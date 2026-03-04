Securely connect your origin servers, APIs, and services to Cloudflare with post-quantum encrypted tunnels — no public IPs required.

Available on all plans

Cloudflare Tunnel connects your infrastructure to Cloudflare through an outbound-only, post-quantum encrypted connection. Instead of exposing a public IP, you install a lightweight daemon called cloudflared on your server. It creates a persistent tunnel to Cloudflare's global network, so all traffic to your origins flows through Cloudflare — where CDN caching, WAF, Bot Management, and DDoS protection are applied automatically.

No open inbound ports. No public IPs. No attack surface.

How it works

Install cloudflared on your server or network. cloudflared establishes outbound, post-quantum encrypted connections to Cloudflare — no inbound ports or firewall changes required. Map public hostnames to local services (for example, app.example.com to http://localhost:8080 ). Traffic flows through Cloudflare's network to your origin, with full CDN and security applied.

Each tunnel maintains four long-lived connections to two Cloudflare data centers for built-in redundancy. You can run multiple cloudflared replicas for additional high availability.

Use cases

Secure origin connectivity — Eliminate public origin IPs. All traffic flows through Cloudflare with CDN, WAF, and DDoS protection applied.

— Eliminate public origin IPs. All traffic flows through Cloudflare with CDN, WAF, and DDoS protection applied. Public ingress routing — Publish internal applications to the internet by mapping public hostnames to local services. Supports HTTP, HTTPS, TCP, SSH, RDP, and more.

— Publish internal applications to the internet by mapping public hostnames to local services. Supports HTTP, HTTPS, TCP, SSH, RDP, and more. Workers VPC — Enable Cloudflare Workers to securely access private databases, APIs, and services through your tunnel.

— Enable Cloudflare Workers to securely access private databases, APIs, and services through your tunnel. Load Balancing — Use tunnels as origin endpoints in Cloudflare Load Balancer pools for high availability and intelligent traffic steering.

Looking for Zero Trust and private networking? For VPN replacement, private network access, and network traffic filtering, refer to the Cloudflare One Tunnel documentation.

Get started