Archive

Category Archives for "Networking"

Dogfooding from Home: How Cloudflare Built our Cloud VPN Replacement


It’s never been more crucial to help remote workforces stay fully operational — for the sake of countless individuals, businesses, and the economy at large. In light of this, Cloudflare recently launched a program that offers our Cloudflare for Teams suite for free to any company, of any size, through September 1. Some of these firms have been curious about how Cloudflare itself uses these tools.

Here’s how Cloudflare’s next-generation VPN alternative, Cloudflare Access, came to be.

Rewind to 2015. Back then, as with many other companies, all of Cloudflare’s internally-hosted applications were reached via a hardware-based VPN. When one of our on-call engineers received a notification (usually on their phone), they would fire up a clunky client on their laptop, connect to the VPN, and log on to Grafana.

It felt a bit like solving a combination lock with a fire alarm blaring overhead.

But for three of our engineers enough was enough. Why was a cloud network security company relying on clunky on-premise hardware?

And thus, Cloudflare Access was born.

A Culture of Dogfooding

Many of the products Cloudflare builds are a direct result of the challenges our own team is looking to address, and Access is a Continue reading

Migrating from VPN to Access


With so many people at Cloudflare now working remotely, it's worth stepping back and looking at the systems we use to get work done and how we protect them. Over the years we've migrated from a traditional "put it behind the VPN!" company to a modern zero-trust architecture. Cloudflare hasn’t completed its journey yet, but we're pretty darn close. Our general strategy: protect every internal app we can with Access (our zero-trust access proxy), and simultaneously beef up our VPN’s security with Spectrum (a product allowing the proxying of arbitrary TCP and UDP traffic, protecting it from DDoS).

Before Access, we had many services behind VPN (Cisco ASA running AnyConnect) to enforce strict authentication and authorization. But VPN always felt clunky: it's difficult to set up, maintain (securely), and scale on the server side. Each new employee we onboarded needed to learn how to configure their client. But migration takes time and involves many different teams. While we migrated services one by one, we focused on the high priority services first and worked our way down. Until the last service is moved to Access, we still maintain our VPN, keeping it protected with Spectrum.

Some of our services didn't Continue reading

Daily Roundup: VMware Pulls FY21 Forecast

VMware withdrew FY21 guidance citing coronavirus concerns; Kubernetes 1.18 ramped up Windows...

© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.

Amazon, Microsoft Dethroned in China’s Public Cloud Market

In China’s case, being bigger than the rest plays to its advantage in positioning three Chinese...

Security Experts Battle Hackers, COVID-19 Cyberattacks

Threat researchers at Microsoft, ClearSky, and Okta are among the hundreds of security experts...

Chipmakers Prep for Pandemic Threat on Supply Chain

As chipmakers scramble to limit the effect of COVID-19 on supply chains, IDC analysts reported an...

Member News: Ethiopia Launches Internet Society Chapter

Ready, set, launch: An Internet Society Chapter launched recently in Ethiopia, with a goal of advocating for the development and expansion of open, secure, trustworthy, and affordable Internet access to everyone in the country. The idea of starting an Internet Society Chapter came from a workshop, “where we became conscious of the fact that more than 85% of the Ethiopia population is losing countless opportunities every day because they don’t have access to the Internet,” wrote Adugna Necho, a networking professor at Bahir Dar University. “We believe the Internet is for everyone and we are here to work with all people – from communities to businesses to governments and ordinary people to connect the unconnected and create a bigger and stronger Internet in Ethiopia.”

More Internet, please: The Internet will keep people connected while the world deals with the coronavirus pandemic, the India Chennai Chapter notes. Governments should resist urges to shut down service, the Chapter says. “With factories, offices, public places, transportation, schools and colleges shut down, and no clear picture of whether normal life would resume in 4 weeks or 4 months, it is the Internet that could make life go on,” the Chapter writes. “While it is Continue reading

VMware Pulls 2021 Guidance Citing COVID-19 Risk

In an SEC filing, VMware said COVID-19 posed a risk to its “business operations, financial...

The Bane of Backwards Compatibility

I’m a huge fan of video games. I love playing them, especially on my old consoles from my formative years. The original Nintendo consoles were my childhood friends as much as anything else. By the time I graduated from high school, everyone had started moving toward the Sony Playstation. I didn’t end up buying into that ecosystem as I started college. Instead, I just waited for my brother to pick up a new console and give me his old one.

This meant I was always behind the curve on getting to play the latest games. I was fine with that, since the games I wanted to play were on the old console. The new one didn’t have anything that interested me. And by the time the games that I wanted to play did come out it wouldn’t be long until my brother got a new one anyway. But one thing I kept hearing was that the Playstation was backwards compatible with the old generation of games. I could buy a current console and play most of the older games on it. I wondered how they managed to pull that off since Nintendo never did.

When I was older, I did Continue reading

COVID-19 Response – A Letter from Our CEO

As a leading supplier of cloud networking equipment globally, Arista plays a critical role in supporting the cloud communications and computing infrastructure that will keep the world running during these difficult times. The rapid acceleration of Covid-19 developments across the world has been sudden and shocking. It has forced us to take a new perspective on gratitude for what we have, including our families, health and an opportunity to rethink our goals.

Using Cloudflare to secure your cardholder data environment


As part of our ongoing compliance efforts Cloudflare’s PCI scope is reviewed quarterly and after any significant changes to ensure all in-scope systems are operating in accordance with the PCI DSS. This review also allows us to periodically review each product we offer as a PCI validated service provider and identify where there might be opportunities to provide greater value to our customers.

With our customers in mind, we completed our latest assessment and have increased our PCI certified product offering!

Building trust in our products is one critical component that allows Cloudflare’s mission of “Building a Better Internet” to succeed. We reaffirm our dedication to building trust in our products by obtaining industry standard security compliance certifications and complying with regulations.

Cloudflare is a Level 1 Merchant, the highest level, and also provides services to organizations to help secure their cardholder data environment. Maintaining PCI DSS compliance is important for Cloudflare because (1) we must ensure that our transmission and processing of cardholder data is secure for our own customers, (2) that our customers know they can trust Cloudflare’s products to transmit cardholder data securely, and (3) that anyone who interacts with Cloudflare’s services know that their information is Continue reading

Barbaric Balancing

Recently I stumbled upon the IETF draft about PIM Designated Router Load Balancing (DRLB) and it reminded me of something absolutely barbaric.

Introduction

In L3 multicast, load balancing is simple. If the RPF route is ECMP, the router can choose …

Video: IPv6 Security Overview

When I saw my good friends Christopher Werny and Enno Rey talk about IPv6 security at the RIPE78 meeting, another piece of one of my puzzles fell into place. I was planning to do an update of the IPv6 security webinar I’d done with Eric Vyncke, and always wanted to get it done by a security practitioner focused on enterprise networks, making Christopher a perfect fit.

As it was almost a decade since we did the original webinar, Christopher started with an overview of IPv6 security challenges (TL&DR: not much has changed).

Is 800G Enough to Scare Away the Optical Bogeyman?

"The old way of growing the bandwidth of fiber is going to be increasingly difficult," said...

Huawei Boosts 2020 R&D to $20B

The spike in investment represents nearly a 41% increase from Huawei’s previous guidance for the...

Microsoft Digs Deeper Into 5G With Affirmed Acquisition

The deal adds a virtual evolved packet core element to Microsoft's already established cloud-based...

What Social Media Theorists Say About The Impact of the Internet on our Relationships

Social media was completely unheard of two decades ago, but today it is an integral part of most people’s lives. Social media theorists have different opinions on how the internet affects our relationships. Some of these social media theorists claim that the internet has improved relationships, while other theorists claim that the internet has a negative effect on real-world relationships.

The truth is that the theorists on both sides of the question are right. Here’s why.

How Social Media and the Internet Can Aid Relationships

Social media and the internet have the ability to aid relationships in the following ways. It helps family members and friends stay in touch, even when there is a huge gap in distance and time between them. Even for those people who live a busy life, staying in touch through emails and texts is a quick way to let those people you care about know that you are thinking of them, while connecting through social media means that you have a means of keeping up on what is going on in their life. While it may not be ideal, it is a way for people to be able to hold onto the bonds Continue reading

Virtual Data Centers, SDN, and Multitenancy

When you aren’t the size of Netflix, you may not be guaranteed dedicated infrastructure within a data center; you have to share. Even in larger organizations, multitenancy may be required to solve regulatory compliance issues. So what is multitenancy, how does it differ from other forms of resource division, and what role do networks play?

Gartner Inc. defines multitenancy as “a reference to the mode of operation of software where multiple independent instances of one or multiple applications operate in a shared environment. The instances (tenants) are logically isolated, but physically integrated.” This is basically a fancy way of saying “cutting up IT infrastructure so that more than one user/department/organization/and so on can share the same physical IT infrastructure, without being able to see one another’s data.”

That “without being able to see one another’s data” is the critical bit. Allowing multiple users to use a single computer has been possible for decades. Multi-user operating systems, for example, can allow multiple users to log in to a single computer at the same time. While this approach does allow multiple users to share a physical piece of IT infrastructure, it isn’t multitenancy.

In a multi-user OS, the multiple users Continue reading