Key points
- The published hostname's DNS must live in Cloudflare (full-zone setup on the free plan; subdomain-only "partial" setup is Business-tier).
- TLS is terminated at Cloudflare's edge (free certs).
- Token-based ("remote-managed") tunnels: the connector runs with a token; the public-hostname → local-service mapping is configured in the Cloudflare Zero Trust dashboard.
Details
Because the tunnel is established by outbound connections from the connector, it coexists with a deny-all-ingress firewall. Contrast with Tailscale Funnel, which does the same job on a *.ts.net hostname without a custom domain.
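A host firewall matching this description, as an added example that is not part of the original page. It assumes a Linux host using nftables; `<TUNNEL_TOKEN>` is a placeholder for the token issued in the dashboard.

```nftables
#!/usr/sbin/nft -f
# Added example (assumed Linux/nftables host): deny-all-ingress policy that a
# token-based tunnel connector can run behind. The connector itself is started
# separately, e.g.:
#   cloudflared tunnel run --token <TUNNEL_TOKEN>    # placeholder token

flush ruleset

table inet filter {
    chain input {
        # Default-drop: no port is opened for the published service.
        type filter hook input priority 0; policy drop;

        # Loopback, so the connector can reach the local service it fronts.
        iif "lo" accept

        # Replies to connections this host opened, including the connector's
        # outbound tunnel connections. This rule is what lets the tunnel work
        # without any inbound allow rule.
        ct state established,related accept
        ct state invalid drop

        # IPv6 neighbor discovery: link-local plumbing, not service ingress.
        # Without it, IPv6 connectivity on the host stops working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound stays open so the connector can dial out.
        type filter hook output priority 0; policy accept;
    }
}
```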
Sources
Compiled from
wiki/concepts/Cloudflare-Tunnel.md · git is the source of truth