Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Load balancers

When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat UUID.cfargotunnel.com as if it were an origin target in the Cloudflare dashboard.

Unlike publicly routable IP addresses, the subdomain will only proxy traffic for a DNS record or a Load Balancer pool in the same Cloudflare account. If someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address.

​​ Add a tunnel to a load balancer pool

To create or edit a Cloudflare Load Balancer pool, refer to the load balancer documentation. When adding an origin server address, enter the subdomain of your tunnel (UUID.cfargotunnel.com).

If you want to add a monitor to your load balancer pool, you will need to add a host header to Advanced health check settings. The header will be similar to Header Name: Host and Value: www.your-zone.com. The monitor will not work without the host header if you are using a config file that defines the ingress field, as shown in this example.

You can add Cloudflare Tunnel to an existing load balancer pool directly from cloudflared:

$ cloudflared tunnel route lb <tunnel name/uuid> <hostname> <load balancer pool>
  • <hostname>: the DNS hostname of the load balancer, for example lb.example.com.

  • <load balancer pool>: the ID of the pool that will contain the tunnel subdomain.

This command creates an LB DNS record that points the specified hostname to the subdomain of your tunnel (UUID.cfargotunnel.com). Traffic will not be proxied unless the tunnel is running.

​​ Optional Cloudflare settings

The application will default to the Cloudflare settings for the load balancer hostname, including cache rules and firewall policies. You can changes the settings for your hostname in the Cloudflare dashboard.

​​ Known limitations

​​ Monitors and TCP Tunnel origins

If you have a tunnel to a port or SSH port, do not run a TCP health check.

Instead, set up a health check endpoint in cloudflared — for example, an ingress entry rule that returns a fixed HTTP status response — and create an HTTP monitor for that endpoint. The monitor will only verify that your server is reachable. It does not check whether the server is running and accepting requests.

​​ Session affinity and replicas

The load balancer does not distinguish between replicas of the same tunnel. If you run the same tunnel UUID on two separate hosts, the load balancer treats both hosts as a single origin server. To maintain session affinity between a client and a particular host, you will need to connect each host to Cloudflare using a different tunnel UUID.

​​ Local connection preference

If you notice traffic imbalances across origin servers in different locations, you may have to adjust your load balancer setup.

cloudflared connections give preference to tunnels that terminate in the same Cloudflare data center. This behavior can impact how connections are weighted and traffic is distributed.

The solution depends on the type of tunnel being used. If running legacy tunnels, put your origins in different pools. If running Cloudflare tunnel replicas (using a shared ID), switch to separate Cloudflare tunnels as distinct origins.