Concept

Cloudflare Tunnel

A Cloudflare Tunnel runs `cloudflared` on a host, making an **outbound** connection to Cloudflare's edge that publishes a local service at a Cloudflare-managed hostname over HTTPS — with **zero inbound ports** opened on the host.

type: concept · status: active · networking · cloudflare · ingress · tls

Key points

  • The published hostname's DNS must live in Cloudflare (full-zone setup on the free plan; subdomain-only "partial" setup is Business-tier).
  • TLS is terminated at Cloudflare's edge (free certs).
  • Token-based ("remote-managed") tunnels: the connector runs with a token; the public-hostname → local-service mapping is configured in the Cloudflare Zero Trust dashboard.

Details

Because the tunnel is established by an outbound connection, it coexists with a deny-all-ingress firewall. Contrast with Tailscale Funnel, which does the same job on a `*.ts.net` hostname without a custom domain.
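One way to check the "zero inbound ports" property on a tunnel host is to list TCP listeners that are not bound to loopback. This is an added example, not part of the original page or of Cloudflare's tooling. The function names and the sample `ss` output are constructed, and it assumes the local service is meant to be reachable only through the tunnel.

```shell
#!/bin/sh
# Added example: audit a tunnel host for TCP listeners reachable from outside.
# Assumption: the published service should listen on loopback only, since
# cloudflared connects to it locally and dials Cloudflare outbound.

# Constructed sample in the format of `ss -Htln` (header suppressed):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Read ss-style lines on stdin; print the local address:port of every
# listener that is not bound to a loopback address.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        host = addr
        sub(/:[0-9]+$/, "", host)     # drop the trailing :port
        sub(/%.*$/, "", host)         # drop a %interface scope suffix
        gsub(/\[|\]/, "", host)       # drop IPv6 brackets
        if (host ~ /^127\./ || host == "::1") next
        print addr
    }'
}

# Return 0 when nothing is exposed; otherwise list the offenders and return 1.
audit_host() {
    out=$(exposed_listeners)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Live use on the tunnel host:
#   ss -Htln | audit_host || echo "non-loopback listeners found"
```

A listener flagged here is not necessarily reachable, because a deny-all-ingress firewall may still block it. Each one should be either rebound to loopback or confirmed as covered by the firewall.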

Sources

Compiled from wiki/concepts/Cloudflare-Tunnel.md · git is the source of truth