Is it possible to connect a private service through Cloudflare Tunnels?
I understand that Cloudflare Tunnels are typically used to expose services from a private network to the public internet, but what if I want to connect one private network to another? I’ve read the documentation, and I think this is possible in some way, but I'm still pretty confused.
I have two instances connected through the same Cloudflare Tunnel. Both instances are running HTTP services, but only instance1 has access to an etcd service that instance2 needs to connect to. I want instance2 to access the etcd service on instance1 using a private hostname, without exposing any IP addresses, and for Cloudflare to handle all the DNS and routing between them privately.
Example:
- The etcd service on instance1 (e.g., http://localhost:2379) should be accessible from instance2 via a private hostname like etcd-instance1.internal.
- Both instances are connected through the same tunnel, and I want Cloudflare to resolve the private hostname and securely route traffic between these two private networks.
I also read that WARP could possibly be a solution here, but I believe cloudflared itself has support for WARP routing as well.

2 Replies
Yea, that's my post :P
Cloudflare Tunnels use Cloudflare's proxy, which only supports proxying HTTP Traffic. If you want to use non-http applications over your tunnel, Cloudflare has a few other options:
For a few specific protocols such as SSH, RDP, and SMB, Cloudflare has guides for them here:
https://developers.cloudflare.com/cloudflare-one/applications/non-http/
For Arbitrary TCP like Minecraft, MySQL, and any other tcp application, Cloudflare has a guide here: https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/
For Arbitrary UDP like Minecraft Bedrock, SMTP, and any other udp application, you will need to use Private Networking with WARP: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/connect-private-networks/
Please note for all of these except SSH and VNC, which can be browser-rendered, you will either need to use cloudflared (Cloudflare's tunnel daemon) on the client machine running in the background, or Private Networking with WARP, and have WARP installed on the client machine logged into your Zero Trust Team.
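
The arbitrary-TCP option from the reply above, applied to the etcd case in the question, as an added example that is not part of the original thread. The config file path, the tunnel UUID and the hostname `etcd-instance1.example.com` are placeholders and assumptions, not values from the posts.

```yaml
# cloudflared config on instance1, the host that can reach etcd.
# Assumed location: /etc/cloudflared/config.yml (adjust to your install).
tunnel: <TUNNEL-UUID>                                   # placeholder
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json   # placeholder

ingress:
  # Publish the etcd client port as arbitrary TCP through the tunnel.
  # The hostname must be a DNS record in a zone on your Cloudflare account;
  # etcd-instance1.example.com is a placeholder.
  - hostname: etcd-instance1.example.com
    service: tcp://localhost:2379
  # Required catch-all rule: every other request gets a 404.
  - service: http_status:404

# This hostname resolves publicly, so put a Cloudflare Access application
# and policy in front of it, and keep etcd's own client authentication on.
#
# On instance2, cloudflared runs in the background as the client side.
# It opens a local listener and forwards it through Cloudflare to the
# hostname above:
#
#   cloudflared access tcp --hostname etcd-instance1.example.com --url localhost:2379
#
# etcd clients on instance2 then connect to localhost:2379.
```

With this layout no IP address of instance1 is exposed; instance1 only makes outbound connections to Cloudflare, and access to the etcd hostname is decided by the Access policy.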