Understanding tunnels, networks and WARP

Hello!

I want to build a multi-cloud environment, and for the question’s sake, I simplified the use case.

Let’s assume that I have these different cloud resources:

  • VPC A: resource that everything uses (SMTP)
  • VPC B: production environment
  • VPC C: test environment

I want to connect:

  • VPC A <—> B
  • VPC A <—> C
  • but not B and C

Now I have three tunnels. I added the CIDR of the tunnel’s private network (VPC A has only its own network, like “10.108.16.0/20”). I see on the dashboard that every tunnel is healthy. I set up the device policies, and with Split Tunnels, I added these CIDRs. With the WARP client, I can connect to any resource.

I saw the documentation, for example this article: Tunnel Virtual Networks · Cloudflare Zero Trust docs, but it only makes a network that can be reached by the WARP.

Could you help me understand how I should connect the resources AND restrict the access?

  • How can I connect the VPCs like I mentioned above? I want to use a resource in VPC A from VPC B, by calling the resource IP in VPC A.
  • How can I restrict the WARP access of these networks? I want Josh to reach only VPC A + C (because he is a tester) but I want Michael to reach VPC A + B + C, because he is a superadmin. Michael can switch between the networks, but can’t reach all the resources altogether.

Could you tell me how I can achieve this?
Thank you!

Well, for the others looking for a solution:
I managed to achieve this network with ZeroTier (or Tailscale). Now I think I should use the Docker “cloudflared” service only for tunneling the entry point to the load balancers and not for building a whole complex multicloud zero-trust network. Am I right?

I made a ticket with nearly the same questions to Cloudflare support on this topic, and I got the answers from a senior tech support engineer.

Hello,

We apologize for any inconvenience that this may be causing.

  • How can I manage the access of the created network of tunnels to my Zero Trust WARP users? For example, I want Mr. X (a WARP user) to reach network A, but I don’t want him to reach network B.

A: You will need to make use of Network Policies and create rules such as who can access which networks.

  • How can I connect different VPCs to the same network while allowing them to reach each other? For example, my database is in VPC-A (no public IP), and my workers are in VPC-B (no public IP). The two VPCs have a healthy tunnel to Cloudflare. And I want my workers in VPC-B to reach the database in VPC-A.

A: Today the primary onramp for clients is WARP. This traffic is meant specifically for onramp. For networks there is Cloudflared to connect private networks to the Zero Trust team. The latter, though, doesn’t account for traffic flowing from a network to another network or client. Adding WARP to machines that need to connect is one option, otherwise you can explore MagicWAN.

  • Is this whole Zero Trust solution stable and production-ready? I want the following approach: tunnel’s public CNAME entry point [asd.mydomain.com] points to the …cfargotunnel.com, which points to my server (no public IP) inside a VPC, routed by the Dockerized “cloudflared” microservice. Should I use this method in a production environment? Is it ready for high traffic?

A: The use of Cloudflared for Public Hostnames is already used by many big production environments. We suggest slowly introducing Cloudflared tunnels to your organization, testing along the way, to ensure your organization’s web traffic also works as expected in combination with Cloudflared tunnels.

For the last question, I’d suggest testing it. Test it with some non-production routes, slowly introducing it to more heavily demanding endpoints.

Please do let us know if you have any additional questions, comments or concerns.

Thanks,

Dean Sundquist
Senior Technical Support Engineer, Cloudflare

Thank you very much for posting this! We stopped deploying another VPN solution and planned to use Cloudflare Tunnels instead. I spent days trying to figure out how to get traffic from one site on our private network to reach another site using Tunnels. It didn’t occur to me that “We’re excited to give any team the ability to run their internal network on Cloudflare’s global edge” (from the blog post below) was vaporware. Lesson learned.

Start building your own private network on Cloudflare today

Well, as I see it, it’s a perfect solution to simply replace VPN if you have only one private network, but I guess Cloudflared is not meant for site-to-site routing, or at least the guide does not exist yet for this.

I am not sure that we can’t make it work somehow, but I did not want to force it. So I finally built the connection with ZeroTier with this guide below, and I am using Cloudflared only for getting to the entry point of my app (to the load balancer).

ZeroTier guide to site-to-site routing:

https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks

There is a missing piece of information in this guide, but Tailscale has a similar article, and this covers all:

I shared these URLs here because, with these guides, maybe one can set up the following if they really want:

  • Set up Cloudflare WARP client settings in the Dashboard, to search the private networks over the Cloudflare network (add the CIDRs to the clients).

  • Set up one VM (in each private network) for Cloudflared for the tunnel to work.

  • Set up the same VM or another VM (in each private network) to run a console WARP client, and “MASQUERADE” the route between the private and the Cloudflare network.

These are just ideas I did not try. Please leave a note here if anyone made this work. Thanks!
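As an added example (not from the thread, and not something the poster tested), here is the router-VM half of the third bullet: enable forwarding on the VM that runs the console WARP client and masquerade only the traffic between the two VPC CIDRs, with a default-deny FORWARD chain so the VM does not become an open router. The LAN interface name eth0, the WARP tunnel interface name CloudflareWARP and the remote CIDR 10.200.0.0/16 are assumptions; 10.108.16.0/20 is the VPC A network from the original question.

```shell
#!/bin/sh
# Site-to-site router VM for the idea above (added example, untested by the poster).
# Assumed names: LAN interface eth0, WARP tunnel interface CloudflareWARP,
# local VPC CIDR 10.108.16.0/20 (from the thread), remote VPC CIDR 10.200.0.0/16
# (constructed placeholder). Override any of them via the environment.
set -eu

LAN_IF="${LAN_IF:-eth0}"
WARP_IF="${WARP_IF:-CloudflareWARP}"
LOCAL_CIDR="${LOCAL_CIDR:-10.108.16.0/20}"
REMOTE_CIDR="${REMOTE_CIDR:-10.200.0.0/16}"

# With DRY_RUN=1 the commands are printed instead of executed, so the rule set
# can be reviewed before it is applied as root.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Builds the complete rule set. Only flows between the two named CIDRs are
# forwarded; anything else that reaches FORWARD on this VM is dropped.
site_to_site_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  # LAN hosts -> remote VPC, leaving through the WARP tunnel interface
  run iptables -A FORWARD -i "$LAN_IF" -o "$WARP_IF" -s "$LOCAL_CIDR" -d "$REMOTE_CIDR" -j ACCEPT
  # Return path only for flows the LAN side initiated (no unsolicited inbound)
  run iptables -A FORWARD -i "$WARP_IF" -o "$LAN_IF" -s "$REMOTE_CIDR" -d "$LOCAL_CIDR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # The "masquerade" step from the post: LAN hosts appear as this VM's WARP address
  run iptables -t nat -A POSTROUTING -o "$WARP_IF" -s "$LOCAL_CIDR" -d "$REMOTE_CIDR" -j MASQUERADE
}

# Usage:  sh site2site.sh print   (review)   |   sudo sh site2site.sh apply
case "${1:-}" in
  print) DRY_RUN=1 site_to_site_rules ;;
  apply) site_to_site_rules ;;
esac
```

Connections initiated from the remote VPC toward LAN hosts are deliberately not handled; with masquerading they would need a DNAT rule on this VM, or the mirror-image setup on the other side.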