WAF and zero trust tunnel at the same time? Does that work for a website?

Just to verify I understood correctly.

I moved DNS of a website to Cloudflare (i.e. www.somesite.com pointing to the WAN IP) and secured it with some WAF rules, including Cloudflare managed rules.

When I want to disable the WAN IP and instead access the same website at its internal IP, I need to use a Zero Trust tunnel.
I have to do the following:
1 - Setup a tunnel, install cloudflared (i.e. on
2 - Delete the DNS entry for www.somesite.com on Cloudflare DNS
3 - Create (in zero trust section) an application www.somesite.com (self-hosted)

Is that it?

When creating the application without having the A record www.somesite.com deleted before, the web GUI will complain that the DNS entry already exists. That is why I think I have to delete it first in step 2.

What I am not sure at all, is if the already created WAF rules still would apply.
The basic question is if cloudflare zero trust tunnel and WAF rules work together.

Does it?
Am I on the right track?



Sounds reasonable. There’s a guide on getting started with tunnels here: Create a remotely-managed tunnel (dashboard) · Cloudflare Zero Trust docs
You’d create a new Public Hostname under the tunnel and specify the local service to connect to from the tunnel connector, and it’d automatically create the DNS Records required.

Keep in mind you’re not creating an application (used for securing items behind ZT), but instead a Public Hostname off the tunnel.

Yes, Tunnels are just a special way to connect to your origin. All your WAF/Firewall rules will still apply as normal for http/https services.
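As an added illustration (not part of the original thread), here is the locally-managed equivalent of the dashboard steps in the answer above: a cloudflared config.yml that publishes one public hostname through the tunnel and sends everything else to a 404 inside the connector, plus the CLI commands that create the tunnel and its DNS record. The hostname www.somesite.com, the tunnel name, the internal origin 10.0.0.5:80, the tunnel UUID and the file paths are assumptions chosen for the example.

```shell
#!/usr/bin/env sh
# Added example, not code from the original thread or from Cloudflare.
# Hostname, tunnel name, origin address, UUID and paths are assumptions.
set -eu

# Write a cloudflared config.yml that publishes ONE hostname via the tunnel.
# The trailing catch-all rule is mandatory: cloudflared refuses to start
# without it, and it is what keeps other internal hosts unreachable.
write_tunnel_config() {
  tunnel_id="$1"; cred_file="$2"; hostname="$3"; origin="$4"; out="$5"
  cat > "$out" <<EOF
tunnel: ${tunnel_id}
credentials-file: ${cred_file}

ingress:
  # Requests for ${hostname} that arrive over the tunnel go to the internal origin.
  - hostname: ${hostname}
    service: ${origin}
  # Anything else is answered with 404 by cloudflared itself; nothing else is exposed.
  - service: http_status:404
EOF
}

# Print the origin service configured for a hostname (empty if absent).
# A quick sanity check of the generated file before starting the tunnel.
ingress_service_for() {
  config="$1"; hostname="$2"
  awk -v h="$hostname" '
    $1 == "-" && $2 == "hostname:" { cur = $3; next }
    $1 == "service:" && cur == h   { print $2; exit }
    $1 == "-" && $2 == "service:"  { cur = "" }
  ' "$config"
}

# One-time provisioning on the machine that will run cloudflared.
# Needs network access and a browser login, so it is not run automatically here.
# Remove the old A record for the hostname first: "route dns" creates a CNAME to
# <UUID>.cfargotunnel.com and will not overwrite an existing record by default.
provision_tunnel() {
  name="$1"; hostname="$2"; config="$3"
  cloudflared tunnel login                        # authorise cloudflared against the account
  cloudflared tunnel create "$name"               # prints the UUID, writes ~/.cloudflared/<UUID>.json
  cloudflared tunnel route dns "$name" "$hostname" # creates the CNAME for the public hostname
  cloudflared tunnel --config "$config" run "$name"
}

# Example usage with assumed values (the UUID is a placeholder, not a real tunnel):
#   write_tunnel_config 6ff42ae2-765d-4adf-8112-31c55c1551ef \
#     /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json \
#     www.somesite.com http://10.0.0.5:80 /etc/cloudflared/config.yml
#   provision_tunnel somesite-tunnel www.somesite.com /etc/cloudflared/config.yml
```

Once the CNAME points at the tunnel, requests for www.somesite.com still enter at Cloudflare's edge, so the WAF and managed rules are evaluated exactly as before; only the last hop changes from the WAN IP to the tunnel. For that to mean anything, also close the old port-forward on the router so the origin no longer accepts direct traffic on the WAN IP, otherwise anyone who learns the public address can bypass the WAF entirely.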
