Exposing applications running on Microsoft Azure with Cloudflare Argo Tunnel

With Cloudflare Argo Tunnel, you can expose your Microsoft Azure applications securely to the Internet without having to open up firewalls.  


Overview

Cloudflare Argo Tunnel can expose applications running on the Microsoft Azure platform.  See Cloudflare's install & configure Argo Tunnel guide. Also, a prebuilt Cloudflare Linux image exists on the Azure Marketplace.  To simplify the process of connecting Azure applications to Cloudflare’s network, deploy the prebuilt image to an Azure resource group.

Prerequisites include:

  • a Cloudflare account enabled with Argo Tunnel
  • at least one domain connected to the Cloudflare account 

Installing the prebuilt Linux image

The prebuilt Cloudflare Linux image resides on the Azure Marketplace or can be opened in the Azure Portal.

The Cloudflare virtual machine (VM) is customizable.  However, we recommend the following:

  • Do not alter the disk image for the VM.
  • Switch authentication type to password and create a username and password.
  • Enable SSH in the inbound port rules.
  • Add the Cloudflare VM to the same virtual network as the exposed Azure applications.

Configuring the VM

SSH into the Cloudflare VM.  A simple application called example.py is included in the VM for testing.  The test application launches a Python Flask service that listens on localhost port 5000.  To start the test application, type the screen command at the command prompt. Then, start the application in the screen session by running:

python /usr/cloudflare/example.py

Exit the screen session with a keyboard shortcut Ctrl + a + d.  To reattach the screen session, enter the following command:

screen -r

Also, to permanently end the screen session and related processes, type the following command within the screen session:

exit

The Azure Cloudflare image is preinstalled with the cloudflared client for Argo Tunnel.  However, configuration is required to connect an application to the Cloudflare network. The first step is to run the following command within the Cloudflare VM: 

cloudflared login

The command outputs a link that allows a domain to be authorized for use with Argo Tunnel. After the Cloudflare account is authorized, run the following command to configure Argo Tunnel with the information necessary to expose the Azure application:

cloudsetup
Set the origin IP to 127.0.0.1 if the application is running on the Cloudflare VM instance.

When using the Cloudflare VM to expose an Azure resource on a different instance, the origin IP is the private virtual network IP of the resource running the exposed application. The cloudsetup utility automatically starts cloudflared as a service within the instance.

Check the status of the cloudflared service:

service cloudflared status

At this point, the application should be live at the authorized Cloudflare domain and using the hostname supplied within the cloudsetup utility.  


Changing the Cloudflared configuration

1. Stop the cloudflared tunnel service before changing the configuration of the Cloudflare Argo Tunnel VM:

service cloudflared stop 
If switching domains, first delete the certificate stored in ~/.cloudflared/ or to authorize a different domain, run: cloudflared login 

2. Delete the cloudflared config:

sudo rm /etc/cloudflared/config.yml

3. Run cloudsetup again to reconfigure subdomain info, origin IP, and port settings. The cloudsetup utility automatically restarts the tunnel service.


Relevant resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk