Cloudflare setup
Aucert uses Cloudflare for DNS, secure access (Zero Trust), and edge routing. No public IPs are exposed on Azure.
The Cloudflare Tunnel runs as a pod inside AKS, establishing an outbound-only connection to Cloudflare's edge. No inbound ports are opened on the Azure VNet — this eliminates an entire class of network security concerns.
DNS (aucert.dev)
| Hostname | Target | Protection | Status |
|---|---|---|---|
| plane.aucert.dev | ns:internal-platform, svc:plane | Cloudflare Access | Active |
| astra.aucert.dev | ns:internal-platform, svc:astra | Cloudflare Access | Active |
| docs.aucert.dev | Cloudflare Pages (internal docs) | Cloudflare Access | Planned |
| docs-preview.aucert.dev | Cloudflare Pages (public docs) | Public | Planned |
| grafana.aucert.dev | ns:internal-platform, svc:grafana | Cloudflare Access | Planned |
Cloudflare Access (Zero Trust)
All *.aucert.dev hostnames are behind Cloudflare Access:
| Setting | Value |
|---|---|
| Auth method | Google OAuth |
| Allowed domain | @aucert.ai only |
| Session duration | 24 hours |
| Policy type | Allow |
How authentication works
- User navigates to plane.aucert.dev
- Cloudflare Access intercepts the request
- User authenticates via Google OAuth
- Cloudflare verifies the email ends with @aucert.ai
- Cloudflare sets an access token cookie (24h TTL)
- Subsequent requests pass through without re-authentication
Tunnel architecture
The Cloudflare Tunnel pod (cloudflared) maintains a persistent outbound connection to Cloudflare's edge network. Key properties:
| Property | Detail |
|---|---|
| Direction | Outbound only — AKS connects to Cloudflare, not the other way around |
| Protocol | HTTP/2 with QUIC fallback |
| No public IP | AKS nodes have no public IPs, no inbound NSG rules |
| Redundancy | Multiple tunnel replicas for availability |
| Configuration | Managed via Cloudflare dashboard or cloudflared config file |
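The manifests below are an added example of the config-file variant of the tunnel, not Aucert's own manifests. They show the properties from the table above (outbound-only connector, two replicas, no Service or public IP of any kind) and tie back to the authentication flow: each ingress rule sets `originRequest.access.required`, so cloudflared itself refuses a request that does not carry a valid Access token for that application, which guards against a hostname being routed through the tunnel without an Access policy in front of it. The tunnel UUID, credentials Secret name, Access team name, application AUD tags, upstream service ports (80) and the image version are assumptions, marked as placeholders; the `ingress` namespace and `app=cloudflared` label are the ones used in the troubleshooting section.

```yaml
# Added example, not the project's own manifests. Placeholders in <angle brackets>
# (tunnel UUID, Access team name, AUD tags, image version) must be filled in;
# the in-cluster service ports (80) and the Secret name are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared-config
  namespace: ingress
data:
  config.yaml: |
    tunnel: <TUNNEL_UUID>                      # placeholder: tunnel id from the dashboard
    credentials-file: /etc/cloudflared/creds/credentials.json
    no-autoupdate: true
    metrics: 0.0.0.0:2000                      # serves /ready (probes) and /metrics
    ingress:
      # Explicit hostname -> in-cluster service mapping. With access.required,
      # cloudflared validates the Cf-Access-Jwt-Assertion against the team's
      # certs and the app's AUD tag before forwarding to the origin.
      - hostname: plane.aucert.dev
        service: http://plane.internal-platform.svc.cluster.local:80
        originRequest:
          access:
            required: true
            teamName: <ACCESS_TEAM_NAME>       # placeholder: <team>.cloudflareaccess.com
            audTag:
              - <PLANE_APP_AUD_TAG>            # placeholder: Access application Audience tag
      - hostname: astra.aucert.dev
        service: http://astra.internal-platform.svc.cluster.local:80
        originRequest:
          access:
            required: true
            teamName: <ACCESS_TEAM_NAME>
            audTag:
              - <ASTRA_APP_AUD_TAG>
      # Catch-all: a hostname not listed above gets a 404 from cloudflared
      # and never reaches an in-cluster service.
      - service: http_status:404
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: ingress
spec:
  replicas: 2                                  # two connectors for availability
  selector:
    matchLabels:
      app: cloudflared
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      automountServiceAccountToken: false      # the connector needs no Kubernetes API access
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
      containers:
        - name: cloudflared
          image: cloudflare/cloudflared:<PINNED_VERSION>   # placeholder: pin a release, not :latest
          args: ["tunnel", "--config", "/etc/cloudflared/config/config.yaml", "run"]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          livenessProbe:
            httpGet:
              path: /ready
              port: 2000
            initialDelaySeconds: 10
            periodSeconds: 10
          volumeMounts:
            - name: config
              mountPath: /etc/cloudflared/config
              readOnly: true
            - name: creds
              mountPath: /etc/cloudflared/creds
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: cloudflared-config
        - name: creds
          secret:
            secretName: tunnel-credentials     # assumed Secret holding credentials.json
```

Note that nothing here creates a Kubernetes Service or LoadBalancer: the pod only dials out to Cloudflare's edge, so there is no object for an inbound NSG rule to refer to. The `/ready` endpoint on the metrics port returns non-200 while the connector has no edge connection, which is the first thing to check when the tunnel appears down.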
Why no public IP?
Traditional approaches expose a load balancer with a public IP. This requires:
- NSG rules to restrict inbound traffic
- DDoS protection
- SSL termination management
- Public IP cost
The tunnel approach eliminates all of these. Cloudflare handles SSL, DDoS protection, and WAF at the edge. The only network traffic to AKS is through the tunnel — and only for authenticated requests.
Cloudflare Pages (documentation)
| Site | Repository path | Deploy trigger |
|---|---|---|
| Public docs | docs/public/ | Push to main via GitHub Action |
| Internal docs | docs/internal/ | Push to main via GitHub Action |
Both sites deploy to Cloudflare Pages via wrangler pages deploy in GitHub Actions. Internal docs are additionally protected by Cloudflare Access.
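An added example of such a workflow for the public docs site (not Aucert's own workflow file): it builds the site and runs `wrangler pages deploy` with the account id and a Pages-scoped API token supplied from repository secrets. The Pages project name, the `npm run build` step and the `dist` output directory are assumptions; the `docs/public/` path and the main-branch trigger come from the table above.

```yaml
# Added example, not the project's own workflow. Assumed: the build command,
# the dist/ output directory and the Pages project name.
name: Deploy public docs

on:
  push:
    branches: [main]
    paths:
      - "docs/public/**"          # only doc changes trigger a deploy

permissions:
  contents: read                  # the job only needs to read the checkout

concurrency:
  group: pages-public-docs        # never run two deploys of the same site at once
  cancel-in-progress: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Build site
        working-directory: docs/public
        run: |
          npm ci
          npm run build           # assumed: writes the static site to ./dist

      - name: Deploy to Cloudflare Pages
        working-directory: docs/public
        env:
          # wrangler reads these two variables; the token should carry only
          # the "Cloudflare Pages: Edit" permission for this account.
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
        run: npx wrangler pages deploy ./dist --project-name aucert-docs-public --branch main
```

The internal docs site uses the same shape with `docs/internal/` and its own project name; because that Pages project sits behind Cloudflare Access, the workflow does not need to differ, only the Access application attached to the hostname does.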
Troubleshooting
Tunnel pod not connecting
Check the cloudflared pod logs:
```bash
kubectl logs -n ingress -l app=cloudflared --tail=50
```
Common causes:
- Tunnel credentials expired — regenerate in Cloudflare dashboard
- DNS resolution failure — check CoreDNS logs in AKS
Access returns "You do not have access"
Verify:
- Your email domain is @aucert.ai
- Your Google account is not in a restricted OU
- The Cloudflare Access application policy includes your email domain
What's next
- Azure topology — Full Azure resource inventory
- Secrets management — How credentials are stored
- Terraform tiers — Infrastructure organization