Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Private networks

With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare’s global network. This involves installing a connector on the private network, and then setting up routes which define the IP addresses available in that environment. Unlike public hostname routes, private network routes can expose both HTTP and non-HTTP resources.

To reach private network IPs, end users must connect their device to Cloudflare and enroll in your Zero Trust organization. The most common method is to install the WARP client on their device, or you can onboard their network traffic to Cloudflare using our WARP Connector or Magic WAN.

Administrators can optionally set Gateway network policies to control access to services based on user identity and device posture.

​​ Connectors

Here are the different ways you can connect your private network to Cloudflare:

  • cloudflared installs on a server in your private network to create a secure, outbound tunnel to Cloudflare. Cloudflare Tunnel using cloudflared only proxies traffic initiated from a user to a server. Any service or application running behind the tunnel will use the server’s default routing table for server-initiated connectivity.
  • WARP-to-WARP uses the Cloudflare WARP client to establish peer-to-peer connectivity between two or more devices. Each device running WARP can access services on any other device running WARP via an assigned virtual IP address.
  • WARP Connector installs on a Linux server in your private network to establish site-to-site, bidirectional, and mesh networking connectivity. The WARP Connector acts as a subnet router to relay client-initiated and server-initiated traffic between all devices on a private network and Cloudflare.
  • Magic WAN relies on configuring legacy networking equipment to establish Anycast GRE or IPsec tunnels between an entire network location and Cloudflare.