Tunnel limits/overages?
Hello!
I have a CDN that I'm testing behind a CF Tunnel, however, I'm curious if there are bandwidth/throughput billing overages and/or limitations. When I review the "Account Limits" KBA, it doesn't specify anything about that and all of the billing info I can see stipulates 50+ users, but I didn't want to catch a surprise bill. If there was some other billing mechanism that would be tripped based on data throughput usage I'd just abandon the tunnel and create a firewall rule and NAT policy since I'll have a few thousand devices pulling various files of all sizes including some ISO files in the 4-14GB range.
Account Limits Citation:
https://developers.cloudflare.com/cloudflare-one/account-limits/#cloudflare-tunnel-limitations
ZeroTrust Billing Citation:
https://www.cloudflare.com/plans/zero-trust-services/
4 Replies
The biggest limitation is just with the fact that all tunnel traffic goes through the CDN, and the CDN terms say no large files/video, just primarily web pages/web assets:
https://www.cloudflare.com/service-specific-terms-application-services/#content-delivery-network-terms
Cloudflare’s content delivery network (the “CDN”) Service can be used to cache and serve web pages and websites. Unless you are an Enterprise customer, Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN. Cloudflare reserves the right to disable or limit your access to or use of the CDN, or to limit your End Users’ access to certain of your resources through the CDN, if you use or are suspected of using the CDN without such Paid Services to serve video or a disproportionate percentage of pictures, audio files, or other large files. We will use reasonable efforts to provide you with notice of such action.
Oh! That's very helpful. Thank you! I figured there were other "gotchas" that I just didn't know I didn't know about.
even then though they're more targeting big bandwidth users not just private services for friends, and you'll get emails first: https://discord.com/channels/595317990191398933/1128753516081582192/1129499373722673243
a few thousand devices downloading gigabytes of iso files does sound excessive though, depends on rate..
Cloudflare R2, Cloudflare's S3-compatible storage service, is exempt from that clause and you only pay for requests and not bandwidth, potentially an option
Yeah, though this one is for professional use. I have my home lab and Plex service through my personal tunnel, but the current deployment for this is to force the Windows 11 upgrade via ISO since MSFT is making the download URLs GUIDs that expire... so rather than dealing with that mess I figured I'd host my own file but didn't want to set up an SFTP server so I opted for a PSITransfer docker container and then created the tunnel for it. I expect it will transfer in the vicinity of 23-30 TB in the next week or two 🤣
The server running the containers is in our colo datacenter, so I can just make a macvlan network, a static IP for the container and create the relevant firewall rule/NAT policy for it.
I just like the tunnel to obfuscate my IP and mitigate attack surface by having a block rule for the domain as a whole and a bypass rule for the specific path to the file(s) that are there to help limit any vulns that may exist on the container.
Ultimately, not a big deal since it's in a DMZ on a dedicated subnet with no access to anything but the internet, but if it were compromised it could still pose blacklist issues on my datacenter IPs and I'd like to avoid that 🤣