Protect Microsoft SQL Server with a Cloudflare Tunnel and Cloudflare Access
Microsoft SQL Server is a database server engine used in a wide variety of organisations for storing their data. Sometimes, it can be necessary to provide access to this data from remote locations (such as to remote workers, or to services running in remote locations).
A Cloudflare Tunnel when combined with Cloudflare Access can provide secure access to a Microsoft SQL Server instance without requiring any ports to be opened or a VPNs to be configured.
Introduction
In this post, I am going to provide details on how to configure a Cloudflare Tunnel with Cloudflare Access rules to provide a secure connection to a Microsoft SQL Server instance. I will use the hostname mssql.jflower.co.uk
as the public hostname for the instance.
Creating the Cloudflare Access Application
The first step is to create an application in Cloudflare Access. This will ensure that the access control measures have already been defined before we create the tunnel.
This can be done through the following steps:
- Go to the Cloudflare for Teams Dashboard
- Open the Access menu and select Applications
- Click the Add an application button
- Select self-hosted
- Enter an application name and application domain and click the Next button
- Setup the application policies to suit your requirements and click the Next button
- Click the Add application button
In my configuration, I am using mssql
as the subdomain, which I will be using later on.
Now that the Cloudflare Access application has been created, we need to create a tunnel and install cloudflared on the server hosting the Microsoft SQL Server instance.
Creating a Cloudflare Tunnel
A Cloudflare Tunnel can be created through the Cloudflare for Teams Dashboard. This will allow us to manage the tunnel through the web interface, and download cloudflared preconfigured to connect to the tunnel.
- Go to the Cloudflare for Teams Dashboard
- Open the Access menu and select Tunnels
- Click the Create a tunnel button
- Enter a name for the tunnel. This is a descriptive name for future reference. Click the Save tunnel button
- Choose your tunnel environment and follow the instructions to setup cloudflared. Click the Next button
- Click the Next button
- On the Public Hostnames tab, enter the domain details to match the Cloudflare Access application created earlier. In my example this is
mssql.jflower.co.uk
- In the Service area, select
TCP
from the dropdown and enter127.0.0.1:1433
. If your Microsoft SQL Server instance is available on a different port, you will need to amend1433
to match yours - Click the Save tunnel button
After following those steps, a Cloudflare tunnel connector should be connected, and the tunnel status should be Active. The next step is to connect a client to the tunnel to allow access to the SQL Server instance.
Connecting to Microsoft SQL Server
We now need to establish a connection from the client to the Cloudflare tunnel. The SQL client will then be able to connect to the local proxy which will establish a connection to the SQL Server instance through the tunnel.
You will need to download cloudflared for the client platform you are using. After it is installed, a connection to the tunnel can be established with the following command.
cloudflared access tcp –-hostname mssql.jflower.co.uk --url 127.0.0.1:9210
The hostname is the public hostname defined when the application was created, and the URL is the local machine specifying an available port. This will be the address the client will use for any SQL Server connections.
You can test your connection by opening Microsoft SQL Server Management Studio (or other management software) and trying to connect to 127.0.0.1,9210
. Depending on the access rules provided when the application was created, a browser window may appear prompting you to authenticate the connection. After the connection has been authenticated, a connection to the SQL Server instance will be established.
Summary
In the steps outlined above, a new application has been created in Cloudflare Access with access control rules defined, and a new Cloudflare Tunnel has been setup to proxy connections between the client and the SQL Server instance.
From this point onwards, the tunnel can be managed through the Cloudflare dashboard, and the access control rules can be modified in Cloudflare Access as required.
If you would like to provide an improved experience for your client users, the cloudflared command required for a client connection could be wrapped in a shortcut.