Question about best practice topology of cloudflared

Hi anyone kind enough to answer my question:

I think I have configured my Cloudflare remote access unoptimally, but I’m not sure. I’ve put multiple apps like pihole, nextcloud and home assistant under one application, with a set of policies (using email and PIN to verify), and added subdomains to the application which redirect to my local IPs specified in the tunnel settings.

Should these be separate applications under Cloudflare? Or is this just a logical separation that doesn’t make much of a difference other than management?

Also as a side question, how can I set up to have an external and internal ruleset for specific subdomains? (For example, only people with verified Email & PIN can access Pihole right now, but what if I had a website that I’d like to be publicly accessible?)

Sorry if this question is poorly worded, I’m very new to self-hosted stuff.

Hi there,

The way you have your settings is fine, a single tunnel with multiple hostnames.

Should these be separate applications under Cloudflare? Or is this just a logical separation that doesn’t make much of a difference other than management?
Also as a side question, how can I set up to have an external and internal ruleset for specific subdomains? (For example, only people with verified Email & PIN can access Pihole right now, but what if I had a website that I’d like to be publicly accessible?)

These 2 questions are linked together. Do you want to have different policies/authentication/settings for different hostnames in the tunnel? If so, it will be logical to create a different application for each hostname, otherwise it’s up to you really.

There’s no wrong answer, only opinions. I prefer to have my applications separated, solely because it allows me to identify much more quickly which application is which and to change its settings without interfering with the remaining applications. But again, it’s a matter of personal taste. If your applications all have the same settings, leaving them as they are is fine, and only moving the hostnames you want to treat differently into their own applications.

Take care.
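The topology the answer describes (one tunnel, several hostnames, Access policies decided per application), as an added example config and not the poster's own file. The tunnel UUID, hostnames and 192.168.1.x origin addresses are placeholders; the Access applications and their email + PIN policies are created in the Zero Trust dashboard, not in this file.

```yaml
# Added example (not from the thread): one cloudflared tunnel serving several
# hostnames. Tunnel ID, hostnames and origin IPs are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000   # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Admin-only services. Each hostname gets its own Access application in the
  # Zero Trust dashboard (for example an email + PIN policy), so the policies
  # can differ per hostname even though they share one tunnel.
  - hostname: pihole.example.com
    service: http://192.168.1.10:80
  - hostname: nextcloud.example.com
    service: https://192.168.1.11:443
    originRequest:
      noTLSVerify: true          # origin presents a self-signed certificate
  - hostname: homeassistant.example.com
    service: http://192.168.1.12:8123

  # Public website: same tunnel, but no Access application is created for this
  # hostname, so it is reachable by anyone. Access applies per application,
  # never to the tunnel as a whole, which is what makes the split possible.
  - hostname: www.example.com
    service: http://192.168.1.20:80

  # Required catch-all: any hostname not matched above gets a 404 instead of
  # being forwarded to an internal origin.
  - service: http_status:404
```

Each hostname still needs a DNS record pointing at the tunnel (`cloudflared tunnel route dns <tunnel> <hostname>`), and a hostname that is routed here but has no matching Access application is public by default, so check the application list after adding a new hostname.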