# Phase 1 Architecture Update: Cloudflare Tunnel + Private IPs

## Updated Architecture

### Network Configuration

- **Backend VMs (5 US regions)**: Private IPs only (no public IPs)
- **Nginx Proxy (West Europe)**: Public IP (for the Cloudflare Tunnel connection)
- **Cloudflare Tunnel**: Connects to the Nginx proxy public IP, handles DNS and SSL termination

### Security Benefits

1. **Reduced Attack Surface**: Backend VMs have no public IPs and are not directly accessible from the internet
2. **Cloudflare Protection**: DDoS protection, WAF, and SSL/TLS are handled by Cloudflare
3. **No Inbound Ports**: Cloudflare Tunnel uses an outbound connection only
4. **Private Network**: Backend VMs communicate via private IPs (once the VPN is deployed)

## Changes Made

### 1. VM Module Updates

- Removed public IP creation for the "besu-node" type
- Only the "sentry" and "rpc" node types get public IPs (if needed in future)
- Backend VMs now use private IPs only

### 2. Nginx Proxy Updates

- Updated to use private IPs for backend connectivity
- Added Cloudflare Tunnel installation and configuration
- Created a systemd service for Cloudflare Tunnel
- Added setup instructions in the cloud-init script

### 3. NSG Rules

- Updated comments to reflect the VPN/ExpressRoute requirement
- Noted that RPC rules should be restricted to the Nginx proxy subnet once the VPN is deployed

## Cross-Region Connectivity Requirement

**Important**: Backend VMs are in US regions while the Nginx proxy is in West Europe. Since backend VMs use private IPs only, cross-region connectivity requires one of the following:

### Option 1: Azure VPN/ExpressRoute (Recommended)

- Deploy a VPN Gateway or ExpressRoute
- Connect all regions via VPN
- The Nginx proxy can reach backend VMs via private IPs
- Most secure option for production

### Option 2: Cloudflare Tunnel on Each Backend VM

- Install the Cloudflare Tunnel agent on each backend VM
- Each VM exposes its RPC endpoints via Cloudflare Tunnel
- The Nginx proxy connects to the Cloudflare Tunnel endpoints
- Simpler setup, but requires Cloudflare Tunnel on each VM

### Option 3: Temporary Public IPs (Testing Only)

- For initial testing, temporarily enable public IPs
- Restrict NSG rules to the Nginx proxy IP only
- Not recommended for production

## Cloudflare Tunnel Setup

See `CLOUDFLARE_TUNNEL_SETUP.md` for detailed setup instructions.

Quick steps:

1. SSH to the Nginx proxy VM
2. Run `cloudflared tunnel login`
3. Run `cloudflared tunnel create `
4. Configure `/etc/cloudflared/config.yml`
5. Enable and start the `cloudflared` service
6. Configure DNS in the Cloudflare Dashboard

## Next Steps

1. **Deploy Phase 1 infrastructure** (with the current configuration)
2. **Set up Cloudflare Tunnel** on the Nginx proxy
3. **Deploy VPN/ExpressRoute** for backend connectivity, OR
4. **Install Cloudflare Tunnel** on each backend VM
5. **Test end-to-end connectivity**
6. **Restrict NSG rules** to specific IP ranges once connectivity is established

## Files Modified

- `terraform/modules/vm-deployment/main.tf`: Removed public IPs for the "besu-node" type
- `terraform/modules/vm-deployment/outputs.tf`: Updated outputs
- `terraform/modules/nginx-proxy/nginx-cloud-init.yaml`: Added Cloudflare Tunnel setup
- `terraform/phases/phase1/phase1-main.tf`: Updated `backend_vms` to use private IPs only
- `terraform/modules/networking-vm/main.tf`: Updated NSG rule comments

## Documentation Created

- `CLOUDFLARE_TUNNEL_SETUP.md`: Detailed Cloudflare Tunnel setup guide
- `ARCHITECTURE_UPDATE.md`: This file
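A minimal `/etc/cloudflared/config.yml` for step 4 of the Cloudflare Tunnel quick steps above, added here as an illustration; it is not taken from `CLOUDFLARE_TUNNEL_SETUP.md` or the project's cloud-init. The tunnel ID and hostname are placeholders, and the nginx listener on port 80 is an assumption about the proxy VM.

```yaml
# /etc/cloudflared/config.yml -- added example, not the project's own file.
# <TUNNEL_ID> and rpc.example.com are placeholders; nginx listening on
# localhost:80 on the proxy VM is an assumption.
tunnel: <TUNNEL_ID>
credentials-file: /etc/cloudflared/<TUNNEL_ID>.json

ingress:
  # Only the public RPC hostname is routed, and only to the local nginx
  # listener. Backend VMs are never named here: they remain reachable solely
  # through nginx over private IPs, which is what keeps them off the internet.
  - hostname: rpc.example.com
    service: http://localhost:80
  # Catch-all rule: any hostname not matched above gets a 404 from cloudflared
  # instead of being forwarded to some other service on the proxy VM.
  - service: http_status:404
```

Run `cloudflared tunnel ingress validate` before enabling the service; `cloudflared` rejects a config whose final ingress rule still carries a `hostname`, so the catch-all must stay last.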