|
| 1 | +--- |
| 2 | + |
| 3 | +pcx_content_type: how-to |
| 4 | +title: Set up Private Network Load Balancing with WARP-to-Tunnel |
| 5 | +sidebar: |
| 6 | + order: 4 |
| 7 | + |
| 8 | +--- |
| 9 | + |
| 10 | +import { DashButton, Render, Tabs, TabItem, APIRequest, GlossaryTooltip } from "~/components" |
| 11 | + |
| 12 | +You can use Private Network Load Balancing to distribute WARP client traffic to private IP addresses connected via [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). |
| 13 | + |
| 14 | +For example, assume you have an internal application running in two data centers, and you want WARP users to access the application from the data center closest to their geographic location. A typical load balancing configuration is shown in the following diagram: |
| 15 | + |
| 16 | +```mermaid |
| 17 | +graph LR |
| 18 | + W[WARP clients] --> C{Private load balancer <br> 100.112.0.0} |
| 19 | + C -- Tunnel 1 --> cf1 |
| 20 | + C -- Tunnel 2 --> cf2 |
| 21 | + subgraph D2[Data center 2] |
| 22 | + cf2@{ shape: processes, label: "cloudflared" } |
| 23 | + subgraph F[Pool 2] |
| 24 | + S3["Endpoint <br> 10.0.0.1 (VNET-2)"] |
| 25 | + S4["Endpoint <br> 10.0.0.2 (VNET-2)"] |
| 26 | + end |
| 27 | + cf2-->S3 |
| 28 | + cf2-->S4 |
| 29 | + end |
| 30 | + subgraph D1[Data center 1] |
| 31 | + cf1@{ shape: processes, label: "cloudflared" } |
| 32 | + subgraph E[Pool 1] |
| 33 | + S1["Endpoint <br> 10.0.0.1 (VNET-1)"] |
| 34 | + S2["Endpoint <br> 10.0.0.2 (VNET-1)"] |
| 35 | + end |
| 36 | + cf1-->S1 |
| 37 | + cf1-->S2 |
| 38 | + end |
| 39 | +
|
| 40 | + style E stroke-width:2px,stroke-dasharray: 5 5 |
| 41 | + style F stroke-width:2px,stroke-dasharray: 5 5 |
| 42 | +``` |
| 43 | + |
| 44 | +The components in the diagram include: |
| 45 | +- **cloudflared**: Each data center is connected to Cloudflare with its own Cloudflare Tunnel. `cloudflared` installs on one or [more](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/#cloudflared-replicas) host machines in the network. |
| 46 | +- **Virtual network (VNET)**: If the networks behind each tunnel have the same internal IP range, we assign a distinct [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) per tunnel so that Load Balancer can deterministically route requests to the correct endpoint. |
| 47 | +- **Private load balancer IP**: End users connect to the application using the load balancer's IP address. This can either be a Cloudflare-assigned CGNAT IP (`100.64.0.0/10`) or a custom [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) IP. |
| 48 | +- **Load balancer pool**: The load balancer is configured with one [pool](/load-balancing/understand-basics/load-balancing-components/#pools) per tunnel. [Global traffic steering policies](/load-balancing/understand-basics/traffic-steering/steering-policies/) control how traffic routes to your pools / tunnels. |
| 49 | +- **Load balancer endpoint**: A pool contains one or more endpoints, where each endpoint is a server behind `cloudflared` that is running the application. The load balancing endpoint is defined by the server's private IP address and virtual network (for example, `10.0.0.1 (VNET-1)`). [Local steering policies](/load-balancing/understand-basics/traffic-steering/origin-level-steering/) control how traffic routes to endpoints within a pool. |
| 50 | + |
| 51 | +## 1. Create a Cloudflare Tunnel |
| 52 | + |
| 53 | +Skip to [step 2](/load-balancing/private-network/warp/#2-create-load-balancer-pools) if you have already connected your private networks with Cloudflare Tunnel. |
| 54 | + |
| 55 | +To create a new tunnel: |
| 56 | + |
| 57 | +<Render file="tunnel/create-tunnel" product="cloudflare-one" /> |
| 58 | +9. Go to the **CIDR** tab. |
| 59 | +10. In **CIDR**, enter the private IP address or CIDR range of your service (for example, `10.0.0.1` or `10.0.0.0/8`). |
| 60 | +10. (Optional) Under **Additional settings**, select a virtual network. If you do not select a virtual network, the IP route will be assigned to the `default` network. |
| 61 | + |
| 62 | + :::note |
| 63 | + If you need to create a new virtual network, select **Manage virtual networks**. For more information, refer to the [virtual networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) documentation. |
| 64 | + ::: |
| 65 | +11. Select **Complete seup**. |
| 66 | + |
| 67 | +You can go to **Networks** > **Routes** to view all of your IP routes and their associated virtual networks. |
| 68 | + |
| 69 | +## 2. Create load balancer pools |
| 70 | + |
| 71 | +Load balancer pools are logical groupings of endpoints, typically organized by physical datacenter or geographic region. The endpoints in the pool are the destinations where traffic is ultimately routed. |
| 72 | + |
| 73 | +:::note[Limitation] |
| 74 | +A pool cannot have multiple endpoints with the same IP address, even when using different virtual networks. You can assign endpoints with overlapping IPs to different pools, as shown in the [example diagram](#_top). |
| 75 | +::: |
| 76 | + |
| 77 | +Pools can be created using either the Cloudflare dashboard or the API. |
| 78 | + |
| 79 | +<Tabs syncKey="dashPlusAPI"> |
| 80 | + |
| 81 | +<TabItem label="Dashboard"> |
| 82 | + |
| 83 | +To create a pool using the dashboard, refer to the [Create a pool](/load-balancing/pools/create-pool/#create-a-pool) documentation. |
| 84 | + |
| 85 | +:::note |
| 86 | +All endpoints with private IPs must have a virtual network (VNET) specified. |
| 87 | +::: |
| 88 | + |
| 89 | +</TabItem> |
| 90 | + |
| 91 | +<TabItem label="API"> |
| 92 | + |
| 93 | +To get a list of your current virtual networks, use the [List virtual networks](/api/resources/zero_trust/subresources/networks/subresources/virtual_networks/methods/list/) API operation. |
| 94 | + |
| 95 | +Enable virtual/private IP support by adding the `virtual_network_id` field to the `origins` in your API request. Refer to the [Cloudflare Load Balancer API documentation](/api/resources/load_balancers/subresources/pools/methods/create/) for more information on how to create a pool using the API. |
| 96 | + |
| 97 | +The following example adds a Cloudflare Tunnel endpoint to an existing Load Balancer pool: |
| 98 | + |
| 99 | +:::note |
| 100 | + |
| 101 | +All endpoints with private IPs must have `virtual_network_id` specified. |
| 102 | + |
| 103 | +::: |
| 104 | + |
| 105 | +<APIRequest |
| 106 | + path="/accounts/{account_id}/load_balancers/pools/{pool_id}" |
| 107 | + method="PATCH" |
| 108 | + json={{ |
| 109 | + origins: [ |
| 110 | + { |
| 111 | + name: "server-1", |
| 112 | + address: "10.0.0.1", |
| 113 | + enabled: true, |
| 114 | + weight: 1, |
| 115 | + virtual_network_id: "a5624d4e-044a-4ff0-b3e1-e2465353d4b4", |
| 116 | + }, |
| 117 | + ], |
| 118 | + }} |
| 119 | +/> |
| 120 | + |
| 121 | +</TabItem> |
| 122 | +</Tabs> |
| 123 | + |
| 124 | + |
| 125 | +## 3. Create a private load balancer |
| 126 | + |
| 127 | +1. In the Cloudflare dashboard, go to the **Load Balancing** page. |
| 128 | + |
| 129 | + <DashButton url="/?to=/:account/load-balancing" /> |
| 130 | + |
| 131 | +2. Select **Create a Load Balancer**. |
| 132 | +3. Select **Private Load Balancer**. |
| 133 | +4. On the next step you can choose to associate this load balancer with either: |
| 134 | + - A Cloudflare-assigned IP from the `100.64.0.0/10` range |
| 135 | + - A custom [RFC 1918 address](https://datatracker.ietf.org/doc/html/rfc1918) |
| 136 | +5. Add a descriptive name to identify your load balancer. |
| 137 | +6. Proceed through the setup. |
| 138 | + |
| 139 | +After completing the setup, you will be redirected to the Load Balancing dashboard. You can locate your load balancer using the search bar or by filtering for **Private** load balancers. Be sure to note the load balancer IP as it will be required in the following steps. |
| 140 | + |
| 141 | +## 4. Route the load balancer IP through WARP |
| 142 | + |
| 143 | +In order for WARP clients to connect to your load balancer, the load balancer's IP address must route through the WARP tunnel in your [Split Tunnel settings](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/). |
| 144 | + |
| 145 | +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. |
| 146 | +2. Under **Device settings**, find the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Edit**. |
| 147 | +3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**. |
| 148 | +4. Select **Manage**. Depending on the mode: |
| 149 | + |
| 150 | + - **Exclude mode**: Delete the IP range that contains your load balancer IP. For example, if your load balancer has a Cloudflare-assigned CGNAT IP, delete `100.64.0.0/10`. We recommend [adding back the IPs](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used by your load balancer. |
| 151 | + :::note |
| 152 | + Some IPs in the `100.64.0.0/10` range may be reserved for other Zero Trust services such as Gateway <GlossaryTooltip term = "initial resolved IP">initial resolved IPs</GlossaryTooltip> or <GlossaryTooltip term = "CGNAT IP">WARP CGNAT IPs</GlossaryTooltip>. These IPs should remain deleted from the Exclude list. |
| 153 | + - **Include mode**: Add your load balancer IP. |
| 154 | + |
| 155 | +WARP traffic can now reach your private load balancer. For example, if your load balancer points to a web application, you can test by running `curl <load-balancer-IP>` from the WARP device. This traffic will be distributed over Cloudflare Tunnel to your private endpoints according to your configured steering method. |
| 156 | + |
| 157 | +## 5. (Optional) Assign a hostname to the load balancer |
| 158 | + |
| 159 | +If you want your load balancer and its endpoints to be transparently accessible to users via a hostname, you can create a Gateway DNS [Override policy](/cloudflare-one/policies/gateway/dns-policies/#override) that maps the hostname to the load balancer's IP address. This ensures that traffic destined for the hostname resolves to the correct IP. |
| 160 | + |
| 161 | +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies**> **DNS**. |
| 162 | +2. Select **Add DNS policy**. |
| 163 | +3. In **Traffic**, create an expression where the **Selector** equals `Host`, the **Operator** equals `is`, and **Value** is the hostname you wish to associate with your load balancer. For example, |
| 164 | + |
| 165 | + | Selector | Operator | Value | |
| 166 | + | -------- | -------- | ----------------- | |
| 167 | + | Host | is | `app.internal.local` | |
| 168 | + |
| 169 | +4. Set the **Action** to _Override_. |
| 170 | +5. In **Override Hostname**, enter your private load balancer IP (for example, `100.112.0.0`). |
| 171 | + |
| 172 | +Requests to the hostname will now resolve to your private load balancer. |
0 commit comments