Skip to content

gRPC

gRPC is a Remote Procedure Call (RPC) framework that allows client applications to call methods on a remote server as if they were running on the same local machine. You can connect gRPC servers and clients to Cloudflare's global network, making it easier to build applications that use services across different data centers and environments.

Cloudflare Tunnel supports gRPC traffic via private subnet routing. Public hostname deployments are not currently supported.



In this example, we will connect a gRPC server to Cloudflare using the cloudflared daemon, secure the server with Gateway policies, and open a gRPC channel to the server using the Cloudflare WARP client.

1. Set up a gRPC server

  1. To set up a gRPC Python application, follow this quick start guide.

  2. Start the server:

Terminal window
~/grpc/examples/python/helloworld $ python3 greeter_server.py
WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
I0000 00:00:1721770418.373806 3677 config.cc:230] gRPC experiments enabled: call_status_override_on_cancellation, event_engine_dns, event_engine_listener, http2_stats_fix, monitoring_experiment, pick_first_new, trace_record_callops, work_serializer_clears_time_cache
Server started, listening on 50051

2. Connect the server to Cloudflare

To establish a secure, outbound-only connection to Cloudflare:

  1. Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.

  2. In the Private Networks tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP).

3. Route private network IPs through WARP

By default, WARP excludes traffic bound for RFC 1918 space, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.

  1. First, check whether your Split Tunnels mode is set to Exclude or Include mode.

  2. If you are using Include mode, add your network's IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.

  3. If you are using Exclude mode:

    1. Delete your network's IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete 172.16.0.0/12.
    2. Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, and 172.30.0.0/16. This ensures that only traffic to 172.31.0.0/16 routes through WARP.

By tightening the private IP range included in WARP, you reduce the risk of breaking a user's access to local resources.

You can configure Gateway network policies to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass device posture checks, and the second blocks all other traffic. Make sure that the Allow policy has higher priority.

1. Allow secured devices

SelectorOperatorValueLogicAction
Destination Portis50051AndAllow
Destination IPis172.31.0.133And
Passed Device Posture ChecksismacOS firewall (Firewall)And
Passed Device Posture ChecksismacOS disk encryption (Disk encryption)

2. Block everything else

SelectorOperatorValueAction
Destination IPin172.31.0.0/16Block

For more details on setting up the Gateway proxy, refer to Filter network traffic with Gateway.

5. Set up the client

gRPC clients can connect to the server by installing Cloudflare WARP on the device and enrolling in your Zero Trust organization. When the client makes a request to a private IP exposed through Cloudflare Tunnel, WARP routes the connection through Cloudflare's network to the corresponding tunnel.

To set up the gRPC client:

  1. Deploy the WARP client on your device in Gateway with WARP mode.
  2. Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
  3. Install gRPC on the device by following this quick start guide.
  4. Modify greeter.py to point to the private IP of your gRPC server. This is the same private IP configured in your Cloudflare Tunnel routes. For example,
def run():
# NOTE(gRPC Python Team): .close() is possible on a channel and should be
# used in circumstances in which the with statement does not fit the needs
# of the code.
print("Will try to greet world ...")
with grpc.insecure_channel("172.31.0.133:50051") as channel:
stub = helloworld_pb2_grpc.GreeterStub(channel)
response = stub.SayHello(helloworld_pb2.HelloRequest(name="you"))
print("Greeter client received: " + response.message)

6. Test the connection

  1. On the client device, ensure that WARP is Connected.
  2. Run the gRPC client application:
Terminal window
~/grpc/examples/python/helloworld $ python3 greeter_client.py
Will try to greet world ...
WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
I0000 00:00:1721771484.489711 4414247 config.cc:230] gRPC experiments enabled: call_status_override_on_cancellation, event_engine_dns, event_engine_listener, http2_stats_fix, monitoring_experiment, pick_first_new, trace_record_callops, work_serializer_clears_time_cache
Greeter client received: Hello, you!

You can view Tunnel logs to validate that requests are coming into the tunnel and reaching the gRPC server as intended.