diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters.mdx index c2f0681da9ed2c..f78522d83cc068 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters.mdx @@ -125,10 +125,9 @@ Writes the application's process identifier (PID) to this file after the first s ## `post-quantum` -| Syntax | Environment Variable | -| -------------------------------------------------------- | -------------------- | -| `cloudflared tunnel run --post-quantum ` | `TUNNEL_POST_QUANTUM`| - +| Syntax | Environment Variable | +| ------------------------------------------------------ | --------------------- | +| `cloudflared tunnel run --post-quantum ` | `TUNNEL_POST_QUANTUM` | By default, Cloudflare Tunnel connections over [`quic`](#protocol) are encrypted using [post-quantum cryptography (PQC)](/ssl/post-quantum-cryptography/) but will fall back to non-PQ if there are issues connecting. If the `--post-quantum` flag is provided, `quic` connections are only allowed to use PQ key agreements, with no fallback to non-PQ. @@ -152,6 +151,8 @@ The `auto` value will automatically configure the `quic` protocol. If `cloudflar Allows you to choose the regions to which connections are established. Currently the only available value is `us`, which routes all connections through data centers in the United States. Omit or leave empty to connect to the global region. +When the region is set to `us`, `cloudflared` uses different US-specific hostnames and IPs. Refer to [Tunnel with firewall](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#region-us) for details. + ## `retries` | Syntax | Default | Environment Variable | @@ -181,7 +182,6 @@ For remotely-managed tunnels only. Associates the `cloudflared` instance with a specific tunnel. The tunnel's token is shown in the dashboard when you first [create the tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can also retrieve the token using the [API](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/). - ## `token-file` :::note @@ -189,8 +189,8 @@ Associates the `cloudflared` instance with a specific tunnel. The tunnel's token For remotely-managed tunnels only. Requires `2025.4.0` or later. ::: -| Syntax | Environment Variable | -| ----------------------------------------------- | -------------------- | -| `cloudflared tunnel run --token-file ` | `TUNNEL_TOKEN_FILE` | +| Syntax | Environment Variable | +| -------------------------------------------- | -------------------- | +| `cloudflared tunnel run --token-file ` | `TUNNEL_TOKEN_FILE` | Associates the `cloudflared` instance with a specific tunnel using a file which contains the token. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall.mdx index f51a9f5012a995..6efb4a651367fd 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall.mdx @@ -8,6 +8,13 @@ tableOfContents: false You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from `cloudflared`. Only the services specified in your tunnel configuration will be exposed to the outside world. +How you configure your firewall depends on the firewall type: + +- If your firewall supports domain-based rules (FQDN allowlists), you can allow outbound connections to the hostnames listed below. +- If your firewall requires IP-based rules, allow outbound connections to all listed IP addresses for each domain. + +Ensure port `7844` is allowed for both TCP and UDP protocols (for `http2` and `quic`). + ## Ports The parameters below can be configured for egress traffic inside of a firewall. @@ -16,28 +23,37 @@ The parameters below can be configured for egress traffic inside of a firewall. `cloudflared` connects to Cloudflare's global network on port `7844`. To use Cloudflare Tunnel, your firewall must allow outbound connections to the following destinations on port `7844` (via UDP if using the `quic` protocol or TCP if using the `http2` protocol). -| Domain | IPv4 | IPv6 | Port | Protocols | -| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ------------------------ | -| `region1.v2.argotunnel.com` | `198.41.192.167`
`198.41.192.67`
`198.41.192.57`
`198.41.192.107`
`198.41.192.27`
`198.41.192.7`
`198.41.192.227`
`198.41.192.47`
`198.41.192.37`
`198.41.192.77` | `2606:4700:a0::1`
`2606:4700:a0::2`
`2606:4700:a0::3`
`2606:4700:a0::4`
`2606:4700:a0::5`
`2606:4700:a0::6`
`2606:4700:a0::7`
`2606:4700:a0::8`
`2606:4700:a0::9`
`2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) | -| `region2.v2.argotunnel.com` | `198.41.200.13`
`198.41.200.193`
`198.41.200.33`
`198.41.200.233`
`198.41.200.53`
`198.41.200.63`
`198.41.200.113`
`198.41.200.73`
`198.41.200.43`
`198.41.200.23` | `2606:4700:a8::1`
`2606:4700:a8::2`
`2606:4700:a8::3`
`2606:4700:a8::4`
`2606:4700:a8::5`
`2606:4700:a8::6`
`2606:4700:a8::7`
`2606:4700:a8::8`
`2606:4700:a8::9`
`2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) | -| `_v2-origintunneld._tcp.argotunnel.com`1 | Not applicable | Not applicable | 7844 | TCP (`http2`) | -| `cftunnel.com`1 | Not applicable | Not applicable | 7844 | TCP/UDP (`http2`/`quic`) | -| `h2.cftunnel.com`1 | Not applicable | Not applicable | 7844 | TCP (`http2`) | -| `quic.cftunnel.com`1 | Not applicable | Not applicable | 7844 | UDP (`quic`) | +| Domain | IPv4 | IPv6 | Port | Protocols | +| --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ------------------------ | +| `region1.v2.argotunnel.com` | `198.41.192.167`
`198.41.192.67`
`198.41.192.57`
`198.41.192.107`
`198.41.192.27`
`198.41.192.7`
`198.41.192.227`
`198.41.192.47`
`198.41.192.37`
`198.41.192.77` | `2606:4700:a0::1`
`2606:4700:a0::2`
`2606:4700:a0::3`
`2606:4700:a0::4`
`2606:4700:a0::5`
`2606:4700:a0::6`
`2606:4700:a0::7`
`2606:4700:a0::8`
`2606:4700:a0::9`
`2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) | +| `region2.v2.argotunnel.com` | `198.41.200.13`
`198.41.200.193`
`198.41.200.33`
`198.41.200.233`
`198.41.200.53`
`198.41.200.63`
`198.41.200.113`
`198.41.200.73`
`198.41.200.43`
`198.41.200.23` | `2606:4700:a8::1`
`2606:4700:a8::2`
`2606:4700:a8::3`
`2606:4700:a8::4`
`2606:4700:a8::5`
`2606:4700:a8::6`
`2606:4700:a8::7`
`2606:4700:a8::8`
`2606:4700:a8::9`
`2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) | +| `_v2-origintunneld._tcp.argotunnel.com`1 | Not applicable | Not applicable | 7844 | TCP (`http2`) | +| `cftunnel.com`1 | Not applicable | Not applicable | 7844 | TCP/UDP (`http2`/`quic`) | +| `h2.cftunnel.com`1 | Not applicable | Not applicable | 7844 | TCP (`http2`) | +| `quic.cftunnel.com`1 | Not applicable | Not applicable | 7844 | UDP (`quic`) | 1 This rule is only required for firewalls that enforce SNI. +### region US + +When using the [US region](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region), ensure your firewall allows outbound connections to these US-region destinations on port `7844` (TCP/UDP) for tunnel operation. + +| Domain | IPv4 addresses | IPv6 addresses | Port | Protocol | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------ | ------------------------ | +| `us-region1.v2.argotunnel.com` | `198.41.218.1`
`198.41.218.2`
`198.41.218.3`
`198.41.218.4`
`198.41.218.5`
`198.41.218.6`
`198.41.218.7`
`198.41.218.8`
`198.41.218.9`
`198.41.218.10` | `2606:4700:a1::1`
`2606:4700:a1::2`
`2606:4700:a1::3`
`2606:4700:a1::4`
`2606:4700:a1::5`
`2606:4700:a1::6`
`2606:4700:a1::7`
`2606:4700:a1::8`
`2606:4700:a1::9`
`2606:4700:a1::10` | `7844` | TCP/UDP (`http2`/`quic`) | +| `us-region2.v2.argotunnel.com` | `198.41.219.1`
`198.41.219.2`
`198.41.219.3`
`198.41.219.4`
`198.41.219.5`
`198.41.219.6`
`198.41.219.7`
`198.41.219.8`
`198.41.219.9`
`198.41.219.10` | `2606:4700:a9::1`
`2606:4700:a9::2`
`2606:4700:a9::3`
`2606:4700:a9::4`
`2606:4700:a9::5`
`2606:4700:a9::6`
`2606:4700:a9::7`
`2606:4700:a9::8`
`2606:4700:a9::9`
`2606:4700:a9::10` | `7844` | TCP/UDP (`http2`/`quic`) | + ### Optional Opening port 443 enables some optional features. Failure to allow these connections may prompt a log error, but `cloudflared` will still run correctly. -| Domain | IPv4 | IPv6 | Port | Protocols | Description | -| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `api.cloudflare.com` | `104.19.192.29`
`104.19.192.177`
`104.19.192.175`
`104.19.193.29`
`104.19.192.174`
`104.19.192.176` | `2606:4700:300a::6813:c0af`
`2606:4700:300a::6813:c01d`
`2606:4700:300a::6813:c0ae`
`2606:4700:300a::6813:c11d`
`2606:4700:300a::6813:c0b0`
`2606:4700:300a::6813:c0b1` | 443 | TCP (HTTPS) | Allows `cloudflared` to query if software updates are available. | -| `update.argotunnel.com` | `104.18.25.129`
`104.18.24.129` | `2606:4700::6812:1881`
`2606:4700::6812:1981` | 443 | TCP (HTTPS) | Allows `cloudflared` to query if software updates are available. | -| `github.com` | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | 443 | TCP (HTTPS) | Allows `cloudflared` to download the latest release and perform a software update. | +| Domain | IPv4 | IPv6 | Port | Protocols | Description | +| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `api.cloudflare.com` | `104.19.192.29`
`104.19.192.177`
`104.19.192.175`
`104.19.193.29`
`104.19.192.174`
`104.19.192.176` | `2606:4700:300a::6813:c0af`
`2606:4700:300a::6813:c01d`
`2606:4700:300a::6813:c0ae`
`2606:4700:300a::6813:c11d`
`2606:4700:300a::6813:c0b0`
`2606:4700:300a::6813:c0b1` | 443 | TCP (HTTPS) | Allows `cloudflared` to query if software updates are available. | +| `update.argotunnel.com` | `104.18.25.129`
`104.18.24.129` | `2606:4700::6812:1881`
`2606:4700::6812:1981` | 443 | TCP (HTTPS) | Allows `cloudflared` to query if software updates are available. | +| `github.com` | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) | 443 | TCP (HTTPS) | Allows `cloudflared` to download the latest release and perform a software update. | | `.`
`cloudflareaccess.com` | `104.19.194.29`
`104.19.195.29` | `2606:4700:300a::6813:c31d`
`2606:4700:300a::6813:c21d` | 443 | TCP (HTTPS) | Allows `cloudflared` to validate the Access JWT. Only required if the [`access`](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#access) setting is enabled. | -| `pqtunnels.`
`cloudflareresearch.com` | `104.18.4.64`
`104.18.5.64` | `2606:4700::6812:540`
`2606:4700::6812:440` | 443 | TCP (HTTPS) | Allows `cloudflared` to report [post-quantum key exchange](https://blog.cloudflare.com/post-quantum-tunnel/) errors to Cloudflare. | +| `pqtunnels.`
`cloudflareresearch.com` | `104.18.4.64`
`104.18.5.64` | `2606:4700::6812:540`
`2606:4700::6812:440` | 443 | TCP (HTTPS) | Allows `cloudflared` to report [post-quantum key exchange](https://blog.cloudflare.com/post-quantum-tunnel/) errors to Cloudflare. | ## Firewall configuration