1# Cloudflare Tunnel
2 
3Secure outbound-only connections between infrastructure and Cloudflare's global network.
4 
5## Overview
6 
7Cloudflare Tunnel (formerly Argo Tunnel) enables:
8- **Outbound-only connections** - No inbound ports or firewall changes
9- **Public hostname routing** - Expose local services to internet
10- **Private network access** - Connect internal networks via WARP
11- **Zero Trust integration** - Built-in access policies
12 
13**Architecture**: Tunnel (persistent object) → Replica (`cloudflared` process) → Origin services
14 
15**Terminology:**
16- **Tunnel**: Named persistent object with UUID
17- **Replica**: Individual `cloudflared` process connected to tunnel
18- **Config Source**: Where ingress rules stored (local file vs Cloudflare dashboard)
19- **Connector**: Legacy term for replica
20 
21## Quick Start
22 
23### Local Config
24```bash
25# Install cloudflared
26brew install cloudflared  # macOS
27 
28# Authenticate
29cloudflared tunnel login
30 
31# Create tunnel
32cloudflared tunnel create my-tunnel
33 
34# Route DNS
35cloudflared tunnel route dns my-tunnel app.example.com
36 
37# Run tunnel
38cloudflared tunnel run my-tunnel
39```
40 
41### Dashboard Config (Recommended)
421. **Zero Trust** > **Networks** > **Tunnels** > **Create**
432. Name tunnel, copy token
443. Configure routes in dashboard
454. Run: `cloudflared tunnel --no-autoupdate run --token <TOKEN>`
46 
47## Decision Tree
48 
49**Choose config source:**
50```
51Need centralized config updates?
52├─ Yes → Token-based (dashboard config)
53└─ No → Local config file
54 
55Multiple environments (dev/staging/prod)?
56├─ Yes → Local config (version controlled)
57└─ No → Either works
58 
59Need firewall approval?
60└─ See networking.md first
61```
62 
63## Core Commands
64 
65```bash
66# Tunnel lifecycle
67cloudflared tunnel create <name>
68cloudflared tunnel list
69cloudflared tunnel info <name>
70cloudflared tunnel delete <name>
71 
72# DNS routing
73cloudflared tunnel route dns <tunnel> <hostname>
74cloudflared tunnel route list
75 
76# Private network
77cloudflared tunnel route ip add 10.0.0.0/8 <tunnel>
78 
79# Run tunnel
80cloudflared tunnel run <name>
81```
82 
83## Configuration Example
84 
85```yaml
86# ~/.cloudflared/config.yml
87tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
88credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json
89 
90ingress:
91  - hostname: app.example.com
92    service: http://localhost:8000
93  - hostname: api.example.com
94    service: https://localhost:8443
95    originRequest:
96      noTLSVerify: true
97  - service: http_status:404
98```
99 
100## Reading Order
101 
102**New to Cloudflare Tunnel:**
1031. This README (overview, quick start)
1042. [networking.md](./networking.md) - Firewall rules, connectivity pre-checks
1053. [configuration.md](./configuration.md) - Config file options, ingress rules
1064. [patterns.md](./patterns.md) - Docker, Kubernetes, production deployment
1075. [gotchas.md](./gotchas.md) - Troubleshooting, best practices
108 
109**Enterprise deployment:**
1101. [networking.md](./networking.md) - Corporate firewall requirements
1112. [gotchas.md](./gotchas.md) - HA setup, security best practices
1123. [patterns.md](./patterns.md) - Kubernetes, rolling updates
113 
114**Programmatic control:**
1151. [api.md](./api.md) - REST API, TypeScript SDK
116 
117## In This Reference
118 
119- [networking.md](./networking.md) - Firewall rules, ports, connectivity pre-checks
120- [configuration.md](./configuration.md) - Config file options, ingress rules, TLS settings
121- [api.md](./api.md) - REST API, TypeScript SDK, token-based tunnels
122- [patterns.md](./patterns.md) - Docker, Kubernetes, Terraform, HA, use cases
123- [gotchas.md](./gotchas.md) - Troubleshooting, limitations, best practices
124 
125## See Also
126 
127- [workers](../workers/) - Workers with Tunnel integration
128- [access](../access/) - Zero Trust access policies
129- [warp](../warp/) - WARP client for private networks
130