1️⃣ Tunnel Private Network Discovery
Join our product and engineering teams as they discuss what products have shipped today during Cloudflare One Week!
Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!
Hello and welcome back to Cloudflare TV. This week we have been going through a bunch of innovations and announcements for Cloudflare One and I'm your host today, Noelle Gotthardt, one of our product managers within the Zero Trust organization.
And I'm really excited to have here today Abe Carryl, our product manager for Tunnel.
Today we are announcing something very exciting that I'm sure Abe is very excited to talk about.
Private Network Discovery. So Abe, before we really dive into it, can you introduce yourself a bit for the audience?
Thanks for the introduction. And my name is Abe Carryl, I'm the product manager for Cloudflare Tunnel.
I've been at Cloudflare for about two years and I've worked on a lot of different areas of the Zero Trust suite.
So super excited to be talking to you all today and really excited to talk about Private Network Discovery.
It's a feature that I've been really excited about for quite some time.
I'm definitely excited to have it in closed beta and get some customers using it, but I'm sure we'll dive more into the details of it in a second.
But yeah, I'm really excited to be here.
And I'm super excited to talk to you about it. So first, sort of backing up, because this is a question that we both get all of the time and we're always sort of excited to sort of go into the background here.
But what exactly is Zero Trust and why is it beneficial for customers?
Yeah, great question.
This is kind of the heart of really what we talked about earlier this week in some of our Zero Trust roadshows that are happening at the exact same time.
We had one in San Jose earlier this week. We had one in Dallas on Wednesday that I drove up for.
I think we have ten more cities coming up, so definitely check those out.
I'll see if I can get the list and share those at the end.
But it was a huge part of the discussion was, What is Zero Trust?
For us, it's a product suite.
We have an entire Zero Trust product line that includes things like Zero Trust Network Access and Secure Web Gateways and CASB and DLP and all the kind of things that come along with it.
But really, Zero Trust is a principle and it's a kind of never trust, always verify approach to security, where each and every request that's sent in your network, outside of your network is validated first on Zero Trust policies that are identity-driven, device-driven, so you can ensure that you're not just opening up an entire network range or an entire network segment to say all of these users, once they're here, are trusted by default.
You're actually saying evaluate each one of these requests and ensure that only the right users can reach the right resources at the right time.
And that's kind of my short pitch for what Zero Trust is.
I like the way you summarize it. Thank you.
So then sort of pivoting off of what Zero Trust is and you're the product manager for Cloudflare Tunnel, so can you describe a little bit more about what Cloudflare Tunnel is and how it works?
Cloudflare Tunnel has a really interesting kind of story at Cloudflare. It was launched about four years ago and it really started as a way to...
as really an origin IP protection solution.
So a way to obfuscate your IP for private resources that you want to connect to Cloudflare.
The role that it kind of plays within Zero Trust, though, is to act as a as a connector, a lightweight connector that establishes connectivity between your private network and Cloudflare.
So I like to say that it's an easy way or one of the easiest ways to connect your resources to Cloudflare.
In this case, for the purposes of this conversation, we'll mostly be talking about connecting your private network segment to Cloudflare and building your private network on Cloudflare.
But the short is that it's a lightweight connector that you can deploy anywhere within your private network, deploy on your subnet and then have connectivity to that, to that entire network range over Cloudflare Zero Trust.
There's a lot of different ways that we can get traffic to you.
We call those on-ramps, and then there's a lot of different ways that we can evaluate that traffic and we call those filters generally.
So things like Access and Gateway, the products I'm sure all of our viewers are familiar with.
But yeah, that's a little bit about Tunnel and kind of the origin story and how it relates to Zero Trust today.
Yeah, that's super cool. So then exactly, you sort of mentioned this in terms of where we're going, but how do tunnels connect to a private network, and I guess a little bit more specifically?
Yeah, for sure.
So I like to talk about it as like as kind of a three-part recipe.
So to kind of form this cohesive private network or Zero Trust private network, we want to do three things.
We want to make sure that end user device traffic gets to Cloudflare.
We want to make sure that when that traffic gets to Cloudflare, that we send it as as securely and performantly as we can across our network and then evaluate those requests, again through Zero Trust policies, to say which requests are able to go down to your private network.
And then we want to connect your private network to Cloudflare so we kind of have a cohesive end-to-end flow of traffic.
So to kind of expand on that three-part recipe a little bit, we have our WARP agent.
It's built on the same principles and same technology as our WARP consumer app that has millions of downloads around the world.
And if you want to use that, check it out on the App Store.
It's got a lot of great reviews and you can kind of start using that today.
And that's what we use to send all of your private network traffic to Cloudflare.
And one of the key things to talk about there is that if I were to have the client deployed on my iPhone, then we'll establish connectivity to the closest data center to you.
Closest could mean geography, but generally means performance based, so whatever the closest is.
So my traffic will go from my device to the...
I'm in Austin, Texas so it would go to Dallas.
From there, then we would send it to Access or Gateway to have those Zero Trust policies applied to it.
And then we would send it to Tunnel and Tunnel would actually connect your private network.
And that's going to be connected to data centers that are as close to your origin or your application servers as possible.
So that three-part recipe kind of looks like the WARP client to get end user traffic to Cloudflare, your Zero Trust policies based on Access and Gateway that sit in the middle, and then Tunnel, which then sends those connections into your network.
And kind of to talk a little bit about that connector piece since, since I'm talking from the Tunnel perspective right now.
I'll say the tunnel's powered by our lightweight open-source connector, cloudflared, and by design cloudflared kind of operates in a high availability mode.
What I mean by that is just that, really simply, is that you deploy the agent on a host within your private network and then from there the tunnel, or cloudflared, will establish four outbound-only connections to two different data centers on the Cloudflare network and four different metals.
The reason why we do that again is high availability.
But what I mean by that is in in the event that one of those four connections ever goes down, you still have three others available to proxy traffic over.
In the event that one data center is going through a restart process or kind of like normal, normal maintenance cycles, we still have two other connections in the event that one server goes offline for an update or because different services are being restarted, you still have three other connections there too.
So that's kind of how we think about high availability with Tunnel as well.
And actually I'll take that a bit further if you don't mind and say that there's also ways that we can ensure high availability within your own private network and we call those replicas.
And essentially that allows you to deploy the same tunnel on multiple hosts, so that again, in your environment, let's say that I'm using my for me, I'm bad bad visual here, but I'm looking at my Raspberry Pi on my desk right now.
And let's say that I accidentally, and I actually just kicked it, so came to mind.
Let's say that I kicked my power cord right now and it disconnects my Raspberry Pi.
I don't want to lose connectivity to everything in my network just because my Raspberry Pi went down that has cloudflared on it.
I want to still be able to be resilient in the face of disconnects and things like that as well.
So I also have it on my Raspberry Pi out in my living room as well.
So that just is another way that you can kind of run the same tunnel from different cloudflared processes and we call those replicas.
So I know that was a bit of a long-winded answer, but that's kind of how the three-part recipe works of getting WARP traffic to the Cloudflare network, analyzing that traffic for Zero Trust policies, and then getting that traffic into your private network.
So it does sound very much like you like to test out your own product, which is pretty cool.
That's very fun. And then one other sort of background I want to dive into, and I imagine for a lot of the customers that are listening right now, they probably already know this story, but you've sort of mentioned that you're leveraging the closest point of presence based on your location, sort of to reiterate that for some of our customers.
Can you talk a little bit more about the Cloudflare network and why it is such an advantage to build on that network?
Yeah, for sure.
And right before I go into the network piece, I want to hit on something that you mentioned, which is which is the dog fooding piece.
And yeah, I love to test our own product.
But one of my favorite things is that Cloudflare loves to, loves to test our own products.
So our customer number one, one of my favorite questions that we get asked by some of our product engineering leaders is, Who's customer number one?
Is there an opportunity for Cloudflare to be customer number one of this product or this feature?
And that's one of my favorite questions to get asked. And in seeing different teams use Tunnel, it's one of the best sources of feedback that we have because if our own internal users can't set it up simply and run into issues and that's a great way for us to get feedback and a really quick kind of turn and then be able to address that and hopefully address that before it impacts anyone else.
So that's a really kind of fun cycle. I'll also say that on the personal side, we definitely, I definitely test our own products and and kind of a funny, funny story, but I also deploy it to all of all of our end devices.
So, so my fiance is also running the WARP client and and it's a great source of feedback as well.
You know, if, for example, we can't order Uber Eats or something like that because they're...
because we need a Do Not Inspect policy or something like that.
Again, just using it in your everyday life, really great way to kind of get to know the products and to have a true representative experience of what our users see as well.
And apparently two Raspberry Pis. Yeah.
...still convinced that it's a snack that I have...
So I asked you so many questions and I got you to answer the first one, but now I'm going to I'm going to point you back to the second one.
Can you talk more about the Cloudflare network?
Yeah, for sure.
So one of the things that makes the network so powerful is that A, the reach of the network, but B, the composability and the programmability of the network as well.
So I think that one of the things that's really helpful to think about whenever you're deploying Tunnel for private networks is that you want to deploy Tunnel as close to your origin servers as possible and you want your end users to connect to the closest data center as possible.
So you can kind of cut out as much as much of the roundtrip time as you as as you can.
So the fact that we have such a large network spread across the globe, 225 different points of presence in the world, is really helpful from that regard, because if you have application servers that are running in LAX and then some that are running in New York, you can kind of distribute your tunnels accordingly.
And of course, your users can also get routed that way.
We'll look at those different tunnels and we'll try to pick the most effective path to get to get your traffic to to its destination, in this case, origin servers, application servers that are running behind Tunnel.
And I think that that that reach but also that the programmability is something that's been really helpful for us.
Thanks for talking about that. So then I guess kind of kind of pivoting here to what we're really supposed to be announcing is what exactly did we announce today?
So we announced Private Network Discovery and it's, it's it's a bit of a continuation of a feature that we announced about a year ago called Shadow IT Discovery.
And really what we did with Shadow IT Discovery was start to surface different applications and SaaS applications that users are going to when they're surfing the internet, outbound traffic.
So, so things like...
So that would be useful in the example, and again, this is a a feature that we use internally too, which I love.
So a good example of that could be if you're using Google Chat at your company, and you know that that's the only thing that's that's sanctioned in your environment.
If you see a lot of users going to Slack, you know there's two different things there.
There's business drivers, but there's also IT motivators as well.
From the IT side, you want to make sure that you know why those users are using that, how they're interacting, what kind of things they're sending, so you don't, you know, I'm talking to the perfect person because data loss prevention and things like that as well.
But you also, from a business, I want to know that if I'm paying for for Google licenses, I want to know that those are being used effectively or I want to be able to, from an IT side, again, kind of switching back and forth, but going to the IT side, maybe you want to start a security evaluation of a new tool that you see that users are starting to trend and lean towards.
It's just a good way to get that insight.
It's something that that we use internally.
And I've gotten pings before that's like, hey, do we think that we should be thinking about this application?
Is it something that you're using for this purpose, for that purpose?
I think it's just a great way to have better visibility into your environment...
that a bit. That's kind of similar to what we're doing with Private Network Discovery, but for a bit of a different reason, to be honest.
So one of the things that we heard is as as customers were starting to connect their private networks to Cloudflare was This is great.
Now I have traffic flowing through my network.
And I think that's a great question. What is the next step?
How how does the...
what is the typical journey or path to Zero Trust look like? And it's not something that you should have to guess at.
It's not something that you should have to translate policies from one place to another for.
It's something that should be really intuitive. So that's what we wanted to build out of this feature was essentially to say, let's catalog each individual origin that we see requests to.
Let's catalog the users that are going to those as well.
And let's give users the ability to quickly tag all of those origins to an application and then correct, and then create Zero Trust security policies around those things.
So really, really high level. That's what the feature does, just kind of catalogs the different traffic that you see in your network and the users who are hitting those applications as well.
That's some really cool stuff right there. You sort of tapped on it a little bit, but just to kind of sort of dive further so that this really resonates with the customers who are having this problem and like trying to figure out sort of their best options, How were customers sort of presenting you with the problems that they were seeing and the challenges they were seeing and sort of how does this really address those?
Yeah, great question.
So I think the first one was that question of, Ok, what now?
I went from a world where where I was controlling access to the front door, not necessarily to...
the classic kind of hotel analogy where it's like you need a key card to get in, but then once you're in, you could go to any room.
Well, maybe that's not the most secure approach.
Maybe you want to have a key card and you only want to be able to get to the rooms that you need to have access to.
Kind of a similar approach here where customers are kind of moving from that world and saying, I don't know who needs key cards to what.
Can you help me along with that process?
So that's kind of the first use case.
I think the second is networks are constantly changing...
different applications, different ser...
being spun up constantly in these private networks and keeping track of that creates this endless due diligence cycle for network and security teams to stay on top of their environment, see what's being spun up.
If you have a tool that kind of automatically does that for you, that's great.
That's best case scenario. So that was one of the main things that we heard from customers was A, you know, I want a baseline or kind of honestly, the word that I heard the most was we want a project plan.
We want a plan to get us to Zero Trust and to help us define the policies that we need.
And then the second was, on top of those policies and that kind of path to Zero Trust, we also want we also want to be able to kind of easily tag those things as well.
That's awesome. You sort of touched on a piece that I think really has a lot of overlap with with data loss prevention.
And sort of one of the things that really comes with that challenge is like, Ok, I need the visibility.
Like I need to be able to see everything that's going on so I can really understand how to manage.
And so how are you providing that visibility to customers so that they have it and feel like they're more in control of the situation?
Yeah, great question.
So the way that we're doing that right now is we're kind of graphically representing the report.
So what is...
So I probably should have backed up.
I talked a little bit of how it works, but not but maybe not necessarily like how it actually looks and feels within the dashboard.
So the way that we're surfacing all this information is through a graphical report that essentially shows every origin that's discovered is by default, goes into an unreviewed state.
So you'll see net new origins, let's say, for example, speaking of dog food, one thing that we do is we use our own kind of custom video conferencing system to test our UDP traffic and make sure that we're trying new things and always kind of monitoring that state.
So that's one thing that we set up within our own private network that we test every day.
So for that, it talks on, I'll use I'll use some examples, but it talks on 10.0.0.1, 443, 80 and a media port at 10,000.
So, or 1000, sorry.
So of those, those are three different origins.
Each one of those would surface uniquely within your report.
They would all have a base unreviewed state.
And then you can kind of view all of these origins real time as traffic is kind of going through and we'll catalog each one of those uniquely.
We classify an origin as a unique protocol, port, IP and virtual network for your tunnel.
Once you do that, you can kind of click into their report, you can get a more table view and then you can kind of define each individual origin specifically.
What I really like about this feature is that the origins by themselves are interesting, but generally to that exact point of the video conferencing system.
Those three origins are really what compose the entire application and there's really no need that that you would want to block access to, I don't know, just one of those three origins.
You're going to want to treat that as a as a single application.
So we've allowed the ability to tag each one of those three origins into one application and kind of logically group those things.
And then from there, you'll see our our team, our tunnel engineering team, for example, has, you'll see all, each one of those members making requests to that application.
And it kind of inherently builds that policy for you because now you can kind of say, okay, so I know that these three things are our video conferencing system.
I know that I can pull these all into an application.
I can see all the users who are going to them.
I can build the Zero Trust policy against that, and it kind of like again starts to build that project plan for you.
So so I don't know if that if that answers your question.
I know I hopped around a little bit.
So so yeah, that's that's kind of how it manifests itself in the Zero Trust dashboard.
No, that's awesome. It was a, it's a great discussion of how you see it and how it really helps guide the customer.
I'm backtracking here a little bit, but it was also just sort of something I was I was interested in and we talked about the fact that you're solving a customer problem.
How do you really drive the product management perspective of something like this?
So you're you're sort of seeing this customer problem. How do you walk through that process of like Ok, a customer's saying they have this issue?
How do you approach, Okay, I'm going to build a solution for them?
Yeah, great question.
So I think that I think that that's one of my favorite parts of working in product at Cloudflare is that I don't feel like there's often a lot of guessing involved of, I wonder if customers want this.
I wonder if customers want that. Generally, it's, it's pretty it's pretty direct feedback.
And we and we have a really strong idea directly from the customers.
And it really feels like a like a fairly straightforward interaction of customers all kind of reach logical points in the evolution of the product where they see different features being built in the dashboard.
Naturally, more than one kind of says, Huh, that's interesting.
Like, what if I could do this?
And it kind of snowballs.
I've very, very rarely seen features where we had to go out and, you know, I don't I don't want to I don't want to oversimplify it.
But but I think that a lot of times it's it's it's not a large vision quest.
It's just a snowball of customers all saying, hey, you know, it would be great if we could have a project plan that tells us what policies we need to build.
And that's exactly how it worked here.
I think that there was some creative freedom there of how should we build this specifically?
And I think things like Is it helpful to have states associated with unreviewed, reviewed, approved, unapproved applications?
Is the graphical representation something that's helpful?
Should we allow users to tag assets and tag them as like this is billing or that's not?
So there's some sort of creativity there and in the requirements gathering process, kind of going back and saying, hey, would this be helpful?
An example is, is labels, you know, that's something that that at first thought maybe it would be helpful, but I think that as we started talking to customers, they were like, Yeah, maybe, but I don't see that being incredibly impactful.
So something that was easy to cut from scope.
But yeah, again, I know I kind of bounced around a little bit there, but I think that a lot of times I feel like there's there's not much ambiguity.
It's it's my favorite aspect of the job is having a lot of direct communication with customers and kind of getting to hear directly from them, and really taking their feedback into account and not trying to overcomplicate it and say, Well, they said this, but they probably mean that.
You know, I think it's it's often just really helpful just to just kind of listen to the problem and go try to build the thing that you think's going to solve it.
That's that's awesome.
And I agree with you in terms of just the ability to get such great feedback from our customers.
And they really do make the job a lot easier because they are so engaged with with solving the problem with us.
How did you feel about building this specific feature? Like was this one a big accomplishment?
Was this one a big challenge? Sort of like walk me through that experience for you.
Yeah, it's probably not a secret.
And I know this will be surprising to all of our all of our viewers, but I'm a very excitable person, so I was very excited to build this feature.
But but I was excited for a lot of reasons.
I think that for for one reason, just the fact that that it felt like it was solving a very clear problem.
It felt like it was it was something very intuitive to go build.
It felt like it was a logical progression on something that we already had.
We felt very well positioned to go do it.
And again, something that ultimately not only gives you better observability, but helps you get to where you want to go faster and that's to deploying Zero Trust at scale.
So I think that it was exciting from that regard and I think that it was a it was a fun feature to go build as well because we got to touch so many different aspects of things.
But some of my favorite parts were, you know, we always try to think about, "A feature's not fully launched until it's easy to use and it's well integrated and it kind of like gives you that end-to-end experience." So I think from that perspective, this feature hopefully does that and not...
doesn't just surface information for you, but gives you a really easy way to act on that information, plug that information into Cloudflare Access, build policies, and then kind of again have that contained experience without losing your context, hopping around the dashboard or doing things like that.
So I think that that to me was probably the most exciting piece, was just tying things together because of, again, a lot of the one plus one equals three nature of of the Cloudflare network and of the Cloudflare Zero Trust and Cloudflare One suite.
It sounds... you can hear how excited you are about the product, which is is really cool.
So then what's next?
You've got to be already be thinking about it. You can't have this much excitement and then not be already planning the next ten steps down the road.
So what have you got cooking going next?
So for, for... There are a lot of exciting features coming up in Zero Trust, but I think that for this feature specifically, I'm really excited for V2 of it.
Version two, we're going to do something I think pretty neat where we're not just going to surface the IPs, we're going to do a reverse lookup and surface the hostname associated with that as well.
That kind of again like just takes out one of those quick hops where it makes it to where you don't have to go and say, okay, 10.0.0.1...
ok, that's my, my video conferencing system.
Let me go plug that back in. We'll just show you that it's video.meet.com and you can kind of run from there.
So I think that that I'm super excited for that.
We kind of do that a little bit now with SNI, to the extent that we already have the hostname, we can pull that in.
So that will be really exciting.
And yeah, some of the I think that kind of the next logical progression there will probably be more tunnel analytics.
So giving you more reporting and kind of alerting on the state of your tunnel, the traffic that's going through it, where that's going, and then of course the next logical step there would be taking that in a layer and saying, what about the applications and the resources behind that tunnel?
What are the health of those?
And a big piece of that is supporting ICMP traffic. So that's something that's coming up as well.
Right now we have full TCP and UDP support.
So all things that kind of, again, logically chain onto them or onto each other, I should say so.
So, yeah, I'm really excited.
I think that, I think there's a lot of really cool things coming.
There's some other things that that that I'll hold onto in the chest for now, but that are going to be really exciting that we'll start working on in Q4.
But those are some of the things that I'm most excited about right now.
And again, your excitement is definitely palpable, which is pretty cool.
I'm going to I'm going to kind of change tones a little bit here. But so say someone sort of stumbled upon this broadcast and they haven't been thinking much about Zero Trust and they hear you talking about it and hear some overlaps but aren't really sure where to start.
So if if you're a new customer and you're interested in Zero Trust and you kind of want to get involved, how would you recommend that you start the Zero Trust journey or consider starting a Zero Trust journey?
I love that question.
I think that...
and that's another one that we got a lot at the Zero Trust Roadshow. So again, if you're in one of the cities that we're coming up to, I think we're going to Toronto, D.C., Miami.
Chicago is on the list.
I believe Seattle is on the list.
Seattle is on the list.
I'm attending New York and Phoenix, so they're on the list.
There you go.
Yeah. So so we have a lot of these coming up. I definitely recommend trying to make it to one of those sessions, if you can.
This was a question that came up a lot, and I'd say that that that just to kick off, we have a free plan that's free up to 50 users.
Really easy to get started.
Takes less than 5 minutes to sign up for an account.
And then the the some of the processes that we talked about today are really quick as well.
You can build tunnels directly from the dashboard and just have a small install script that you put in your command prompt.
It's really, really easy to get started, so I definitely recommend that.
Outside of that, one of the easiest things to do is to sign up for a workshop with either Noelle or myself.
Feel free to email us directly, find us on Twitter or Reddit or wherever you can find us.
But we're more than happy to set up those workshops because to be honest, the path is very different for every single customer.
Some of the easiest....
That's a bit of a non-answer though. So I'll say that the easiest places to get started oftentimes are in use cases where you have where you have a need for additional access for contractors and you have, let's say, like a timesheet application that most of your customers go to, or sorry, most of your internal users go to.
But you also need contractors to access that.
That's a great place to get started.
It's also really helpful because with Access you can use multiple IdPs.
So let's say that you have a design team that you're hiring and you use Google, but they're using Okta or something like that.
Very easy to get them onboarded to Figma or to timesheet apps or things like that.
I'd say also find other applications.
Generally, I always kind of recommend to find the largest one and kind of start there, but it's also it's not right for everyone.
So starting with a small use case like contractors or something like that is really easy as well.
There's other really cool use cases for smaller teams, developer teams; SSH in a browser is a really cool tutorial that we have online that you can check out.
That is another great way to get started.
So it kind of depends on on your team, but I think the important takeaway is that the free plan is free for up to 50 users.
So it should support most use cases to kind of get started.
And you can start with things like Access for contractors, Access for a web-based application or even using Tunnel and Access for non-HTTP flows for like developer use cases and things like that.
Yeah, it's a great product suite, so I'm excited to hear you talk about it even though I know about it.
Are there any other places that you can, that our customers can kind of get involved in a community, whether it be Twitter or whatever, like any other good places to reach out to?
Yeah, subscribe to the blog.
We hardly ever post...no, I'm just kidding.
We're always writing new blogs, so it's a great place to follow along and it's a good way to kind of keep up with the individual products.
You can follow individual tags and get updates on Zero Trust or product news or Cloudflare Tunnel or DLP and kind of like keep up with the latest.
Twitter's another great resource.
We have Discord channels and Reddit channels.
So we're kind of spread all over.
So if you're on, if you're on the Internet, we'll find you.
But, but yeah, I'd start with maybe the blog and some places like that.
Thank you so much for talking through all this today. You were an awesome interview and you are clearly so excited about the product and it's awesome to hear.
And as Abe already shared, there are many ways to reach out.
We are all over the Internet here at Cloudflare, so please feel invited and welcome to start a discussion with us.
And I just wanted to say thank you to all our customers for attending and please feel free to stay online and listen to some more Cloudflare TV, but thank you Abe and talk to you soon.
Have a good one.