Cloudflare Tunnel vs Cloud Provider LB

Hello. We are a small startup that want to start and use Cloudflare for DNS management and LoadBalancing traffic to our backend services hosted on GKE. (maybe Cloudflare Access in the future)

We manage our own ingress and use a Layer 4 Regional LB in front of it. At first we thought we will just need to put Cloudflare in front of the existing LB while restricting traffic to it only from Cloudflare; but then we ran into:

So now we might have:

  1. Cloudflare LB → L4 GCE LB → GKE Ingress
  2. Cloudflare LB → Cloudflare Tunnel → GKE Ingress

Could not find any comparison between the two.
What are your recommendations? What is the better approach? Any advice is welcome. Thank you!


By using Cloudflare Tunnel you can:

  • make sure that you don’t have any open inbound port, since we don’t need it (so better security)
  • have performance gains due to the long-lived connections maintained from Cloudflare Edge to the Tunnel (and more with Argo Smart Routing if you enable it)

You can see an example of using Tunnel with a GKE Ingress at argo-tunnel-examples/terraform-gcp-gke-ingress-controller at master · cloudflare/argo-tunnel-examples · GitHub

You can then see an example of using LB with Tunnel (regardless of what it points to) at


So the recommendation is to use the Cloudflare Tunnel in front of any ingress you might have in Kubernetes, regardless where that cluster is. I like that, thanks for your answer! Any plans for an official Cloudflare Tunnel Helm Chart? :slight_smile:

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.