Question of understanding on network connectivity of cloudflared

Just a question of unterstanding.

I have a domain “” setup on Cloudflare DNS.
Let’s say, I install cloudflared locally on a machine with the IP
The machine running cloudflared has access to another network through it’s default gateway at

Question 1:
If I create an application on the above zero trust thunnel, that points i.e. to, would that still work?
(cloudflared and the destination is not on the same network)

Question 2:
If Question 1 answer is yes, I would see HTTPS traffic on the gateway origin from towards and could apply some firewall rules to block all other traffic except that one. Is that correct?

Question 3:
Lets’ say I have a stone-age web application that is not secure anymore (developer not available anymore, old unsupported linux, unsupported PHP, etc… you name it) and I need to have it still running for a while. Suppose I cannot change anything on the oldish web configuration without breaking it, and the website is currently still available on the WAN IP
Could I create an application that points to, using the same tunnel as above?
I would make sure that the machine could reach of course.
Would that scenario work?


(FYI: I’ve added another question on Cloudflare tunnel together with WAF to mitigate the risks… )

Assuming that subnet is accessible from that machine… yes.

Assuming you wanted no other machine on the 10.1 subnet to be able to communicate with that machine… yes.

Yes, but the restrictions on accessing the public IP would be done to whatever the egress IP would be for the machine on when accessing the public Internets.

@cscharff , thanks for the quick answer.
I was not surer, but you confirmed my assumptions.
Of course the FW rules would be set on the egress IP of, you are right.
Many Thanks

1 Like

No worries, I’ve supported a number of applications similar tot he one you described in previous lives. :older_man: :slight_smile:

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.