Cloudflare Tunnel integrates with other Cloudflare products to extend connectivity, security, and availability for your applications.

Cloudflare One (private networking)

Beyond publishing public applications, Cloudflare Tunnel is the connectivity layer for Cloudflare One — Cloudflare's SASE platform. The same post-quantum encrypted tunnels that serve your public applications can also serve private traffic when combined with the WARP client:

Private applications — Expose internal web apps, SSH servers, RDP hosts, and other services to authenticated users without making them publicly reachable.

Private networks — Route entire IP ranges (RFC 1918, custom CIDRs) through a tunnel, replacing site-to-site VPNs. Users on WARP-enrolled devices reach private IPs as if they were on your private network.

Network traffic filtering — Apply DNS, HTTP, and network-level policies through Cloudflare Gateway to all traffic flowing through the tunnel.

If you are using Cloudflare Tunnel for Zero Trust network access, VPN replacement, or private network connectivity, refer to the Cloudflare One Tunnel documentation for setup and configuration.

Related: Connect private networks | SSH guide | RDP guide | Replace your VPN

Workers VPC

Workers VPC enables Cloudflare Workers to access private resources such as databases, internal APIs, and other services. Cloudflare Tunnel serves as the connectivity layer, establishing a post-quantum encrypted outbound connection from your private network to Cloudflare.

Get started: Create a tunnel and then follow the Workers VPC guide to configure VPC Services.

Related: Connect to a private API | Connect to an S3 bucket

Load Balancing

Cloudflare Load Balancing distributes traffic across multiple origins using health checks, steering algorithms, and failover logic. Combined with Tunnel, you can load balance traffic to origins without publicly routable IP addresses.

Each tunnel is assigned a subdomain (<UUID>.cfargotunnel.com). Add this subdomain as an endpoint in a Load Balancer pool with the application hostname as the host header.

Get started: Refer to Load Balancing setup for step-by-step instructions.

Related: Tunnel replicas | Load Balancing reference architecture

Cloudflare Access

Cloudflare Access provides an identity-aware proxy that authenticates every request to your applications. Combined with Tunnel, Access lets you publish internal web applications to the Internet while ensuring only authorized users can reach them. You can configure Access policies based on user identity, source IP ranges, service tokens for machine-to-machine authentication, and more.

Get started: Publish a self-hosted application.

Related: Identity providers | Validate Access JWTs

Spectrum

Cloudflare Spectrum extends DDoS protection and traffic acceleration to non-HTTP protocols. You can route Spectrum application traffic to origins connected via Tunnel using a DNS CNAME record or Load Balancer.

Spectrum integration with Tunnel is only supported for HTTP and HTTPS applications. For the full list of limitations, refer to the Spectrum limitations documentation.

Additional integrations