--- title: Connectivity options description: Connectivity options in Zero Trust networking. image: https://developers.cloudflare.com/zt-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Connectivity options Cloudflare One provides multiple connectivity options for your users, devices, and network infrastructure. Each option serves different use cases, from protecting individual devices to connecting entire data centers. This page helps you understand which connectivity options to use based on your requirements, and how to combine multiple options in a single deployment. ## Cloudflare One on-ramps and off-ramps Cloudflare One connectivity options use the concept of on-ramps and off-ramps: * **On-ramps** send traffic into Cloudflare's network. For example, a user's device with the Cloudflare One Client installed on-ramps their traffic to Cloudflare for inspection and policy enforcement. * **Off-ramps** send traffic from Cloudflare's network to your infrastructure. For example, Cloudflare Tunnel off-ramps traffic to your private applications without exposing them to the public Internet. Some connectivity options support both directions (bidirectional), while others only support one direction. ## Connectivity options comparison The following table provides a high-level comparison of all connectivity options available to Cloudflare One customers. **Table 1: All Cloudflare One connectivity options** | Connectivity option | Protocol | Direction | Typical deployment model | Use when | | ----------------------------------------------------------------------- | --------------------------- | ------------- | --------------------------------------- | ------------------------------------------------- | | [Cloudflare Tunnel](#cloudflare-tunnel) | HTTP/2, QUIC | Off-ramp only | Software daemon (cloudflared) on server | Exposing private applications without a public IP | | [Cloudflare One Client](#cloudflare-one-client) | MASQUE (default), WireGuard | Bidirectional | Client software on end-user devices | Securing remote workforce devices | | [Cloudflare Mesh](#cloudflare-mesh) | MASQUE | Bidirectional | Software client on Linux host | Connecting sites with IoT or VoIP devices | | [DNS locations](#dns-locations) | DNS (DoH, DoT, IPv4/IPv6) | On-ramp only | DNS resolver configuration | Filtering DNS traffic without device agents | | [Proxy endpoints](#proxy-endpoints) | HTTP/HTTPS | On-ramp only | Browser PAC file configuration | Filtering web traffic without device agents | | [Clientless Web Isolation](#clientless-web-isolation) | HTTP/HTTPS | On-ramp only | Prefixed URL with Access authentication | Secure web access for unmanaged devices | | [GRE tunnels](#gre-tunnels) | GRE | Bidirectional | Network tunnel from router or firewall | Connecting sites with existing network hardware | | [IPsec tunnels](#ipsec-tunnels) | IPsec | Bidirectional | Network tunnel from router or firewall | Encrypted site connectivity over the Internet | | [Cloudflare One Appliance](#cloudflare-one-appliance) | IPsec | Bidirectional | Hardware or virtual appliance | Zero-touch branch office deployments | | [Cloudflare Network Interconnect](#cloudflare-network-interconnect-cni) | Direct, Partner, Cloud | Bidirectional | Physical or virtual cross-connect | Bypassing the public Internet entirely | | [Multi-Cloud Networking](#multi-cloud-networking) | IPsec (automated) | Bidirectional | Cloud provider VPN integration | Connecting cloud VPCs with automated tunnel setup | --- ## Cloudflare Tunnel Cloudflare Tunnel provides a secure way to connect your resources to Cloudflare without a publicly routable IP address. The `cloudflared` daemon creates outbound-only connections to Cloudflare's global network over port `7844` (TCP/UDP) using HTTP/2 or QUIC. This allows you to expose web servers, SSH servers, remote desktops, and other services without opening inbound ports on your firewall. Use Cloudflare Tunnel when you need to expose private web applications, protect origin servers by hiding their IP addresses, or deploy cloud-native ingress for Kubernetes services. Important to know Cloudflare Tunnel is off-ramp only and does not support server-initiated protocols (VoIP, SIP). Your origin sees the `cloudflared` process IP instead of the original client IP. For HTTP traffic, use the `CF-Connecting-IP` header to retrieve the client IP. For non-HTTP protocols (SSH, RDP, TCP), the original source IP is not available to the origin server. For detailed configuration, refer to the [Cloudflare Tunnel documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/). --- ## Cloudflare One Client The Cloudflare One Client is a device agent that securely connects end-user devices to Cloudflare's global network. The Cloudflare One Client encrypts traffic from the device using MASQUE (with post-quantum cryptography) or WireGuard and routes it through Cloudflare, where Gateway policies filter and inspect the traffic. Use Cloudflare One Client to secure remote workforce devices, replace traditional VPN solutions, enforce DNS filtering and web security policies, implement device posture checks, and enable [Mesh connectivity](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) between enrolled devices. Important to know Cloudflare One Client is a bidirectional L3 tunnel — it on-ramps device traffic to Cloudflare and can also off-ramp traffic sent to the device's virtual IP address. Any connectivity option that routes traffic through Cloudflare's network (for example, IPsec tunnels, GRE tunnels, CNI, or another device via [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)) can initiate connections towards a Cloudflare One Client-enrolled device. For detailed configuration, refer to the [Cloudflare One Client documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). --- ## Cloudflare Mesh (beta) Cloudflare Mesh connects your services and devices with post-quantum encrypted networking. Every enrolled device and mesh node receives a private [Mesh IP](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/#mesh-ips) and can communicate with any other participant over TCP, UDP, or ICMP — including device-to-device without any infrastructure. Mesh nodes run the Cloudflare One Client (`warp-cli`) in headless mode on Linux servers. They can advertise [CIDR routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/routes/) to make subnets behind them reachable, enabling connectivity to devices that cannot run the client (IoT, printers, legacy servers). All traffic preserves source IP addresses end-to-end. Use Cloudflare Mesh for bidirectional connectivity (VoIP, SIP, AD updates, SCCM, DevOps), site-to-site networking, device-to-device connectivity, or any scenario where source IP preservation is important. For outbound-only access to private services, [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) (`cloudflared`) is simpler to deploy and runs on all platforms. Cloudflare WAN compatibility Accounts on Legacy routing mode do not support Cloudflare Mesh when Cloudflare WAN (formerly Magic WAN) is enabled. Your account must be on [Cloudflare One Unified Routing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta) for both to work together. Note Cloudflare Mesh supports [high availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) with active-passive replicas for nodes with CIDR routes. For detailed configuration, refer to the [Cloudflare Mesh documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/). --- ## DNS locations DNS locations allow you to filter DNS traffic from networks without deploying the Cloudflare One Client. By configuring your network's DNS resolver to point to Cloudflare Gateway, Gateway applies DNS policies to all queries from that location. DNS locations support multiple endpoint types: * **IPv4/IPv6**: Standard DNS resolution using Cloudflare's resolver IPs * **DNS over HTTPS (DoH)**: Encrypted DNS queries over HTTPS * **DNS over TLS (DoT)**: Encrypted DNS queries over TLS Use DNS locations when you need to filter DNS traffic for an entire office or network, per device without installing agents on devices, or integrate with existing network infrastructure. Important to know DNS locations filter DNS traffic only. To filter HTTP traffic, use the Cloudflare One Client or proxy endpoints. For identity-based DNS policies without the Cloudflare One Client, configure [DNS over HTTPS with user tokens](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-https/#filter-doh-requests-by-user). To resolve internal domain names or route queries to private DNS servers, use [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) (Enterprise only). For detailed configuration, refer to the [DNS locations documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/). --- ## Proxy endpoints Proxy endpoints allow you to apply Cloudflare Gateway HTTP policies without installing a client on devices. By configuring a Proxy Auto-Configuration (PAC) file at the browser level, you route web traffic through Gateway for filtering and policy enforcement. Cloudflare One supports two types of proxy endpoints: * **Authorization endpoints**: Use Cloudflare Access for identity-based authentication * **Source IP endpoints**: Authorize traffic based on originating IP address (Enterprise only) Use proxy endpoints when you need to filter web traffic without device agents, integrate with existing proxy infrastructure, or deploy Gateway alongside other security tools. Important to know Proxy endpoints only filter HTTP/HTTPS traffic routed through the PAC file. They do not support UDP traffic, HTTP/3, non-browser applications, or Browser Isolation. For detailed configuration, refer to the [Proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/). --- ## Clientless Web Isolation Clientless Web Isolation allows users to securely access web applications through a remote browser without installing the Cloudflare One Client. Users navigate to a prefixed URL (`https://.cloudflareaccess.com/browser/`), authenticate through Cloudflare Access, and Cloudflare renders the web content in an isolated browser, streaming only [safe draw commands ↗](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/) to the user's device while enforcing isolation policies. Use Clientless Web Isolation when you need to provide secure web access for unmanaged devices (contractors, BYOD), enable access to sensitive applications without requiring endpoint software, or on-ramp users who cannot install the Cloudflare One Client. Important to know Clientless Web Isolation requires the Browser Isolation add-on and user authentication through Cloudflare Access. Gateway HTTP and DNS policies apply to isolated traffic. For detailed configuration, refer to the [Clientless Web Isolation documentation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). --- ## GRE tunnels Generic Routing Encapsulation (GRE) tunnels provide lightweight, stateless network connectivity between your infrastructure and Cloudflare. GRE tunnels are used with Cloudflare WAN (formerly Magic WAN) and Magic Transit to connect sites, data centers, and cloud environments using existing routers and firewalls. Use GRE tunnels when you need to connect branch offices or data centers with minimal configuration overhead, integrate with Magic Transit for DDoS protection, or deploy redundant tunnels alongside IPsec. Important to know GRE does not encrypt traffic — use IPsec if encryption is required. GRE requires a static public IP and careful MTU planning (1,476 bytes MTU, MSS clamping at 1,436 bytes or lower). For detailed configuration, refer to the [GRE and IPsec tunnels documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/). --- ## IPsec tunnels IPsec tunnels provide encrypted, stateful network connectivity between your infrastructure and Cloudflare. IPsec tunnels are used with Cloudflare WAN and Magic Transit for secure site-to-site connectivity, using IKEv2 for tunnel negotiation and AES-GCM or AES-CBC for encryption. Use IPsec tunnels when you need to encrypt traffic over the public Internet, meet compliance requirements for encrypted connections, or replace expensive MPLS links. Important to know Requires a static public IP and supports IKEv2 only (not IKEv1). If behind NAT, initiate IKE on port `4500`. When traffic from Cloudflare WAN egresses to the public Internet through Gateway, source IP addresses are translated to Cloudflare dedicated egress IP addresses. For cloud environments (AWS, Azure, GCP), use [Multi-Cloud Networking](#multi-cloud-networking) to automate IPsec tunnel creation instead of configuring tunnels manually. For detailed configuration, refer to the [GRE and IPsec tunnels documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/gre-ipsec-tunnels/). Key consideration IPsec and GRE tunnels require a Cloudflare WAN subscription. --- ## Cloudflare One Appliance Cloudflare One Appliance (formerly Magic WAN Connector) is a plug-and-play SD-WAN appliance that automates connectivity to Cloudflare's network. It establishes IPsec tunnels automatically and provides traffic steering. You can deploy it as a hardware appliance (Dell VEP1460) or virtual appliance (VMware ESXi, Proxmox). Use Cloudflare One Appliance for zero-touch branch office deployments, to replace edge routers, achieve high throughput (1 Gbps or higher), or manage multiple sites through a centralized dashboard. Key consideration Cloudflare One Appliance requires a Cloudflare WAN subscription and dedicated hardware or VM (cannot run alongside other software on the same host). For detailed configuration, refer to the [Cloudflare One Appliance documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliances/). --- ## Cloudflare Network Interconnect (CNI) Cloudflare Network Interconnect (CNI) allows you to connect your network infrastructure directly to Cloudflare through private, dedicated connections that bypass the public Internet. CNI provides predictable latency, consistent throughput, and reduced exposure to attacks. Use CNI when you need to meet security requirements that prohibit public Internet traffic, reduce cloud egress costs, or deploy in highly regulated industries (financial services, healthcare). ### CNI connection types The following table describes the Cloudflare Network Interconnect (CNI) connection types. **Table 2: Cloudflare One CNI connection types** | Type | Description | Ideal for | | ------------------------ | ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | | **Direct Interconnect** | Physical fiber cross-connect in a shared data center | Customers colocated with Cloudflare who require maximum control and performance | | **Partner Interconnect** | Virtual connection through connectivity partners (Megaport, Equinix Fabric, PacketFabric) | Customers not colocated with Cloudflare or who prefer managed connectivity | | **Cloud Interconnect** | Private connection from cloud providers (AWS, GCP, Azure) | Customers with workloads in public clouds requiring private connectivity | Key consideration CNI requires an Enterprise plan and is available only in locations where Cloudflare has interconnect facilities. Important to know CNI supports both Magic Transit (DDoS protection) and Cloudflare WAN (private networking). CNI also supports [BGP peering](https://developers.cloudflare.com/network-interconnect/get-started/) (closed beta) with the Cloudflare Virtual Network routing table for dynamic route exchange. BGP over CNI is not currently available to new customers — contact your account team if you are interested. When used with Magic Transit, cleaned inbound traffic always flows over CNI. Return traffic can either egress directly to the Internet (Direct Server Return, default) or route back through Cloudflare via [Magic Transit Egress](https://developers.cloudflare.com/magic-transit/reference/egress/). For detailed configuration, refer to the [Cloudflare Network Interconnect documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/network-interconnect/). --- ## Multi-Cloud Networking Multi-Cloud Networking (formerly Magic Cloud Networking) is an automation layer that simplifies connecting cloud environments to Cloudflare WAN. Rather than manually configuring IPsec tunnels, Multi-Cloud Networking automatically discovers your cloud resources and creates the necessary VPN tunnels and routes on both sides (cloud provider and Cloudflare WAN). Multi-Cloud Networking is not a separate tunnel type — it orchestrates your cloud provider's native VPN functionality (AWS VPN Gateway, Azure VPN, GCP Cloud VPN) to establish IPsec connectivity to Cloudflare WAN. ### Use cases * Connect AWS, Azure, or GCP VPCs to Cloudflare WAN with minimal configuration * Automate tunnel and route creation instead of manual IPsec setup * Connect multiple VPCs through a hub architecture (AWS Transit Gateway) * Simplify multi-cloud networking across different providers ### Cloudflare One Multi-Cloud on-ramp types The following table describes the Multi-Cloud Networking on-ramp types. **Table 3: Cloudflare One Multi-Cloud Networking on-ramp types** | Type | Description | Use when | | -------------- | ----------------------------------------------------------------------------- | -------------------------------------------------------------- | | **Single VPC** | Connects one VPC directly to Cloudflare WAN via VPN tunnel | You have a single VPC to connect | | **Hub** | Connects multiple VPCs through a cloud hub (for example, AWS Transit Gateway) | You need to connect multiple VPCs with inter-VPC communication | ### Supported cloud providers * AWS (single VPC and hubs) * Azure (single VPC) * GCP (single VPC) Key consideration Multi-Cloud Networking requires a Cloudflare WAN subscription with Multi-Cloud Networking. Contact your account team to enable Multi-Cloud Networking. ### Deployment notes * **Azure VNet sizing**: Multi-Cloud Networking creates a GatewaySubnet (`/27`) within your VNet for the Azure VPN Gateway. Ensure your VNet has sufficient address space. A `/20` or larger VNet is recommended to avoid address exhaustion. * **Cloud provider costs**: Multi-Cloud Networking uses your cloud provider's native VPN services. Standard VPN gateway and data transfer costs from your cloud provider apply in addition to Cloudflare WAN costs. * **Tunnel creation time**: Cloud provider VPN gateways can take 15-45 minutes to provision. Plan for this delay when onboarding new VPCs. For detailed configuration, refer to the [Multi-Cloud Networking documentation](https://developers.cloudflare.com/multi-cloud-networking/). --- ## Choose the right Cloudflare One connectivity option The following table maps common requirements to recommended Cloudflare One connectivity options. These are not exhaustive recommendations. **Table 4\. Recommend Cloudflare One connectivity options for common requirements** | Requirement | Recommended option | | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Expose a private web application without a public IP | [Cloudflare Tunnel](#cloudflare-tunnel) | | Secure end-user devices | [Cloudflare One Client](#cloudflare-one-client) | | Replace traditional VPN for remote access | [Cloudflare Tunnel](#cloudflare-tunnel) (primary) + [Cloudflare Mesh](#cloudflare-mesh) (for bidirectional needs) | | Connect a site with IoT devices or VoIP systems | [GRE](#gre-tunnels) or [IPsec tunnels](#ipsec-tunnels) (from existing router/firewall), [Cloudflare One Appliance](#cloudflare-one-appliance) (zero-touch deployment), or [Cloudflare Mesh](#cloudflare-mesh) (requires a Linux host) | | Connect a branch office using existing routers | [GRE](#gre-tunnels) or [IPsec tunnels](#ipsec-tunnels) | | Encrypt traffic over the public Internet | [IPsec tunnels](#ipsec-tunnels) | | Zero-touch branch office deployment | [Cloudflare One Appliance](#cloudflare-one-appliance) | | Connect cloud VPCs (AWS, Azure, GCP) with minimal configuration | [Multi-Cloud Networking](#multi-cloud-networking) | | Bypass the public Internet entirely | [Cloudflare Network Interconnect](#cloudflare-network-interconnect-cni) | | High-throughput enterprise connectivity | [Cloudflare One Appliance](#cloudflare-one-appliance) or [CNI](#cloudflare-network-interconnect-cni) | Note The connectivity options on this page connect your private infrastructure, sites, and users through Cloudflare's network. If you also need to protect public-facing services, these are handled by separate products: * **Non-HTTP traffic** (TCP/UDP protocols such as gaming, email, or custom services) — refer to [Spectrum](https://developers.cloudflare.com/spectrum/). * **Network-level DDoS protection** (for on-premises, cloud-hosted, and hybrid networks) — refer to [Magic Transit](https://developers.cloudflare.com/magic-transit/). ### Cloudflare One recommendations by team The team driving your Cloudflare One connectivity project influences which option provides the smoothest adoption path. The following table provides examples. **Table 5\. Cloudflare One connectivity recommendations for teams** | Primary team | Recommended starting point | Rationale | | ----------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | | Security / InfoSec | [Cloudflare Tunnel](#cloudflare-tunnel) \+ [Cloudflare One Client](#cloudflare-one-client) | Minimal network infrastructure changes required. Security controls are managed within the Cloudflare One dashboard. | | Network Operations | [Cloudflare WAN](#ipsec-tunnels) (IPsec/GRE) or [Cloudflare One Appliance](#cloudflare-one-appliance) | Familiar routing and tunnel configuration. Integrates with existing network equipment and workflows. | | DevOps / Platform Engineering | [Cloudflare Mesh](#cloudflare-mesh) or [Cloudflare Tunnel](#cloudflare-tunnel) | Software-defined deployment. Scriptable via API. No hardware dependencies. | | Facilities / Branch IT | [Cloudflare One Appliance](#cloudflare-one-appliance) | Zero-touch deployment with centralized management. No on-site networking expertise required. | ### Cloudflare Mesh and Cloudflare One Appliance comparison Cloudflare Mesh and Cloudflare One Appliance both provide site-level connectivity, but serve different deployment scenarios. | Aspect | Cloudflare Mesh | Cloudflare One Appliance | | --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | | **Protocol** | MASQUE | IPsec | | **Deployment model** | Software on Linux host (can run alongside other workloads) | Dedicated hardware appliance or virtual machine | | **Best for** | Cloud VPCs, development environments, smaller deployments with an available Linux host | Enterprise branch offices, data centers, sites requiring high throughput (1 Gbps+) | | **Platform support** | Linux only (x86\_64, ARM64). Currently in beta. | Hardware appliance (Dell VEP1460) or virtual (VMware ESXi, Proxmox) | | **High availability** | [Active-passive replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) for nodes with routes | Supported through multiple connectors per site | | **Management** | Configured as a device in the Cloudflare One Client settings | Centralized through the Cloudflare WAN dashboard with zero-touch provisioning | Use Cloudflare Mesh when you need lightweight, software-only connectivity for cloud workloads or sites where a Linux host is available. Use Cloudflare One Appliance when you need enterprise-grade throughput, high availability, or integration with existing network infrastructure. --- ## Combine Cloudflare One connectivity options Most enterprise Cloudflare One deployments use multiple connectivity options together. This section covers compatibility considerations and common deployment patterns. ### Cloudflare One connectivity compatibility matrix Not all Cloudflare One connectivity options work together in the same account. Review the following compatibility information before designing your deployment. **Table 7\. Cloudflare One connectivity compatibility** | Combination | Compatible | Notes | | ----------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Cloudflare Mesh + Cloudflare WAN | Conditional | Requires [Cloudflare One Unified Routing](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta). Accounts on Legacy routing mode cannot use both. | | Cloudflare One Client + Cloudflare WAN | Yes | Cloudflare One Client users can access Cloudflare WAN-connected sites. Cloudflare WAN sites can also initiate connections to Cloudflare One Client devices using their virtual IP addresses. | | Cloudflare Tunnel + Cloudflare WAN | Yes | Avoid overlapping IP routes. Cloudflare Tunnel takes priority if the same CIDR is configured for both. | | GRE + IPsec | Yes | Use for redundancy or migration scenarios. | | CNI + GRE or IPsec | Yes | Use Internet-based GRE or IPsec tunnels as backup connectivity alongside CNI. | | Cloudflare One Client + Cloudflare Tunnel + Cloudflare Mesh | Yes | Common pattern for remote access to private applications. All three work together. | | CNI + Cloudflare Tunnel | Conditional | cloudflared connects to multiple Cloudflare regions for redundancy. If CNI only advertises one region, the tunnel operates with reduced redundancy. Evaluate whether Cloudflare Tunnel is necessary if CNI already provides private connectivity. | ### Cloudflare One routing considerations When using multiple Cloudflare One connectivity options, follow these guidelines to avoid routing conflicts: * **Avoid overlapping CIDR ranges**: Do not configure the same IP range for multiple tunnel types. If an overlap exists, Cloudflare Tunnel takes priority over Cloudflare WAN routes. * **No automatic failover**: Cloudflare does not automatically fail over traffic between different connectivity options. Plan your routing to handle failures within each tunnel type. * **Virtual Networks**: Use [Virtual Networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) to handle overlapping private IP ranges from different environments (for example, multiple cloud VPCs using `10.0.0.0/8`). ### Cloudflare One MTU planning When layering Cloudflare One tunnels or using multiple encapsulation methods, account for overhead to prevent fragmentation. **Table 8\. Effective MTU values for Cloudflare One tunnel types** | Scenario | Effective MTU | MSS clamping | | ------------------------------------------------------------------ | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | | GRE tunnel | 1,476 bytes | 1,436 bytes or lower | | IPsec tunnel | 1,400-1,436 bytes (varies by encryption) | 1,360-1,396 bytes | | Cloudflare One Client behind Cloudflare WAN (double encapsulation) | \~1,300 bytes | Configure based on testing | | Cloudflare Mesh to Cloudflare One Client | \~1,280 bytes | Configure based on testing. Traffic is encapsulated twice: by Cloudflare Mesh and again by Cloudflare before delivery to the Cloudflare One Client. | Configure MSS clamping on your edge devices to ensure TCP traffic does not require fragmentation. ### Cloudflare One source IP preservation Cloudflare One connectivity options handle source IP addresses differently. The following table shows how each Cloudflare One connectivity option handles source IP addresses. **Table 9\. Cloudflare One source IP behavior** | Connectivity option | Source IP behavior | | ------------------------ | ------------------------------------------------------------------------------------- | | Cloudflare Tunnel | Origin sees the cloudflared process IP. Use CF-Connecting-IP header for HTTP traffic. | | Cloudflare Mesh | Preserves original source IP end-to-end. | | GRE and IPsec tunnels | Preserves original source IP within the tunnel. | | Cloudflare One Appliance | Preserves original source IP within the tunnel. | Source IP preservation is required for: * VoIP and SIP protocols that embed IP addresses in signaling * Audit logging that requires client IP visibility * Applications that make authorization decisions based on source IP ### Cloudflare One Traffic direction capabilities The following table shows traffic direction support for each Cloudflare One connectivity option. **Table 10\. Cloudflare One connectivity traffic direction support** | Connectivity option | Client-initiated traffic | Server-initiated traffic | | ------------------------ | ------------------------ | ------------------------ | | Cloudflare Tunnel | Yes | No | | Cloudflare One Client | Yes | Yes | | Cloudflare Mesh | Yes | Yes | | GRE and IPsec tunnels | Yes | Yes | | Cloudflare One Appliance | Yes | Yes | | CNI | Yes | Yes | If your application requires server-initiated connections (for example, VoIP callbacks, database replication), use a bidirectional connectivity option such as Cloudflare One Client, Cloudflare Mesh, Cloudflare WAN (IPsec/GRE), or CNI. Cloudflare Tunnel does not support server-initiated traffic. --- ## Common Cloudflare One deployment patterns The following patterns illustrate how organizations combine Cloudflare One connectivity options for different scenarios. ### Enterprise with remote workers and branch offices This pattern serves organizations with a distributed workforce and multiple physical locations. **Components:** * **Cloudflare One Client** for remote employees, providing secure access from any location * **IPsec tunnels** (via Cloudflare WAN) for branch offices with existing network infrastructure * **Cloudflare Tunnel** for specific internal applications that need clientless browser access **Traffic flow:** 1. Remote employees connect through the Cloudflare One Client, which on-ramps their traffic to Cloudflare. 2. Gateway policies inspect and filter traffic based on user identity and device posture. 3. Traffic destined for branch office resources routes through IPsec tunnels to Cloudflare WAN-connected sites. 4. Traffic destined for specific applications routes through Cloudflare Tunnel to origin servers. ### Cloud-first organization This pattern serves organizations with primarily cloud-based infrastructure and minimal on-premises equipment. **Components:** * **Multi-Cloud Networking** for cloud VPCs (AWS, GCP, Azure), automating IPsec tunnel creation to Cloudflare WAN * **Cloudflare Tunnel** for Kubernetes services and containerized applications * **Cloudflare One Client** for employee devices **Traffic flow:** 1. Multi-Cloud Networking automatically creates IPsec tunnels between cloud VPCs and Cloudflare WAN. 2. Cloudflare Tunnel provides ingress for external-facing applications. 3. Employees access cloud resources through the Cloudflare One Client. **Alternative:** For organizations not using Cloudflare WAN, Cloudflare Mesh can provide bidirectional connectivity for cloud VPCs. Note that accounts on Legacy routing mode cannot use Cloudflare Mesh and Cloudflare WAN together. ### Highly regulated enterprise This pattern serves organizations with strict compliance requirements that prohibit traffic from traversing the public Internet. **Components:** * **Cloudflare Network Interconnect (CNI)** for primary connectivity from data centers * **IPsec tunnels** as backup connectivity in case of CNI issues * **Cloudflare One Client** for remote employees **Traffic flow:** 1. Data center traffic routes through CNI, never touching the public Internet. 2. IPsec tunnels provide backup connectivity if CNI experiences issues. 3. Remote employees connect through the Cloudflare One Client over the public Internet (encrypted). 4. Gateway policies enforce compliance rules on all traffic regardless of connectivity method. --- ## Related resources * [SASE reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/) \- Guide to deploying Cloudflare One * [WAN transformation](https://developers.cloudflare.com/cloudflare-wan/wan-transformation/) \- Plan your migration from legacy WAN to Cloudflare One * [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) * [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) * [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) * [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) * [WAN Connectors on-ramps](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/on-ramps/) \- Full list of supported on-ramps * [Multi-Cloud Networking](https://developers.cloudflare.com/multi-cloud-networking/) \- Automate cloud VPC connectivity * [Magic Transit](https://developers.cloudflare.com/magic-transit/) * [Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/appliances/) * [Cloudflare Network Interconnect](https://developers.cloudflare.com/network-interconnect/) * [Virtual Networks](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) * [DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) \- Filter DNS traffic without device agents * [Proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) \- Filter web traffic using PAC files * [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) \- Secure web access without device agents For implementation guidance on combining Cloudflare One connectivity options, refer to the [SASE reference architecture](https://developers.cloudflare.com/reference-architecture/architectures/sase/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/networks/","name":"Networks"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/networks/connectivity-options/","name":"Connectivity options"}}]} ```