How Argo Tunnel works
Cloudflare secures your origin servers by proxying requests to your DNS records through our anycast network, and to the external IP of your origin. However, if attackers discover those destinations, external IP addresses can still provide them with a path around Cloudflare security.
Argo Tunnel provides a secure way to connect your origin to Cloudflare without a publicly routable IP address.
With Tunnel, you don’t expose an external IP from your infrastructure to the Internet. Instead, a lightweight daemon runs in your infrastructure and creates outbound-only connections to Cloudflare’s edge. This allows you to quickly deploy infrastructure in a Zero Trust model by ensuring all requests to your resources pass through Cloudflare’s security filters.
Argo Tunnel connects your web server to the Cloudflare network over an encrypted Tunnel. An example request follows these steps:
A visitor makes a request to
The DNS lookup resolves to a Cloudflare network address.
The visitor connects to the closest Cloudflare edge PoP via Anycast.
Cloudflare routes the visitor through a special PoP-to-PoP route called and connects them to a Cloudflare edge PoP that has an established persistent connection to the daemon (
cloudflared) running on the visitor's web server.
The request is routed to the
cloudflaredinstance running on your server.
The Tunnel client forwards the request to your web service.
In more detail
cloudflared process starts, the
cloudflared client will establish an outbound HTTP connection with the two closest Cloudflare data centers. Which data centers are closest is determined by iterating through the SRV DNS record and standard Anycast routing.
Administrators can create a DNS record or a Load Balancer entry to proxy traffic to the connection created by
The connection between
cloudflared and the Cloudflare edge is a long-lived persistent HTTP2 connection encrypted with TLS. To keep the connection alive,
cloudflared sends a heartbeat to the edge in the form of a ping frame over HTTP2. If the connection is dropped, the
cloudflared client re-establishes the connection with Cloudflare.
cloudflared connects to Cloudflare on port
All packets between Cloudflare and the tunneled web server use stream multiplexing over HTTP2. In HTTP2, each request/response pair is called a Stream and given a unique Stream ID so that these streams can be “multiplexed” or sent asynchronously over the same connection.