WARP to WARP: connect to any other device
Presented by: Abe Carryl, Kenny Johnson, Michael Keane
Originally aired on August 4, 2023 @ 8:00 AM - 8:30 AM EDT
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Abe Carryl, Kenny Johnson, and Michael Keane.
Tune in all week for more news, announcements, and thought-provoking discussions!
For more, don't miss the Cloudflare CIO Week Hub
Transcript (Beta)
Everyone, thanks for tuning in to Cloudflare TV, and I hope you're enjoying CIO Week so far.
This week we're launching a bunch of new capabilities and products and partnerships that are essentially just helping IT teams do their jobs better and faster.
I'm Michael Keane and I'm on our Zero Trust team, joined by two of our product managers, also in the Zero Trust team.
And our Zero Trust platform is a really fun thing to work on because we just keep identifying new use cases and ways that organizations are modernizing their security and Cloudflare keeps figuring out new ways to help.
So this segment is all about finding a new pretty easy way to build a private network on Cloudflare with our Warp to Warp connectivity, which we're going to dive into in a bit.
It's all part of our Zero Trust platform. Just to set the ground in case you're less familiar with our Zero Trust side of the house and are in learning mode: Cloudflare Zero Trust is our platform that helps folks get started with the Zero Trust trend, whatever that might mean to them, whether they're starting with their secure access and considering getting rid of that VPN, or helping their developers access privileged access tools, or helping out with third-party users and contractors. They might be concerned with the threat defense side of the house, with phishing and ransomware on the rise.
So they're looking at maybe DNS filtering, or actually loading certain sites in a remote browser, or maybe they're trying to regain control and visibility over their SaaS tools, and they're thinking about the Google and Microsoft suites and how do I bolster security there?
Is my email security strong enough? So there are so many different components to our Zero Trust platform that we're always finding new areas to innovate.
And this one in particular, again, we're talking about two devices, running our device agent and a new way to accomplish even easier connectivity.
So let's talk about someone starting out with Cloudflare Zero Trust, they're deploying this solution.
Abe, what should they be thinking about in terms of app connectors and device agents?
And how do those pieces work, the on and off ramps? Yeah, great question.
So, hi, my name is Abe Carryl, and I'm one of the product managers for Zero Trust.
And yeah, that's a great question.
So I'd maybe frame that first by talking about which of those use cases you walked through we'd be specializing on here.
We're focusing in on, to your point, remote access: one of the things that you often want to do is either build a private network or gain access to a private network.
So one of the things that we've allowed you to do with Cloudflare is to effectively use the Internet as your backbone, to use the Cloudflare network as your own private network to build kind of an overlay network on top.
One of the ways that we've traditionally deployed that for customers is through two different tools called Warp and Tunnel.
So we kind of commonly referred to that model as Warp to Tunnel.
In that model, you use the Warp agent, our device agent, to basically establish a WireGuard tunnel to connect your users to Cloudflare, and send all of their device traffic to the Cloudflare network.
And then on the other end of that connection, you'll have your network, your private network, which may live on your home network or in public clouds, connected through Cloudflare Tunnel.
And the way that Cloudflare Tunnel works is it essentially establishes four outbound-only connections to the Cloudflare network, to two distinct data centers in two different regions, and then four connections to four different servers.
That way, in the event that, for one reason or another, one of those connections or one of those data centers is down, you still have reliability and failover to other data centers.
So what we'll do is by effectively allowing your users to connect to Cloudflare and then allowing your networks to connect to Cloudflare, we can create that connection that your users need to reach their private resources.
Then kind of in between that they can layer on Zero Trust security policies to determine not just who can reach what, but what users are able to reach which resources.
And, Kenny, that's probably a good point to intro you for kind of our ZTNA side of the house.
Yeah, absolutely. And good to meet everybody, my name is Kenny Johnson.
I'm also based out of Austin, Texas, and I'm the product manager for the Cloudflare Zero Trust Network Access solution, sometimes referred to as ZTNA, Cloudflare Access.
So yeah, for the CIOs and just IT professionals broadly on the call, I think that an immediate question might pop up in your mind around, Hey, isn't this the same as a VPN?
Or, this sounds very similar in terms of you're putting a piece of software on the device that on-ramps to a piece of my infrastructure.
However, the really big difference is that you are able to create really granular policies at the network, user, and device level to control exactly who and with what device can access a particular resource.
So instead of doing something with a VPN where you say, given the user connects using OpenVPN or another popular solution, then they can reach this broad CIDR range within your private network, and then you're creating firewall policies that aren't really centered around any specific application or anything like that.
It's just typically broad IP ranges that are really difficult to control. Instead, you can flip it around and create your policies in a way that humans actually think: you can set and create your policies based around application objects and application containers.
And that can be around whether or not an application exists at a specific IP address, a specific hostname, either internally or externally.
And then you can craft specific policies for those application containers that you've created to then look at things like, Is the user in the location that they're supposed to be working in?
Like are they in the United States or are they trying to connect from a different country across the world?
Are they accessing from a device that's been issued by the company or is it their personal device?
Is it a device that has been patched against zero-days? You have a lot of granular control over whether or not a user can or can't get access.
And today's announcement in Warp to Warp is another big step forward because typically to onramp to resources within your private network, you have to have some piece of software installed on the origin side as well as installed on your user's device.
And what we're now able to do is do this all with the Cloudflare Warp client, which we'll talk a little bit more about what that looks like.
But that makes it much easier because you're installing one thing across your entire infrastructure and then it gives you really powerful flexibility to connect to anything but then also granular control from a filtering perspective to decide whether or not a user should or shouldn't have access.
So I'll pass it over to Michael to talk a little bit more about the specifics of what just got announced today.
Yeah. Let's play back the before and after. So we're talking about Zero Trust network access and locking down those resources, replacing those VPNs.
And how often we need these enabling software components, with a connector like Cloudflare Tunnel connecting the resources themselves, and often also Cloudflare Warp as the device agent installed on user devices.
So, Abe, you want to rehash what Kenny just said about kind of the before and after of what folks used to need to connect two devices and why now it might be a little bit even easier and faster than before.
Yeah, sure.
In short, to Kenny's point, you know, effectively what we've given users the ability to do is to create that private network without needing the connector on the other side or on the origin side.
So you can use the exact same software that you already have deployed to your fleet.
You can maybe split it into two different ways to use it. So maybe for the home lab user, or for the folks at home who are watching who are just generally interested in remote access of their NAS, or trying to share local dev environments, or things like that.
Maybe it's overkill to have to learn how to use two different pieces of software like Warp and Tunnel to get things up and running.
Maybe you just want to create a private network between your phone and your laptop.
Now you already have Warp deployed on both of those things. You can create a private network connection, bidirectional communication between those two devices, running just the software that you already have on your device, Warp.
So that's something really cool. Oh, sorry.
I thought you were gonna chime in there. My bad.
No, all good. Okay, cool. And then on the enterprise side, I think the cool thing that you can do now is that if you already have Warp to Tunnel deployed, or you're already using Warp and Cloudflare Tunnel, with just the click of a button, the toggle of a switch, you can now have device-to-device connectivity.
And again, like Kenny said, you can still determine which users can actually use that feature.
You can create rules to, let's say, each device is going to be assigned an IP range or IP address, something in the 100.64/10 block.
So you could basically create a policy to block all traffic to that CIDR range and then determine which users' devices, and what kind of criteria they need to meet, in order to establish those communications.
So you can already probably think through all the use cases that unlocks: the ability to switch between devices, the ability to RDP when you need to troubleshoot, to VNC to devices that you just want to log in to on your home network.
There's all kinds of use cases that unlocks both on the consumer side and on the enterprise side.
And one other piece I believe this unlocks, say, is if you need bidirectional network communication.
I think that was previously a limitation with Cloudflare Tunnel, just by the nature of the fact that it's an outbound-only tunnel.
That's something that gets unlocked with this as well, right?
Yeah, that's a great call out.
So, you have a server within your private network that needs to do server-initiated traffic and push updates to individual endpoints.
That's another use case that's easily unlocked here as well, which would be really cool.
So yeah, there are kind of all kinds of interesting use cases that will come as a result of this.
And of course, one of the most exciting parts is that it's still included by default on all plans.
So, you know, if you have fewer than 50 users, you can get started with this for free today.
And I think that actually we got to run one of the first tests with this technology, which is pretty cool.
And I want to say we probably had that up and running in 5 minutes, and I'd say 4 minutes.
So that was me in my own kind of tech blunders, just trying to get started.
Yeah, I think that's cool. It's just the platform-wide trend here, it kind of falls into that industry theme of composability: however someone wants to connect to Cloudflare, we want to make that happen and we want to make it as easy for them as possible.
Whether we're talking about our device agent or connector or maybe layer three connectivity options too, we want anything to work with anything and just make it as easy for folks to get started as we can.
This is our device agent for the full Zero Trust platform, which already has plenty of visibility and control capabilities within it.
Kenny, how should we be thinking about visibility and logging and controls within the context of this new aspect of our platform?
Yeah, it's a great question, and it really is one of the strengths of our broader Cloudflare Zero Trust platform, or Cloudflare One more broadly, when you bring in a networking component: everything is built on the same rails in the same network.
So this feature on day one comes with the same set of controls that you would get from the Cloudflare Secure Web Gateway, so you're able to immediately layer specific policies on top of this traffic.
The logging infrastructure is also the same, so you are able to see real-time logs of users establishing connections between two Warp-enabled devices, and you're able to push those connections out to your favorite SIEM tool like Splunk or Sumo Logic or something in Azure or AWS.
There's a lot of flexibility in terms of how you're able to push those logs out, where you're able to then consume those logs and inspect for any security anomalies or breaches or things like that.
So not only do you have a lot of control, you have a lot of visibility to spot future and current threats and issues within the network, and it's all composed in the same network.
It's not something that we're patching together with a bunch of different disparate solutions.
It's all just being incrementally built into the same solution.
So whether it's a really heavy, massive IPsec connection that you're connecting your office down to, or the individual printer at an employee's home, or an individual's phone across the world, it's all being on-ramped to the same network and being passed through the same set of inspection.
Yeah.
Between making connecting to devices easier and unlocking the bidirectional communication, like you mentioned earlier, it seems like a really cool connectivity option that we've added, but you all kind of have the inside scoop being the product folks working on it behind the scenes.
So how did you all feel building this?
Was it a difficult task?
Did you have to dramatically change the agent itself or what can you tell us kind of behind the scenes from Product World working closely with the platform and with the agent itself or kind of what does this mean?
Yeah, so I can hit on that for a bit.
So I think that the really cool part about this and I guess to kind of encapsulate, I think you asked how did it feel to build this and I guess maybe what I would say is that it felt meaningful.
I think that it's like it's a really cool release that unlocks so many different use cases.
On our side, as far as the difficulty or the kind of challenge of building this, what's really cool is that again, kind of so to the same point, I guess a different lens, but at the same point that Kenny mentioned, it's all built on top of the same Zero Trust architecture, which makes building things like this – of course, everything in engineering is always a massive challenge in and of itself, but it made it trivial in the sense that this is just another connection in another direction.
And I think that because of the control plane that we have and because of the data plane services that we use, it isn't a massive overhaul or refactor that's required.
It's really just something that once we kind of start marching towards it, it becomes pretty easy to do.
And I think that's credit to the awesome kind of foundation that engineering's laid.
And I think that it's part of our strategy of building a stronger bridge to Zero Trust.
One of the things that we want to do, and one of the things that I know you helped pull together, was our vendor-agnostic roadmap to Zero Trust, you know.
And in that we kind of lay out that it doesn't really matter where you start your journey: you should be able to start with a phone and a laptop talking to each other, or you should be able to start with a fleet of 10,000 devices and heavy-duty IPsec tunnels.
Doesn't matter where you're coming from.
The roadmap and the kind of path to Zero Trust, there should always be a bridge to kind of meet you where you're at.
And this is just another set of features that helps users be able to accomplish that.
You know, so you mentioned that you all were some of the first folks to test this.
Can you make that more real for us or give us an example of what testing this device connectivity would look like?
Yeah, I think so.
Kenny, for maybe a demo of this feature, I think that if you log into my Zero Trust dashboard, then I can run something on my computer here and we can see if you can hit it.
Yeah, absolutely.
So I've got the negative example up already. Abe's got a service running on a private IP on his machine that he provided to me before this.
He's got it running on port 1313, and all he's running on his machine is the Cloudflare Warp client.
So all I'm going to do is I'll go ahead and switch on Warp.
I might blip for a second as it switches over the connection, but then I'll be able to show off hitting this particular endpoint.
I'm going to go ahead and connect.
I probably blipped for a second, but now you can see it cut over, and it shows Abe's got a cool web server running.
Kind of a basic little blog here with some places that I would also highly recommend in Austin if you ever come through; Via 313 and Veracruz are excellent.
Abe and his partner have great taste. But yeah, as you can see, I was able to hit a resource running on Abe's machine, and literally the only thing that needed to be running was Warp on each device, and you just needed Warp connected to the same account.
And I'm able to hit anything from a basic web server all the way up to, if I need to, SSH to a specific machine or access via RDP.
Anything from a networking perspective becomes possible now to connect to a machine and establish a connection back and forth.
So the other piece that's possible is if I go ahead and step into the Cloudflare Zero Trust view, I can create network based policies on these as well.
So what I'm able to do is I can go ahead and create policies that look at that specific IP address.
So, I forget exactly what it was, but you can imagine I hit some 100-dot IP range, and then I can do things like say that it must pass a specific device posture check.
So I want to look and see if Carbon Black is running on the machine before I allow this, on top of requiring that Warp is running.
So there's a lot of flexibility here to be able to do this down to the IP or down to the port.
So it's something we're very, very excited about, and it was cool to be able to show this one off, because I think it really starts to become real once you're able to see it live.
Yeah.
Thanks for pulling that up, Kenny. And I think one of the other really cool parts about that was, to your point, if you're doing this in more of a home lab kind of environment, you know, after Kenny and I kind of ran some of the first tests, naturally, word travels fast, and we started testing in a bunch of different environments, so you can easily switch and log out of your Zero Trust account into somebody else's.
And again, you're able to kind of get this access, that remote access, as if we were on the same physical network.
So, really cool, really powerful to be able to see that and to kind of be able to switch in and out of those accounts, to build those posture rules to determine who can reach what resources.
And again, if you ever need to look up and figure out what IP address this device or that device has, you can go straight to the Zero Trust dashboard, My Team, Users, and you'll see the IP addresses that we assign to each one of those Warp-enrolled devices.
And yeah, it should be really easy to get straight to kind of get started there.
And again, users can get started on our free plan for up to 50 users and again, for enterprises, this is something that can just be toggled on in our closed beta.
And fully acknowledging that this is live.
But we did just get a question from the audience.
So, feel free, or if you want to take a stab at this one, I'll just put out the question that we did get from the audience.
Cloudflare-specific features aside, how does the Warp to Warp feature differ from existing WireGuard-based services like Tailscale?
Yeah, good question.
So I'd say that aside from obviously the Cloudflare network at large, the level of policies that you can create and the integrations that we have with, to Kenny's point, some of those features like the third-party posture checks, those are some of the biggest things you'll be able to get here: that Zero Trust policy framework.
And some of those integrations like device posture checks and things like that as well.
Kenny, I'm not sure if anything else sticks out to you that I missed there, but those would be the things that I would say.
And of course, the fact that all this is happening in line.
So we're not backhauling traffic to a different network to do that policy evaluation.
Again, the same edge metals that you're hitting to get your traffic routed are going to be the same ones that are applying the policies.
So, yeah, I would say the performance and security aspects are probably the biggest things that I would call out there as well as the partnerships and integrations that we have.
Yeah, I think you hit it on the head.
And I would just dovetail to say I think a lot of the analysts and customers would agree that there's always going to be plenty of point solutions out there.
But to approach something like Zero Trust network access or starting your Zero Trust journey on this full platform is really going to set you up not just for your current use case and current project, but be able to build and build as that journey continues realistically over the next several years.
So maybe the last thing on this specific Warp to Warp connectivity feature: we said you can sign up for the closed beta, but what should we be expecting, timeline-wise, over the next few weeks?
Yeah, great question.
So, there's a lot more that we want to do with this, like all of our other features.
So I think there are going to be some really powerful additions that we'll be adding, in classic Cloudflare fashion, in the coming days and weeks, not months and quarters.
So definitely stay tuned to the blog to see some of those announcements. As far as the closed beta goes,
we should be enrolling users in line, so give us a day or two to kind of collect and then enable.
But this feature is ready for testing. So as we receive your name on the wait list, we hope to get users enrolled very, very shortly after that.
So definitely ready for testing and excited to get everyone's feedback.
All right.
Well, thanks, Abe and Kenny, for joining for the quick demo to make it real.
And thanks, everyone, for tuning in, and enjoy the rest of CIO Week.
Thanks, y'all.