Source from repo
Cloudflare Platform Skill

Comprehensive Cloudflare platform skill covering Workers, D1, R2, KV, AI, Durable Objects, and security.
cloudflareGitHub cloudflareSource repo Original GitHub link Publisher page
Files
321
Skill
n/a
Size
1.4 MB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/spectrum/patterns.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown197 linesFree
references/spectrum/patterns.md
1## Common Use Cases
2 
3### 1. SSH Server Protection
4 
5**Terraform:**
6```hcl
7resource "cloudflare_spectrum_application" "ssh" {
8  zone_id  = var.zone_id
9  protocol = "tcp/22"
10 
11  dns {
12    type = "CNAME"
13    name = "ssh.example.com"
14  }
15 
16  origin_direct      = ["tcp://10.0.1.5:22"]
17  ip_firewall        = true
18  argo_smart_routing = true
19}
20```
21 
22**Benefits:** Hide origin IP, DDoS protection, IP firewall, Argo reduces latency
23 
24### 2. Game Server
25 
26**TypeScript (Minecraft):**
27```typescript
28const app = await client.spectrum.apps.create({
29  zone_id: 'your-zone-id',
30  protocol: 'tcp/25565',
31  dns: { type: 'CNAME', name: 'mc.example.com' },
32  origin_direct: ['tcp://192.168.1.10:25565'],
33  proxy_protocol: 'v1',  // Preserves player IPs
34  argo_smart_routing: true,
35});
36```
37 
38**Benefits:** DDoS protection, hide origin IP, Proxy Protocol for player IPs/bans, Argo reduces latency
39 
40### 3. MQTT Broker
41 
42IoT device communication.
43 
44**TypeScript:**
45```typescript
46const mqttApp = await client.spectrum.apps.create({
47  zone_id: 'your-zone-id',
48  protocol: 'tcp/8883',  // Use 1883 for plain MQTT
49  dns: { type: 'CNAME', name: 'mqtt.example.com' },
50  origin_direct: ['tcp://mqtt-broker.internal:8883'],
51  tls: 'full',  // Use 'off' for plain MQTT
52});
53```
54 
55**Benefits:** DDoS protection, hide broker IP, TLS termination at edge
56 
57### 4. SMTP Relay
58 
59Email submission (port 587). **WARNING**: See [gotchas.md](gotchas.md#smtp-reverse-dns)
60 
61**Terraform:**
62```hcl
63resource "cloudflare_spectrum_application" "smtp" {
64  zone_id  = var.zone_id
65  protocol = "tcp/587"
66 
67  dns {
68    type = "CNAME"
69    name = "smtp.example.com"
70  }
71 
72  origin_direct = ["tcp://mail-server.internal:587"]
73  tls           = "full"  # STARTTLS support
74}
75```
76 
77**Limitations:**
78- Spectrum IPs lack reverse DNS (PTR records)
79- Many mail servers reject without valid rDNS
80- Best for internal/trusted relay only
81 
82### 5. Database Proxy
83 
84MySQL/PostgreSQL. **Use with caution** - security critical.
85 
86**PostgreSQL:**
87```typescript
88const postgresApp = await client.spectrum.apps.create({
89  zone_id: 'your-zone-id',
90  protocol: 'tcp/5432',
91  dns: { type: 'CNAME', name: 'postgres.example.com' },
92  origin_dns: { name: 'db-primary.internal.example.com' },
93  origin_port: 5432,
94  tls: 'strict',      // REQUIRED
95  ip_firewall: true,  // REQUIRED
96});
97```
98 
99**MySQL:**
100```hcl
101resource "cloudflare_spectrum_application" "mysql" {
102  zone_id  = var.zone_id
103  protocol = "tcp/3306"
104 
105  dns {
106    type = "CNAME"
107    name = "mysql.example.com"
108  }
109 
110  origin_dns {
111    name = "mysql-primary.internal.example.com"
112  }
113 
114  origin_port = 3306
115  tls         = "strict"
116  ip_firewall = true
117}
118```
119 
120**Security:**
121- ALWAYS use `tls: "strict"`
122- ALWAYS use `ip_firewall: true`
123- Restrict to known IPs via zone firewall
124- Use strong DB authentication
125- Consider VPN or Cloudflare Access instead
126 
127### 6. RDP (Remote Desktop)
128 
129**Requires IP firewall.**
130 
131**Terraform:**
132```hcl
133resource "cloudflare_spectrum_application" "rdp" {
134  zone_id  = var.zone_id
135  protocol = "tcp/3389"
136 
137  dns {
138    type = "CNAME"
139    name = "rdp.example.com"
140  }
141 
142  origin_direct = ["tcp://windows-server.internal:3389"]
143  tls           = "off"       # RDP has own encryption
144  ip_firewall   = true        # REQUIRED
145}
146```
147 
148**Security:** ALWAYS `ip_firewall: true`, whitelist admin IPs, RDP is DDoS/brute-force target
149 
150### 7. Multi-Origin Failover
151 
152High availability with load balancer.
153 
154**Terraform:**
155```hcl
156resource "cloudflare_load_balancer" "database_lb" {
157  zone_id          = var.zone_id
158  name             = "db-lb.example.com"
159  default_pool_ids = [cloudflare_load_balancer_pool.db_primary.id]
160  fallback_pool_id = cloudflare_load_balancer_pool.db_secondary.id
161}
162 
163resource "cloudflare_load_balancer_pool" "db_primary" {
164  name    = "db-primary-pool"
165  origins { name = "db-1"; address = "192.0.2.1" }
166  monitor = cloudflare_load_balancer_monitor.postgres_monitor.id
167}
168 
169resource "cloudflare_load_balancer_pool" "db_secondary" {
170  name    = "db-secondary-pool"
171  origins { name = "db-2"; address = "192.0.2.2" }
172  monitor = cloudflare_load_balancer_monitor.postgres_monitor.id
173}
174 
175resource "cloudflare_load_balancer_monitor" "postgres_monitor" {
176  type = "tcp"; port = 5432; interval = 30; timeout = 5
177}
178 
179resource "cloudflare_spectrum_application" "postgres_ha" {
180  zone_id     = var.zone_id
181  protocol    = "tcp/5432"
182  dns         { type = "CNAME"; name = "postgres.example.com" }
183  origin_dns  { name = cloudflare_load_balancer.database_lb.name }
184  origin_port = 5432
185  tls         = "strict"
186  ip_firewall = true
187}
188```
189 
190**Benefits:** Automatic failover, health monitoring, traffic distribution, zero-downtime deployments
191 
192## See Also
193 
194- [configuration.md](configuration.md) - Origin type setup
195- [gotchas.md](gotchas.md) - Protocol limitations
196- [api.md](api.md) - SDK reference
197
Preparing the source view

Cloudflare Platform Skill

references/spectrum/patterns.md
