When will Zero Trust / Cloudflare Tunnel go global?

I had the impression that Cloudflare tunnels are global. Imagine my surprise when I see the latency of the tunnel in 3 digit milliseconds! One of the answers in August showed that Cloudflare tunnel is US only at the time. Please make it global, preferably automatic based on the e2e latency, a la R2 and workers. I always thought region agnostic end user experience is one of the best differentiators of Cloudflare products!

Can anyone from Cloudflare shed some light on the timeline of rolling out ZT/tunnel to EU/MENA/APAC?

Thanks in advance!

My cloudflared connects to AU based servers (I’m in AU) …

Interesting. Care to share your latency numbers?

Where do you connect to Cloudflare? Care to show what https://www.cloudflare.com/cdn-cgi/trace shows?

Cloudflare connects to 2 locations via anycast, so it’s up to your ISP to route you well.

Just as a side note, Workers is global, R2 isn’t yet fully global, it’s still just in a few locations.

Thanks for responding matteo! Just tested with a few curls from my laptop and the colo bounced around:

fl=376f23
h=www.cloudflare.com
ip=2.50.149.78
ts=1670968601.658
visit_scheme=https
uag=curl/7.79.1
colo=LHR (also got AMS, HKG, CDG, anything but DXB, where it should be)
sliver=none
http=http/2
loc=AE
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
kex=X25519

Thanks for the heads up regarding R2. Thought it went global when GA was announced. Can you share the current locations of R2?

Yeah, that’ll be an ISP issue, unfortunately… your provider is routing you very badly. Either change it, or contact them, I don’t think Cloudflare can do a thing.

Unfortunately I can’t, don’t know much and can’t share as it’s all speculative (it’d be probably bad info regardless). It can be cached globally and normally large files are very much less latency sensitive.

I connect to both BNE and SYD (I’m in BNE) - 8ms to BNE, 20ms to SYD …

I tried the cdn trace url at 3 places in AE: an airport (DXB), a hotel, and a university in Abu Dhabi. All behave the same: loc bouncing around with anything but DXB with 100-200ms latency.

OTOH, ping 1.1.1.1 latency is consistently low (10-20ms), which implies that anycast for DNS is working as expected, which seems to indicate an issue for cdn/tunnel location algo in AE?

Ok, let me expand a bit on this.

Anycast DNS will work for sure, that I am sure of, but each range will get announced and each range can be directed wherever you want.

The fact that 1.1.1.1 works doesn’t guarantee a completely different range will.

A good thing might actually be to see traces for 1.1.1.1 and to region1.v2.argotunnel.com and region2.v2.argotunnel.com.
Do check you have the latest release of cloudflared to be sure to use the new more expanded IP ranges and, if you have IPv6, do traces with IPv6 as well, adding 2606:4700:4700::1111 for the DNS resolver.

This is interesting:
curl https://1.1.1.1/cdn-cgi/trace consistently returns DXB as expected.
curl http://region1.v2.argotunnel.com/cdn-cgi/trace bounced around the world.
curl http://region2.v2.argotunnel.com/cdn-cgi/trace consistently returns the correct DXB!

Shouldn’t the resolver pick the lower latency one, which is region2?

cloudflared is the latest version: 2022.12.1. IPv6 is not yet an option for us here. It seems egregious that pinging the public hostname of the tunnel from the origin server goes around the world and takes 100-200ms.
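
The comparison made in the posts above (repeated `/cdn-cgi/trace` requests against several endpoints, then reading the `colo=` field) can be tallied with a short script. This is an added example, not part of the thread or any Cloudflare tooling; the function names and verdict labels are assumptions, and the trace bodies are constructed samples that reuse only the colo codes mentioned in the thread.

```python
from collections import Counter


def parse_trace(text):
    """Parse the key=value body returned by /cdn-cgi/trace into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            fields[key] = value
    return fields


def summarize(samples, expected_colo):
    """Tally the colo seen per endpoint and classify the routing.

    samples: {endpoint: [trace body, ...]}, one body per request.
    Verdicts (hypothetical labels): stable-local, flapping, remote.
    """
    report = {}
    for endpoint, bodies in samples.items():
        colos = Counter(parse_trace(b).get("colo", "unknown") for b in bodies)
        if set(colos) == {expected_colo}:
            verdict = "stable-local"   # every request landed in the nearby colo
        elif expected_colo in colos:
            verdict = "flapping"       # sometimes local, sometimes elsewhere
        else:
            verdict = "remote"         # never reached the nearby colo
        report[endpoint] = {"colos": dict(colos), "verdict": verdict}
    return report


def _body(colo):
    # Constructed sample: a minimal trace body with only the fields used here.
    return f"h=example.invalid\ncolo={colo}\nloc=AE\nwarp=off\n"


# Constructed samples mirroring the pattern reported in the thread.
SAMPLES = {
    "1.1.1.1": [_body("DXB")] * 3,
    "region1.v2.argotunnel.com": [_body("LHR"), _body("AMS"), _body("HKG")],
    "region2.v2.argotunnel.com": [_body("DXB")] * 3,
}

if __name__ == "__main__":
    for endpoint, result in summarize(SAMPLES, "DXB").items():
        print(f"{endpoint:28} {result['verdict']:13} {result['colos']}")
```

To use it on real data, save the body of each curl request and pass the collected strings in place of `SAMPLES`.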