Add an infrastructure application
Feature availability
 
| WARP modes | Zero Trust plans ↗ |
|---|---|
| Gateway with WARP | All plans |

| System | Availability |
|---|---|
| Windows | ✅ |
| macOS | ✅ |
| Linux | ✅ |
| iOS | ✅ |
| Android | ✅ |
| ChromeOS | ✅ |
Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.
- Connect your infrastructure to Cloudflare using cloudflared or WARP Connector.
- Deploy the WARP client on user devices in Gateway with WARP mode.
A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server.
To create a new target:
- In Zero Trust ↗, go to Networks > Targets.
- Select Add a target.
- In Target hostname, enter a user-friendly name for the target resource. We recommend using the server hostname, for example production-server. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution. Format restrictions:
  - Case insensitive
  - Contain no more than 253 characters
  - Contain only alphanumeric characters, -, or . (no spaces allowed)
  - Start and end with an alphanumeric character
- In IP addresses, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address.
- In the dropdown menu, select the IP address and virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
- Select Add target.
To create the target using the API instead:
- Create an API token with the following permissions:

  | Type | Item | Permission |
  |---|---|---|
  | Account | Zero Trust | Edit |

- Make a POST request to the Infrastructure Access Targets endpoint:

  ```sh
  curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      }
    }'
  ```
To create the target using Terraform instead:
- Add the following permission to your cloudflare_api_token ↗:
  - Teams Write
- Configure the cloudflare_zero_trust_infrastructure_access_target ↗ resource:

  ```hcl
  resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {
    account_id = var.cloudflare_account_id
    hostname   = "infra-access-target"
    ip = {
      ipv4 = {
        ip_addr            = "187.26.29.249"
        virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      }
      ipv6 = {
        ip_addr            = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
        virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    }
  }
  ```
Next, create an infrastructure application to secure the target.
- In Zero Trust ↗, go to Access > Applications.
- Select Add an application.
- Select Infrastructure.
- Enter any name for the application.
- In Target criteria, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
- Enter the Protocol and Port that will be used to connect to the server.
- (Optional) If a protocol runs on more than one port, select Add new target criteria and reconfigure the same target hostname and protocol with a different port number.
- Select Next.
- To secure your targets, configure a policy that defines who can connect and how they can connect:
  - Enter any name for your policy.
  - Create a rule that matches the users who are allowed to reach the targets. For more information, refer to Access policies and review the list of infrastructure policy selectors.
  - In Connection context, configure the following settings:
    - SSH user: Enter the UNIX usernames that users can log in as (for example, root or ec2-user).
    - Allow users to log in as their email alias: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, Jdoe@company.com could log in as jdoe.
- Select Add application.
To create the application using the API instead:
- Create an API token with the following permissions:

  | Type | Item | Permission |
  |---|---|---|
  | Account | Access: Apps & Policies | Edit |

- Make a POST request to the Access applications endpoint:

  ```sh
  curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "name": "Example infrastructure app",
      "type": "infrastructure",
      "target_criteria": [
        {
          "target_attributes": {
            "hostname": ["infra-access-target"]
          },
          "port": 22,
          "protocol": "SSH"
        }
      ],
      "policies": [
        {
          "name": "Allow a specific email",
          "decision": "allow",
          "include": [
            {
              "email": {
                "email": "jdoe@company.com"
              }
            }
          ],
          "connection_rules": {
            "ssh": {
              "usernames": ["root", "ec2-user"]
            }
          }
        }
      ]
    }'
  ```
To create the application using Terraform instead:
- Add the following permission to your cloudflare_api_token ↗:
  - Access: Apps and Policies Write
- Use the cloudflare_zero_trust_access_application ↗ resource to create an infrastructure application:

  ```hcl
  resource "cloudflare_zero_trust_access_application" "infra-app" {
    account_id = var.cloudflare_account_id
    name       = "Example infrastructure app"
    type       = "infrastructure"
    target_criteria {
      port     = 22
      protocol = "SSH"
      target_attributes {
        name   = "hostname"
        values = ["infra-access-target"]
      }
    }
  }
  ```

- Use the cloudflare_zero_trust_access_policy ↗ resource to add an infrastructure policy to the application:

  ```hcl
  resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
    application_id = cloudflare_zero_trust_access_application.infra-app.id
    account_id     = var.cloudflare_account_id
    name           = "Allow a specific email"
    decision       = "allow"
    precedence     = 1
    include {
      email = ["jdoe@company.com"]
    }
    connection_rules {
      ssh {
        usernames = ["root", "ec2-user"]
      }
    }
  }
  ```
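The two API calls above (create the target, then create the infrastructure application that selects it by hostname) as an added Python example; this is not part of the Cloudflare documentation. It enforces the target hostname format restrictions listed earlier, derives the email-alias SSH username, builds the same request bodies the curl examples send, and only needs a network connection when `post` is called with a real account ID and token. The virtual network ID and IP address in the test are constructed placeholders.

```python
import json
import re
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
# Hostname rules from the steps above: alphanumerics, "-" or "." only, no spaces,
# must start and end with an alphanumeric; the 253-character cap is checked separately.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def valid_target_hostname(hostname: str) -> bool:
    return len(hostname) <= 253 and _HOSTNAME_RE.fullmatch(hostname) is not None

def email_alias_username(email: str) -> str:
    # "Log in as their email alias" grants the lowercased local part, e.g. Jdoe@... -> jdoe
    return email.split("@", 1)[0].lower()

def target_payload(hostname, ipv4, vnet_id, ipv6=None):
    # Body for POST .../infrastructure/targets, same shape as the curl example above.
    if not valid_target_hostname(hostname):
        raise ValueError(f"invalid target hostname: {hostname!r}")
    ip = {"ipv4": {"ip_addr": ipv4, "virtual_network_id": vnet_id}}
    if ipv6:
        ip["ipv6"] = {"ip_addr": ipv6, "virtual_network_id": vnet_id}
    return {"hostname": hostname, "ip": ip}

def infra_app_payload(name, hostnames, emails, ssh_usernames, port=22):
    # Body for POST .../access/apps: one SSH target criterion plus one allow policy
    # whose connection_rules restrict which UNIX usernames the matched users may use.
    return {
        "name": name, "type": "infrastructure",
        "target_criteria": [{"target_attributes": {"hostname": list(hostnames)},
                             "port": port, "protocol": "SSH"}],
        "policies": [{"name": "Allow specific emails", "decision": "allow",
                      "include": [{"email": {"email": e}} for e in emails],
                      "connection_rules": {"ssh": {"usernames": list(ssh_usernames)}}}],
    }

def post(path, payload, account_id, token):
    # One authenticated POST to the account-scoped endpoint; returns the JSON envelope.
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/{path}", data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Create the target first with `post("infrastructure/targets", ...)`, then the application with `post("access/apps", ...)`; the application matches the target only through the shared hostname value.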
The targets in this application are now secured by your infrastructure policies.
Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:
Users connect to the target's IP address using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a private DNS resolver to allow connections to the target's private hostname.
To connect to targets that are in different virtual networks, users will need to switch their connected virtual network in the WARP client.
Feature availability
 
| System | Availability | Minimum WARP version |
|---|---|---|
| Windows | ✅ | 2024.9.346.0 |
| macOS | ✅ | 2024.9.346.0 |
| Linux | ✅ | 2024.9.346.0 |
| iOS | ❌ | |
| Android | ❌ | |
| ChromeOS | ❌ | |
Users can use warp-cli to display a list of targets they can access. On the WARP device, open a terminal and run the following command:

```sh
warp-cli target list
```

```
╭──────────────────────────────────────┬──────────┬───────┬───────────────────────┬──────────────────────┬────────────╮
│ Target ID                            │ Protocol │ Port  │ Attributes            │ IP (Virtual Network) │ Usernames  │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 0193f22a-9df3-78e3-b5bb-7ab631903306 │ SSH      │ 22    │ hostname: do-target   │ 10.116.0.3 (a1net)   │ alice      │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 0193f22a-9df3-78e3-b5bb-7ab631903306 │ SSH      │ 23    │ hostname: do-target   │ 10.116.0.3 (a1net)   │ root       │
├──────────────────────────────────────┼──────────┼───────┼───────────────────────┼──────────────────────┼────────────┤
│ 01943cff-6130-7989-8bff-cbc02b59a2b1 │ SSH      │ 80    │ hostname: az-target   │ 172.16.0.0 (b1net)   │ alice, bob │
╰──────────────────────────────────────┴──────────┴───────┴───────────────────────┴──────────────────────┴────────────╯
```

You can optionally add flags to filter the output. For example:

```sh
warp-cli target list --attribute hostname=do-target --username root
```

To view all available filters, type warp-cli target list --help.
To revoke a user's access to all infrastructure targets, you can either revoke the user from Zero Trust or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
The following Access policy selectors are available for securing infrastructure applications:
- Emails ending in
- SAML group
- Country
- Authentication method
- Device posture
- Entra group, GitHub organization, Google Workspace group, Okta group
By default, Cloudflare will evaluate Access infrastructure application policies after evaluating all Gateway network policies. To evaluate Access infrastructure applications before or after specific Gateway policies, create the following Gateway network policy:
| Selector | Operator | Value | Action | 
|---|---|---|---|
| All Access App Targets | is | on | Allow | 
You can move this policy in the Gateway policy builder to change its order of precedence.