Connect your key server to Cloudflare without exposing it to the Internet.
Integrations
Cloudflare Tunnel integrates with other Cloudflare products to extend connectivity, security, and availability for your applications.
Beyond publishing public applications, Cloudflare Tunnel is the connectivity layer for Cloudflare One — Cloudflare's SASE platform. The same post-quantum encrypted tunnels that serve your public applications can also serve private traffic when combined with the WARP client:
- Private applications — Expose internal web apps, SSH servers, RDP hosts, and other services to authenticated users without making them publicly reachable.
- Private networks — Route entire IP ranges (RFC 1918, custom CIDRs) through a tunnel, replacing site-to-site VPNs. Users on WARP-enrolled devices reach private IPs as if they were on your private network.
- Network traffic filtering — Apply DNS, HTTP, and network-level policies through Cloudflare Gateway to all traffic flowing through the tunnel.
If you are using Cloudflare Tunnel for Zero Trust network access, VPN replacement, or private network connectivity, refer to the Cloudflare One Tunnel documentation for setup and configuration.
Related: Connect private networks | SSH guide | RDP guide | Replace your VPN
Workers VPC enables Cloudflare Workers to access private resources such as databases, internal APIs, and other services. Cloudflare Tunnel serves as the connectivity layer, establishing a post-quantum encrypted outbound connection from your private network to Cloudflare.
Get started: Create a tunnel and then follow the Workers VPC guide to configure VPC Services.
Related: Connect to a private API | Connect to an S3 bucket
Cloudflare Load Balancing distributes traffic across multiple origins using health checks, steering algorithms, and failover logic. Combined with Tunnel, Load Balancing lets you distribute traffic to origins that have no publicly routable IP addresses.
Each tunnel is assigned a subdomain (<UUID>.cfargotunnel.com). Add this subdomain as an endpoint in a Load Balancer pool, with the application hostname as the host header.
Get started: Refer to Load Balancing setup for step-by-step instructions.
Related: Tunnel replicas | Load Balancing reference architecture
Cloudflare Access provides an identity-aware proxy that authenticates every request to your applications. Combined with Tunnel, Access lets you publish internal web applications to the Internet while ensuring only authorized users can reach them. You can configure Access policies based on user identity, source IP ranges, service tokens for machine-to-machine authentication, and more.
Get started: Publish a self-hosted application.
Related: Identity providers | Validate Access JWTs
Cloudflare Spectrum extends DDoS protection and traffic acceleration to non-HTTP protocols. You can route Spectrum application traffic to origins connected via Tunnel using a DNS CNAME record or Load Balancer.
Spectrum integration with Tunnel is only supported for HTTP and HTTPS applications. For the full list of limitations, refer to the Spectrum limitations documentation.
TLS 1.3 tunnels with post-quantum key agreement between your data centers and Cloudflare.
Restrict tunnel connectivity to specific regions for data residency requirements.
Use Tunnel with Cloudflare for SaaS to enhance your SaaS application origin security.
Connect Hyperdrive to a private database through Cloudflare Tunnel.