Private networks

With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a connector on the private network, and then setting up routes which define the IP addresses available in that environment. Unlike published applications, private network routes can expose both HTTP and non-HTTP resources.

To reach private network IPs, end users must connect their device to Cloudflare and enroll in your Zero Trust organization. The most common method is to install the Cloudflare One Client on their device, or you can onboard their network traffic to Cloudflare using Cloudflare Mesh, Cloudflare Tunnel, or Cloudflare WAN.

Administrators can optionally set Gateway network policies to control access to services based on user identity and device posture.

Connectors

Here are the different ways you can connect your private network to Cloudflare:

  • Cloudflare Mesh creates a private network between mesh nodes, client devices, and the services behind them. Each participant is assigned a Mesh IP for direct connectivity. Mesh nodes install on a Linux server and act as subnet routers for site-to-site, bidirectional, and mesh networking. Client devices install the Cloudflare One Client for device-to-device and device-to-network connectivity.
  • Cloudflare Tunnel (cloudflared) installs on a server in your private network and creates a secure, outbound-only tunnel to Cloudflare. cloudflared only proxies traffic initiated from a user to a server. Any service or application running behind the tunnel will use the server's default routing table for server-initiated connectivity.
  • Cloudflare WAN connects entire network locations to Cloudflare using anycast GRE or IPsec tunnels configured on your existing networking equipment.
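Because the routes you define decide which private IP addresses become reachable through a connector, it is worth auditing the list before publishing it. The following is an added example, not Cloudflare's code: it flags routes outside RFC 1918 space, routes broader than a chosen prefix length, and overlaps between connectors. The connector names, sample routes and the /16 threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory of (connector name, routed CIDR); not real data.
SAMPLE_ROUTES = [
    ("hq-tunnel", "10.0.0.0/8"),
    ("lab-tunnel", "10.20.0.0/16"),
    ("dc-tunnel", "192.168.50.0/24"),
    ("legacy-tunnel", "203.0.113.0/24"),
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network sits inside one RFC 1918 block."""
    return any(net.version == p.version and net.subnet_of(p) for p in RFC1918)


def audit_routes(routes, min_prefix=16):
    """Return a list of (connector, cidr, finding) tuples for review.

    min_prefix is an assumed policy threshold: any route with a shorter
    prefix (a larger network) is reported as too broad.
    """
    # strict=True raises ValueError on entries with host bits set,
    # e.g. "10.20.0.5/16", so typos do not silently widen a route.
    parsed = [(name, ipaddress.ip_network(cidr, strict=True))
              for name, cidr in routes]
    findings = []
    for name, net in parsed:
        if not is_rfc1918(net):
            findings.append((name, str(net), "not-private"))
        if net.prefixlen < min_prefix:
            findings.append((name, str(net), "too-broad"))
    # Pairwise overlap check across different connectors.
    for i, (a_name, a) in enumerate(parsed):
        for b_name, b in parsed[i + 1:]:
            if a_name != b_name and a.version == b.version and a.overlaps(b):
                findings.append((a_name, str(a), f"overlaps {b_name} {b}"))
    return findings


if __name__ == "__main__":
    for finding in audit_routes(SAMPLE_ROUTES):
        print(finding)
```

Each finding is a prompt for review rather than an error: a broad or overlapping route may be intentional, but it should be paired with Gateway network policies that narrow who can reach it.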