ZTNA Tunnel Security Explained

I am looking for a document/white paper/web page that explains the technical details around the security used by the outbound connection from cloudflared tunnels back to Cloudflare. Everything I find just says it ‘creates outbound-only connections to Cloudflare’s edge’ without any further details.

As ZTNA is promoting Private Tunnel back to private resources for ZTNA users, I like the Auth integration, user policies and device posture integration, but I’d like to understand the following more fundamentally before creating tunnels into Cloudflare:

* What encryption this is built on, methods used, ciphers, etc.
* How this is segmented and secured from other customers, the internet and Cloudflare themselves
* How traffic is routed: is this via the nearest Cloudflare edge server, back to some other core servers, somehow p2p with ZTNA devices, etc.?
* Is there any way to create a preference for which datacentre cloudflared goes back to, rather than just ‘the nearest one’, to help meet any company compliance or regulatory requirements?

Thanks for any input!

cloudflared is a fully open-source utility, so you will be able to find this sort of information on GitHub (cloudflare/cloudflared: Cloudflare Tunnel client, formerly Argo Tunnel). I’m not aware of any white paper that describes it in the detail that you’re after.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ports-and-ips/ touches on it briefly, but only with as much information as is needed for firewall rules.

Thanks for your input, though it doesn’t really answer my questions. There is an implied implicit trust here with Cloudflare, but no actual details around the security as per my list above.
