisites

Get the IP address of the PostgreSQL database

We need the IP address of the PostgreSQL database to be able to access it via Cloudflare WARP. Connecting using hostname is not supported.

If you are using Docker, you can get the IP address of the PostgreSQL database by running the following command:

docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' [id of container]

However, the IP address of the container is not stable, and it might change when the container is restarted. Follow this guide to set a static IP address for the container.

Create a private network

Ref: Cloudflare Zero Trust Private Network

Go to Networks > Tunnels, select and configure your tunnel.

Go to Private networks > Add a private network.

Enter the IP address of the PostgreSQL database, and click “Save”.

Cloudflare Zero Trust private network page

Download WARP client

Download WARP client on your device.

Go to Preferences and sign in to your Zero Trust team.

Make sure you have allowed devices to join with WARP client.

Configure WARP profile

If the IP address of the PostgreSQL database is an internal IP address, you need to configure a WARP profile to route traffic through the WARP client.

Go to Settings > WARP Client > Device settings > Profile settings, create or select a profile.

Edit the profile and go to Split Tunnels > Manage.

If the mode is set to Exclude, make sure the IP address of the PostgreSQL database is removed from the list.

Connect to the PostgreSQL database

You can now access the PostgreSQL database via the IP address when WARP client is enabled and connected.