Tunnel with firewall
You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from cloudflared
. Only the services specified in your tunnel configuration will be exposed to the outside world.
The parameters below can be configured for egress traffic inside of a firewall.
cloudflared
connects to Cloudflare's global network on port 7844
. To use Cloudflare Tunnel, your firewall must allow outbound connections to the following destinations on port 7844
(via UDP if using the quic
protocol or TCP if using the http2
protocol).
Domain | IPv4 | IPv6 | Port | Protocols |
---|---|---|---|---|
region1.v2.argotunnel.com | 198.41.192.167 198.41.192.67 198.41.192.57 198.41.192.107 198.41.192.27 198.41.192.7 198.41.192.227 198.41.192.47 198.41.192.37 198.41.192.77 | 2606:4700:a0::1 2606:4700:a0::2 2606:4700:a0::3 2606:4700:a0::4 2606:4700:a0::5 2606:4700:a0::6 2606:4700:a0::7 2606:4700:a0::8 2606:4700:a0::9 2606:4700:a0::10 | 7844 | TCP/UDP (http2 /quic ) |
region2.v2.argotunnel.com | 198.41.200.13 198.41.200.193 198.41.200.33 198.41.200.233 198.41.200.53 198.41.200.63 198.41.200.113 198.41.200.73 198.41.200.43 198.41.200.23 | 2606:4700:a8::1 2606:4700:a8::2 2606:4700:a8::3 2606:4700:a8::4 2606:4700:a8::5 2606:4700:a8::6 2606:4700:a8::7 2606:4700:a8::8 2606:4700:a8::9 2606:4700:a8::10 | 7844 | TCP/UDP (http2 /quic ) |
_v2-origintunneld._tcp.argotunnel.com 1 | Not applicable | Not applicable | 7844 | TCP (http2 ) |
cftunnel.com 1 | Not applicable | Not applicable | 7844 | TCP/UDP (http2 /quic ) |
h2.cftunnel.com 1 | Not applicable | Not applicable | 7844 | TCP (http2 ) |
quic.cftunnel.com 1 | Not applicable | Not applicable | 7844 | UDP (quic ) |
1 This rule is only required for firewalls that enforce SNI.
Opening port 443 enables some optional features. Failure to allow these connections may prompt a log error, but cloudflared
will still run correctly.
Domain | IPv4 | IPv6 | Port | Protocols | Description |
---|---|---|---|---|---|
api.cloudflare.com | 104.19.192.29 104.19.192.177 104.19.192.175 104.19.193.29 104.19.192.174 104.19.192.176 | 2606:4700:300a::6813:c0af 2606:4700:300a::6813:c01d 2606:4700:300a::6813:c0ae 2606:4700:300a::6813:c11d 2606:4700:300a::6813:c0b0 2606:4700:300a::6813:c0b1 | 443 | TCP (HTTPS) | Allows cloudflared to query if software updates are available. |
update.argotunnel.com | 104.18.25.129 104.18.24.129 | 2606:4700::6812:1881 2606:4700::6812:1981 | 443 | TCP (HTTPS) | Allows cloudflared to query if software updates are available. |
github.com | GitHub's IP addresses ↗ | GitHub's IP addresses ↗ | 443 | TCP (HTTPS) | Allows cloudflared to download the latest release and perform a software update. |
<your-team-name>. cloudflareaccess.com | 104.19.194.29 104.19.195.29 | 2606:4700:300a::6813:c31d 2606:4700:300a::6813:c21d | 443 | TCP (HTTPS) | Allows cloudflared to validate the Access JWT. Only required if the access setting is enabled. |
pqtunnels. cloudflareresearch.com | 104.18.4.64 104.18.5.64 | 2606:4700::6812:540 2606:4700::6812:440 | 443 | TCP (HTTPS) | Allows cloudflared to report post-quantum key exchange ↗ errors to Cloudflare. |
If you host your services on a virtual machine (VM) instance in a cloud provider, you may set up instance-level firewall rules to block all ingress traffic and allow only egress traffic. For example, on Google Cloud Platform (GCP), you may delete all ingress rules, leaving only the relevant egress rules. This is because GCP's firewall denies ingress traffic unless it matches an explicit rule.
Alternatively, you may use operating system (OS)-level firewall rules to block all ingress traffic and allow only egress traffic. For example, if your server runs on Linux, you may use iptables
to set up firewall rules:
-
Check your current firewall rules.
-
Allow
localhost
to communicate with itself. -
Allow already established connection and related traffic.
-
Allow new SSH connections.
-
Drop all other ingress traffic.
-
After setting the firewall rules, use this command to check the current
iptables
settings:
Run your tunnel and check that all configured services are still accessible to the outside world via the tunnel, but not via the external IP address of the server.
You can also secure your application with Cloudflare Access.
To test your connectivity to Cloudflare, you can use the dig
command to query the hostnames listed above. Note that cloudflared
defaults to connecting with IPv4.
On Windows, you can use PowerShell commands if dig
is not available.
To test DNS:
To test ports: