This guide covers how to connect an Amazon Web Services (AWS) EC2 instance to Cloudflare using cloudflared and publish a web application through a Cloudflare Tunnel.

Prerequisites

1. Create an EC2 instance

1. From the AWS console, go to Compute > EC2 > Instances.
2. Select Launch instance.
3. Name your VM instance. In this example we will name it http-test-server.
4. For Amazon Machine Image (AMI), choose your desired operating system and specifications. For this example, we will use Ubuntu Server 24.04 LTS (HVM), SSD Volume Type.
5. For Instance type, you can select t2.micro which is available on the free tier.
6. In Key pair (login), create a new key pair to use for SSH. You will need to download the .pem file onto your local machine.
7. In Network settings, select Create security group.
8. Turn on the following Security Group rules:
   - Allow SSH traffic from My IP to prevent the instance from being publicly accessible.
   - Allow HTTPS traffic from the internet
   - Allow HTTP traffic from the internet
9. Select Launch instance.
10. Once the instance is up and running, go to the Instances summary page and copy its Public IPv4 DNS hostname (for example, ec2-44-202-59-16.compute-1.amazonaws.com).
11. To log in to the instance over SSH, open a terminal and run the following commands:

cd Downloads
chmod 400 "YourKeyPair.pem"

ssh -i "YourKeyPair.pem" ubuntu@ec2-44-202-59-16.compute-1.amazonaws.com

Run sudo su to gain full admin rights to the instance. For testing purposes, you can deploy a basic Apache web server on port 80:

apt update
apt -y install apache2
cat << EOF > /var/www/html/index.html
<html><body><h1>Hello Cloudflare!</h1>
<p>This page was created for a Cloudflare demo.</p>
</body></html>
EOF

To verify that the Apache server is running, open a browser and go to http://ec2-44-202-59-16.compute-1.amazonaws.com (make sure to connect over http, not https). You should see the Hello Cloudflare! test page.

2. Create a tunnel

1. In the Cloudflare dashboard, go to Networking > Tunnels.
2. Select Create Tunnel and enter a name (for example, aws-tunnel).
3. Select Create Tunnel.
4. Under Setup Environment, select Debian 64-bit.
5. Copy the install commands and run them on your EC2 instance.
6. Once the tunnel connects, select Continue.

3. Publish an application

1. Under Routes, select Add route > Published application.
2. Enter a hostname (for example, hellocloudflare.<your-domain>.com).
3. Under Service, enter http://localhost:80.
4. Select Add route.

To test, open a browser and go to the hostname you configured. You should see your web server's page.

Looking for private network access? To connect to your EC2 instance via private IP using the WARP client, refer to the Cloudflare One Tunnel documentation.

Firewall configuration

To secure your AWS instance, you can configure your Security Group rules to deny all inbound traffic and allow only outbound traffic to the Cloudflare Tunnel IP addresses. All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules.

Note: If you delete the inbound rule for port 22, you will be unable to SSH back into the instance.
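
To check the result of this lockdown, the following added Python example (not part of the Cloudflare documentation) audits `aws ec2 describe-security-groups` JSON output: it reports every remaining inbound rule and every outbound rule whose destination falls outside an allowlist. The group ID, the sample rules and the 198.51.100.0/24 allowlist are constructed placeholders, and only CIDR-based rules are examined.

```python
import ipaddress
import json

# Placeholder range (RFC 5737 documentation prefix), not a real Cloudflare
# address: replace with the Cloudflare Tunnel destination ranges you allow.
TUNNEL_CIDRS = ["198.51.100.0/24"]

# Constructed sample shaped like `aws ec2 describe-security-groups` JSON output.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
  "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 7844, "ToPort": 7844,
     "IpRanges": [{"CidrIp": "198.51.100.0/25"}], "Ipv6Ranges": []}]}]}
""")

def _cidrs(rule):
    """Every IPv4 and IPv6 CIDR named in one rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def _inside(cidr, nets):
    """True if cidr is fully contained in one of the allowed networks."""
    dst = ipaddress.ip_network(cidr, strict=False)
    return any(dst.version == n.version and dst.subnet_of(n) for n in nets)

def audit(groups, allowed=TUNNEL_CIDRS):
    """Flag every inbound rule, and every egress rule that leaves `allowed`."""
    nets = [ipaddress.ip_network(c) for c in allowed]
    findings = []
    for g in groups["SecurityGroups"]:
        for rule in g.get("IpPermissions", []):
            for cidr in _cidrs(rule):
                findings.append((g["GroupId"], "inbound", rule.get("FromPort"), cidr))
        for rule in g.get("IpPermissionsEgress", []):
            for cidr in _cidrs(rule):
                if not _inside(cidr, nets):
                    findings.append((g["GroupId"], "egress", rule.get("FromPort"), cidr))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

An empty result means the group has no inbound rules left and its outbound rules stay within the allowlist. The port 22 rule is reported like any other inbound rule, so you can decide whether to keep it for SSH access.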