Subscribe to receive notifications of new posts:

Cloudflare Agent — Seamless Deployment at Scale

2021-12-10

5 min read
This post is also available in 简体中文, Indonesia, ไทย and 日本語.
Cloudflare Agent — Seamless Deployment at Scale

A year ago we launched WARP for Desktop to give anyone a fast, private on-ramp to the Internet. For our business customers, IT and security administrators can also use that same agent and enroll the devices in their organization into Cloudflare for Teams. Once enrolled, their team members have an accelerated on-ramp to the Internet where Cloudflare can also provide comprehensive security filtering from network firewall functions all the way to remote browser isolation.

When we launched last year, we supported the broadest possible deployment mechanisms with a simple set of configuration options to get your organization protected quickly. We focused on helping organizations keep users and data safe with HTTP and DNS filtering from any location. We started with support for Mac, Windows, iOS, and Android.

Since that launch, thousands of organizations have deployed the agent to secure their team members and endpoints. We’ve heard from customers who are excited to expand their rollout, but need more OS support and great control over the configuration.

Today we are excited to announce our zero trust agent now has feature parity across all major platforms. Beyond that, you can control new options to determine how traffic is routed and your administrators can orchestrate deployment at scale. With today’s releases, we’re ready to help you fully ditch the legacy VPN and network security tools your IT teams hate.

Built to scale

Two of the most important factors in our zero trust agent are reliability across platforms and reliability of the connection. If you have ever shipped software at this scale, you'll know that maintaining a client across all major operating systems is a daunting (and error-prone) task.

To avoid platform pitfalls, we wrote the core of the agent in Rust, which allows for 95% of the code to be shared across all devices. Internally we refer to this common code as the shared daemon (or service, for Windows folks). A common, Rust-based implementation allows our engineers to spend less time duplicating code across multiple platforms while ensuring most quality improvements hit everyone at the same time.

On the reliability of connection front, if you’ve had any experience at all with traditional VPNs, you’ll know that they are error prone and slow. Our network foundation is built on our own WireGuard implementation called BoringTun. Unlike traditional and slow VPNs, we run over UDP and are optimized for the wide variation of Internet infrastructure users connect over today (ex. on a plane, at the coffee shop, a congested network in the city, etc.). Proved year over year at scale with millions of our consumer devices, BoringTun ensures your traffic is encrypted and ready for whatever policies you decide for it.

With the power to reliability scale, we now fully support the following operating systems with our agent

  • Windows 8.1, Windows 10 and Windows 11

  • macOS Mojave, Catalina, Big Sur, Monterey

  • Including M1 support

  • ChromeBooks (Manufactured after 2019) (New)

  • Linux CentOS 8, RHEL, Ubuntu, Debian (New)

  • iOS

  • Android

Built to meet your deployment model

When our agent was first introduced, the focus was on encrypting all device traffic to the Cloudflare network and allowing an admin to build HTTP and DNS policies around that traffic. We also know that customers are on a journey to migrate to a Zero Trust model. Sometimes that transformation needs to happen one step at a time.

We’ve spent that time building features that allow you to not just fully replace your legacy solution, but also run our software alongside those legacy solutions to ensure a smoother migration.

  • Domain-Based Split Tunneling - Sometimes, you don’t need to send all traffic through your security layer. We already support IP-based exclusions, but we now make it easy to create Split Tunnel rules with domain names (e.g., *.example.com or example.com)  instead of forcing you to look up the IP address CIDR for a particular domain.

  • Include-Only Split Tunnels - Our agent was initially built on the premise that all device traffic should be encrypted and sent to our network. This ensured traffic wasn’t being snooped on and allowed admins to maintain visibility. Sometimes, though, you only want to send some traffic to Cloudflare and exclude the rest by default. Include-only split tunneling does just that, allowing you to select individual routes you want going to our network. If you need a quick legacy VPN replacement to connect to a Cloudflare Tunnel resource or only want to ensure traffic to your most sensitive infrastructure is subject to HTTP inspection, use include-only split tunnel rules.

  • Improved Private Domains - Some organizations start their migration by running Cloudflare’s Zero Trust products alongside an existing third party VPN. In the past, our agent supported this configuration by letting administrators set fall back domain name resolution to send DNS queries for certain use cases through the VPN. However, it was global and lacked control over where the queries were sent. We have now added the ability to specify which DNS server should respond to private domains, and as discussed earlier in the week, can be used with our new Zero Trust networking capabilities.

  • Posture-only mode (coming soon) — We’ve talked previously about the importance of device posture and our capabilities. In the first quarter of 2022, we’ll ship the ability for our agent to run in posture-only mode. That is our client will not process any DNS requests or send any other traffic to us. This allows you to onboard Cloudflare Access posture policies without turning on HTTP inspection for your users.

Built for seamless configuration

Deploying any agent to tens of thousands of users can become a logistical hurdle. We built the Cloudflare for Teams agent to be seamless to deploy at scale in your team. Today’s announcement gives you more options to rolling out the agent to your entire organization with API and Terraform based controls.

Automating administrative tasks is the best way to keep them consistent. At Cloudflare, we build our UI on top of a set of RESTful APIs based on HTTPS requests and JSON responses. These same APIs in the case of our device management are then exposed to users via our API Documentation and additionally via our Terraform provider. Everything exposed in the web version of https://dash.teams.cloudflare.com/ is available via one of these interfaces.

As an example of how you can accomplish automation, we’ll take a look at our domain-based split tunneling. For reference, here’s the API documentation and the Terraform equivalent.

To create a domain-based include rule for example.com:

curl -X PUT "https://api.cloudflare.com/client/v4/accounts/699d98642c564d2e855e9661899b7252/devices/policy/include" \
     -H "X-Auth-Email: user@example.com" \
     -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
     -H "Content-Type: application/json" \
     --data '[{"host":"*.example","description":"Include all traffic to example.com in the tunnel"}]'

That same rule could be created in Terraform with this:

# Including *.example.com in WARP routes
resource "cloudflare_split_tunnel" "example_split_tunnel_include" {
  account_id = "699d98642c564d2e855e9661899b7252"
  mode       = "include"
  tunnels {
    host        = "*.example.com",
    description = "Include all traffic to example.com in the tunnel"
  }
}

Another common task is to generate a report of enrolled devices. Using the Device List API, the following example shows how to list all Windows devices registered with your organization:

curl -X GET "https://api.cloudflare.com/client/v4/accounts/699d98642c564d2e855e9661899b7252/devices?type=windows" \
     --header 'Authorization: Bearer 8M7wS6hCpXVc-DoRnPPY_UCWPgy8aea4Wy6kCe5T' \
     -H "Content-Type: application/json"

Running that command would return JSON that looks something like this:

        {
            "created": "2021-12-01T17:14:23.847538Z",
            "device_type": "windows",
            "gateway_device_id": "215f9adc-52ca-11ec-9ece-f240956bdf5f",
            "id": "215f9adc-52ca-11ec-9ece-f240956bdf5f",
            "ip": "150.111.29.1",
            "key": "0mS9vj2gk0KNcXoi50pwfuL49WT0rLGAcX2gVze3ixA=",
            "last_seen": "2021-12-01T17:14:30.110663Z",
            "mac_address": "00:0c:29:6f:11:93",
            "model": "VMware7,1",
            "name": "MYVMWin10",
            "os_version": "10.0.19042",
            "serial_number": "VMware-56",
            "updated": "2021-12-01T17:14:30.110663Z",
            "user": {
                "email": "user@example.com",
                "id": "6a8e079d-8a33-4677-b610-a5e361c0c959"
            },
            "version": "2021.11.278"
        },
        {
            "created": "2021-11-08T23:59:37.621164Z",
            "device_type": "windows",
            "gateway_device_id": "ee02da10-40ef-11ec-bb68-6a56f426bb46",
            "id": "ee02da10-40ef-11ec-bb68-6a56f426bb46",
            "ip": "98.247.211.1",
            "key": "DhUI8nqeVrXL1JFhYbeCFmkeu/XEkkEjVmcZ8UraTDI=",
            "last_seen": "2021-11-08T23:59:37.621164Z",
            "model": "Latitude 7400",
            "name": "CloudBox",
            "os_version": "10.0.19043",
            "serial_number": "7CHR3Z2",
            "updated": "2021-11-23T20:03:12.046067Z",
            "user": {
                "email": "user2@example.com",
                "id": "39663a0d-9f7c-4a24-ae7f-f869a8cf07f1"
            },
            "version": "2021.11.34"
        },

Built for anyone to administer

As part of today’s releases, we also announced partnerships with MDM providers as a mechanism you can use to deploy software with your users. We also know that some organizations do not yet have an MDM or have administrators managing the deployment who prefer a visual user interface.

In the next few weeks we’ll be turning on, in beta, the ability to manage aspects of client behavior directly from the dashboard. This will allow you to immediately make changes to the client configuration without having to push a new version of the client.

What's coming next

Next year is an exciting time for the client when we are really going to double down on the supportability and flexibility of clients once deployed. Some of the features that we are most excited to deliver are:

  • Device settings by User/Group where you will be able to specify client settings (e.g. who is allowed to update, split tunnel rules, etc.) to different users

  • Posture-only mode allowing you to onboard additional Cloudflare Access posture controls if you aren’t yet ready for Cloudflare Gateway

  • Additional Linux distro support so everyone in your organization can be protected

  • Telemetry and Analytics about how devices in your organization are performing as it relates to our client and traffic flowing to Cloudflare’s network

Get Connected Now

You can find downloads for all our clients listed below:

Windows Download Beta Download Release
macOS Download Beta Download Release
Linux Setup Repository Download Packages
iOS Download Release
Android/Chrome Download Release
Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
CIO Week

Follow on X

Kyle Krum|@KyleKrum
Cloudflare|@cloudflare

Related posts