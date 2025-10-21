Feature availability WARP modes Zero Trust plans ↗ Gateway with WARP

Secure Web Gateway without DNS filtering All plans System Availability Windows ✅ macOS ✅ Linux ✅ iOS ✅ Android ✅ ChromeOS ✅

Virtual networks allow you to connect private networks that have overlapping IP ranges without creating conflicts for users or services. For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be "production" and "staging". However, if the two private networks happened to receive the same RFC 1918 IP assignment, there may be two different resources with the same IP address. By creating two separate virtual networks, you can deterministically route traffic to duplicative private addresses like 10.128.0.1/32 staging and 10.128.0.1/32 production. These virtual networks will appear as user-selectable options within the WARP client GUI.

Use cases

Here are a few scenarios where virtual networks may prove useful:

Manage production and staging environments that use the same address space.

Manage acquisitions or mergers between organizations that use the same address space.

Allow IT professional services to access their customer's network for various administration and management purposes.

Allow developers or homelab users to deterministically route traffic through their home network to enforce additional security controls.

Guarantee additional segmentation (beyond just policy enforcement) between networks and resources for security reasons, while keeping all configuration within a single Cloudflare account.

Prerequisites

Install cloudflared on each private network.

on each private network. Deploy the WARP client on user devices.

Create a virtual network

The following example demonstrates how to add two overlapping IP routes to Cloudflare ( 10.128.0.1/32 staging and 10.128.0.1/32 production).

Dashboard

Terraform (v5)

Locally-managed tunnels To route overlapping IPs over virtual networks: First, create two unique virtual networks: In Zero Trust ↗ , go to Settings > WARP Client. Find the Virtual networks setting and select Manage. Select Create virtual network. Name your virtual network staging-vnet and select Save. Repeat Steps 1a-1d to create another virtual network called production-vnet . Next, create a Cloudflare Tunnel for each private network: Go to Networks > Tunnels. Select Create a tunnel. Name your tunnel Staging tunnel and select Save tunnel. Install the connector within your staging environment. In the CIDR tab, add 10.128.0.1/32 . Select Additional settings. Under Virtual networks, select staging-vnet. Save the tunnel. Repeat Steps 2a-2g to create another tunnel called Production tunnel . Be sure to install the connector within your production environment and assign the route to production-vnet. We now have two overlapping IP addresses routed over staging-vnet and production-vnet respectively. You can use the Cloudflare WARP client to switch between virtual networks. To route overlapping IPs over virtual networks: Add the following permission to your cloudflare_api_token ↗: Cloudflare Tunnel Write Create two unique virtual networks: resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "staging_vnet" { account_id = var . cloudflare_account_id name = "staging-vnet" comment = "Staging virtual network" is_default = false } resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "production_vnet" { account_id = var . cloudflare_account_id name = "production-vnet" comment = "Production virtual network" is_default = false } Create a Cloudflare Tunnel for each private network: resource "cloudflare_zero_trust_tunnel_cloudflared" "staging_tunnel" { account_id = var . cloudflare_account_id name = "Staging tunnel" config_src = "cloudflare" } resource "cloudflare_zero_trust_tunnel_cloudflared" "production_tunnel" { account_id = var . cloudflare_account_id name = "Production tunnel" config_src = "cloudflare" } Route 10.128.0.1/32 through Staging tunnel and assign it to staging-vnet . Route 10.128.0.1/32 through Production tunnel and assign it to production-vnet . resource "cloudflare_zero_trust_tunnel_cloudflared_route" "staging_tunnel_route" { account_id = var . cloudflare_account_id tunnel_id = cloudflare_zero_trust_tunnel_cloudflared . staging_tunnel . id network = "10.128.0.1/32" comment = "Staging tunnel route" virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network . staging_vnet . id } resource "cloudflare_zero_trust_tunnel_cloudflared_route" "production_tunnel_route" { account_id = var . cloudflare_account_id tunnel_id = cloudflare_zero_trust_tunnel_cloudflared . production_tunnel . id network = "10.128.0.1/32" comment = "Production tunnel route" virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network . production_vnet . id } Get the token for each tunnel. Using the tunnel tokens, run Staging tunnel in your staging environment and run Production tunnel in your production environment. Refer to Install and run the tunnel. To route overlapping IPs over virtual networks for locally-managed tunnels: Create a tunnel for each private network: Within your staging environment, authenticate cloudflared : Terminal window cloudflared login Create a tunnel to connect your staging network to Cloudflare. Terminal window cloudflared tunnel create staging-tunnel Within your production environment, authenticate cloudflared : Terminal window cloudflared login Create a tunnel to connect your production network to Cloudflare. Terminal window cloudflared tunnel create production-tunnel The following steps may be executed from any cloudflared instance. Create two unique virtual networks. Terminal window cloudflared tunnel vnet add staging-vnet cloudflared tunnel vnet add production-vnet Before moving on, run the following command to verify that your newly created virtual networks are listed correctly: Terminal window cloudflared tunnel vnet list Default virtual network All accounts come pre-configured with a virtual network named default . You can choose a new default by typing cloudflared tunnel vnet update --default <virtual-network-name> . Configure your tunnels with the IP/CIDR range of your private networks, and assign the tunnels to their respective virtual networks. Terminal window cloudflared tunnel route ip add --vnet staging-vnet 10.128.0.3/32 staging-tunnel cloudflared tunnel route ip add --vnet production-vnet 10.128.0.3/32 production-tunnel Verify that the IP routes are listed correctly: Terminal window cloudflared tunnel route ip list We now have two overlapping IP addresses routed over staging-vnet and production-vnet respectively. Within your staging environment, create a configuration file for staging-tunnel . The configuration file will be structured as follows: tunnel: <Tunnel-UUID> credentials-file: /root/.cloudflared/credentials-file.json warp-routing: enabled: true Run your tunnel. Terminal window cloudflared tunnel run staging-tunnel Within your production environment, repeat Steps 6 and 7 for production-tunnel . You can use now the Cloudflare WARP client to switch between virtual networks.

Delete a virtual network

Dashboard

Locally-managed tunnels To delete a virtual network: In Zero Trust ↗, go to Networks > Tunnels and ensure that no IP routes are assigned to the virtual network you are trying to delete. If your virtual network is in use, delete the route or reassign it to a different virtual network. Next, go to Settings > WARP Client. Find the Virtual networks setting and select Manage. Select the three-dot menu for your virtual network and select Delete. You can optionally delete the tunnel associated with your virtual network. To delete a virtual network for locally-managed tunnels: Delete all IP routes in the virtual network. For example, Terminal window cloudflared tunnel route ip delete --vnet staging-vnet 10.128.0.3/32 (Optional) Delete the tunnel associated with the virtual network. Terminal window cloudflared tunnel delete staging-tunnel Delete the virtual network. Terminal window cloudflared tunnel vnet delete staging-vnet You can verify that the virtual network was successfully deleted by typing cloudflared tunnel vnet list .

Connect to a virtual network

Windows, macOS, and Linux

Open the WARP client. Go to Settings > Gateway with WARP > Virtual Networks. Choose the virtual network you want to connect to, for example staging-vnet .

When you visit 10.128.0.3/32 , WARP will route your request to the staging environment.

iOS, Android, and ChromeOS

Launch the Cloudflare One Agent app. Go to Advanced > Connection options > Virtual networks. Choose the virtual network you want to connect to, for example staging-vnet .