From a665007595ab271887143fcc0032d2b1e935544b Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 17 Oct 2025 14:47:33 -0400 Subject: [PATCH 1/2] Remove legacy Cloudflare Tunnel docs; add redirects and update references --- .../migrate-legacy-tunnels.mdx | 74 ----------- .../tutorials/migrate-lb-tunnel.mdx | 123 ------------------ 2 files changed, 197 deletions(-) delete mode 100644 src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx delete mode 100644 src/content/docs/cloudflare-one/tutorials/migrate-lb-tunnel.mdx diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx deleted file mode 100644 index 34861c011fde78..00000000000000 --- a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx +++ /dev/null @@ -1,74 +0,0 @@ ---- -pcx_content_type: how-to -title: Migrate legacy tunnels -sidebar: - order: 4 -head: - - tag: title - content: Migrate legacy tunnels to named tunnels ---- - -Originally, a Cloudflare Tunnel connection corresponded to a DNS record in your account. Requests to that hostname hit Cloudflare's network first and our edge sends those requests over the tunnel to your origin. However, fitting an outbound-only connection into a reverse proxy creates some ergonomic and stability hurdles. The original Cloudflare Tunnel architecture attempted to both manage DNS records and create connections. When connections became disrupted, Tunnel would recreate the entire deployment. Additionally, Argo Tunnel connections could not be treated like regular origin servers in Cloudflare's control plane and had to be managed directly from the server-side software. - -Today, Cloudflare Tunnel's architecture distinguishes between the persistent objects (DNS records, `cloudflared`) and the ephemeral objects (the connections). To do that, it assigns permanent names and UUIDs to tunnels, which makes them more stable and easier to use. Since the name and UUID for a tunnel do not change, your DNS record never needs to be cleaned up or recreated when Cloudflare Tunnel restarts. In the event of a restart, the enrolled instance of `cloudflared` connects back to that UUID address. - -## Check for legacy tunnels - -To check if you still have legacy tunnels: - -1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com/) and select a zone. Legacy Tunnels are associated with a zone and not by account. -2. Go to **Traffic** > **Cloudflare Tunnel**. - -If nothing appears, this indicates there are no legacy tunnels associated with the zone. If legacy tunnels appear, follow the migration instructions below. - -:::note - -Named tunnels will only appear in [Zero Trust](https://one.dash.cloudflare.com/) under **Networks** > **Tunnels**. -::: - -## Migrate legacy tunnels - -To migrate your legacy tunnels to the named tunnels architecture: - -1. [Download](/cloudflare-one/connections/connect-networks/downloads/) the latest version of `cloudflared`. - -2. Obtain a new origin certificate by running `cloudflared login`. While named tunnels are scoped to an account, for legacy reasons the login page requires selecting a zone. - -3. [Create a tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#3-create-a-tunnel-and-give-it-a-name). - - ```sh - cloudflared tunnel create - ``` - -4. [Route traffic](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) to your tunnel to create routes that your tunnel will serve. - - - If your legacy tunnel was serving `tunnel.example.com`, run this command to configure your named tunnel to also serve `tunnel.example.com`. For more information, refer to the [DNS Record routing](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) section. - - ```sh - cloudflared tunnel route dns tunnel.example.com - ``` - - - If you used to run your legacy tunnel with the `--lb-pool` flag, run this command to set up your named tunnel as a load balancer origin. For more information, refer to the [Load Balancers routing](/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb/) section. - - ```sh - cloudflared tunnel route lb - ``` - -5. Next, create a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/) with ingress rules. The ingress rules describe how to dispatch requests to your origins based on hostname and path. For example, if in the past you used to run `cloudflared tunnel --hostname tunnel.example.com --url https://localhost:3000`, you should add an equivalent ingress rule to your configuration file: - - ```yml - ingress: - - hostname: tunnel.example.com - service: https://localhost:3000 - - service: http_status:404 - # Note that the last rule is the catch-all rule and is required. - ``` - -6. [Run your tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#6-run-the-tunnel). - -## Make sure everything works - -Once your migration is done, validate your new named tunnel: - -1. Make sure the resource behind the tunnel is accessible. -2. Run `cloudflared tunnel info ` to confirm that the named tunnel exists. diff --git a/src/content/docs/cloudflare-one/tutorials/migrate-lb-tunnel.mdx b/src/content/docs/cloudflare-one/tutorials/migrate-lb-tunnel.mdx deleted file mode 100644 index b42fe4a6019ffc..00000000000000 --- a/src/content/docs/cloudflare-one/tutorials/migrate-lb-tunnel.mdx +++ /dev/null @@ -1,123 +0,0 @@ ---- -reviewed: 2021-01-12 -category: 🌐 Connections -pcx_content_type: tutorial -title: Migrate to Named Tunnels with Load Balancer -description: >- - Migrate from Legacy Tunnels to Named Tunnels with Cloudflare Zero Trust docs. ---- - -import { Example, GlossaryTooltip } from "~/components"; - -Cloudflare Tunnel is available in two deployment modes: "Legacy" Tunnel and "Named" Tunnel. [Named Tunnel](https://blog.cloudflare.com/argo-tunnels-that-live-forever/) mode improves maintainability and stability by distinguishing between routing and configuration. - -Unlike Legacy mode, Named Tunnels give users the ability to manage routing in the Cloudflare dashboard and to run `cloudflared` once for [multiple services](https://blog.cloudflare.com/many-services-one-cloudflared/). - -If you are using Legacy Tunnel today you can migrate to Named Tunnel deployment in less than 10 minutes. - -**This tutorial covers how to:** - -- Migrate a Legacy Tunnel deployment to Named Tunnel model -- Use Cloudflare Load Balancer to perform a zero downtime migration - -**Time to complete:** - -10 minutes - -See additional documentation for working with [Kubernetes](/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes/). - ---- - -## Legacy Tunnel with Cloudflare Load Balancer - -This tutorial starts by documenting the steps to create a Legacy Tunnel with Cloudflare Load Balancer so that those can be compared to the migration steps. If you would prefer to start the migration now, skip to [Create a Named Tunnel](#create-a-named-tunnel). - -In both modes, the first step is to create a load balancer and endpoint pool. - -1. Go to **Load Balancing** and select **Create load balancer**. - -2. On the **Load Balancer Setup**, select **Public load balancer** - -3. Choose the website to which you want to add this load balancer. - -4. On the **Hostname** page: - - Enter a **Hostname**, which is the DNS name at which the load balancer is available. For more details on record priority, refer to [DNS records for load balancing](/load-balancing/load-balancers/dns-records/). - - Toggle the orange cloud icon to update the [proxy mode](/load-balancing/understand-basics/proxy-modes/), which affects how traffic is routed and which IP addresses are advertised. - - If you want [session-based load balancing](/load-balancing/understand-basics/session-affinity/), toggle the **Session Affinity** switch. - -Next, [create an endpoint pool](/load-balancing/pools/create-pool/#create-a-pool) for the load balancer. A pool is a group of endpoints or origins, whether Cloudflare Tunnel connections or traditional IP addresses, used by the load balancer. - -In Legacy mode, adding a new instance of `cloudflared` into a Load Balancer pool must be done from the command line tool itself. The `cloudflared` agent will start and create 4 separate connections, enrolling each of these into a load balancer pool. - -```sh -cloudflared tunnel --hostname app.widgetcorp.tech --url http://localhost:8000 --lb-pool lisbon-data-center -``` - - -For this example, the load balancer `app.widgetcorp.tech` would have a pool `lisbon-data-center` with endpoints similar to the following: - -| Endpoint Name | Endpoint Address | Weight | -| --------------- | ------------------ | ------ | -| `0-51cc...d004` | `tunnel:snf...aad` | 1 | -| `1-51cc...d004` | `tunnel:10x...x1b` | 1 | -| `2-51cc...d004` | `tunnel:yeq...y15` | 1 | -| `3-51cc...d004` | `tunnel:vn6...7p6` | 1 | - - - -However, the Legacy Tunnel mode has some downsides, including: - -- You cannot manage these connections from the Cloudflare dashboard. -- When `cloudflared` restarts, it will attempt to register these connections as new connections which can lead to service disruption. - -The Named Tunnel, documented below, model provides easier management and greater stability. - -## Create a Named Tunnel - -To migrate to the Named Tunnel model, first [download and authenticate](/cloudflare-one/connections/connect-networks/) `cloudflared`. Install the agent within your environment in a location that can reach the service you plan to connect to Cloudflare. - -To begin, create a Named Tunnel with the following command. - -```sh -cloudflared tunnel create lisbon-app -``` - -This command will create a Tunnel object in your Cloudflare account that is represented by this instance of `cloudflared`. You can point DNS records or LB records to this connection when you run the Tunnel. - -## Create a configuration file - -Next, configure your Tunnel. The example below consists of a web service that is available at port 8000. The ingress rule will send traffic that `cloudflared` receives for the specified hostname to that port. You can also connect [multiple services](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#file-structure-for-public-hostnames) with a single instance of `cloudflared`. - -In the configuration file, you must specify the location of the credentials file generated previously when you created the Tunnel. - -![Example of configuration file that specifies the location of the credentials file](~/assets/images/cloudflare-one/secure-origin-connections/migrate-lb-tunnel/tunnel-config.png) - -Save the configuration file. - -## Run the Tunnel - -You can now run the Tunnel. Running the Tunnel will connect `cloudflared` to Cloudflare's edge in a connection only available to your account. You can use the Tunnel ID value to treat that connection like the IP address of an endpoint or origin, without the risk of someone reaching it directly and bypassing Cloudflare. - -Run the following command, replacing `lisbon-app` with the name of your Tunnel. - -```sh -cloudflared tunnel run lisbon-app -``` - -## Migrate the Load Balancer configuration - -You can now begin migrating your Load Balancer deployment to use the new Named Tunnel. Create a new pool in the load balancer. Add a new endpoint to the list. - -In the **Endpoint Address** field, input the ID of the tunnel followed by `cfargotunnel.com`. - - - -In this example, the endpoint address value would be `6b9b8f72-b655-46fb-b008-a45366e26b48.cfargotunnel.com`. - -| Endpoint Name | Endpoint Address | Weight | -| ------------------------ | ------------------------------------------------------- | ------ | -| `lisbon-data-center-one` | `6b9b8f72-b655-46fb-b008-a45366e26b48.cfargotunnel.com` | 1 | - - - -Wait 1 minute while the new origin is recognized as healthy by Cloudflare Load Balancer. Once healthy, you can begin to disable the Legacy Argo Tunnel endpoints from the legacy Load Balancer pool. From 59c5a9ca265670915e5193b68e6e3a3053ab14f6 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 17 Oct 2025 14:49:29 -0400 Subject: [PATCH 2/2] remove legacy tunnel references --- public/__redirects | 2 ++ src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/public/__redirects b/public/__redirects index 879c686cd5cd9e..df19f8936ea306 100644 --- a/public/__redirects +++ b/public/__redirects @@ -2196,6 +2196,7 @@ /cloudflare-one/connections/connect-networks/install-and-setup/installation/ /cloudflare-one/connections/connect-networks/downloads/update-cloudflared/ 301 /cloudflare-one/connections/connect-networks/do-more-with-tunnels/secure-server/ /cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ 301 /cloudflare-one/connections/connect-networks/do-more-with-tunnels/grafana/ /cloudflare-one/connections/connect-networks/monitor-tunnels/grafana/ 301 +/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels/ /cloudflare-one/connections/connect-networks/ 301 /cloudflare-one/connections/connect-networks/downloads/system-requirements/ /cloudflare-one/connections/connect-networks/deploy-tunnels/system-requirements/ 301 /cloudflare-one/connections/connect-networks/private-net/connect-private-networks/ /cloudflare-one/connections/connect-networks/private-net/cloudflared/ 301 /cloudflare-one/connections/connect-networks/private-net/create-private-networks/ /cloudflare-one/connections/connect-networks/private-net/warp-to-warp/ 301 @@ -2289,6 +2290,7 @@ /cloudflare-one/tutorials/do-not-decrypt/ /cloudflare-one/policies/gateway/http-policies/common-policies/#skip-inspection-for-groups-of-applications 301 /cloudflare-one/tutorials/identity-dns/ /cloudflare-one/policies/gateway/dns-policies/common-policies/#restrict-access-to-specific-groups 301 /cloudflare-one/tutorials/many-cfd-one-tunnel/ /cloudflare-one/connections/connect-networks/deployment-guides/kubernetes/ 301 +/cloudflare-one/tutorials/migrate-lb-tunnel/ /cloudflare-one/connections/connect-networks/ 301 /cloudflare-one/tutorials/multi-origin/ /cloudflare-one/connections/connect-networks/get-started/ 301 /cloudflare-one/tutorials/review-gateway-block/ /cloudflare-one/analytics/logs/gateway-logs/ 301 /cloudflare-one/tutorials/require-swg/ /cloudflare-one/identity/devices/ 301 diff --git a/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx b/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx index 9abe99759d5cb4..d8e4b95b3f9ed7 100644 --- a/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx @@ -67,8 +67,6 @@ To log external visitor IPs, you will need to [configure an alternative method]( Cloudflare Tunnel was previously named Warp during the beta phase. As Warp was added to the Argo product family, we changed the name to Argo Tunnel to match. Once we no longer required users to purchase Argo to create Tunnels, we renamed Argo Tunnel to Cloudflare Tunnel. -For more information about migrating from Argo Tunnel, refer to [Migrate legacy tunnels](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels/). - ## Is it possible to restore a deleted tunnel? No. You cannot undo a tunnel deletion. If the tunnel was locally-managed, its [`config.yaml` file](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#configuration-file) will still be present and you can create a new tunnel with the same configuration. If the tunnel was remotely-managed, both the tunnel and its configuration are permanently deleted.