Cloudflare Tunnel

Cloudflare Tunnel creates secure connections from your infrastructure to Cloudflare's global network, providing the network connectivity that allows Workers to access your private resources.

When you create a VPC Service, you specify a tunnel ID and target service. Workers VPC then routes requests from your Worker to the specified tunnel, which establishes a connection to the specified hostname or IP address, such that the target service receives the request and returns a response back to your Worker.

To allow members to create VPC Services that represent a target service reachable via a tunnel, you must assign them the Connectivity Directory Admin role. Members must possess Connectivity Directory Bind role to bind to existing VPC Services from worker.

The tunnel maintains persistent connections to Cloudflare, eliminating the need for inbound firewall rules or public IP addresses.

Note

This section provides tunnel configuration specific to Workers VPC use cases. For comprehensive tunnel documentation including monitoring and advanced configurations, refer to the full Cloudflare Tunnel documentation.

Create and run tunnel (cloudflared)

Cloudflare Tunnel requires the installation of a lightweight and highly scalable server-side daemon, cloudflared, to connect your infrastructure to Cloudflare.

Cloudflare Tunnels can be created one of two ways:

1. Remotely-managed tunnels (recommended): Remotely-managed configurations are stored on Cloudflare, allowing you to manage the tunnel from any machine using the dashboard, API, or Terraform.
2. Locally-managed tunnels: A locally-managed tunnel is created by running cloudflared tunnel create <NAME> on the command line. Tunnel configuration is stored in your local cloudflared directory.

For Workers VPC, we recommend creating a remotely-managed tunnel through the dashboard. Follow the Tunnels for Workers VPC dashboard setup guide to create your tunnel with provided installation commands shown in the dashboard.

For locally-managed tunnels, refer to the cloudflared locally-managed tunnels guide. For manual installation, refer to the cloudflared downloads page for platform-specific installation instructions.

Important Note

Cloudflare Tunnels can either be configured for usage with Cloudflare Zero Trust or Workers VPC.

Use Tunnels with Zero Trust when you are exposing internal applications securely to your employees with Cloudflare Access and hostnames.

Use Tunnels with Workers VPC when you want to access private APIs, private databases, internal services or other HTTP services within your cloud or on-premise private network from Workers.

The same cloudflared instance can be used to cover both Zero Trust and Workers VPC use cases simultaneously.

Note

Ingress configurations for locally-managed tunnels are only relevant when using tunnels to expose services to the public internet, and are not required for Workers VPC as routing is handled by the VPC Service configuration.

Cloud platform setup guides

For platform-specific tunnel deployment instructions for production workloads:

• AWS - Deploy tunnels in Amazon Web Services
• Azure - Deploy tunnels in Microsoft Azure
• Google Cloud - Deploy tunnels in Google Cloud Platform
• Kubernetes - Deploy tunnels in Kubernetes clusters
• Terraform - Deploy tunnels using Infrastructure as Code

Refer to the full Cloudflare Tunnel documentation on how to setup Tunnels for high availability and failover with replicas.

Note

We do not recommend using cloudflared in autoscaling setups because downscaling (removing replicas) will break existing user connections to that replica. Additionally, cloudflared does not load balance across replicas; replicas are strictly for high availability and requests are routed to the nearest replica.

Next steps

• Configure VPC Services to connect your tunnels to Workers
• Review hardware requirements for capacity planning
• Review the complete Cloudflare Tunnel documentation for advanced features