Source from repo

Cloudflare Platform Skill

Comprehensive Cloudflare platform skill covering Workers, D1, R2, KV, AI, Durable Objects, and security.

cloudflareGitHub cloudflareSource repo Original GitHub link Publisher page

Files

321

Skill

n/a

Size

1.4 MB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/tunnel/networking.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown169 linesFree

references/tunnel/networking.md

1# Tunnel Networking
2 
3## Connectivity Requirements
4 
5### Outbound Ports
6 
7Cloudflared requires outbound access on:
8 
9| Port | Protocol | Purpose | Required |
10|------|----------|---------|----------|
11| 7844 | TCP/UDP | Primary tunnel protocol (QUIC) | Yes |
12| 443 | TCP | Fallback (HTTP/2) | Yes |
13 
14**Network path:**
15```
16cloudflared → edge.argotunnel.com:7844 (preferred)
17cloudflared → region.argotunnel.com:443 (fallback)
18```
19 
20### Firewall Rules
21 
22#### Minimal (Production)
23```bash
24# Outbound only
25ALLOW tcp/udp 7844 to *.argotunnel.com
26ALLOW tcp 443 to *.argotunnel.com
27```
28 
29#### Full (Recommended)
30```bash
31# Tunnel connectivity
32ALLOW tcp/udp 7844 to *.argotunnel.com
33ALLOW tcp 443 to *.argotunnel.com
34 
35# API access (for token-based tunnels)
36ALLOW tcp 443 to api.cloudflare.com
37 
38# Updates (optional)
39ALLOW tcp 443 to github.com
40ALLOW tcp 443 to objects.githubusercontent.com
41```
42 
43### IP Ranges
44 
45Cloudflare Anycast IPs (tunnel endpoints):
46```
47# IPv4
48198.41.192.0/24
49198.41.200.0/24
50 
51# IPv6
522606:4700::/32
53```
54 
55**Note:** Use DNS resolution for `*.argotunnel.com` rather than hardcoding IPs. Cloudflare may add edge locations.
56 
57## Pre-Flight Check
58 
59Test connectivity before deploying:
60 
61```bash
62# Test DNS resolution
63dig edge.argotunnel.com +short
64 
65# Test port 7844 (QUIC/UDP)
66nc -zvu edge.argotunnel.com 7844
67 
68# Test port 443 (HTTP/2 fallback)
69nc -zv edge.argotunnel.com 443
70 
71# Test with cloudflared
72cloudflared tunnel --loglevel debug run my-tunnel
73# Look for "Registered tunnel connection"
74```
75 
76### Common Connectivity Errors
77 
78| Error | Cause | Solution |
79|-------|-------|----------|
80| "no such host" | DNS blocked | Allow port 53 UDP/TCP |
81| "context deadline exceeded" | Port 7844 blocked | Allow UDP/TCP 7844 |
82| "TLS handshake timeout" | Port 443 blocked | Allow TCP 443, disable SSL inspection |
83 
84## Protocol Selection
85 
86Cloudflared automatically selects protocol:
87 
88| Protocol | Port | Priority | Use Case |
89|----------|------|----------|----------|
90| QUIC | 7844 UDP | 1st (preferred) | Low latency, best performance |
91| HTTP/2 | 443 TCP | 2nd (fallback) | QUIC blocked by firewall |
92 
93**Force HTTP/2 fallback:**
94```bash
95cloudflared tunnel --protocol http2 run my-tunnel
96```
97 
98**Verify active protocol:**
99```bash
100cloudflared tunnel info my-tunnel
101# Shows "connections" with protocol type
102```
103 
104## Private Network Routing
105 
106### WARP Client Requirements
107 
108Users accessing private IPs via WARP need:
109 
110```bash
111# Outbound (WARP client)
112ALLOW udp 500,4500 to 162.159.*.* (IPsec)
113ALLOW udp 2408 to 162.159.*.* (WireGuard)
114ALLOW tcp 443 to *.cloudflareclient.com
115```
116 
117### Split Tunnel Configuration
118 
119Route only private networks through tunnel:
120 
121```yaml
122# warp-routing config
123warp-routing:
124  enabled: true
125```
126 
127```bash
128# Add specific routes
129cloudflared tunnel route ip add 10.0.0.0/8 my-tunnel
130cloudflared tunnel route ip add 172.16.0.0/12 my-tunnel
131cloudflared tunnel route ip add 192.168.0.0/16 my-tunnel
132```
133 
134WARP users can access these IPs without VPN.
135 
136## Network Diagnostics
137 
138### Connection Diagnostics
139 
140```bash
141# Check edge selection and connection health
142cloudflared tunnel info my-tunnel --output json | jq '.connections[]'
143 
144# Enable metrics endpoint
145cloudflared tunnel --metrics localhost:9090 run my-tunnel
146curl localhost:9090/metrics | grep cloudflared_tunnel
147 
148# Test latency
149curl -w "time_total: %{time_total}\n" -o /dev/null https://myapp.example.com
150```
151 
152## Corporate Network Considerations
153 
154Cloudflared honors proxy environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`).
155 
156If corporate proxy intercepts TLS, add corporate root CA to system trust store.
157 
158## Bandwidth and Rate Limits
159 
160| Limit | Value | Notes |
161|-------|-------|-------|
162| Request size | 100 MB | Single HTTP request |
163| Upload speed | No hard limit | Governed by network/plan |
164| Concurrent connections | 1000 per tunnel | Across all replicas |
165| Requests per second | No limit | Subject to DDoS detection |
166 
167**Large file transfers:**
168Use R2 or Workers with chunked uploads instead of streaming through tunnel.
169

Preparing the source view

Cloudflare Platform Skill

references/tunnel/networking.md