Load balancing
When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat <UUID>.cfargotunnel.com as if it were a Load Balancing endpoint in the Cloudflare dashboard.
Unlike publicly routable IP addresses, the subdomain will only proxy traffic for a load balancer pool in the same Cloudflare account. If someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address.
To create a load balancer, refer to the Load Balancing documentation. The endpoint address is the subdomain of your tunnel, <UUID>.cfargotunnel.com.
If you want to add a monitor to your load balancer pool, you will need to add a host header to Advanced health check settings. The header will be similar to Header Name: Host and Value: www.your-zone.com. The monitor will not work without the host header if you are using a config file that defines the ingress field, as shown in this example ↗.
You can add Cloudflare Tunnel to an existing load balancer pool directly from cloudflared:
cloudflared tunnel route lb <tunnel name/uuid> <hostname> <load balancer pool>-
<hostname>: the DNS hostname of the load balancer, for examplelb.example.com. -
<load balancer pool>: the name of the pool that will contain the tunnel subdomain.
This command creates an LB DNS record that points the specified hostname to the subdomain of your tunnel (<UUID>.cfargotunnel.com). Traffic will not be proxied unless the tunnel is running.
The application will default to the Cloudflare settings for the load balancer hostname, including cache rules and firewall policies. You can change the settings for your hostname in the Cloudflare dashboard ↗.
If you have a tunnel to a port or SSH port, do not run a TCP health check.
Instead, set up a health check endpoint in cloudflared — for example, an ingress entry rule that returns a fixed HTTP status response — and create an HTTP monitor for that endpoint. The monitor will only verify that your server is reachable. It does not check whether the server is running and accepting requests.
The load balancer does not distinguish between replicas of the same tunnel. If you run the same tunnel UUID on two separate hosts, the load balancer treats both hosts as a single endpoint. To maintain session affinity between a client and a particular host, you will need to connect each host to Cloudflare using a different tunnel UUID.
If you notice traffic imbalances across endpoints in different locations, you may have to adjust your load balancer setup.
cloudflared connections give preference to tunnels that terminate in the same Cloudflare data center. This behavior can impact how connections are weighted and traffic is distributed.
The solution depends on the type of tunnel being used. If running legacy tunnels, put your origins in different pools. If running Cloudflare tunnel replicas (using a shared ID), switch to separate Cloudflare tunnels as distinct origins.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
