Cloudflare Tunnel Users: Identifying Essential UDP Ports for AWS ACL Configuration

We have been using Cloudflare Tunnel to facilitate SSH connections to our AWS EC2 instances. Initially, our VPC’s Network ACLs were configured to allow all inbound traffic, and the setup was functioning correctly.

Recently, we made a change to the Network ACLs to allow only HTTP, HTTPS, and MySQL/Aurora (port 3306) traffic. Following this change, the SSH connection over the Cloudflare Tunnel stopped working.

To troubleshoot, we tried opening multiple ports to identify if any specific ones would restore our SSH functionality. We found that when we permit all UDP traffic in the ACLs, the SSH over Cloudflare Tunnel works again.

We would like to narrow down the open UDP ports for security purposes. Therefore, our question is: Does Cloudflare Tunnel operate on any specific UDP ports? We aim to allow only the necessary UDP ports and block the rest.

Attached is an image of our current Network ACL settings for reference.

We appreciate any insights or guidance you can provide.

The specific ports are outlined here.

Thank you all for your input. We’ve tried opening port 7844 as suggested, but unfortunately, the issue persists. I’ve attached a screenshot of our error message after adding this rule. If there are any other suggestions or if anything seems amiss in our setup, please let us know.

Your expertise is much appreciated!

In your post you showed the inbound rules, are there any outbound rules as well?

The first screenshot was indeed of the inbound rules. I’m now attaching the outbound rules for your reference as well.

Port 7844 udp needs to be added to the outbound rules. Not the inbound.

If that still isn’t working, try getting the logs from the cloudflared service showing what the failure is.

We’ve tested by setting port 7844 UDP in the outbound rules, but it didn’t resolve the issue. We’re attaching a screenshot of the logs for review. Interestingly, we’ve noticed that each connection attempt appears to select a random TCP port — as illustrated in the logs with ports 57460, 45188, and 49908 during separate requests. Your further guidance would be much appreciated.

Just following up on my earlier messages about connectivity issues with Cloudflare Tunnel. Despite setting outbound UDP port 7784 and observing random TCP port usage, we’re still facing the same problems. Any further advice would be greatly appreciated!

Thank you!
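The two symptoms in this thread (outbound 7844 alone not helping, and a different high port on every attempt) come from Network ACLs being stateless: the request cloudflared sends out and the reply the Cloudflare edge sends back are checked by separate rule tables. The small model below is an added example, not code from Cloudflare or AWS; it assumes the logged ports are the instance's ephemeral source ports and approximates the thread's ACLs, whose screenshots are not on the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lower numbers are evaluated first
    protocol: str    # 'tcp', 'udp' or 'all'
    port_from: int
    port_to: int
    action: str      # 'allow' or 'deny'

def evaluate(rules, protocol, port):
    """First matching rule wins; no match falls through to the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol in ('all', protocol) and r.port_from <= port <= r.port_to:
            return r.action
    return 'deny'

CLOUDFLARED_PORT = 7844    # cloudflared's QUIC transport port, as given in the thread
EPHEMERAL = (1024, 65535)  # range AWS documents for reply traffic in NACL rules

def tunnel_passes(inbound, outbound, ephemeral_port):
    """cloudflared dials out: src=ephemeral_port -> dst=7844, checked by the
    outbound table on the destination port. The edge replies: src=7844 ->
    dst=ephemeral_port, checked separately by the inbound table on *its*
    destination port, because the NACL keeps no connection state."""
    request_ok = evaluate(outbound, 'udp', CLOUDFLARED_PORT) == 'allow'
    reply_ok = evaluate(inbound, 'udp', ephemeral_port) == 'allow'
    return request_ok and reply_ok

# Constructed approximation of the thread's ACLs after the suggested changes.
THREAD_INBOUND = [
    Rule(100, 'tcp', 80, 80, 'allow'),
    Rule(110, 'tcp', 443, 443, 'allow'),
    Rule(120, 'tcp', 3306, 3306, 'allow'),
    Rule(130, 'udp', 7844, 7844, 'allow'),   # inbound 7844: not needed, tunnel dials out
]
THREAD_OUTBOUND = [
    Rule(100, 'tcp', 80, 80, 'allow'),
    Rule(110, 'tcp', 443, 443, 'allow'),
    Rule(120, 'udp', 7844, 7844, 'allow'),   # outbound 7844 as suggested in the thread
]
# Hardened inbound: keep the narrow service rules, add only the UDP reply range.
FIXED_INBOUND = [r for r in THREAD_INBOUND if r.number != 130] + [
    Rule(140, 'udp', EPHEMERAL[0], EPHEMERAL[1], 'allow'),
]
LOGGED_PORTS = (57460, 45188, 49908)  # high ports seen in the thread's logs
```

If cloudflared falls back to its http2 transport, the same outbound-plus-reply check applies with protocol `'tcp'` on port 7844, which is why the random TCP ports in the logs point at the same missing inbound ephemeral rule.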