Tunnels FAQ
Yes. With Named Tunnels ↗ you can create a CNAME at the apex that points to the named tunnel.
Yes. Cloudflare Tunnel has full support for Websockets.
Yes.
Cloudflare Tunnel supports gRPC traffic via private subnet routing. Public hostname deployments are not currently supported.
Cloudflare offers two modes of setup: Full Setup, in which the domain uses Cloudflare DNS nameservers, and Partial Setup (also known as CNAME setup) in which the domain uses non-Cloudflare DNS servers.
The best experience with Cloudflare Tunnel is using Full Setup because Cloudflare manages DNS for the domain and can automatically configure DNS records for newly started Tunnels.
You can still use Tunnel with Partial Setup. You will need to create a new DNS record with your current DNS provider for each new hostname connected through Cloudflare Tunnel. The DNS record should be of type CNAME or ALIAS if it is on the root of the domain. The name of the record should be the subdomain it corresponds to (e.g. example.com or tunnel.example.com) and the value of the record should be subdomain.domain.tld.cdn.cloudflare.net. (e.g. example.com.cdn.cloudflare.net or tunnel.example.com.cdn.cloudflare.net)
Tunnel can expose web applications to the Internet that sit behind a NAT or firewall. Thus, you can keep your web server otherwise completely locked down. To double check that your origin web server is not responding to requests outside Cloudflare while Tunnel is running you can run netcat in the command line:
netcat -zv [your-server's-ip-address] 80netcat -zv [your-server's-ip-address] 443If your server is still responding on those ports, you will see:
[ip-address] 80 (http) openIf your server is correctly locked down, you will see:
[ip-address] 443 (https): Connection refusedNamed Tunnels can be routed via DNS records, in which case we use CNAME records to point to the <UUID>.cfargotunnel.com; Or as Load Balancing endpoints, which also point to <UUID>.cfargotunnel.com.
No. When using Cloudflare Tunnel, all requests to the origin are made internally between cloudflared and the origin.
To log external visitor IPs, you will need to configure an alternative method.
Cloudflare Tunnel was previously named Warp during the beta phase. As Warp was added to the Argo product family, we changed the name to Argo Tunnel to match. Once we no longer required users to purchase Argo to create Tunnels, we renamed Argo Tunnel to Cloudflare Tunnel.
For more information about migrating from Argo Tunnel, refer to Migrate legacy tunnels.
No. You cannot undo a tunnel deletion. If the tunnel was locally-managed, its config.yaml file will still be present and you can create a new tunnel with the same configuration. If the tunnel was remotely-managed, both the tunnel and its configuration are permanently deleted.
Before contacting the Cloudflare support team:
-
Take note of any specific error messages and/or problematic behaviors.
-
Make sure that
cloudflaredis updated to the latest version ↗. -
Gather any relevant error/access logs from your server.
-
(Locally-managed tunnels only) Set
--logleveltodebug, so the Cloudflare support team can get more info from thecloudflared.logfile. -
Include your Cloudflare Tunnel diagnostic logs (
cloudflared-diag-YYYY-MM-DDThh-mm-ss.zip).
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
