System configuration
System requirements
Our connector, cloudflared
, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server in a data center.
Unlike legacy VPNs where throughput is determined by the server's memory, CPU and other hardware specifications, Cloudflare Tunnel throughput is primarily limited by the number of ports configured in system software. Therefore, when sizing your cloudflared
server, the most important element is sizing the available ports on the machine to reflect the expected throughput of TCP and UDP traffic.
For most use cases, we recommend the following baseline configuration:
- Run a
cloudflared
replica on two dedicated host machines per network location. Using two hosts enables server-side redundancy and traffic balancing. - Size each host with minimum 4GB of RAM and 4 CPU cores.
- Allocate 50,000 ports to the
cloudflared
process on each host.
This setup is usually sufficient to handle traffic from 8,000 WARP users (4,000 per host). The actual amount of resources used by cloudflared
will depend on many variables, including the number of requests per second, bandwidth, network path and hardware. As additional users are onboarded, or if network traffic increases beyond your existing tunnel capacity, you can scale your tunnel by adding an additional cloudflared
host in that location.
When cloudflared
receives a request from a WARP device, it uses the ports on the host machine to evaluate and forward the request to your origin service. Every machine by system design is hardware-limited to a maximum 65,535 ports. Additionally, each service on the machine has a limited number of ports that it can consume. For this reason, we recommend the following deployment model:
cloudflared
should be deployed on a dedicated host machine. This model is typically appropriate, but there may be serverless or clustered workflows where a dedicated host is not possible.- The host machine should allocate 50,000 ports to be available for use by the
cloudflared
service. The remaining ports are reserved for system administrative processes.
To increase the number of ports available to cloudflared
on Linux:
If your machine has a /etc/sysctl.d/
directory:
Otherwise:
To increase the number of ports available to cloudflared
on Windows, set the dynamic port range ↗ for TCP and UDP:
On Linux and macOS, ulimit
settings determine the system resources available to a logged-in user. We recommend configuring the following ulimits on the cloudflared
server:
ulimit | Description | Value |
---|---|---|
-n | Maximum number of open files or file descriptors | ≥ 70,000 |
To view your current ulimits, open a terminal and run:
To set the open files ulimit
:
Most private network traffic proxied by cloudflared
falls in one of two categories:
- TCP requests (more common, less resource intensive)
- UDP requests (less common, more resource intensive)
TCP traffic uses and releases ports almost instantaneously. This means that in order to overload a cloudflared
instance with 50,000 available ports, your organization would need to continuously generate 50,001 TCP requests per second.
UDP traffic is more unique. DNS queries - usually the bulk of UDP traffic - are held by ports in cloudflared
for five seconds. Non-DNS UDP traffic holds each port for the duration of the connection, which can be any amount of time. This means that in order to overload a cloudflared
instance with 50,000 available ports, you would need to continuously generate either 10,000 DNS queries to your private resolver per second, or a cumulative 50,000 non-DNS UDP requests over a shorter time than your connection reset rate.
Our baseline recommendations serve as a starting point for a Cloudflare Tunnel deployment. Once you have a representative population of users engaging with your network for at least a week, you can customize tunnel sizing according to your own traffic patterns.
To calculate your tunnel capacity:
- Set up a metrics service when you run the tunnel.
- After a week or so, query the following tunnel metrics:
cloudflared_tcp_total_sessions
cloudflared_udp_total_sessions
- Compute the average TCP requests per second and Non-DNS UDP requests per second by dividing total sessions by total time.
- In your private DNS resolver, obtain the average Private DNS requests per second.
- Input your values into our sizing calculator:
Metrics
Result
You can use these results to determine if your tunnel is appropriately sized. To increase your tunnel capacity, add identical host machines running cloudflared
replicas.