[ZT] Load Balancing traffic to Cloudflare Tunnel endpoints #25578
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
This PR requires additional review attention because it affects the following areas: Redirects. This PR changes current filenames or deletes current files. Make sure you have redirects set up to cover the following paths:
...docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/public-load-balancers.mdx
|
||
1. To create a remotely-managed tunnel, follow the [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). | ||
2. On the **Tunnels** page, select your newly created tunnel. The **Connectors** section shows all of the `cloudflared` instances for that tunnel. | ||
3. Select **Configure**. |
Do we want to mention that the replicas will have the same config? We can't apply custom config per replica.
.../cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/index.mdx
...docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/public-load-balancers.mdx
|
||
If you notice traffic imbalances across endpoints in different locations, you may have to adjust your load balancer setup. | ||
|
||
`cloudflared` connections give preference to tunnels that terminate in the same Cloudflare data center. This behavior can impact how connections are weighted and traffic is distributed. |
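Review bot: "you may have to adjust your load balancer setup" on the first line of this excerpt names no adjustment, and the sentence that follows only describes the cause (same-data-center preference), so a reader is left without an action. Say what the adjustment is, or link to the section that gives it, for example "put each origin behind its own tunnel and add those tunnels as separate endpoints" if that is the intended fix. The second sentence would also read more precisely if it said that Cloudflare prefers to serve a request over `cloudflared` connections in the data center that received it, rather than that the connections "give preference to tunnels".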
We might want to be clear that we prefer to serve eyeball using cloudflared connections that are in the same data center.
attempted to clarify this here: 959a9fc
src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx
To create a new tunnel: | ||
|
||
<Render file="tunnel/create-tunnel" product="cloudflare-one" /> | ||
9. Go to the **CIDR** tab. |
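Review bot: the hard-coded step number `9.` after `<Render file="tunnel/create-tunnel" ... />` depends on how many steps the rendered partial contains; if the partial gains or loses a step this list silently misnumbers. Either start a fresh list after the partial ("Then, in the tunnel's configuration:") or use the numbering mechanism the partial uses so the continuation stays in sync.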
Can we update https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/ to better explain how to set up IP/CIDR?
Hey @chungthuang, would you mind elaborating on what should change? Are you referring to adding VNET details?
/> | ||
When you create a tunnel, Cloudflare generates a subdomain of `cfargotunnel.com` with the UUID of the created tunnel. You can treat `<UUID>.cfargotunnel.com` as if it were an origin target in the Cloudflare dashboard. | ||
|
||
Unlike publicly routable IP addresses, `<UUID.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. If someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. |
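Review bot: the last line of this excerpt writes the hostname as `<UUID.cfargotunnel.com`, missing the closing `>` that the line above uses in `<UUID>.cfargotunnel.com`; make the two consistent.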
Unlike publicly routable IP addresses, `<UUID.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. If someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. | |
Unlike publicly routable IP addresses, `<UUID>.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. If someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. |
/> | ||
When you create a tunnel, Cloudflare generates a subdomain of `cfargotunnel.com` with the UUID of the created tunnel. You can treat `<UUID>.cfargotunnel.com` as if it were an origin target in the Cloudflare dashboard. | ||
|
||
Unlike publicly routable IP addresses, `<UUID.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. If someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. |
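Review bot: the claim that discovering the UUID does not let another account proxy traffic to the tunnel is a useful security statement, but as written it could be read as "nothing about a tunnel needs protecting". Add one clause distinguishing the UUID, which is public by design, from the tunnel credential file or token that `cloudflared tunnel create` generates (see the command table elsewhere in this PR), which does allow running a connector for the tunnel and must be kept private. The missing `>` in `<UUID.cfargotunnel.com` also recurs on this line.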
Unlike publicly routable IP addresses, `<UUID.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. If someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. | |
Unlike publicly routable IP addresses, `<UUID.cfargotunnel.com` will only proxy traffic for a DNS record in the same Cloudflare account. The Tunnel UUID is not secret information; if someone discovers your subdomain UUID, they will not be able to create a DNS record in another account or system to proxy traffic to the address. |
| `cloudflared tunnel create <NAME or UUID>` | Creates a tunnel, registers it with the Cloudflare edge and generates a credential file to run this tunnel. | | ||
| `cloudflared tunnel route` | Routes traffic through a tunnel. | | ||
| `cloudflared tunnel route lb <NAME or UUID> <load balancer name> <load balancer pool>` | Creates a Load Balancer with a pool that points to the tunnel. | | ||
| `cloudflared tunnel route lb <NAME or UUID> <hostname> <load balancer pool>` | Adds a tunnel as an endpoint in a [load balancer pool](/cloudflare-one/connections/connect-networks/routing-to-tunnel/public-load-balancers/). A new load balancer and pool will be created if necessary. <ul> <li> `<hostname>`: the public-facing hostname of the load balancer, for example `lb.example.com` </li> <li> `<load balancer pool>`: the name of the [pool](/load-balancing/pools/create-pool/#create-a-pool) that will contain the tunnel endpoint </li> </ul> To load balance traffic to a [published application](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-published-applications), you will also need to specify the application hostname in the [endpoint host header](/load-balancing/additional-options/override-http-host-headers/). | |
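Review bot: the table documents the same command twice with different third arguments: `cloudflared tunnel route lb <NAME or UUID> <load balancer name> <load balancer pool>` ("Creates a Load Balancer with a pool that points to the tunnel") and `cloudflared tunnel route lb <NAME or UUID> <hostname> <load balancer pool>` ("Adds a tunnel as an endpoint in a load balancer pool"). A reader cannot tell whether these are two forms or one command described twice; keep one row (the second, fuller one, if `<hostname>` is the accurate argument) and fold the create-if-needed behaviour into it.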
Can we clarify that specifying the application hostname in the endpoint host header has to be done via the UI or LB API, not through cloudflared command?
@nikitacano I think we can deprecate this page? No one should be using legacy tunnels anymore.
|
||
### Optional Cloudflare settings | ||
|
||
The application will default to the Cloudflare settings for the load balancer hostname, including [cache rules](/cache/how-to/cache-rules/) and [firewall policies](/firewall/). You can change the settings for your hostname in the [Cloudflare dashboard](https://dash.cloudflare.com/). |
change the settings for your hostname
@nikitacano I think this will only be effective if the published application hostname CNAME to the load balancer hostname?
|
||
### One app per load balancer | ||
|
||
For this example, assume we have a web application that runs on servers in two different data centers. We want to connect the application to Cloudflare so that users can access the application from anywhere in the world. Additionally, we want Cloudflare to load balance between the servers such that if the primary server fails, the secondary server receives all traffic. |
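Review bot: the scenario promises that "if the primary server fails, the secondary server receives all traffic", but the excerpt does not say how failure is detected. Failover only happens when a health monitor marks the primary endpoint unhealthy, so the example should state that a monitor is attached to the pool (and what it probes) before describing the failover outcome; otherwise readers may configure the two endpoints and expect failover that never triggers.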
Can we clarify that in the LB pool config, one has to be the fallback pool?
|
||
When an end user sends a request to your application, Cloudflare routes their traffic using [Anycast routing](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) and their request typically goes to the nearest Cloudflare data center. Cloudflare Tunnel will prefer to serve the request using `cloudflared` connections in the same data center. This behavior can impact how connections are weighted and traffic is distributed. | ||
|
||
The solution depends on the type of tunnel being used. If running [legacy tunnels](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels/), put your origins in different pools. If running [`cloudflared` replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) (using a shared UUID), switch to separate Cloudflare tunnels as distinct origins. |
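Review bot: the last line calls the separate tunnels "distinct origins", while the rest of this PR uses "endpoint" for a tunnel inside a pool (for example "Adds a tunnel as an endpoint in a load balancer pool"). Use one term, preferably "endpoint", so the instruction reads "add each tunnel to the pool as a separate endpoint". The phrase "switch to separate Cloudflare tunnels" would also be clearer as "run a separate tunnel (with its own UUID) for each origin", since the point being made is that replicas of one UUID are indistinguishable to the load balancer.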
Legacy tunnels have been deprecated. Using different tunnels is the only way now.
3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**. | ||
4. Select **Manage**. Depending on the mode: | ||
|
||
- **Exclude mode**: Delete the IP range that contains your load balancer IP. For example, if your load balancer has a Cloudflare-assigned CGNAT IP, delete `100.64.0.0/10`. We recommend [adding back the IPs](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used by your load balancer. |
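Review bot: the Exclude-mode bullet tells the reader to delete `100.64.0.0/10` and only afterwards recommends adding back the unused ranges, so between those two actions every destination in the whole CGNAT block is routed through WARP rather than just the load balancer IP. Phrase the step as "replace the `100.64.0.0/10` exclusion with the parts of that range your load balancer does not use" so the exclusion is narrowed in one edit, and name the Include-mode action alongside it, since the list is introduced with "Depending on the mode:".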
Maybe we can use another private IP range to avoid confusion for CGNAT?
PCX-16753