Limit to the number of defined subdomains for a defined Application

I have a large number of Zero Trust Tunnels defined that can logically be grouped as a small number of Applications using the ability to add a number of Subdomains to an Application.

There seems to be an issue, at least with the web GUI, where there is a limit of just 5 Subdomain entries for an Application. After adding 5 Subdomains, when you mouse over the “add domain” option, the mouse pointer is shown as a red circle with a red line through it, which at least in the UK is a no-entry road sign.

So is there a hard 5 entry rule or is this just a GUI limitation? I have not found any docs that detail what to expect or what limits are in place.


It should be noted that the type of Application is Self-Hosted.

Bumping this.

I have a use case for 10+ subdomains and it’s tiresome logging into Cloudflare and changing which subdomains are being used in the tunnel application just so I can access another service I have running on my home servers.


Yes, you can wildcard the whole domain, but I have other public use cases (websites, game servers, file shares, etc.) that realistically cannot be behind authentication like this.

Simple solution is getting another domain for <$20, but trying to think of a domain name that isn’t taken is like pulling teeth for me.

Hi Hunterhearne,

The issue is more a GUI/admin issue rather than a hard limit. As I’ve about 8 endpoints across 8 systems, being able to group them would make things a lot simpler.

For your situation, you can work around the limit by defining 2 or more application names with 5 domain entries assigned to each, or even just 10+ ‘application names’ with one domain entry each.

Such workarounds are how I deal with the issue at the moment, but as our environment grows, the limits of the GUI cause our application table to become a real mess and hard to manage, as we cannot set Policies, Authentication and Settings values against logical groups of applications.

Even more ‘stupidity’ regarding this configuration screen and the total lack of supporting documents to allow it to be used.

It seems that you can use wildcards in the subdomain field, so as long as you use a naming structure that allows the logical grouping of services you can define an application with a single defined application domain that contains a wildcard. This will then cover all the tunnels you publish from a system.

The whole thing does look like someone designed an API first and then a GUI was thrown on top, but it just about works.