Tunnel with firewall
You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from cloudflared. Only the services specified in your tunnel configuration will be exposed to the outside world.
Ports
The parameters below can be configured for egress traffic inside of a firewall.
Required for tunnel operation
cloudflared connects to Cloudflare's global network on port 7844. To use Cloudflare Tunnel, your firewall must allow outbound connections to the following destinations on port 7844 (via UDP if using the quic protocol, or TCP if using the http2 protocol).
Domain | IPv4 | IPv6 | Port | Protocols |
---|---|---|---|---|
region1.v2.argotunnel.com | 198.41.192.167, 198.41.192.67, 198.41.192.57, 198.41.192.107, 198.41.192.27, 198.41.192.7, 198.41.192.227, 198.41.192.47, 198.41.192.37, 198.41.192.77 | 2606:4700:a0::1, 2606:4700:a0::2, 2606:4700:a0::3, 2606:4700:a0::4, 2606:4700:a0::5, 2606:4700:a0::6, 2606:4700:a0::7, 2606:4700:a0::8, 2606:4700:a0::9, 2606:4700:a0::10 | 7844 | TCP/UDP (http2/quic) |
region2.v2.argotunnel.com | 198.41.200.13, 198.41.200.193, 198.41.200.33, 198.41.200.233, 198.41.200.53, 198.41.200.63, 198.41.200.113, 198.41.200.73, 198.41.200.43, 198.41.200.23 | 2606:4700:a8::1, 2606:4700:a8::2, 2606:4700:a8::3, 2606:4700:a8::4, 2606:4700:a8::5, 2606:4700:a8::6, 2606:4700:a8::7, 2606:4700:a8::8, 2606:4700:a8::9, 2606:4700:a8::10 | 7844 | TCP/UDP (http2/quic) |
cftunnel.com [1] | Not applicable | Not applicable | 7844 | TCP/UDP (http2/quic) |
h2.cftunnel.com [1] | Not applicable | Not applicable | 7844 | TCP (http2) |
quic.cftunnel.com [1] | Not applicable | Not applicable | 7844 | UDP (quic) |

[1] This rule is only required for firewalls that enforce SNI.
Optional
Opening port 443 enables some optional features. Failure to allow these connections may prompt a log error, but cloudflared will still run correctly.
Domain | IPv4 | IPv6 | Port | Protocols | Description |
---|---|---|---|---|---|
api.cloudflare.com | 104.19.192.29, 104.19.192.177, 104.19.192.175, 104.19.193.29, 104.19.192.174, 104.19.192.176 | 2606:4700:300a::6813:c0af, 2606:4700:300a::6813:c01d, 2606:4700:300a::6813:c0ae, 2606:4700:300a::6813:c11d, 2606:4700:300a::6813:c0b0, 2606:4700:300a::6813:c0b1 | 443 | TCP (HTTPS) | Allows cloudflared to query if software updates are available. |
update.argotunnel.com | 104.18.25.129, 104.18.24.129 | 2606:4700::6812:1881, 2606:4700::6812:1981 | 443 | TCP (HTTPS) | Allows cloudflared to query if software updates are available. |
github.com | GitHub's IP addresses | GitHub's IP addresses | 443 | TCP (HTTPS) | Allows cloudflared to download the latest release and perform a software update. |
<your-team-name>.cloudflareaccess.com | 104.19.194.29, 104.19.195.29 | 2606:4700:300a::6813:c31d, 2606:4700:300a::6813:c21d | 443 | TCP (HTTPS) | Allows cloudflared to validate the Access JWT. Only required if the access setting is enabled. |
pqtunnels.cloudflareresearch.com | 104.18.4.64, 104.18.5.64 | 2606:4700::6812:540, 2606:4700::6812:440 | 443 | TCP (HTTPS) | Allows cloudflared to report post-quantum key exchange errors to Cloudflare. |
Firewall configuration
Cloud VM firewall
If you host your services on a virtual machine (VM) instance in a cloud provider, you may set up instance-level firewall rules to block all ingress traffic and allow only egress traffic. For example, on Google Cloud Platform (GCP), you may delete all ingress rules, leaving only the relevant egress rules. This is because GCP’s firewall denies ingress traffic unless it matches an explicit rule.
OS firewall
Alternatively, you may use operating system (OS)-level firewall rules to block all ingress traffic and allow only egress traffic. For example, if your server runs on Linux, you may use iptables to set up firewall rules:

1. Check your current firewall rules.

   $ sudo iptables -L

2. Allow localhost to communicate with itself.

   $ sudo iptables -A INPUT -i lo -j ACCEPT

3. Allow already established connections and related traffic.

   $ sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

4. Allow new SSH connections.

   $ sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

5. Drop all other ingress traffic.

   $ sudo iptables -A INPUT -j DROP

   After setting the firewall rules, use this command to check the current iptables settings:

   $ sudo iptables -L

6. Run your tunnel and check that all configured services are still accessible to the outside world via the tunnel, but not via the external IP address of the server.
You can also secure your application with Cloudflare Access.
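The manual steps above only cover the INPUT chain. As an added example (not from the Cloudflare docs), the script below emits an iptables-restore ruleset that drops all ingress the same way and additionally restricts egress to the destinations in the "Ports" tables. It assumes cloudflared runs as a dedicated system user named "cloudflared" (the owner match is an addition, not part of the documented steps), that quic (UDP 7844) is in use with http2 (TCP 7844) as fallback, and that the optional port 443 features are wanted.

```shell
#!/bin/sh
# Added example, not Cloudflare's own configuration.
# Assumptions: cloudflared runs as the system user "cloudflared"; quic (UDP 7844)
# and http2 (TCP 7844) are both allowed; optional HTTPS (443) features are wanted.

# gen_rules: print the ruleset; apply with   gen_rules | sudo iptables-restore
gen_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# ingress: the same rules as the manual steps, with DROP as the chain policy
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
# egress: loopback, replies to accepted connections, DNS for the argotunnel.com names
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
# required: edge connection on 7844 (quic over UDP, http2 over TCP), cloudflared only
-A OUTPUT -p udp --dport 7844 -m owner --uid-owner cloudflared -j ACCEPT
-A OUTPUT -p tcp --dport 7844 -m owner --uid-owner cloudflared -j ACCEPT
# optional: update checks, release download and Access JWT validation over HTTPS
-A OUTPUT -p tcp --dport 443 -m owner --uid-owner cloudflared -j ACCEPT
COMMIT
EOF
}

# default_policy CHAIN: the policy the ruleset sets for INPUT, FORWARD or OUTPUT
default_policy() {
  gen_rules | awk -v chain=":$1" '$1 == chain { print $2 }'
}

# accept_rules_for PORT: number of ACCEPT rules that open destination port PORT
accept_rules_for() {
  gen_rules | grep -c -- "--dport $1 .*-j ACCEPT"
}
```

With OUTPUT defaulting to DROP, anything else the host needs to reach (package mirrors, NTP, logging) requires its own explicit rule. Review the generated text before applying it over an SSH session, since a mistake in the INPUT rules can lock you out.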
Test connectivity
Test with dig
To test your connectivity to Cloudflare, you can use the dig command to query the hostnames listed above. Note that cloudflared defaults to connecting with IPv4.
$ dig A region1.v2.argotunnel.com
...
;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN A 198.41.192.167
region1.v2.argotunnel.com. 86400 IN A 198.41.192.67
region1.v2.argotunnel.com. 86400 IN A 198.41.192.57
region1.v2.argotunnel.com. 86400 IN A 198.41.192.107
region1.v2.argotunnel.com. 86400 IN A 198.41.192.27
region1.v2.argotunnel.com. 86400 IN A 198.41.192.7
region1.v2.argotunnel.com. 86400 IN A 198.41.192.227
region1.v2.argotunnel.com. 86400 IN A 198.41.192.47
region1.v2.argotunnel.com. 86400 IN A 198.41.192.37
region1.v2.argotunnel.com. 86400 IN A 198.41.192.77
...

$ dig AAAA region1.v2.argotunnel.com
...
;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::1
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::2
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::3
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::4
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::5
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::6
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::7
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::8
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::9
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::10
...

$ dig A region2.v2.argotunnel.com
...
;; ANSWER SECTION:
region2.v2.argotunnel.com. 86400 IN A 198.41.200.13
region2.v2.argotunnel.com. 86400 IN A 198.41.200.193
region2.v2.argotunnel.com. 86400 IN A 198.41.200.33
region2.v2.argotunnel.com. 86400 IN A 198.41.200.233
region2.v2.argotunnel.com. 86400 IN A 198.41.200.53
region2.v2.argotunnel.com. 86400 IN A 198.41.200.63
region2.v2.argotunnel.com. 86400 IN A 198.41.200.113
region2.v2.argotunnel.com. 86400 IN A 198.41.200.73
region2.v2.argotunnel.com. 86400 IN A 198.41.200.43
region2.v2.argotunnel.com. 86400 IN A 198.41.200.23
...

$ dig AAAA region2.v2.argotunnel.com
...
;; ANSWER SECTION:
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::1
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::2
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::3
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::4
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::5
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::6
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::7
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::8
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::9
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::10
...
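Because the firewall allowlist is built from the IPv4 addresses in the table while cloudflared connects to whatever DNS returns, the two can drift apart. As an added example (not from the Cloudflare docs), this script compares a `dig +short` answer for region1.v2.argotunnel.com against the documented IPv4 set and reports both stale and missing allow rules; the RESOLVED output below is a constructed sample.

```shell
#!/bin/sh
# Added example, not Cloudflare's own tooling. On a connected host replace the
# constructed RESOLVED value with:   RESOLVED=$(dig +short A region1.v2.argotunnel.com)

# IPv4 addresses for region1 from the "Required for tunnel operation" table
DOCUMENTED='198.41.192.167 198.41.192.67 198.41.192.57 198.41.192.107 198.41.192.27
198.41.192.7 198.41.192.227 198.41.192.47 198.41.192.37 198.41.192.77'

# Constructed dig +short output: 198.41.192.77 is no longer returned and 192.0.2.10
# (RFC 5737 documentation range) has appeared, so egress to that edge would be dropped.
RESOLVED='198.41.192.167
198.41.192.67
198.41.192.57
198.41.192.107
198.41.192.27
198.41.192.7
198.41.192.227
198.41.192.47
198.41.192.37
192.0.2.10'

# set_diff A B: print the members of A (whitespace separated) that are absent from B
set_diff() {
  for a in $1; do
    found=0
    for b in $2; do
      [ "$a" = "$b" ] && found=1 && break
    done
    [ "$found" -eq 0 ] && echo "$a"
  done
  return 0
}

# check_allowlist DOCUMENTED RESOLVED: return 0 when both sets match exactly,
# otherwise report the drift and return 1
check_allowlist() {
  missing=$(set_diff "$1" "$2")   # allowed but no longer served by DNS: stale rule
  extra=$(set_diff "$2" "$1")     # served by DNS but not allowed: egress gets dropped
  [ -z "$missing" ] && [ -z "$extra" ] && return 0
  [ -n "$missing" ] && printf 'stale allow rule(s):\n%s\n' "$missing"
  [ -n "$extra" ] && printf 'missing allow rule(s), tunnel egress would be dropped:\n%s\n' "$extra"
  return 1
}

check_allowlist "$DOCUMENTED" "$RESOLVED" || :
```

Run the same comparison for region2.v2.argotunnel.com and, if the tunnel uses IPv6, for the AAAA records as well.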
Test with PowerShell
On Windows, you can use PowerShell commands if dig is not available.
To test DNS:
PS C:\Windows\system32> Resolve-DnsName -Name _v2-origintunneld._tcp.argotunnel.com SRV

Name                                   Type TTL Section NameTarget                 Priority Weight Port
----                                   ---- --- ------- ----------                 -------- ------ ----
_v2-origintunneld._tcp.argotunnel.com  SRV  112 Answer  region2.v2.argotunnel.com  2        1      7844
_v2-origintunneld._tcp.argotunnel.com  SRV  112 Answer  region1.v2.argotunnel.com  1        1      7844
To test ports:
PS C:\Cloudflared\bin> tnc region1.v2.argotunnel.com -port 443

ComputerName     : region1.v2.argotunnel.com
RemoteAddress    : 198.41.192.227
RemotePort       : 443
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.2.15
TcpTestSucceeded : True

PS C:\Cloudflared\bin> tnc region1.v2.argotunnel.com -port 7844

ComputerName     : region1.v2.argotunnel.com
RemoteAddress    : 198.41.192.227
RemotePort       : 7844
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.2.15
TcpTestSucceeded : True