GCP
This guide covers how to connect a Google Cloud Project (GCP) virtual machine to Cloudflare using our lightweight connector, cloudflared.
We will deploy:
- A Google Cloud Project (GCP) virtual machine that runs a basic HTTP server.
- A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address.
To complete the following procedure, you will need to:
- Add a website to Cloudflare
- Deploy the WARP client on an end-user device
- In your Google Cloud Console, create a new project.
- Go to Compute Engine > VM instances.
- Select Create instance.
- Name your VM instance. In this example we will name it http-test-server.
- Choose your desired operating system and specifications. For this example, you can use the following settings:
  - Machine family: General Purpose
  - Series: E2
  - Machine type: e2-micro
  - Boot disk image: Debian GNU/Linux 12
  - Firewalls: Allow HTTP and HTTPS traffic
- Under Advanced options > Management > Automation, add the following startup script. This example deploys a basic Apache web server on port 80.
- Select Create.
- The operating system automatically starts the Apache HTTP server. To verify that the server is running:
  - Copy the External IP for the VM instance.
  - Open a browser and go to http://<EXTERNAL IP>. You should see the Hello Cloudflare! test page.
- To log in to the VM instance, open the dropdown next to SSH and select Open in browser window.
Next, we will create a Cloudflare Tunnel in Zero Trust and run the tunnel on the GCP VM.
- Log in to Zero Trust and go to Networks > Tunnels.
- Select Create a tunnel.
- Choose Cloudflared for the connector type and select Next.
- Enter a name for your tunnel (for example, gcp-tunnel).
- Select Save tunnel.
- Under Choose your environment, select Debian. Copy the command shown in the dashboard and run it on your GCP VM.
- Once the command has finished running, your connector will appear in Zero Trust.
- Select Next.
Public hostname routes allow anyone on the Internet to connect to HTTP resources hosted on your virtual private cloud (VPC). To add a public hostname route for your Cloudflare Tunnel:
- In the Public Hostname tab, enter a hostname for the application (for example, hellocloudflare.<your-domain>.com).
- Under Service, enter http://localhost:80.
- Select Save hostname.
- To test, open a browser and go to http://hellocloudflare.<your-domain>.com. You should see the Hello Cloudflare! test page.
You can optionally create an Access application to control who can access the service.
To configure a private network route for your Cloudflare Tunnel:
- In the Private Network tab, enter the Internal IP of your GCP VM instance (for example, 10.0.0.2). You can expand the IP range later if necessary.
- In your Split Tunnel configuration, make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete 10.0.0.0/8. We recommend re-adding the IPs that are not explicitly used by your GCP VM -- you can use this calculator to determine which IP addresses to re-add.
- To test on a user device:
  - Log in to the WARP client.
  - Open a terminal window and connect to the service using its private IP:
You can optionally create Gateway network policies to control who can access the VM via its private IP.
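The Exclude-mode step above deletes 10.0.0.0/8 and re-adds every address the VM does not use. The following Python sketch is an added example, not part of the Cloudflare documentation; it computes those re-add ranges with the standard ipaddress module. The function names are hypothetical, and 10.0.0.2 is the example internal IP used on this page.

```python
import ipaddress


def readd_ranges(deleted_block, routed_through_warp):
    """CIDRs to re-add to the Exclude list after deleting deleted_block,
    so that only the addresses in routed_through_warp go through WARP.

    Entries must be exact networks or single IPs; a value with host bits
    set (for example 10.0.0.2/24) raises ValueError instead of being
    silently widened to the whole subnet.
    """
    block = ipaddress.ip_network(deleted_block)
    remaining = [block]
    for target in map(ipaddress.ip_network, routed_through_warp):
        if not target.subnet_of(block):
            raise ValueError(f"{target} is not inside {block}")
        kept = []
        for net in remaining:
            if target.subnet_of(net):
                # Split net around target; yields nothing if they are equal.
                kept.extend(net.address_exclude(target))
            elif not net.subnet_of(target):
                kept.append(net)  # unrelated range, stays excluded
        remaining = kept
    return sorted(remaining)


def still_excluded(address, ranges):
    """True if address would still bypass WARP under the given Exclude list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ranges)


if __name__ == "__main__":
    # Page example: the VM's internal IP is 10.0.0.2.
    ranges = readd_ranges("10.0.0.0/8", ["10.0.0.2"])
    for net in ranges:
        print(net)
    print("10.0.0.2 still excluded:", still_excluded("10.0.0.2", ranges))
```

Routing only the VM's /32 through WARP keeps the rest of 10.0.0.0/8 out of the tunnel, so a device on a home or office network that also uses 10.x addressing retains local reachability.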
To secure your VM instance, you can configure your VPC firewall rules to deny all ingress traffic and allow only egress traffic to the Cloudflare Tunnel IP addresses. Since GCP denies ingress traffic by default, you can delete all ingress rules and leave only the relevant egress rules.
After configuring your VPC firewall rules, verify that you can still access the service through Cloudflare Tunnel via its public hostname or private IP. The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to http://<EXTERNAL IP>, the test page should no longer load.