Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications, configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versiondeploying-cloudflare-access-for-zero-trustExecute the skills CLI command in your project's root directory to begin installation:
Fetches deploying-cloudflare-access-for-zero-trust from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate deploying-cloudflare-access-for-zero-trust. Access via /deploying-cloudflare-access-for-zero-trust in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | deploying-cloudflare-access-for-zero-trust |
| description | 'Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications, configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement. ' |
| domain | cybersecurity |
| subdomain | zero-trust-architecture |
| tags | - cloudflare - cloudflare-access - zero-trust - cloudflare-tunnel - warp - ztna - cloudflare-one |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| atlas_techniques | - AML.T0051 - AML.T0054 - AML.T0056 |
| nist_ai_rmf | - MEASURE-2.7 - MEASURE-2.5 - GOVERN-6.1 - MAP-5.1 |
| nist_csf | - PR.AA-01 - PR.AA-05 - PR.IR-01 - GV.PO-01 |
Do not use for applications requiring persistent UDP connections not supported by Cloudflare Tunnel, for environments requiring air-gapped or fully on-premises access control, or when regulatory requirements prohibit routing traffic through third-party cloud infrastructure.
cloudflared tunnel daemonInstall cloudflared and create a persistent tunnel to expose internal services.
# Install cloudflared on Ubuntu/Debian
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb \
-o cloudflared.deb
sudo dpkg -i cloudflared.deb
# Authenticate cloudflared with your Cloudflare account
cloudflared tunnel login
# Create a named tunnel
cloudflared tunnel create internal-apps
# Output: Created tunnel internal-apps with id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Configure tunnel routes to internal applications
cat > ~/.cloudflared/config.yml << 'EOF'
tunnel: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
credentials-file: /home/admin/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json
ingress:
- hostname: wiki.company.com
service: http://localhost:8080
- hostname: git.company.com
service: http://10.1.1.50:3000
- hostname: grafana.company.com
service: http://10.1.1.60:3000
- hostname: ssh.company.com
service: ssh://localhost:22
- hostname: rdp.company.com
service: rdp://10.1.1.100:3389
# Catch-all rule (required)
- service: http_status:404
EOF
# Route DNS to the tunnel
cloudflared tunnel route dns internal-apps wiki.company.com
cloudflared tunnel route dns internal-apps git.company.com
cloudflared tunnel route dns internal-apps grafana.company.com
# Run tunnel as a systemd service
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
# Verify tunnel status
cloudflared tunnel info internal-apps
Set up authentication with your organization's identity provider.
# Using Cloudflare API to configure Okta as IdP
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Corporate Okta",
"type": "okta",
"config": {
"client_id": "OKTA_CLIENT_ID",
"client_secret": "OKTA_CLIENT_SECRET",
"okta_account": "company.okta.com",
"api_token": "OKTA_API_TOKEN",
"claims": ["email", "groups", "name"],
"email_claim_name": "email"
}
}'
# Configure Microsoft Entra ID as additional IdP
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Microsoft Entra ID",
"type": "azureAD",
"config": {
"client_id": "AZURE_APP_CLIENT_ID",
"client_secret": "AZURE_APP_CLIENT_SECRET",
"directory_id": "AZURE_TENANT_ID",
"support_groups": true,
"claims": ["email", "groups", "name"]
}
}'
Define Access applications with identity-aware policies for each internal service.
# Create Access application for internal wiki
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Internal Wiki",
"domain": "wiki.company.com",
"type": "self_hosted",
"session_duration": "8h",
"auto_redirect_to_identity": true,
"http_only_cookie_attribute": true,
"same_site_cookie_attribute": "lax",
"logo_url": "https://company.com/wiki-logo.png",
"allowed_idps": ["OKTA_IDP_ID", "AZURE_IDP_ID"]
}'
# Create Allow policy for the wiki application
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_id}/policies" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Allow Engineering Team",
"decision": "allow",
"precedence": 1,
"include": [
{"group": {"id": "ENGINEERING_GROUP_ID"}},
{"okta": {"name": "Engineering", "identity_provider_id": "OKTA_IDP_ID"}}
],
"require": [
{"device_posture": {"integration_uid": "CROWDSTRIKE_INTEGRATION_ID"}}
]
}'
# Create Access application for SSH access
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "SSH Access",
"domain": "ssh.company.com",
"type": "ssh",
"session_duration": "4h",
"auto_redirect_to_identity": true
}'
Enroll corporate devices using Cloudflare WARP for private network access and device posture.
# Create device enrollment rule
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Corporate Device Enrollment",
"match": "identity.email matches \".*@company\\.com$\"",
"precedence": 100,
"enabled": true,
"gateway_unique_id": "GATEWAY_ID",
"support_url": "https://helpdesk.company.com/warp-help"
}'
# Install WARP on macOS via MDM (Jamf/Intune)
# Download: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/
# Deploy with MDM configuration profile:
cat > warp_mdm_config.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>organization</key>
<string>company</string>
<key>auto_connect</key>
<integer>1</integer>
<key>switch_locked</key>
<true/>
<key>onboarding</key>
<false/>
</dict>
</plist>
EOF
# Install Cloudflare root certificate for TLS inspection
# Download from: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/
sudo cp cloudflare-root-ca.pem /usr/local/share/ca-certificates/cloudflare-root-ca.crt
sudo update-ca-certificates
# Configure split tunnel to route private network through WARP
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '[
{"suffix": "internal.corp", "description": "Internal corporate domain"},
{"suffix": "10.0.0.0/8", "description": "Private network range"}
]'
Integrate endpoint security signals into Access policies.
# Add CrowdStrike device posture integration
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/posture/integration" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "CrowdStrike Falcon",
"type": "crowdstrike_s2s",
"config": {
"api_url": "https://api.crowdstrike.com",
"client_id": "CS_API_CLIENT_ID",
"client_secret": "CS_API_CLIENT_SECRET",
"customer_id": "CS_CUSTOMER_ID"
},
"interval": "10m"
}'
# Create device posture rule for disk encryption
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/posture" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Disk Encryption Required",
"type": "disk_encryption",
"match": [{"platform": "windows"}, {"platform": "mac"}],
"input": {"requireAll": true}
}'
# Create device posture rule for OS version
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/posture" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "Minimum OS Version",
"type": "os_version",
"match": [{"platform": "windows"}],
"input": {"version": "10.0.19045", "operator": ">="}
}'
Configure logging for access decisions and tunnel health monitoring.
# Enable Logpush for Access audit logs to S3
curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/logpush/jobs" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"name": "access-audit-logs",
"output_options": {
"field_names": ["RayID","Action","Allowed","AppDomain","AppUUID","Connection","Country","CreatedAt","Email","IPAddress","PurposeJustificationPrompt","PurposeJustificationResponse","TemporaryAccessDuration","UserUID"],
"timestamp_format": "rfc3339"
},
"destination_conf": "s3://security-logs-bucket/cloudflare-access/?region=us-east-1&access-key-id=AKID&secret-access-key=SECRET",
"dataset": "access_requests",
"enabled": true
}'
# Query access logs via GraphQL Analytics API
curl -X POST "https://api.cloudflare.com/client/v4/graphql" \
-H "Authorization: Bearer ${CF_API_TOKEN}" \
-H "Content-Type: application/json" \
--data '{
"query": "{ viewer { accounts(filter: {accountTag: \"ACCOUNT_ID\"}) { accessLoginRequestsAdaptiveGroups(filter: {datetime_gt: \"2026-02-22T00:00:00Z\"}, limit: 100, orderBy: [count_DESC]) { dimensions { action appName userEmail country } count } } } }"
}'
| Term | Definition |
|---|---|
| Cloudflare Tunnel | Encrypted outbound-only connection from your infrastructure to Cloudflare's network, exposing internal services without opening inbound firewall ports |
| Cloudflare Access | Identity-aware reverse proxy evaluating every request against access policies before granting access to protected applications |
| WARP Client | Cloudflare's endpoint agent that routes device traffic through Cloudflare's network for policy enforcement and private network access |
| Access Application | Configuration object defining a protected resource (self-hosted, SaaS, or infrastructure) with associated access policies |
| Device Posture | Endpoint health signals (OS version, disk encryption, EDR status) evaluated as conditions in Access policies |
| Cloudflare One | Unified SASE platform combining ZTNA (Access), SWG (Gateway), CASB, DLP, and RBI |
Context: A SaaS startup with 200 employees and no existing VPN wants to provide secure access to internal tools (Grafana, internal APIs, staging environments) running on AWS. Budget is limited, and the team has no dedicated security staff.
Approach:
cloudflared tunnel on an EC2 instance in the production VPCPitfalls: Cloudflare root certificate must be installed on all devices for TLS inspection to work; some applications may break with TLS interception. Tunnel failover requires running multiple cloudflared instances or using Cloudflare's replicas feature. Access policies should always include a default deny rule. WebSocket applications may require specific tunnel configuration.
Cloudflare Zero Trust Deployment Report
==================================================
Organization: StartupCorp
Team Name: startupcorp
Deployment Date: 2026-02-23
TUNNEL INFRASTRUCTURE:
Active Tunnels: 2 (primary + failover)
Tunnel Status: Healthy
Connected Edge: Washington DC, Ashburn
Ingress Routes: 8
ACCESS APPLICATIONS:
Self-Hosted Apps: 6
SaaS Apps: 3
SSH/Infrastructure: 2
Total Policies: 15
DEVICE ENROLLMENT:
Enrolled Devices: 187 / 200
WARP Connected: 182 / 187 (97.3%)
Posture Compliant: 175 / 187 (93.6%)
ACCESS METRICS (last 30 days):
Total Requests: 89,432
Allowed: 88,756 (99.2%)
Blocked: 676 (0.8%)
Unique Users: 195
Countries: 12
Avg Session Duration: 6.2 hours
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Registry listing for deploying-cloudflare-access-for-zero-trust matched our evaluation — installs cleanly and behaves as described in the markdown.
deploying-cloudflare-access-for-zero-trust is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
deploying-cloudflare-access-for-zero-trust fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
We added deploying-cloudflare-access-for-zero-trust from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: deploying-cloudflare-access-for-zero-trust is focused, and the summary matches what you get after install.
We added deploying-cloudflare-access-for-zero-trust from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: deploying-cloudflare-access-for-zero-trust is focused, and the summary matches what you get after install.
Useful defaults in deploying-cloudflare-access-for-zero-trust — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
deploying-cloudflare-access-for-zero-trust reduced setup friction for our internal harness; good balance of opinion and flexibility.
I recommend deploying-cloudflare-access-for-zero-trust for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
showing 1-10 of 32