Private network routing
Private network routing allows you to proxy HTTP/HTTPS traffic from public hostnames to origins in your private network. When you enable this setting on a DNS record, Cloudflare routes traffic through your configured tunnel instead of over the public Internet.
Before you enable private network routing, consider the following:
- You need an active tunnel connection to Cloudflare through one of the supported on-ramp methods. Refer to Cloudflare WAN for further guidance.
- Private network routing is available for `A` (IPv4) and `AAAA` (IPv6) records only. Records must be proxied.
- If you have multiple `A` or `AAAA` records on the same name, and at least one of them has private network routing enabled, all records on that name will use private network routing. This is consistent with the proxy status behavior in these cases.
The following private address ranges are automatically detected:
| Range | Description |
|---|---|
| `10.0.0.0/8` | Private (RFC 1918) |
| `172.16.0.0/12` | Private (RFC 1918) |
| `192.168.0.0/16` | Private (RFC 1918) |
| `fc00::/7` | Private (RFC 4193) |
| `100.64.0.0/10` | CGNAT (RFC 6598) |
When you use an IP address from one of these ranges, the Use private network routing toggle turns on automatically. You can also turn it on manually for public IP addresses that are only reachable through your tunnel.
- In the Cloudflare dashboard, go to the DNS Records page.
- Select Add record or select Edit on an existing `A` or `AAAA` record.
- Enter the origin IP address.
- Verify that Proxy status is enabled (orange cloud).
- Turn on Use private network routing.
  For private IP addresses (for example, `10.0.0.50`), the toggle turns on automatically. For public IP addresses used with private infrastructure, turn on the toggle manually.
- Select Save.
To create a record with private routing enabled, use a POST request and set private_routing to true:
Required API token permissions

At least one of the following token permissions is required:

- DNS Write

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "type": "A",
    "name": "app.example.com",
    "content": "10.0.0.50",
    "proxied": true,
    "private_routing": true
  }'
```

To enable private routing on an existing record, use a PATCH request:
Required API token permissions

At least one of the following token permissions is required:

- DNS Write

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "private_routing": true
  }'
```

If you use the API to create or edit DNS records with private network routing, consider the following:
| Scenario | private_routing value |
|---|---|
| Proxied `A`/`AAAA` record with private IP | Auto-set to `true` |
| Proxied `A`/`AAAA` record with public IP | Defaults to `false` |
| Non-`A`/`AAAA` record types | Field not supported |
Also, if you manually set private_routing: false on a proxied A/AAAA record with private IP, the API will return an error.
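The rules in the table above, together with the per-name behavior described earlier, can be checked locally before any payload is sent. The following is an added example, not Cloudflare code: the function names and the sample records are constructed for illustration, and it does not call the API.

```python
import ipaddress

# Ranges the page lists as automatically detected.
DETECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "100.64.0.0/10")]

def is_detected_private(content):
    ip = ipaddress.ip_address(content)
    return any(ip in net for net in DETECTED)

def check_record(rec):
    """Return (effective private_routing, problems) for one planned payload."""
    problems = []
    requested = rec.get("private_routing")
    if rec["type"] not in ("A", "AAAA"):
        if requested is not None:
            problems.append("private_routing not supported on this record type")
        return False, problems
    if not rec.get("proxied", False):
        if requested:
            problems.append("record must be proxied for private network routing")
        return False, problems
    if is_detected_private(rec["content"]):
        if requested is False:
            problems.append("private_routing false on a proxied private IP: API returns an error")
        return True, problems          # auto-set to true
    return bool(requested), problems   # public IP defaults to false

def review(records):
    """Per-record problems, plus A/AAAA records pulled into private routing by a sibling."""
    results = [(rec, *check_record(rec)) for rec in records]
    private_names = {rec["name"] for rec, eff, _ in results if eff}
    findings = []
    for rec, eff, problems in results:
        findings += [(rec["name"], rec["content"], p) for p in problems]
        if rec["type"] in ("A", "AAAA") and not eff and rec["name"] in private_names:
            findings.append((rec["name"], rec["content"], "routed privately: a sibling record on this name has it enabled"))
    return findings

# Constructed sample payloads (only app.example.com / 10.0.0.50 appears on the page).
SAMPLE = [
    {"type": "A", "name": "app.example.com", "content": "10.0.0.50", "proxied": True},
    {"type": "A", "name": "app.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "db.example.com", "content": "100.64.1.5", "proxied": True, "private_routing": False},
    {"type": "CNAME", "name": "www.example.com", "content": "app.example.com", "private_routing": True},
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

The second sample record is the case to watch for: a public origin on a name that already has a privately routed record will also be sent through the tunnel.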
This error occurs when you proxy a private IP address without the necessary entitlement. Contact your account team to request access.
Check for other records on the same name.
Private network routing applies per name, not per record. If you have multiple A or AAAA records on the same name and at least one of them has private network routing enabled, all records on that name will use private network routing.
If traffic is not reaching your private origin:
- Verify your tunnel is active and healthy in the Cloudflare dashboard.
- Confirm the origin IP is routable within your private network.
- Check that `private_routing` is set to `true` on the DNS record.
- Verify the record has proxy status enabled.