Cloudflare Tunnel

Securely connect your origin servers, APIs, and services to Cloudflare with post-quantum encrypted tunnels — no public IPs required.

Available on all plans

Cloudflare Tunnel connects your infrastructure to Cloudflare through an outbound-only, post-quantum encrypted connection. Instead of exposing a public IP, you install a lightweight daemon called cloudflared on your server. It creates a persistent tunnel to Cloudflare's global network, so all traffic to your origins flows through Cloudflare — where CDN caching, WAF, Bot Management, and DDoS protection are applied automatically.

No open inbound ports. No public IPs. No attack surface.

How it works

Install cloudflared on your server or network.
cloudflared establishes outbound, post-quantum encrypted connections to Cloudflare — no inbound ports or firewall changes required.
Map public hostnames to local services (for example, app.example.com to http://localhost:8080).
Traffic flows through Cloudflare's network to your origin, with full CDN and security applied.

Each tunnel maintains four long-lived connections to two Cloudflare data centers for built-in redundancy. You can run multiple cloudflared replicas for additional high availability.

How an HTTP request reaches an origin connected with Cloudflare Tunnel

Use cases

Secure origin connectivity — Eliminate public origin IPs. All traffic flows through Cloudflare with CDN, WAF, and DDoS protection applied.
Public ingress routing — Publish internal applications to the internet by mapping public hostnames to local services. Supports HTTP, HTTPS, TCP, SSH, RDP, and more.
Workers VPC — Enable Cloudflare Workers to securely access private databases, APIs, and services through your tunnel.
Load Balancing — Use tunnels as origin endpoints in Cloudflare Load Balancer pools for high availability and intelligent traffic steering.