Securing Applications with Cloudflare Zero Trust and Google Cloud Platform
As organizations continue shifting workloads into the cloud, securing access to applications becomes more important than ever. Traditional VPNs and perimeter-based security models often introduce unnecessary complexity, performance bottlenecks, and expanded attack surfaces.
At Sudo-Sec, we advocate for modern security architectures built around Zero Trust principles: never trust, always verify.
In this guide, we’ll walk through how to securely publish an application hosted in Google Cloud Platform (GCP) using Cloudflare Zero Trust. This setup allows you to expose internal applications securely without directly exposing your infrastructure to the public internet.
What is Zero Trust?
Zero Trust is a security model that assumes no user, device, or network should be inherently trusted — even if they are already inside the network perimeter.
Instead of granting broad network access like a traditional VPN, Zero Trust solutions:
- Authenticate every request
- Verify user identity continuously
- Restrict access based on policy
- Hide internal infrastructure from direct exposure
- Reduce attack surface significantly
With Cloudflare Zero Trust, you can securely publish internal applications behind identity-aware access controls without opening inbound firewall ports to your infrastructure.
Architecture Overview
In this deployment model:
- Your application runs privately inside GCP
- A Cloudflare Tunnel securely connects the server to Cloudflare
- Cloudflare Access enforces authentication policies
- Authorized users gain secure access through Cloudflare’s edge network
This removes the need for:
- Public IP exposure
- Port forwarding
- Traditional VPN infrastructure
Prerequisites
Before starting, you should have:
- A GCP project
- A Linux VM hosted in GCP
- A domain managed by Cloudflare
- A Cloudflare Zero Trust account
- SSH access to your server
- A web application running locally on the server
Example:
- Ubuntu VM in GCP
- NGINX application listening on port 8080
Step 1 — Deploy Your Application in GCP
First, create a VM instance in GCP.
Inside the VM:
sudo apt update && sudo apt install nginx -y
Modify the default NGINX page:
echo "Sudo-Sec Zero Trust Demo" | sudo tee /var/www/html/index.html
Verify locally:
curl localhost
You should see:
Sudo-Sec Zero Trust Demo
At this stage, your application should remain private and only accessible internally.
Step 2 — Install Cloudflared
Cloudflare Tunnel uses the cloudflared daemon to create an outbound encrypted tunnel to Cloudflare’s network.
Install it:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
Verify installation:
cloudflared --version
Step 3 — Authenticate Cloudflared
Login to Cloudflare:
cloudflared tunnel login
This command prints a login URL (and opens it in a browser where one is available) asking you to:
- Authenticate to Cloudflare
- Select your domain
After authentication, cloudflared stores an account certificate (cert.pem) in its local configuration directory; this certificate is what authorizes the tunnel management commands that follow.
Step 4 — Create a Tunnel
Create a named tunnel:
cloudflared tunnel create sudo-sec-demo
Example output:
Tunnel credentials written to: /root/.cloudflared/<UUID>.json
Cloudflare will generate:
- Tunnel UUID
- Credentials file
Step 5 — Configure the Tunnel
Create the configuration file:
sudo mkdir -p /etc/cloudflared
sudo nano /etc/cloudflared/config.yml
Example configuration:
tunnel: YOUR-TUNNEL-ID
credentials-file: /root/.cloudflared/YOUR-TUNNEL-ID.json
ingress:
  - hostname: app.yourdomain.com
    service: http://localhost:80
  - service: http_status:404
Replace:
- YOUR-TUNNEL-ID with the tunnel UUID generated in Step 4
- app.yourdomain.com with the hostname you want to publish
The final rule with no hostname is the catch-all: any request that does not match a listed hostname receives a 404 instead of being forwarded to a backend.
Step 6 — Route DNS Through Cloudflare
Create the DNS route automatically:
cloudflared tunnel route dns sudo-sec-demo app.yourdomain.com
Cloudflare will automatically create the required CNAME record for app.yourdomain.com, pointing it at the tunnel (an address under cfargotunnel.com) so that traffic is routed through the tunnel rather than to a public IP.
Step 7 — Start the Tunnel
Run the tunnel:
cloudflared tunnel run sudo-sec-demo
Your application is now reachable through Cloudflare — but we still need to secure access.
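The configuration and start-up from Steps 5 through 7 can be scripted so the config file is generated and checked before the tunnel is started. The script below is an added example and is not part of the original Sudo-Sec guide or the cloudflared project; the tunnel UUID and hostname are passed in as arguments, the config path and the cloudflared subcommands (tunnel ingress validate, tunnel run) are real, and the function names, the CLOUDFLARED_APPLY convention and the two sanity checks are this example's own. The checks confirm that the ingress list ends with the http_status:404 catch-all and that the origin service is bound to loopback, so the application is only ever reached through the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post or the cloudflared project):
# render /etc/cloudflared/config.yml for one hostname, sanity-check it, then
# validate and run the tunnel. Usage:
#   CLOUDFLARED_APPLY=1 sh tunnel-config.sh <TUNNEL-UUID> app.yourdomain.com [http://localhost:80]

# Print a config.yml publishing one hostname, ending with the 404 catch-all.
render_tunnel_config() {
    tunnel_id=$1
    hostname=$2
    service=${3:-http://localhost:80}
    cat <<EOF
tunnel: ${tunnel_id}
credentials-file: /root/.cloudflared/${tunnel_id}.json
ingress:
  - hostname: ${hostname}
    service: ${service}
  # Catch-all: anything not matched above gets a 404 instead of a backend
  - service: http_status:404
EOF
}

# Return 0 if the last ingress rule is the http_status:404 catch-all.
check_ingress_catchall() {
    last=$(printf '%s\n' "$1" | grep 'service:' | tail -n 1)
    case "$last" in
        *http_status:404*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the origin service is bound to loopback only, so the app is
# never reachable by the VM's own IP address, only through the tunnel.
check_local_origin() {
    printf '%s\n' "$1" | grep -Eq 'service: https?://(localhost|127\.0\.0\.1)(:|/|$)'
}

# Apply only when explicitly requested, so sourcing this file has no side effects.
if [ "${CLOUDFLARED_APPLY:-0}" = "1" ]; then
    cfg=$(render_tunnel_config "$1" "$2" "${3:-http://localhost:80}")
    check_ingress_catchall "$cfg" || { echo "missing http_status:404 catch-all" >&2; exit 1; }
    check_local_origin "$cfg" || echo "warning: origin service is not loopback-only" >&2
    sudo mkdir -p /etc/cloudflared
    printf '%s\n' "$cfg" | sudo tee /etc/cloudflared/config.yml >/dev/null
    # Ask cloudflared itself to validate the ingress rules before starting.
    sudo cloudflared --config /etc/cloudflared/config.yml tunnel ingress validate
    sudo cloudflared --config /etc/cloudflared/config.yml tunnel run "$1"
fi
```

Without CLOUDFLARED_APPLY=1 the script only defines the functions, which makes it safe to source from other tooling; the loopback check is a warning rather than a hard failure because some deployments legitimately front a service on another private host, but in that case the origin's own firewall has to do the work the loopback binding would otherwise do.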
Step 8 — Configure Cloudflare Access Policies
Navigate to:
Zero Trust Dashboard → Access → Applications
Create a new application:
- Type: Self-hosted
- Domain: app.yourdomain.com
Next, define access policies.
Example policies:
- Allow only company email domains
- Require MFA
- Restrict by country
- Restrict by device posture
- Require identity provider login
Supported identity providers include:
- Google Workspace
- Microsoft Entra ID
- GitHub
- Okta
- One-time PIN authentication
This means users must authenticate before ever reaching your application.
Step 9 — Disable Public Exposure in GCP
One of the biggest advantages of this architecture is eliminating direct public access.
Recommended hardening:
- Remove external IPs where possible
- Restrict firewall rules
- Allow outbound-only traffic
- Disable unused ports
- Use private VPC networking
Because a Cloudflare Tunnel is outbound-initiated (cloudflared connects out from the VM to Cloudflare), no inbound ports need to remain open for the application.
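The hardening list above maps onto a handful of gcloud operations. The script below is an added example, not from the original post or from Google's or Cloudflare's own tooling: it removes the VM's external IP, tags the instance, denies all inbound traffic to that tag, and limits administrative SSH to Identity-Aware Proxy TCP forwarding. The project, zone, instance and network names are placeholders; the gcloud subcommands and flags are real, while the rule names, the tag, the DRY_RUN convention and the function names are this example's own. It prints the commands by default so they can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not from the original post): lock down the GCP VM that runs
# cloudflared so the only path to the application is the outbound tunnel.
# Preview:  GCP_HARDEN_RUN=1 sh harden.sh          (DRY_RUN defaults to 1)
# Apply:    GCP_HARDEN_RUN=1 DRY_RUN=0 sh harden.sh

PROJECT=${PROJECT:-my-gcp-project}   # placeholder, set to your project id
ZONE=${ZONE:-europe-west1-b}         # placeholder
INSTANCE=${INSTANCE:-zt-demo-vm}     # placeholder
NETWORK=${NETWORK:-default}
TAG=${TAG:-cloudflared-origin}       # example tag name

# Print the command in DRY_RUN mode, otherwise execute it.
run_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

harden_origin_vm() {
    # 1. Drop the external IP: the VM keeps only its private VPC address.
    #    Outbound traffic (apt, cloudflared to Cloudflare on port 7844) then
    #    needs Cloud NAT or an egress proxy. "External NAT" is the usual
    #    default access-config name; confirm it with
    #    gcloud compute instances describe before applying.
    run_cmd gcloud compute instances delete-access-config "$INSTANCE" \
        --project "$PROJECT" --zone "$ZONE" --access-config-name "External NAT"

    # 2. Tag the instance so firewall rules target only this role.
    run_cmd gcloud compute instances add-tags "$INSTANCE" \
        --project "$PROJECT" --zone "$ZONE" --tags "$TAG"

    # 3. Deny all inbound traffic to tagged instances. The tunnel is
    #    outbound-initiated, so the app needs no inbound rule at all.
    run_cmd gcloud compute firewall-rules create "deny-ingress-${TAG}" \
        --project "$PROJECT" --network "$NETWORK" \
        --direction INGRESS --action DENY --rules all \
        --priority 1000 --target-tags "$TAG"

    # 4. Admin SSH only through Identity-Aware Proxy TCP forwarding, never
    #    from the open internet. 35.235.240.0/20 is Google's published IAP range.
    #    Lower priority number wins, so this allow is evaluated before the deny.
    run_cmd gcloud compute firewall-rules create "allow-iap-ssh-${TAG}" \
        --project "$PROJECT" --network "$NETWORK" \
        --direction INGRESS --action ALLOW --rules tcp:22 \
        --source-ranges 35.235.240.0/20 \
        --priority 900 --target-tags "$TAG"
}

if [ "${GCP_HARDEN_RUN:-0}" = "1" ]; then
    harden_origin_vm
fi
```

The order matters: removing the external IP before Cloud NAT exists will cut off apt and cloudflared's own outbound connection, so provision NAT (or confirm the VM reaches Cloudflare some other way) before running with DRY_RUN=0.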
Step 10 — Enable Additional Security Features
Cloudflare Zero Trust provides several additional protections:
Multi-Factor Authentication (MFA)
Require MFA for all users.
Device Posture Checks
Allow access only from:
- Managed devices
- Updated operating systems
- Devices with endpoint protection enabled
Logging and Monitoring
Enable:
- Access logs
- Tunnel logs
- Security analytics
These logs are useful for:
- Threat detection
- Incident response
- Compliance requirements
Benefits of This Architecture
Reduced Attack Surface
Your infrastructure is no longer directly exposed to the internet.
Simplified Remote Access
Users authenticate through Cloudflare instead of connecting through VPNs.
Better Scalability
Cloudflare’s global edge network improves performance and availability.
Identity-Aware Security
Access is tied to verified user identity instead of network location.
Easier Compliance
Detailed logging and policy enforcement help support security audits and compliance initiatives.
Common Mistakes to Avoid
Leaving Public Firewall Rules Enabled
If using Cloudflare Tunnel, you typically do not need inbound public access.
Using Weak Access Policies
Always require MFA for sensitive applications.
Forgetting Least Privilege
Only grant access to users who actually need the application.
Exposing Administrative Interfaces
Never expose SSH, RDP, or admin panels publicly without strict access controls.
Final Thoughts
Zero Trust architectures are quickly becoming the modern standard for securing cloud-hosted applications. Combining Cloudflare Zero Trust with GCP creates a highly secure, scalable, and cost-effective way to publish internal services without relying on legacy VPN solutions.
For small businesses and startups, this model provides enterprise-grade security without requiring expensive infrastructure investments.
At Sudo-Sec, we help organizations secure cloud environments, reduce attack surface exposure, and modernize security architecture using practical, scalable solutions.
If your organization is evaluating Zero Trust implementations, external attack surface monitoring, or cloud security hardening, now is the time to start building toward a more resilient infrastructure model.