Argo Tunnel
Protect Your Web Servers from Direct Attack
From the moment an application is deployed, developers and IT spend time locking it down: configuring ACLs, rotating IP addresses, and using clunky solutions like GRE tunnels.
There’s a simpler and more secure way to protect your applications and web servers from direct attacks: Cloudflare’s Argo Tunnel.
Ensure your server is safe, no matter where it’s running: public cloud, private cloud, Kubernetes cluster, or even a Mac mini under your TV.
Already a customer? Get Started
Co-Founder and CTO at Netwrk
Challenges of Protecting Origin Infrastructure
Your origin IP addresses and open ports are exposed and vulnerable to advanced attackers, even when they’re behind your cloud-based security services. Some common ways to stop these direct DDoS or data breach attempts include: creating ACL’s and whitelisting incoming IP addresses, or establishing GRE tunnels and enabling IP security.
These approaches are painful to setup and maintain, lack fully integrated encryption, and can be slower or more costly.
Securely Connect Origins Directly to Cloudflare
Cloudflare’s lightweight Argo Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center — all without opening any public inbound ports.
After locking down all origin server ports and protocols using your firewall, any request on HTTP/S ports are dropped, including volumetric DDoS attacks. Data breach attempts — such as snooping of data in transit or brute force login attacks — are blocked entirely.
Argo Tunnel lets you quickly secure and encrypt application traffic to any type of infrastructure, freeing you to focus on delivering great applications. Now you can encrypt origin traffic and hide your web server IP addresses so direct attacks can’t happen.
Protect Web Servers from Direct Attacks
After you deploy the Argo Tunnel daemon and lock down your firewall, only inbound web traffic through Cloudflare’s network ever reaches your application’s origin servers.
Now your web server’s firewall blocks volumetric DDoS attacks and customer data breach attempts.
Secure Access to Internal Applications
Argo Tunnel is the perfect solution for only allowing the right people to access internal applications (including those in development environments) that you’d like to make externally facing.
When Argo Tunnel is combined with Cloudflare Access, users are authenticated by major identity providers, like Gsuite and Okta, without a VPN.
Applications once accessible to anyone through the origin IP are now only accessible by authenticated users through Cloudflare’s network.
Accelerate Origin Traffic with Smart Routing
To use Argo Tunnel, you’ll need to enable your Argo subscription in the Cloudflare dashboard. Argo includes access to: Smart Routing, Tunnel, and Tiered Caching.
Argo Smart Routing improves application performance by routing visitors through the least congested and most reliable paths, using Cloudflare's private network. Smart Routing reduces average origin traffic latency by 30% and connection errors by 27%.
Argo Tunnel Walkthrough
Setting up Argo Tunnel to protect origin servers and ports is easy
- Install Tunnel Daemon
- Login to Cloudflare
- Start a Tunnel
- Confirm Lockdown
$ brew install cloudflare/cloudflare/cloudflared
==> Installing cloudflared from
cloudflare/cloudflare
==> Downloading https://warp.cloudflare.com/
dl/warp-2018.3.0-darwin-amd64.tgz
$ cloudflared login
$ cloudflared --hostname tunnel.example.com
--url http://localhost:8000
INFO Registered at https://tunnel.example.com
$ netcat -v -z [Origin IP Address] 80
[Origin IP Address] 80 (http):
Connection refused
$ netcat -v -z [Origin IP Address] 443
[Origin IP Address] 443 (https):
Connection refused
Key Features
Argo Smart Routing included
Easy-to-install agent with low performance overhead
Command-line configuration
Load-balanced across origin pools (when used with Cloudflare Load Balancer)
Custom tags to identify tunnels
Encrypted tunnels with TLS (origin-side certificates)
Application and protocol-level error logging
Everyone can start using Argo Today
To start using Argo Tunnel, you'll need a Cloudflare plan and an Argo subscription. By enabling Argo in the Cloudflare dashboard, you’ll receive access to Smart Routing, Tiered Caching, and Tunnel.
Already a customer? Get Started
Argo for Cloudflare’s Free Plan
+ $5/Month
First 1 GB of transfer free; $0.10 per GB thereafter.
Includes Smart Routing, Tunnel, and Tiered Caching
Argo for Cloudflare’s Pro Plan
+ $5/Month
First 1 GB of transfer free; $0.10 per GB thereafter.
Includes Smart Routing, Tunnel, and Tiered Caching
Argo for Cloudflare’s Business Plan
+ $5/Month
First 1 GB of transfer free; $0.10 per GB thereafter.
Includes Smart Routing, Tunnel, and Tiered Caching
Argo for Cloudflare’s Enterprise Plan
Custom
Custom Pricing
Includes Smart Routing, Tunnel, and Tiered Caching*
* Tiered Caching included by default on all Enterprise plans
