Is it possible to permission tunnels with access groups?

Hey folks, I’m trying to figure out if it’s possible to configure access groups around access to tunnels. As best I can tell, tunnels are open to all Cloudflare WARP users in our organization, which is not ideal.

Is there any way to permission access to the tunnels?


Ya you can in cloudflare for teams. It depends if it’s http application or non http application

Yes. Traffic from WARP → Tunnel goes through our Secure Web Gateway. So you can define Network rules there (see that will limit who can access which IP (e.g. ranges) based on Identity (of the WARP device) and many others.

Thank you so much Nuno! One more question: can destination IP be a CIDR range? When I look at the docs I see examples of ranges being used, but entering one into a field I get invalid IP.

Yes, CIDR range works.


When I try to do that it tells me invalid IP. Any ideas?

That’s really odd. I did save that policy and it works.

I suppose you’ll have to open a ticket with support showing that problem so they can assist.

Does your CIDR range have zeros that match the netmask? In another part of the dashboard, I entered an IPv6 with a netmask, but I didn’t zero out the correct blocks and it said “Invalid”.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.