Cloudflare Docs
Load Balancing
Load Balancing
Edit this page on GitHub
Set theme to dark (⇧+D)

Set up private IPs with Cloudflare Tunnel

Consider the following steps to learn how to configure Cloudflare local traffic management (LTM) solution, using Cloudflare Tunnel as the off-ramp to securely connect to your private/internal services.

​​ 1. Configure a Cloudflare tunnel with an assigned virtual network

The specific configuration steps can vary depending on your infrastructure and services you are looking to connect. If you are not familiar with Cloudflare Tunnel, the pages linked on each step provide more guidance.

  1. Create a tunnel.
  2. Deploy the tunnel to connect to the data center hosting the origin servers.
  3. Create a virtual network and assign it to the tunnel you configured in the previous steps.

To create a virtual network:

  1. Within the Zero Trust dashboard, go to Settings > WARP Client and find the Virtual networks setting.
  2. Select Add new or Manage > Create virtual network to create virtual networks.
  3. Define your virtual network name and select Save.

To assign the virtual network to the tunnel:

  1. Go to Networks > Tunnels.
  2. Select the tunnel you created in the previous steps and select Configure.
  3. Under Private Network, select Add a private network.
  4. Specify an IP range under CIDR and select the virtual network under Additional settings.
  5. Select Save private network.

To create a virtual network:

$ cloudflared tunnel vnet add <VNET_NAME>

To assign the virtual network to the tunnel:

$ cloudflared tunnel route ip add --vnet <VNET_NAME> <IP_RANGE> <TUNNEL_NAME>

​​ 2. Configure Cloudflare Load Balancing

Once you have Cloudflare tunnels with associated virtual networks (VNets) configured, the VNets can be specified for each origin when you create or edit a pool. This will enable Cloudflare load balancers to use the correct tunnel and securely reach the private IP origins.

  1. Create the Load Balancing monitor according to your needs.
  2. Create the origin pool specifying your private origin IP addresses and corresponding virtual networks.

You can create a pool within the load balancer workflow or in the Origin Pools section of the dashboard:

  1. Go to Traffic > Load Balancing.

  2. Select Manage Pools and then Create.

  3. For your pool, enter the following information:

    • A name (must be unique)
    • A description to provide more detail on the name
    • A choice for Origin Steering, which affects how your pool routes traffic to each origin
  4. For each origin, enter the following information:

    • A name (must be unique)
    • The origin server address or associated hostname
    • (Optional) A Virtual Network. Required when the origin has a private IP address.
    • A Weight
    • (Optional) A hostname by clicking Add host header
  1. Repeat this process for additional origins in the pool.

  2. (Optional) Set up coordinates for Proximity Steering on the pool.

  3. On the origin pool, update the following information:

    • Health Threshold: The Health Threshold is the number of healthy origins for the pool as a whole to be considered Healthy and receive traffic based on pool order in a load balancer. Increasing this number makes the pool more reliable, but also more likely to become unhealthy.
    • Monitor: Attach a monitor
    • Health Monitor Regions: Choose whether to check pool health from multiple locations, which increases accuracy but can lead to probe traffic to your origin
    • Pool Notifications: You can set up new alerts - and view existing alerts - to be notified when pools are enabled or disabled, or pools or origins have changes in their health status.
  4. When finished, select Save.

To get a list of your current virtual networks, use the List virtual networks API operation.

Enable virtual/private IP support by adding the virtual_network_id field to the origins in you API request. Refer to the Cloudflare Load Balancer API documentation for more information on how to create a pool using the API.

Consider the following example for updating an existing Load Balancer pool with a Virtual IP origin using cURL.

$ curl --request PATCH \<account_id>/load_balancers/pools/<pool_id> \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <email>' \
--header 'X-Auth-Key: <key>' \
--data '{
"origins": [
"name": "origin-1",
"address": "",
"enabled": true,
"weight": 1,
"virtual_network_id": "a5624d4e-044a-4ff0-b3e1-e2465353d4b4"
  1. Create the load balancer, specifying the pool and monitor you created in the previous steps, as well as the desired load-balancing method.