Hi guys, welcome back to my YouTube channel. Hope you are doing well. In this video, I wanted to quickly demonstrate Cloudflare Access and what it can do. I kind of make these videos just as I'm working through various tech projects of my own and on the kind of chance that I need to demonstrate to someone what I'm doing or someone might find it interesting. They're looking at setting up something themselves. I have these links just to send out to people. So it's in the early stage and on medium as Daniel said, TechWorld.
So basically, Cloudflare Access is a very, very powerful and interesting tool within the Cloudflare suite. What it can be used for is not necessarily what you might think. So I mean, there are a lot of kind of classic uses that they're trying to say can replace a corporate VPN. One thing you can use it for, if you're in a much more simple level of technology, is to use it to protect access to a certain web application. For example, it could be a self-hosted CRM, something on your public-facing web server that should not be accessible to the public. So I have this little subdomain here on danielrosil.com called demo. And I'm just using this as purely for demonstration purposes. What I might do, for example, is create a little WordPress site here. And for example, if I had a portfolio of work that I was sending out to clients, and I did not want the internet at large to be able to access it.
So in that kind of use case, there would be a few different scenarios. One might be you could look in cPanel, has some security functionality. You can create usernames and passwords. That's a bit old school. And one of the disadvantages there is that if you wanted to do something a little bit more sophisticated, such as leaving only allowing access to this Cloudflare protected area to everybody in an email address, like everyone in a subdomain, for example, or at a domain, that would be possible using Cloudflare Access.
And when you're doing, of course, there's also WordPress plugins. There's various solutions, but the beauty of Cloudflare is that you're doing it at the Cloudflare level rather than directly on the end server for creating the security.
So basically, Cloudflare Access, I'm just going to bring over the actual, and let me just get up the Access pricing as well. So basically, you can have up to five users for free. And that's across every domain on your account. So for example, if you have three domains protected in Cloudflare and one access policy each, and each is one user, then you're going to be, that's going to run cumulatively. So there is bulk pricing. So Cloudflare Access is free for up to five seats, starting with six seats and above the following pricing scheme applies in US dollars per seat per month. So what I would say is that this could get pretty expensive if you're using it for this purpose. I'm using it to protect my CRM. I did it for clients, but if you have the budget to spend, if you were giving access to 20 people, 20 unique email addresses, each one considered a seat, then you would be running up quite a cost of $100 per month in just securing this one application. But for more limited pools of workers having access, or maybe it just is a simple case you want to have an application accessible to a certain domain, so that would be another example.
So basically, let me just bring this over and I'll show you how it works. So this is demo.daniel, this is danielrotel.com. You have a login method and you can choose from a different, you can use authenticated logins over here, Google, Facebook, GitHub. I've just gone for one-time PIN, so that means that basically people will be prompted for a PIN by email. You can also put your own logo up here. But if you have a bunch of domains on your Cloudflare then this organization name and page is gonna be shared across all the protected access applications. So that's just something to be aware of.
Next thing you'd be doing is creating an access policy. So let me actually apply this so I'm gonna be protecting today demo.danielrotel.com. And if you just leave this blank, it'll function as a wildcard. Now, if you are using this yourself, for example, my client hosted CRM, I would recommend increasing the session duration up to something like a month. That means that every time you go on to it, up to one month, so long as you don't clear your cookies, you will not be prompted to go through the authentication process every time that you log in.
So let's just give this policy a name. So we're gonna say the application is client portfolio, and it's a demo, and we're gonna just give this a policy name too. I'm just logging in here. So let's say this is, let's just say this is a portfolio and we want it accessible only to one Gmail address and let's just call them DR test portfolio. Whoops, test portfolio.
Now, what we can do here is allow it. So you can have emails ending in. So this is where you can create authentication for anyone at a domain, right? So you could literally have anyone, if you did @danielrotel.com, any user that tried to pass through the authentication that has an email address ending in @danielrotel.com will be able to authenticate. For example, we could also set it at gmail.com or we can just add specific email addresses. We can also add access groups, IP ranges, and everybody. Let's just, in this simple example, I'm just gonna authenticate danielrotel.demo.gmail.com. So in this use case, only danielrotel.demo will be able to authenticate and get access to this application. Now you can also create exclude rules as well, so you can have an include policy, everyone at Gmail, but exclude specific Gmail, then have that run concurrently. But that's the basic setup that you'd want here. Advanced settings, there's nothing I found here that was of use and you can have a logout bar just to add that up at the top, you don't need that.
So let's just do this one, let's just make it a client portfolio and demo is gonna be protected and only danielrotel.demo.gmail.com will be able to pass through the authentication. Sorry, I'm just getting some new features here for Gmail in the other monitor. So let's go ahead and save this rule. So this is now applied, DR test portfolio. We just created the rule within the application, we didn't create an access group.
And that is basically, and you can see there's gonna be a log as well here. This is actually across the domain, so this is my address accessing my CRM and I can revoke access. So again, every domain you have on your Cloudflare, this access is gonna be shared across them. So I'm only using one seat so far this month because of my personal address accessing the CRM. Once I authenticate with danielrotel.demo.gmail to this application, that's gonna count as another seat and my seat count's gonna be up to two. And remember, it's free, only up to five.
So if we do a refresh, watch the magic happen, hopefully. There we go. So now demo.danielrotel.com is a protected zone. So let's see what happened. I've only allowed danielrotel.demo.gmail.com. So if I put in something else, it should not pass through. So I haven't received the authentication. So let's this time do the one that is legitimate. The email address we configured, danielroteldemo.gmail.com. Click on send me a code and give it about two seconds and here we go. So let me just bring over this. I've now received login code for danielrotel.demo.danielrotel.com. It gives you a link and it gives you a code so you can either copy and paste this into the bar or you can just use the one click link. I'm gonna click on sign in. Ah, this was not supposed to happen. Copy link location. Okay, so that was, I think the wrong, I must have done something wrong in the clipboard. So now I've gone through that and I have authenticated.
So as I said, this is a really nice way if you're looking to protect something like your CRM just for your company or it can be used in the small business application world in which, for example, you are trying to protect, you know, you're trying to give access to a domain only to your client. I've also used it for protecting a staging environment. So the staging environment's protected so that it's not accessible to the internet and when it pushes out to production, it's fine.
So now if we see access policy, if we just go down to the bottom of this, we should see, there we go, that Daniel Rosso demo is authenticated and if I click on revoke session, I can manually revoke the session from the backend here and if I now refresh here, it might take a little while, might have to do a hard, there we go. I've forcibly locked that user out so you can still, you can still control access on the backend even after users have authenticated.
Hope that video was useful and if you have any questions, I can be reached through my personal homepage at danielrosso.co.il. Have a great day.