GCP

This guide covers how to connect a Google Cloud Platform (GCP) virtual machine to Cloudflare using cloudflared and publish a web application through a Cloudflare Tunnel.

Prerequisites

• A Google Cloud Project ↗
• A zone on Cloudflare

1. Create a VM instance

1. In your Google Cloud Console ↗, create a new project ↗.

2. Go to Compute Engine > VM instances.

3. Select Create instance.

4. Name your VM instance. In this example we will name it http-test-server.

5. Choose your desired operating system and specifications. For this example, you can use the following settings:

   • Machine family: General Purpose
   • Series: E2
   • Machine type: e2-micro
   • Boot disk image: Debian GNU/Linux 12
   • Firewalls: Allow HTTP and HTTPS traffic

6. Under Advanced options > Management > Automation, add the following startup script. This example deploys a basic Apache web server on port 80.

   #!/bin/bash
   apt update
   apt -y install apache2
   cat <<EOF > /var/www/html/index.html
   <html><body><h1>Hello Cloudflare!</h1>
   <p>This page was created for a Cloudflare demo.</p>
   </body></html>
   EOF

7. Select Create.

8. The operating system automatically starts the Apache HTTP server. To verify that the server is running:

   1. Copy the External IP for the VM instance.
   2. Open a browser and go to http://<EXTERNAL IP>. You should see the Hello Cloudflare! test page.

9. To login to the VM instance, open the dropdown next to SSH and select Open in browser window.

2. Create a tunnel

1. In the Cloudflare dashboard ↗, go to Networking > Tunnels.
2. Select Create Tunnel and enter a name (for example, gcp-tunnel).
3. Select Create Tunnel.
4. Under Setup Environment, select Debian 64-bit.
5. SSH into your VM and run the install commands shown in the dashboard.
6. Once the tunnel connects, select Continue.

3. Publish an application

1. Under Routes, select Add route > Published application.
2. Enter a hostname (for example, hellocloudflare.<your-domain>.com).
3. Under Service, enter http://localhost:80.
4. Select Add route.

To test, open a browser and go to the hostname you configured.

You can optionally add Cloudflare Access to control who can reach the service.

Looking for private network access?

To connect to your VM via private IP using the WARP client, refer to the Cloudflare One Tunnel documentation.

Firewall configuration

To secure your VM instance, you can configure your VPC firewall rules ↗ to deny all ingress traffic and allow only egress traffic to the Cloudflare Tunnel IP addresses. Since GCP denies ingress traffic by default ↗, you can delete all ingress rules and leave only the relevant egress rules.

Note

If you delete the default allow-ssh rule, you will be unable to SSH back into the VM.

After configuring your VPC firewall rules, verify that you can still access the service through Cloudflare Tunnel via its public hostname. The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to http://<EXTERNAL IP> the test page should no longer load.