Cloudflare Tunnel healthy but app stays unreachable (k8s)

EDIT: To future visitors: Before anything else, make sure you have the Cloudflare Proxy enabled for the CNAME record that points to your tunnel. Otherwise it will not work!!
Check out albert's answer below for more details!

1. The name of the domain about which you’re posting, your interest; visitor, owner, vendor, etc.

  • We are hosting k8s/GKE on GCP.

  • I just want to get the hello_world app to run for now.

  • Cloudflared has been set up according to the tutorial and is running successfully in debug mode with no errors, just a warning:

  • The tunnel shows as healthy in the dashboard,

  • CNAME record has been added,

  • Nameservers are set to CF

In another thread from '21, someone suggested Railgun being activated could be the cause, but the setting seems to no longer exist.

Here’s the k8s YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
spec:
  selector:
    matchLabels:
      app: cloudflared
  replicas: 1 # You could also consider elastic scaling for this deployment
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      containers:
      - name: cloudflared
        image: cloudflare/cloudflared:2023.2.1
        args:
        - tunnel
        - --config
        - /etc/cloudflared/config/config.yaml
        - --loglevel
        - debug
        - run
        livenessProbe:
          httpGet:
            path: /ready
            port: 2000
          failureThreshold: 1
          initialDelaySeconds: 10
          periodSeconds: 10
        volumeMounts:
        # config.yaml from the ConfigMap below
        - name: config
          mountPath: /etc/cloudflared/config
          readOnly: true
        # Tunnel credentials file from the Secret
        - name: creds
          mountPath: /etc/cloudflared/creds
          readOnly: true
        resources:
          requests:
            cpu: 20m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 250Mi
      volumes:
      - name: creds
        secret:
          secretName: cloudflared-tunnel-credentials
      - name: config
        configMap:
          name: cloudflared
          items:
          - key: config.yaml
            path: config.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared
data:
  config.yaml: |
    tunnel: steiger-dev-tools
    credentials-file: /etc/cloudflared/creds/credentials.json
    no-autoupdate: true
    ingress:
    - hostname:
      service: hello_world
    - service: http_status:404

2. Expected results & actual results? What did you expect to happen and what is actually happening?
I was expecting to be able to access the hello_world example app by opening the CNAME record in the browser but it fails to connect entirely.
Running nc -zv <my.domain> 80 (or 443 or 45857 - the port of the hello world app according to the logs) all return Protocol not available

3. Steps you’ve taken to fix it. What CommunityTips, ExpertTips, videos, directions, instructions, and advice you’ve followed to try & fix the issue?

  • I followed the tutorial precisely
  • I searched the net and this forum for answers but to no avail
  • I tried nslookup for the <uuid> domain which did not return a result, but dig did
  • I changed my local DNS server to just to be sure
  • I tried to netcat the domains (see above)
  • I turned on debug logging on cloudflared to see if sth comes up
  • to see if anything is listening at all I did an nmap -6Pn <uuid> which returned
Starting Nmap 7.92 ( ) at 2023-02-16 10:49 CET
Nmap scan report for (fd10:aec2:5dae::)
Host is up.
All 1000 scanned ports on (fd10:aec2:5dae::) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 403.18 seconds

4. Screen shot of the problem.
please see above

5. Specific error message & error code/number you’re seeing.
please see above

6. If you contact Cloudflare Customer Support, please share the ticket number, we’ll share details from your Community post with Support.
I did not contact support

Any help would be greatly appreciated as I’m at my wits end. Thanks!

You need to proxy :orange: the CNAME record on, otherwise it resolves to the internal tunnel hostname, which in turn resolves to an IPv6 ULA.

$ dig +noall +answer AAAA
	300	IN	CNAME
	86400	IN	AAAA	fd10:aec2:5dae::

You are seeing the Protocol not available error because you do not have an IPv6 address, but even if you had IPv6 connectivity, the tunnel still would not work since fd10:aec2:5dae:: is a local address in Cloudflare’s network. Tunnels only work when the hostname is proxied :orange:.

1 Like

Hey albert, thank you for the reply. It is really appreciated!

2 questions though:

  • I should have an IPv6 address according to the settings on my local machine, what makes you think I don’t?
  • What exactly do you mean by “proxying the CNAME record”? I created the CNAME record using cloudflared according to the tutorial like so:
cloudflared tunnel route dns --overwrite-dns cd3d9dc5-47f6-46a4-ac64-935ba5d97a50
 is already configured to route to your tunnel tunnelID=cd3d9dc5-47f6-46a4-ac64-935ba5d97a50

and when I try to access the hello_world app, I do so using the configured CNAME (I did the nmap scan using first, too)

I assumed Protocol not available indicates IPv6 is not available, but it may be caused by something else.

Proxied :orange: DNS records resolve to Cloudflare IPs. Cloudflare’s servers then terminate the TLS connection, look at the URL to determine where to send the request, and then forward it to your origin (through the tunnel). The DNS record should already be proxied by default if you used cloudflared to create it. Could you please check in the Cloudflare dashboard if the record is proxied :orange:?

1 Like
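
The difference the two replies above describe can be read straight from `dig +noall +answer` output. The following is an added example, not part of the original thread: it flags an answer that follows a CNAME into `cfargotunnel.com` (the domain Cloudflare uses for tunnel CNAME targets) or that ends in an IPv6 unique local address (fc00::/7). The hostnames, the all-zero tunnel ID and the 2001:db8:: address are constructed sample values.

```python
import ipaddress

# RFC 4193 unique local addresses: never routable on the public internet.
ULA = ipaddress.ip_network("fc00::/7")
# Domain Cloudflare uses for tunnel CNAME targets (<tunnel-id>.cfargotunnel.com).
TUNNEL_SUFFIX = ".cfargotunnel.com."

# Constructed sample: DNS-only record; the TTLs and the ULA match the thread.
UNPROXIED = """\
app.example.com.\t300\tIN\tCNAME\t00000000-0000-0000-0000-000000000000.cfargotunnel.com.
00000000-0000-0000-0000-000000000000.cfargotunnel.com.\t86400\tIN\tAAAA\tfd10:aec2:5dae::
"""
# Constructed sample: proxied record; 2001:db8::/32 stands in for an edge address.
PROXIED = "app.example.com.\t300\tIN\tAAAA\t2001:db8::1\n"


def parse_answers(dig_output):
    """Turn `dig +noall +answer` lines into (name, type, rdata) tuples."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        # Answer lines are: name TTL class type rdata
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records.append((fields[0].lower(), fields[3].upper(), fields[4].lower()))
    return records


def classify(dig_output):
    """Return 'unproxied-tunnel', 'other-address' or 'no-answer'."""
    records = parse_answers(dig_output)
    to_tunnel = any(t == "CNAME" and d.endswith(TUNNEL_SUFFIX) for _, t, d in records)
    addrs = [ipaddress.ip_address(d) for _, t, d in records if t in ("A", "AAAA")]
    in_ula = any(a.version == 6 and a in ULA for a in addrs)
    if to_tunnel or in_ula:
        # The client was handed the tunnel's internal name or address, which
        # only means something inside Cloudflare's network.
        return "unproxied-tunnel"
    return "other-address" if addrs else "no-answer"


if __name__ == "__main__":
    for label, sample in (("DNS only", UNPROXIED), ("proxied", PROXIED)):
        print(f"{label}: {classify(sample)}")
```
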

Ooooh, excuse my stupidity haha. You simply mean the CF proxy … I tend to think too complicated.
Anyways - I got a connection now, phew! Proxying was actually disabled for the entire site as it’s all development resources and I didn’t want caching to get in the way.
For some reason I thought Zero Trust and the regular CF dashboard were not that tightly coupled but it does make complete sense now that I think about it.
Thanks a lot for your help again.
