SSH with Access for Infrastructure (recommended)
Access for Infrastructure provides granular control over how users can connect to your SSH servers. This feature uses the same deployment model as WARP-to-Tunnel but unlocks more policy options and command logging functionality.
Furthermore, Access for Infrastructure replaces traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH keypair and administrators grant access to individual SSH servers by deploying their users' public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates.
- Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.
- In the Private Networks tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.
To connect your devices to Cloudflare:
- Deploy the WARP client on your devices in Gateway with WARP mode.
- Enable the Gateway proxy for TCP.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
By default, WARP excludes traffic bound for RFC 1918 space, the IP address ranges typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your SSH server, you must configure Split Tunnels so that the IP/CIDR of your SSH server routes through WARP.
- First, check whether your Split Tunnels mode is set to Exclude or Include mode.
- If you are using Include mode, add your SSH server's IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.
- If you are using Exclude mode:
  a. Delete the entry that contains your SSH server's IP/CIDR range from the list. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
  b. Re-add the IP/CIDR ranges within that entry that are not used by your SSH server. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.

  You can use the following calculator to determine which IP addresses to re-add:
In Base CIDR, enter the RFC 1918 range that you deleted from Split Tunnels. In Excluded CIDRs, enter the IP/CIDR range used by your SSH server. Re-add the calculator results to your Split Tunnel Exclude mode list.
By tightening the private IP range included in WARP, you reduce the risk of breaking a user's access to local resources.
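The calculator's arithmetic, reproduced here as an added example (not Cloudflare's own tool): given the RFC 1918 entry you deleted and the range(s) your SSH server uses, it returns the CIDRs to re-add to the Exclude list, and a second helper checks which addresses still bypass WARP afterwards. The function names are ours; the sample ranges are the AWS example from the text.

```python
import ipaddress


def split_tunnel_readd(base_cidr: str, excluded_cidrs: list[str]) -> list[str]:
    """Return the CIDRs to re-add to the Split Tunnels Exclude list.

    base_cidr      - the RFC 1918 entry removed from the Exclude list
    excluded_cidrs - the range(s) your SSH server lives in; these must
                     route through WARP, so they are carved out of base_cidr
    """
    remaining = [ipaddress.ip_network(base_cidr, strict=True)]
    for excl in excluded_cidrs:
        excl_net = ipaddress.ip_network(excl, strict=True)
        next_remaining = []
        for net in remaining:
            if excl_net.subnet_of(net):
                # address_exclude splits `net` into the largest blocks that
                # together cover everything in `net` except `excl_net`
                next_remaining.extend(net.address_exclude(excl_net))
            elif net.subnet_of(excl_net):
                continue  # entirely inside the server range: drop it
            else:
                next_remaining.append(net)  # untouched by this exclusion
        remaining = next_remaining
    return [str(n) for n in sorted(remaining)]


def bypasses_warp(ip: str, exclude_list: list[str]) -> bool:
    """True if `ip` matches an Exclude-mode entry, i.e. it does NOT go through WARP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in exclude_list)


if __name__ == "__main__":
    # AWS example from the docs: server range 172.31.0.0/16 inside 172.16.0.0/12
    readd = split_tunnel_readd("172.16.0.0/12", ["172.31.0.0/16"])
    print("Re-add to Exclude list:", ", ".join(readd))
    # Sanity checks a practitioner would run before pushing the policy:
    print("172.31.5.10 bypasses WARP?", bypasses_warp("172.31.5.10", readd))  # False
    print("172.20.1.1  bypasses WARP?", bypasses_warp("172.20.1.1", readd))   # True
```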
A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare.
Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. To create a new target: