Cloudflare Tunnel (or Application) instead of whitelisting individual IPs

I have an app that is behind a firewall with IP allowlisting. Let’s call this
This currently allows access only to a handful of IPs. I can add IPs to the list, but I can’t change much else on this firewall.

One such IP address that is allowed is (example)
Currently, we use OpenVPN to allow users to connect to this, then tunnel traffic to

I’m interested in using Cloudflare Access for this instead, if at all possible.

  • If accessing from an already allowlisted IP address
    (i.e. from within the office network), just pass through.

  • If accessing from a non-allowlisted IP, show the Cloudflare login, so I can use my existing IdP (Microsoft AAD). Once the user has logged in (if they are on the allowed list of users), let them access it.

I can get most of the way there using Access → Applications.
However, due to the firewall on, I still need to be on an allowlisted IP.

Could I use Tunnels for this instead?
Would I need to use a different hostname? For example, or could I still use
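As an added illustration (not from the original post), here is what a cloudflared `config.yml` for the tunnel approach described above could look like; the tunnel ID, hostname and internal address are placeholders, and the two Access policies referenced in the comments are assumed to be configured separately on the Access application.

```yaml
# cloudflared config.yml (added example; all values are placeholders, not from the post)
# The connector runs on a host inside the office network whose egress IP is already
# on the firewall allowlist, so the origin sees the connector's IP rather than the
# end user's. Identity is enforced by Access at the edge before traffic enters the tunnel.
tunnel: <TUNNEL-UUID>                       # placeholder: id printed by `cloudflared tunnel create`
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Public hostname users browse to. It must be a CNAME to <TUNNEL-UUID>.cfargotunnel.com
  # and be protected by an Access application with, in order:
  #   1. decision Bypass  - include: office IP range (already allowlisted on the firewall)
  #   2. decision Allow   - include: users authenticated through the Microsoft AAD IdP
  - hostname: app.example.com               # placeholder hostname
    service: http://10.0.0.5:8080           # placeholder: the allowlisted app, reached over the LAN
    originRequest:
      connectTimeout: 30s

  # Catch-all rule: anything not matched above returns 404 instead of reaching an origin.
  - service: http_status:404
```

Because the firewall now only needs to trust the connector host, the allowlist can shrink to that single address, and every other user reaches the app only after passing the Access policy.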