Connect with cloudflared
2 min read
Cloudflare Tunnel is an outbound-only daemon service that can run on nearly any host machine and proxies local traffic once validated from the Cloudflare network. User traffic initiated from the WARP endpoint client onramps to Cloudflare, passes down your Cloudflare Tunnel connections, and terminates automatically in your local network. Traffic reaching your internal applications or services will carry the local source IP address of the host machine running the cloudflared daemon.
Create a tunnel
To connect your private network:
Log in to Zero Trust and go to Networks > Tunnels.
Select Create a tunnel.
Choose Cloudflared for the connector type and select Next.
Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example,
enterprise-VPC-01).Select Save tunnel.
Next, you will need to install
cloudflaredand run it. To do so, check that the environment under Choose an environment reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.Once the command has finished running, your connector will appear in Zero Trust.
Select Next.
In the Private Networks tab, enter the CIDR of your private network (for example,
10.0.0.0/8).Select Save tunnel.
All internal applications and services in this IP range are now connected to Cloudflare.
Best practices
- Segregate production and staging traffic among different Cloudflare tunnels.
- Add a
cloudflaredreplica to another host machine for an additional point of availability. - Distribute access to critical services (for example, private DNS, Active Directory, and other critical systems) across different tunnels for blast-radius reduction in the event of a server-side outage.
- Enable notifications in the Cloudflare dashboard to monitor tunnel health.
- Monitor performance metrics to identify potential bottlenecks.
- Update
cloudflaredregularly.