Cloudflare Tunnel

Protect your web servers from direct attack

From the moment an application is deployed, developers and IT spend time locking it down — configuring ACLs, rotating IP addresses, and using clunky solutions like GRE tunnels.

There’s a simpler and more secure way to protect your applications and web servers from direct attacks: Cloudflare Tunnel.

Ensure your server is safe, no matter where it’s running: public cloud, private cloud, Kubernetes cluster, or even a Mac mini under your TV.


Challenges of protecting origin infrastructure

Your origin IP addresses and open ports are exposed and vulnerable to advanced attackers, even when they’re behind your cloud-based security services. Some common ways to stop these direct DDoS or data breach attempts include monitoring incoming IP addresses through access control lists (ACLs) and enabling IP security via GRE tunnels.

Compared to other network security solutions — like secure tunneling software — these approaches are often slow and expensive, time-consuming to set up and maintain, and lack fully integrated encryption.

Securely connect origins directly to Cloudflare

Cloudflare Tunnel is tunneling software that lets you quickly secure and encrypt application traffic to any type of infrastructure, so you can hide your web server IP addresses, block direct attacks, and get back to delivering great applications.

Here’s how it works:

The Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center, all without opening any public inbound ports.

Once you lock down all origin server ports and protocols with your firewall, any requests sent directly to the origin on HTTP/S ports are dropped, including volumetric DDoS attacks. Data breach attempts — such as snooping of data in transit or brute force login attacks — are blocked entirely.

Learn more about how we built Tunnel — and how we're continuing to improve it.

Protect web servers from direct attacks

Tunnel works with Cloudflare DDoS Protection and Web Application Firewall (WAF) to defend your web properties from attacks.

Once you deploy the Tunnel daemon and lock down your firewall, all inbound web traffic is filtered through Cloudflare’s network.

Now, your web server’s firewall can block volumetric DDoS attacks and data breach attempts from reaching your application’s origin servers.

Secure access to internal applications

Tunnel allows you to quickly deploy infrastructure in a Zero Trust environment, so all requests to your resources first pass through Cloudflare’s robust security filters.

When Tunnel is combined with Cloudflare Access, our comprehensive Zero Trust access solution, users are authenticated by major identity providers (like G Suite and Okta) without the help of a VPN.

Applications once accessible to anyone through the origin IP are now only accessible to authenticated users through Cloudflare’s network.

And you can restrict access to internal applications (including those in development environments) that you’d like to make externally facing.

Learn more about how Cloudflare enables Zero Trust security.

Accelerate origin traffic with Argo Smart Routing

Any organization can create Cloudflare Tunnels, for free! Try getting started by connecting an origin to Cloudflare with a single command.

Organizations can also augment their Tunnels by adding Argo Smart Routing, which improves application performance by using Cloudflare's private network to route visitors through the least congested and most reliable paths. Smart Routing reduces average origin traffic latency by 30% and connection errors by 27%.

Learn more about adding Argo Smart Routing to your subscription.

Key Features

Easy-to-install agent with low performance overhead
Command-line configuration
Built-in DDoS protection
Load balancing across origin pools with Cloudflare Load Balancer
Custom tags to identify tunnels
Encrypted tunnels with TLS (origin-side certificates)
Application and protocol-level error logging

Trusted by millions of Internet properties

DoorDash, Garmin, 23andMe, LendingTree, NCR, Thomson Reuters, Zendesk