Expose to CF Workers privately

I’d like advice on what would be the best approach to expose an internal service (cephFS) through CF Tunnel to a CF Worker in a way that we don’t need to expose the entire service to the public WWW.

Any way to make a worker access the tunnel directly, maybe through an “internal-network”?

  1. Make the CNAME that points to the uuid.cfargotunnel.com grey-cloud (DNS Only) and it’ll work for Workers but nothing else - but this means it’ll work for other peoples Workers.

  2. Add Cloudflare Access on it & create a Service Token that your Worker can include in the headers, so no-one can actually get past the Access login page other than your Worker.

2 is better.