cloudflare · ranbel · Sep 16, 2025 · May 19, 2025 · May 19, 2025 · May 21, 2025
@@ -66,7 +66,7 @@ This page lists the default account limits for rules, applications, fields, and
 | ---------------------------------------- | ----- |
 | `cloudflared` tunnels per account        | 1,000 |
 | WARP Connectors per account              | 10    |
-| IP routes per account                    | 1,000 |
+| Routes per tunnel                       | 1,000 |
 | Active `cloudflared` replicas per tunnel | 25    |
 
 ## Digital Experience Monitoring (DEX)

@@ -27,7 +27,7 @@ You can securely publish internal tools and applications by adding Cloudflare Ac
 [Set up a Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) to publish your internal application. Only users who match your Access policies will be granted access.
 
 :::note
-We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, public hostname routes in Tunnel are available to anyone on the Internet.
+We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, the published application will be available to anyone on the Internet.
 :::
 
 If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using [other methods](/fundamentals/security/protect-your-origin-server/).

@@ -24,7 +24,7 @@ Cloudflare Access short-lived certificates can work with any modern SSH server,
 
 To secure your server behind Cloudflare Access:
 
-1. [Connect the server to Cloudflare](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) as a public hostname route.
+1. [Connect the server to Cloudflare](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) as a published application.
 2. Create a [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for the server.
 
 :::note

@@ -140,11 +140,11 @@ On Windows, Cloudflare Tunnel installs itself as a system service using the Regi
 
 ## Update origin configuration
 
-To configure how `cloudflared` sends requests to your [public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) services:
+To configure how `cloudflared` sends requests to your [published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
 2. Choose a tunnel and select **Configure**.
-3. Select the **Public Hostname** tab.
-4. Choose a route and select **Edit**.
+3. Select the **Published application routes** tab.
+4. Choose an application and select **Edit**.
 5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/).
-6. Select **Save hostname**.
+6. Select **Save**.
@@ -171,7 +171,7 @@ The timeout after which a TCP keepalive packet is sent on a connection between C
 | ------- | ------------------- |
 | `""`    | Protect with Access |
 
-Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname routes that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
+Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname services that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
 
 To enable this security control in a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#origin-configuration), [get the AUD tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`:
 

@@ -113,23 +113,23 @@ The following configuration will modify settings in your Cloudflare account.
         	proxied = true
         }
 
-        # Configures tunnel with a public hostname route for clientless access.
-        resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
-        	tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
-        	account_id = var.cloudflare_account_id
-        	config     = {
-        		ingress 	= [
-        			{
-        				hostname = "http_app.${var.cloudflare_zone}"
-        				service  = "http://localhost:80"
-        			},
-        			{
-        				service  = "http_status:404"
-        			}
-        		]
-        	}
-        }
-        ```
+		# Configures tunnel with a published application for clientless access.
+		resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
+			tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
+			account_id = var.cloudflare_account_id
+			config     = {
+				ingress 	= [
+					{
+						hostname = "http_app.${var.cloudflare_zone}"
+						service  = "http://localhost:80"
+					},
+					{
+						service  = "http_status:404"
+					}
+				]
+			}
+		}
+		```
 
 ### Configure GCP resources
 

@@ -98,8 +98,8 @@ EOF
 
 [Private network routes](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) allow users to connect to your virtual private cloud (VPC) using the WARP client. To add a private network route for your Cloudflare Tunnel:
 
-1.  In the **Private Network** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
-2.  In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.
+1. In the **CIDR** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.
 
         To determine which IP addresses to re-add, subtract your AWS instance IPs from `172.16.0.0/12`:
 

@@ -76,8 +76,8 @@ To complete the following procedure, you will need to:
 
 To configure a private network route for your Cloudflare Tunnel:
 
-1.  In the **Private Network** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary.
-2.  In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.
+1. In the **CIDR** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.
 
         To determine which IP addresses to re-add, subtract your GCP instance IPs from `10.0.0.0/8`:
 

@@ -157,22 +157,22 @@ The following configuration will modify settings in your Cloudflare account.
         	proxied = true
         }
 
-        # Configures tunnel with a public hostname route for clientless access.
-        resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
-        	tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
-        	account_id = var.cloudflare_account_id
-        	config     = {
-        		ingress 	= [
-        			{
-        				hostname = "http_app.${var.cloudflare_zone}"
-        				service  = "http://httpbin:80"
-        			},
-        			{
-        				service  = "http_status:404"
-        			}
-        		]
-        	}
-        }
+		# Configures tunnel with a published application for clientless access.
+		resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
+			tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
+			account_id = var.cloudflare_account_id
+			config     = {
+				ingress 	= [
+					{
+						hostname = "http_app.${var.cloudflare_zone}"
+						service  = "http://httpbin:80"
+					},
+					{
+						service  = "http_status:404"
+					}
+				]
+			}
+		}
 
         # (Optional) Routes internal IP of GCP instance through the tunnel for private network access using WARP.
         resource "cloudflare_zero_trust_tunnel_cloudflared_route" "example_tunnel_route" {
@@ -241,20 +241,20 @@ The following configuration will modify settings in your Cloudflare account.
         	proxied = true
         }
 
-        # Configures tunnel with a public hostname route for clientless access.
-        	resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
-        		tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
-        		account_id = var.cloudflare_account_id
-        		config {
-        			ingress_rule {
-        				hostname = "${cloudflare_record.http_app.hostname}"
-        				service  = "http://httpbin:80"
-        			}
-        			ingress_rule {
-        				service  = "http_status:404"
-        			}
-        		}
-        	}
+		# Configures tunnel with a published application for clientless access.
+			resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
+				tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
+				account_id = var.cloudflare_account_id
+				config {
+					ingress_rule {
+						hostname = "${cloudflare_record.http_app.hostname}"
+						service  = "http://httpbin:80"
+					}
+					ingress_rule {
+						service  = "http_status:404"
+					}
+				}
+			}
 
         # (Optional) Route internal IP of GCP instance through the tunnel for private network access using WARP.
         resource "cloudflare_zero_trust_tunnel_route" "example_tunnel_route" {

@@ -62,16 +62,16 @@ Make a `POST` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subre
 
 Copy the `id` and `token` values shown in the output. You will need these values to configure and run the tunnel.
 
-The next steps depend on whether you want to [connect an application](#3a-connect-an-application) or [connect a network](#3b-connect-a-network).
+The next steps depend on whether you want to [publish an application to the Internet](#3a-publish-an-application) or [connect a private network](#3b-connect-a-network).
 
-## 3a. Connect an application
+## 3a. Publish an application
 
-Before you connect an application through your tunnel, you must:
+Before you publish an application through your tunnel, you must:
 
 - [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/).
 - [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/).
 
-Follow these steps to connect an application through your tunnel. If you are looking to connect a network, skip to the [Connect a network section](#3b-connect-a-network).
+Follow these steps to publish an application to the Internet. If you are looking to connect a private resource, skip to the [Connect a network](#3b-connect-a-network) section.
 
 1. Make a [`PUT` request](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/) to route your local service URL to a public hostname. For example,
 
@@ -130,7 +130,7 @@ To connect a private network through your tunnel, [add a tunnel route](/api/reso
   }}
 />
 
-To configure Zero Trust policies and connect as a user, refer to [Connect private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
+`cloudflared` can now route traffic to these destination IPs. To configure Zero Trust policies and connect as a user, refer to [Connect private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
 
 ## 4. Install and run the tunnel
 

@@ -13,30 +13,31 @@ Follow this step-by-step guide to create your first [remotely-managed tunnel](/c
 
 <Render file="tunnel/create-tunnel" product="cloudflare-one" />
 
-The next steps depend on whether you want to [connect an application](#2a-connect-an-application) or [connect a network](#2b-connect-a-network).
+The next steps depend on whether you want to [publish an application to the Internet](#2a-publish-an-application) or [connect a private network](#2b-connect-a-network).
 
-## 2a. Connect an application
+## 2a. Publish an application
 
-Before you connect an application through your tunnel, you must:
+Before you publish an application through your tunnel, you must:
 
 - [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/).
 - [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/).
 
-Follow these steps to connect an application through your tunnel. If you are looking to connect a network, skip to the [Connect a network section](#2b-connect-a-network).
+Follow these steps to publish an application to the Internet. If you are looking to connect a private resource, skip to the [Connect a network](#2b-connect-a-network) section.
 
-<Render file="tunnel/add-public-hostname" product="cloudflare-one" />
+<Render file="tunnel/add-published-application" product="cloudflare-one" />
 
-The application is now publicly available on the Internet. To allow or block specific users, [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+Anyone on the Internet can now access the application at the specified hostname. To allow or block specific users, [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
 
 ## 2b. Connect a network
 
-Follow these steps to connect a private network through your tunnel.
+To connect a private network through your tunnel:
 
-1. In the **Private Networks** tab, add the IP or CIDR of your service.
+1. Go to the **CIDR** tab.
+2. In **CIDR**, enter the private IP address or CIDR range of your service (for example, `10.0.0.1` or `10.0.0.0/8`).
 
-2. Select **Save tunnel**.
+`cloudflared` can now route traffic to these destination IPs. To configure Zero Trust policies and connect as a user, refer to [Connect an IP/CIDR](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
 
-To configure Zero Trust policies and connect as a user, refer to [Connect private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
+If you would like to route to a private application using its hostname instead of its IP, refer to [Connect a private hostname](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname/).
 
 ## 3. View your tunnel
 

@@ -0,0 +1,68 @@
+---
+pcx_content_type: how-to
+title: Connect an IP/CIDR
+sidebar:
+  order: 3
+---
+
+import { Render } from "~/components";
+
+This guide covers how to enable secure remote access to private IP addresses using `cloudflared` and WARP. You can connect an entire private network, a subnet, or an application defined by a static IP.
+
+## 1. Connect the server to Cloudflare
+
+To connect your infrastructure with Cloudflare Tunnel:
+
+<Render file="tunnel/connect-private-network" product="cloudflare-one" />
+
+2. In the **CIDR** tab for the tunnel, enter the IP/CIDR range that you wish to route through the tunnel (for example `10.0.0.0/8`).
+
+## 2. Set up the client
+
+<Render file="tunnel/warp-to-tunnel-client" product="cloudflare-one" />
+
+## 3. Route private network IPs through WARP
+
+<Render file="tunnel/warp-to-tunnel-route-ips" product="cloudflare-one" params={{ one: "private network"}}/>
+
+## 4. (Recommended) Filter network traffic with Gateway
+
+<Render file="tunnel/filter-network-traffic" product="cloudflare-one" />
+
+### Enable the Gateway proxy
+
+<Render file="tunnel/enable-gateway-proxy" product="cloudflare-one" />
+
+### Zero Trust policies
+
+<Render file="tunnel/catch-all-policy" product="cloudflare-one"/>
+
+If you have applications clearly defined by IPs or hostnames, we recommend [creating an Access application](/cloudflare-one/applications/non-http/self-hosted-private-app/) and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway network and DNS policies for IP ranges and domains.
+
+For more information on building Gateway policies, refer to [Secure your first application](/learning-paths/replace-vpn/build-policies/create-policy/) and [Common network policies](/cloudflare-one/policies/gateway/network-policies/common-policies/#restrict-access-to-private-networks).
+
+## 5. Connect as a user
+
+End users can now reach HTTP or TCP-based services on your network by visiting any IP address in the range you have specified.
+
+To allow users to reach the service using its private hostname instead of its IP, refer to [Private DNS](/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns/).
+
+### Troubleshooting
+
+#### Device configuration
+
+To check that their device is properly configured, the user can visit `https://help.teams.cloudflare.com/` to ensure that:
+
+- The page returns **Your network is fully protected**.
+- In **HTTP filtering**, both **WARP** and **Gateway Proxy** are enabled.
+- The **Team name** matches the Zero Trust organization from which you created the tunnel.
+
+#### Router configuration
+
+Check the local IP address of the device and ensure that it does not fall within the IP/CIDR range of your private network. For example, some home routers will make DHCP assignments in the `10.0.0.0/24` range, which overlaps with the `10.0.0.0/8` range used by most corporate private networks. When a user's home network shares the same IP addresses as the routes in your tunnel, their device will be unable to connect to your application.
+
+To resolve the IP conflict, you can either:
+
+- Reconfigure the user's router to use a non-overlapping IP range. Compatible routers typically use `192.168.1.0/24`, `192.168.0.0/24` or `172.16.0.0/24`.
+- Tighten the IP range in your Split Tunnel configuration to exclude the `10.0.0.0/24` range. This will only work if your private network does not have any hosts within `10.0.0.0/24`.
+- Change the IP/CIDR of your private network so that it does not overlap with a range commonly used by home networks.