This page lists the default account limits for rules, applications, fields, and other features. These limits may be increased on Enterprise accounts. To request a limit increase, contact your account team.
List examples
Use a pre-existing Access group.
The request will need to present the headers for any service token created for this account.
Allow access based on the "amr" identifier.
Allow members of an Azure Group. The ID is the group UUID (id) in Azure.
The request will need to present a valid certificate with an expected common name.
Allow a specific country.
Allow an entire email domain.
Allow a specific email address.
Allow anyone to log in.
Allow members of a specific GitHub organization.
Allow members of a specific G Suite group.
You can use the Cloudflare Access API to create policies, including individual rule blocks inside of group or policy bodies. For example, this policy allows all Cloudflare email account users to reach the application with the exception of one account:
Allow an IP range.
The request will need to present a valid certificate.
Allow members of an Okta Group.
Allow users with specific SAML attributes.
The request will need to present the correct service token headers.
Terraform is a tool for building, changing, and versioning infrastructure, and provides components and documentation for building Cloudflare resources. Listed below are examples to help you get started with building Access with Terraform. For a more generalized guide on configuring Cloudflare and Terraform, visit our Getting Started with Terraform and Cloudflare blog post.
Block users in a group from accessing a site.
Block specific users from accessing a site.
You can use the Cloudflare Gateway API to create DNS, network, and HTTP policies, including policies with multiple traffic, identity, and device posture conditions.
Override one hostname with another.
This section covers a few common use cases with the API and Terraform to manage Cloudflare Zero Trust. For more information, refer to our API documentation and Terraform reference guide.
The administrators managing policies and groups in Cloudflare Access might be different from the users responsible for configuring WAF custom rules or other Cloudflare settings. Cloudflare Access supports scoped API tokens so that team members and automated systems can manage settings specific to Access without having permission to modify other configurations in Cloudflare.
With the Access App Launcher, users can open all applications that they have access to from a single dashboard.
You can display a custom block page when users fail to authenticate to an Access application. Each application can have a different block page.
With Cloudflare Zero Trust, you can show applications on the App Launcher even if those applications are not secured behind Access. This way, users can access all the applications they need to work, all in one place — regardless of whether those applications are protected by Access.
Cloudflare dashboard SSO application
By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. Users can only log in to the application if they meet the criteria you want to introduce.
This guide covers how to configure Adobe Acrobat Sign as a SAML application in Cloudflare Zero Trust.
Cloudflare Area 1 is an email security platform that protects your organization’s inbox from phishing, spam, and other malicious messages. This guide covers how to configure Area 1 as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Asana as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Atlassian Cloud as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure AWS as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Braintree as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Coupa as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Digicert as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Docusign as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Dropbox as a SAML application in Cloudflare Zero Trust.
This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the OpenID Connect (OIDC) authentication protocol.
This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol.
This guide covers how to configure GitHub Enterprise Cloud as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Google Cloud as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Google Workspace as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Grafana Cloud as an OIDC application in Cloudflare Zero Trust.
This guide covers how to configure Grafana as an OIDC application in Cloudflare Zero Trust.
This guide covers how to configure Greenhouse Recruiting as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Hubspot as a SAML application in Cloudflare Zero Trust.
Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and is only granted access if they pass your Access policies.
This guide covers how to configure Ironclad as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Jamf Pro as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Miro as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure PagerDuty as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Pingboard as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Salesforce as an OpenID Connect (OIDC) application in Cloudflare Zero Trust.
This guide covers how to configure Salesforce as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure ServiceNow as an OIDC application in Cloudflare Zero Trust.
This guide covers how to configure ServiceNow as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Slack as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Smartsheet as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure SparkPost or SparkPost EU as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Tableau Cloud as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Workday as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Zendesk as a SAML application in Cloudflare Zero Trust.
This guide covers how to configure Zoom as a SAML application in Cloudflare Zero Trust.
Cloudflare Access allows you to securely publish internal tools and applications to the Internet by providing an authentication layer between the end user and your origin server. You can use signals from your existing identity providers (IdPs), device posture providers, and other rules to control who can access your application.
Cloudflare Zero Trust can secure self-hosted and SaaS applications with Zero Trust rules.
You can customize the login page that is displayed to end users when they go to an Access application.
Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to resources over arbitrary TCP without being on a virtual private network (VPN).
With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the WARP client. This method requires you to onboard a domain to Cloudflare and install cloudflared on both the server and the user’s device.
You can secure non-HTTP applications by connecting your private network to Cloudflare. Users reach the application by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.
You can use Cloudflare Data Loss Prevention (DLP) to discover if files stored in your SaaS application contain sensitive data. To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then enable those profiles in a CASB integration.
For the Confluence Cloud integration to function, Cloudflare CASB requires the following permissions via an OAuth 2.0 app:
For the Jira Cloud integration to function, Cloudflare CASB requires the following permissions via an OAuth 2.0 app:
For the Box integration to function, Cloudflare CASB requires the following Box permissions via an OAuth 2.0 app:
For the Dropbox integration to function, Cloudflare CASB requires the following Dropbox permissions via an OAuth 2.0 app:
For the GitHub integration to function, Cloudflare CASB requires the following GitHub API permissions:
Refer to Google Workspace integration permissions for information on which API permissions to enable.
This integration covers the following Google Workspace products:
You can integrate the following SaaS applications with Cloudflare CASB:
Refer to Microsoft 365 integration permissions for information on which API permissions to enable.
This integration covers the following Microsoft 365 products:
For the Salesforce integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App:
For the ServiceNow integration to function, Cloudflare CASB requires the following permissions:
For the Slack integration to function, Cloudflare CASB requires the following Slack API permissions:
Cloudflare’s API-driven Cloud Access Security Broker (CASB) scans SaaS applications for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in.
Findings are security issues detected within SaaS applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Zero Trust and immediately start taking action on the issues found.
Cloudflare CASB detects when integrations are unhealthy or outdated.
Review recent changes to Cloudflare Access.
Review recent changes to Cloudflare Browser Isolation.
Review recent changes to Cloudflare CASB.
Review recent changes to Digital Experience Monitoring.
Review recent changes to Cloudflare DLP.
Review recent changes to Cloudflare Gateway.
Review recent changes to Cloudflare One.
Review recent changes to Cloudflare Zero Trust user risk scoring.
Review recent changes to the Zero Trust WARP client.
With Cloudflare Gateway, you can filter DNS over HTTPS (DoH) requests by DNS location or by user without needing to install the WARP client on your devices.
By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.
DNS resolver IPs and hostnames
When you create a DNS location, Gateway assigns IPv4/IPv6 addresses and DoT/DoH hostnames to that location. These are the IP addresses and hostnames you send your DNS queries to for Gateway to resolve.
DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers.
If you are unable to install the WARP client on your devices (for example, Windows Server does not support the WARP client), you can use agentless options to enable a subset of Zero Trust features.
You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file.
Configure devices to send DNS queries to Cloudflare, or proxy all traffic leaving the device through Cloudflare’s network.
A device profile defines WARP client settings for a specific set of devices in your organization. You can create multiple profiles and apply different settings based on the user’s identity, the device’s location, and other criteria.
You can configure WARP client settings to work alongside existing infrastructure and provide users with differential access to resources.
Cloudflare WARP allows you to selectively apply WARP client settings if the device is connected to a secure network location such as an office.
When the WARP client is deployed on a device, Cloudflare processes all DNS requests and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS requests or network traffic from WARP.
By default, Cloudflare Zero Trust excludes common top-level domains, used for local resolution, from being sent to Gateway for processing. These top-level domains are resolved by the local DNS resolver configured for the device on its primary interface.
Split Tunnels can be configured to exclude or include IP addresses or domains from going through WARP. This feature is commonly used to run WARP alongside a VPN (in Exclude mode) or to provide access to a specific private network (in Include mode).
This guide explains how the Cloudflare WARP client interacts with a device’s operating system to route traffic in Gateway with WARP mode.
Enable Device Information Only
Device Information Only mode allows you to enforce device posture rules when a user connects to your self-hosted Access application. This mode relies on a client certificate generated from your account to establish trust between the Access application and the device.
You can deploy the WARP client in different modes to control the types of traffic sent to Cloudflare Gateway. The WARP mode determines which Zero Trust features are available on the device.
Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your Access applications or as part of your Gateway policies.
Captive portals are used by public Wi-Fi networks (such as airports, coffee shops, and hotels) to make a user agree to their Terms of Service or provide payment before allowing access to the Internet. When a user connects to the Wi-Fi, the captive portal blocks all HTTPS traffic until the user completes a captive portal login flow in their browser. This prevents the WARP client from connecting to Cloudflare. At the same time, WARP creates firewall rules on the device to send all traffic to Cloudflare. The user is therefore unable to access the captive portal login screen unless they temporarily disable WARP.
WARP settings define the WARP client modes and permissions available to end users.
Device enrollment permissions determine which users can connect new devices to your organization’s Cloudflare Zero Trust instance.
If your organization uses a firewall or other policies to restrict or intercept Internet traffic, you may need to exempt the following IP addresses and domains to allow the WARP client to connect.
Depending on how your organization is structured, you can deploy WARP in one of two ways:
If you plan to direct your users to manually download and configure the WARP client, users will need to connect the client to your organization’s Cloudflare Zero Trust instance.
Organizations can deploy WARP automatically to their fleet of devices in a single operation. The WARP client is compatible with the vast majority of managed deployment workflows, including mobility management solutions such as Intune or JAMF, or by executing an .msi file on desktop machines.
Each client supports the following set of parameters as part of their deployment, regardless of the deployment mechanism.
This will push the app along with the configurations to the selected devices.
Cloudflare Zero Trust integrates with Cloudflare Technology Partner tools to help you deploy the WARP client to bigger fleets of devices. Thanks to these collaborations, you can distribute the WARP client application to end-user devices and remotely set up advanced configurations in real time.
Download the Cloudflare_WARP_<VERSION>.msi installer.
Learn how to deploy Cloudflare WARP using Jamf.
Learn how to deploy Cloudflare WARP using JumpCloud.
Kandji deploys Cloudflare WARP as a custom app. For an overview of how Kandji deploys custom apps, refer to their knowledge base article.
Switch between Zero Trust organizations
In Cloudflare WARP, users can switch between multiple Zero Trust organizations (or other MDM parameters) that administrators specify in an MDM file. Common use cases include:
Connect WARP before Windows login
With Cloudflare Zero Trust, you can use an on-premise Active Directory (or similar) server to validate a remote user’s Windows login credentials. Before the user enters their Windows login information for the first time, the WARP client establishes a connection using a service token. This initial connection is not associated with a user identity. Once the user completes the Windows login, WARP switches to an identity-based session and applies the user registration to all future logins.
The Cloudflare WARP client can run alongside most legacy third-party VPNs. Because the WARP client and the third-party VPN client both enforce firewall, routing, and DNS rules on your local device, the two products will compete with each other for control over IP and DNS traffic. To ensure compatibility, make sure that:
Users can connect to Cloudflare Zero Trust services through an agent that runs on their device. Cloudflare previously bundled that functionality into the WARP client, an application that also provides privacy-focused DNS and VPN services for consumers (known as 1.1.1.1 w/ WARP). Supporting both enterprise and consumer functionality in the same application allowed us to build Zero Trust upon the same foundation used by millions of consumers across the globe, but has limited the pace at which changes could be released. As a result, we are launching a dedicated Cloudflare One Agent that replaces the WARP client for Zero Trust deployments.
You can download the WARP client from Zero Trust. To do that, go to Settings > Downloads and scroll down to Download the WARP client.
This guide covers best practices for updating the WARP client.
The Cloudflare WARP client allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s global network, where Cloudflare Gateway can apply advanced web filtering. The WARP client also makes it possible to apply advanced Zero Trust policies that check for a device’s health before it connects to corporate applications.
The following procedures will uninstall the WARP client from your device. If you used the WARP client to deploy a root certificate, the certificate will also be removed.
This is a high-level, step-by-step walkthrough on how to get started with WARP in your organization. From downloading the client to sending the first queries to Cloudflare’s edge, here is a guide on how to do it for the first time.
This page lists the error codes that can appear in the WARP client GUI. If you do not see your error below, refer to common issues or contact Cloudflare Support.
This section covers the most common issues you might encounter as you deploy the WARP client in your organization, or turn on new features that interact with the client. If you do not see your issue listed below, refer to the troubleshooting FAQ or contact Cloudflare Support.
Below, you will find information on devices, software, and configurations that are incompatible with Cloudflare WARP.
The WARP client provides diagnostic logs that you can use to troubleshoot connectivity issues on a device.
Configure WARP to use a custom root certificate instead of the Cloudflare certificate.
Advanced security features such as HTTPS traffic inspection, Data Loss Prevention, anti-virus scanning, and Browser Isolation require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
Install certificate using WARP
Automatically deploy a root certificate on desktop devices.
Manually add the Cloudflare certificate to mobile devices and individual applications.
You can install cloudflared as a system service on Linux and Windows, and as a launch agent on macOS. In most cases, we recommend running cloudflared as a service. Running as a service helps ensure the availability of cloudflared to your origin by allowing the program to start at boot and continue running while your origin is online.
You can install cloudflared as a system service on Linux.
You can install cloudflared as a system service on macOS.
You can install cloudflared as a system service on Windows.
The tunnel configuration file allows you to have fine-grained control over how an instance of cloudflared will operate. In your configuration file, you can specify top-level properties for your cloudflared instance as well as configure origin-specific properties. For a full list of configuration options, type cloudflared tunnel help in your terminal.
If you set up your tunnel through the CLI, the tunnel runs as an instance of cloudflared on your machine. You can configure cloudflared properties by modifying command line parameters or by editing the tunnel configuration file.
Tunnel permissions determine who can run and manage a Cloudflare Tunnel. Two files control permissions for a locally-managed tunnel:
This page lists the most commonly used commands for managing local tunnels.
Origin configuration parameters determine how cloudflared proxies traffic to your origin server. You can configure these settings in the dashboard for remotely-managed tunnels, or add them to your configuration file for locally-managed tunnels.
If you created a Cloudflare Tunnel from the dashboard, the tunnel runs as a service on your OS.
This page lists general-purpose configuration options for a Cloudflare Tunnel. You can add these flags to the cloudflared tunnel run command for remotely-managed and locally-managed tunnels. These flags can also be added as key/value pairs to your configuration file.
Tunnel availability and failover
Our lightweight and open-source connector, cloudflared, was built to be highly available without any additional configuration requirements. When you run a tunnel, cloudflared establishes four outbound-only connections between the origin server and the Cloudflare network. These four connections are made to four different servers spread across at least two distinct data centers. This model ensures high availability and mitigates the risk of individual connection failures: if a single connection, server, or data center goes offline, your resources will remain available.
Ansible is a software tool that enables at-scale management of infrastructure. Ansible is agentless — all it needs to function is the ability to SSH to the target and Python installed on the target.
This guide covers how to connect an Amazon Web Services (AWS) virtual machine to Cloudflare using our lightweight connector, cloudflared.
The purpose of this guide is to walk through some best practices for accessing private resources on Azure by deploying Cloudflare’s lightweight connector, cloudflared.
This guide covers how to connect a Google Cloud Project (GCP) virtual machine to Cloudflare using our lightweight connector, cloudflared.
Kubernetes is a container orchestration and management tool. Kubernetes is declarative, so you define the end state in a .yml file. A Kubernetes cluster has two components: the master and the workers. The master is the control plane that the user interacts with to manage the containers. Worker nodes are where the containers are deployed and run. A Kubernetes cluster is connected internally through a private network. Cloudflare Tunnel can be used to expose services running inside the Kubernetes cluster to the public.
Learn how to deploy a Cloudflare Tunnel using Terraform and our lightweight server-side daemon, cloudflared.
Our connector, cloudflared, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server in a data center.
You can implement a positive security model with Cloudflare Tunnel by blocking all ingress traffic and allowing only egress traffic from cloudflared. Only the services specified in your tunnel configuration will be exposed to the outside world.
Originally, a Cloudflare Tunnel connection corresponded to a DNS record in your account. Requests to that hostname hit Cloudflare’s network first and our edge sends those requests over the tunnel to your origin. However, fitting an outbound-only connection into a reverse proxy creates some ergonomic and stability hurdles. The original Cloudflare Tunnel architecture attempted to both manage DNS records and create connections. When connections became disrupted, Tunnel would recreate the entire deployment. Additionally, Argo Tunnel connections could not be treated like regular origin servers in Cloudflare’s control plane and had to be managed directly from the server-side software.
Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS. TryCloudflare will launch a process that generates a random subdomain on trycloudflare.com. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost.
View associated copyrights.
Cloudflare Tunnel requires the installation of a lightweight server-side daemon, cloudflared, to connect your infrastructure to Cloudflare. If you are creating a tunnel through the dashboard, you can simply copy-paste the installation command shown in the dashboard.
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/
Updates will cause cloudflared to restart which will impact traffic currently being served. You can perform zero-downtime upgrades by using Cloudflare’s Load Balancer product or by using multiple cloudflared instances.
Create a locally-managed tunnel (CLI)
Follow this step-by-step guide to get your first tunnel up and running using the CLI.
Create a remotely-managed tunnel (dashboard)
Follow this step-by-step guide to get your first tunnel up and running using Zero Trust.
To create and manage tunnels, you will need to install and authenticate cloudflared on your origin server. cloudflared is what connects your server to Cloudflare’s global network.
Review terminology for Cloudflare Tunnels.
Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.
Tunnel logs record all activity between a cloudflared instance and Cloudflare’s global network, as well as all activity between cloudflared and your origin server. These logs allow you to investigate connectivity or performance issues with a Cloudflare Tunnel. You can configure your server to store persistent logs, or you can stream real-time logs from any client machine.
Tunnel metrics show a Cloudflare Tunnel’s throughput and resource usage over time. When you run a tunnel, you can configure cloudflared to spin up a Prometheus metrics endpoint — an HTTP server that exposes metrics in Prometheus format. You can then use the Prometheus toolkit on a remote machine to scrape metrics data from the cloudflared server.
Administrators can receive an alert when Cloudflare Tunnels in an account change their health or deployment status. Notifications can be delivered via email, webhook, and third-party services.
A private network has two primary components: the server and the client. The server’s infrastructure (whether that is a single application, multiple applications, or a network segment) is connected to Cloudflare’s global network by Cloudflare Tunnel. This is done by running the cloudflared daemon on the server.
You can use Cloudflare Local Traffic Management (LTM) to distribute traffic across private endpoints connected via Cloudflare Tunnel. Common use cases include:
By default, the WARP client sends DNS requests to 1.1.1.1, Cloudflare’s public DNS resolver, for resolution. With Cloudflare Tunnel, you can connect an internal DNS resolver to Cloudflare and use it to resolve non-publicly routed domains.
Virtual networks allow you to connect private networks that have overlapping IP ranges without creating conflicts for users or services. For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be “production” and “staging”. However, if the two private networks happened to receive the same RFC 1918 IP assignment, there may be two different resources with the same IP address. By creating two separate virtual networks, you can deterministically route traffic to duplicative private addresses like 10.128.0.1/32 staging and 10.128.0.1/32 production. These virtual networks will appear as user-selectable options within the WARP client GUI.
With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare’s global network. This involves installing a connector on the private network, and then setting up routes which define the IP addresses available in that environment. Unlike public hostname routes, private network routes can expose both HTTP and non-HTTP resources.
Cloudflare WARP Connector is a piece of software that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to:
With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare’s network.
When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat <UUID>.cfargotunnel.com as if it were an origin target in the Cloudflare dashboard.
With Cloudflare Tunnel, you can expose your HTTP resources to the Internet via a public hostname. For example, you can add a route that points docs.example.com to localhost:8080. Anyone can now view your local application by going to docs.example.com in their web browser.
When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat <UUID>.cfargotunnel.com as if it were a Load Balancing endpoint in the Cloudflare dashboard.
This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to the troubleshooting FAQ, view your Tunnel logs, or contact Cloudflare Support.
Follow this troubleshooting procedure when end users running Cloudflare WARP have issues connecting to a private network behind Cloudflare Tunnel.
gRPC is a Remote Procedure Call (RPC) framework that allows client applications to call methods on a remote server as if they were running on the same local machine. You can connect gRPC servers and clients to Cloudflare’s global network, making it easier to build applications that use services across different data centers and environments.
Cloudflare Tunnel creates a secure, outbound-only connection between your services and Cloudflare by deploying a lightweight connector in your environment. Here is how to use tunnels with some specific services:
The Remote Desktop Protocol (RDP) provides a graphical interface for users to connect to a computer remotely. RDP is most commonly used to facilitate simple remote access to machines or workstations which users cannot physically access. However, this also makes RDP connections the frequent subject of attacks, since a misconfiguration can inadvertently allow unauthorized access to the machine.
The Server Message Block (SMB) protocol allows users to read, write, and access shared resources on a network. Due to security risks, firewalls and ISPs usually block public connections to an SMB file share. With Cloudflare Tunnel, you can provide secure and simple SMB access to users outside of your network.
The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.
Learn how you can connect your applications, devices, and networks to Cloudflare.
Review frequently asked questions about tunnels in Cloudflare Zero Trust.
Below you’ll find answers to the most commonly asked questions on Cloudflare Zero Trust, as well as a troubleshooting section to help you solve common issues and errors you may come across.
Review frequently asked questions about identity and identity providers in Cloudflare Zero Trust.
Review frequently asked questions about devices in Cloudflare Zero Trust.
Review frequently asked questions about Cloudflare Zero Trust.
Getting started with Cloudflare Zero Trust
Review FAQs about getting started with Cloudflare Zero Trust.
Review frequently asked questions about policies in Cloudflare Zero Trust.
Review common troubleshooting scenarios for Cloudflare Zero Trust.
Review definitions for Cloudflare Zero Trust terms.
Cloudflare Access includes the application token with all authenticated requests to your origin. A typical JWT looks like this:
Cross-Origin Resource Sharing (CORS) is a mechanism that uses HTTP headers to grant a web application running on one origin permission to reach selected resources in a different origin. The web application executes a cross-origin HTTP request when it requests a resource that has a different origin from its own, including domain, protocol, or port.
When you protect a site with Cloudflare Access, Cloudflare checks every HTTP request bound for that site to ensure that the request has a valid CF_Authorization cookie. If a request does not include the cookie, Access will block the request.
When Cloudflare sends a request to your origin, the request will include an application token as a Cf-Access-Jwt-Assertion request header and as a CF_Authorization cookie.
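Origin-side validation of that application token, added here as an example (this is not Cloudflare's code and is not taken from the page): it verifies the RS256 signature against the keys published at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs before reading any claim, pins the issuer to the team domain, requires the application's own AUD tag, and rejects expired tokens. The team domain https://example.cloudflareaccess.com, the AUD tag aud-tag and the key ID k1 are placeholders; the signTestToken helper and the locally generated key stand in for Access's signing key so the block runs offline, and KeysFromJWKS assumes the JWKS "keys" entries carry kid, n and e as that endpoint serves them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims are the application-token fields the origin relies on ("aud" is a list of AUD tags).
type Claims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
}

// KeysFromJWKS turns the "keys" array of a JWKS document into RSA public keys indexed by kid.
func KeysFromJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var jwks struct{ Keys []struct{ Kid, N, E string } }
	if err := json.Unmarshal(doc, &jwks); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("malformed JWK %q", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// ValidateAccessJWT checks the signature before trusting any claim, then issuer, audience and expiry.
func ValidateAccessJWT(token, issuer, aud string, keys map[string]*rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	rawHdr, err := b64.DecodeString(parts[0])
	// The token never gets to choose its algorithm: anything but RS256 (e.g. "none") is rejected.
	if len(parts) != 3 || err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unexpected alg %q", hdr.Alg)
	}
	pub := keys[hdr.Kid]
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil {
		return nil, fmt.Errorf("unknown kid %q or undecodable signature", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var c Claims // claims are parsed only after the signature is known to be good
	rawClaims, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawClaims, &c) != nil {
		return nil, fmt.Errorf("undecodable claims")
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, issuer)
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == aud
	}
	if !audOK {
		return nil, fmt.Errorf("token was not issued for this application")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// signTestToken mints an RS256 token the way Access would; it exists only to exercise the validator locally.
func signTestToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig), err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the team's Access signing key (assumption)
	iss, keys := "https://example.cloudflareaccess.com", map[string]*rsa.PublicKey{"k1": &priv.PublicKey}
	tok, _ := signTestToken(priv, "k1", Claims{Aud: []string{"aud-tag"}, Email: "user@example.com", Iss: iss, Exp: time.Now().Add(time.Hour).Unix()})
	c, err := ValidateAccessJWT(tok, iss, "aud-tag", keys, time.Now())
	fmt.Printf("%+v %v\n", c, err)
}
```

In a real origin, read the token from the Cf-Access-Jwt-Assertion header (or the CF_Authorization cookie), fetch and cache the JWKS for your team domain, and take the AUD tag from the application's settings in Zero Trust. A request whose token fails any of these checks must be refused even though it arrived through Cloudflare; otherwise anyone who can reach the origin directly bypasses Access entirely.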
These device posture checks can only be enforced for Cloudflare Access applications. They cannot be used in Gateway network policies.
Mutual TLS (mTLS) authentication ensures that traffic is both secure and trusted in both directions between a client and server. It allows clients that cannot log in with an identity provider (such as IoT devices) to prove, by presenting a client certificate, that they are permitted to reach a given resource. Client certificate authentication also serves as a second layer of security for team members who both log in with an identity provider (IdP) and present a valid client certificate.
Cloudflare Access can use endpoint data from Tanium™ to determine if a request should be allowed to reach a protected resource. When users attempt to connect to a resource protected by Access with a Tanium rule, Cloudflare Access will validate the user’s identity, and the browser will connect to the Tanium agent before making a decision to grant access.
With Cloudflare Zero Trust, you can configure Zero Trust policies that rely on additional signals from the WARP client or from third-party endpoint security providers. When device posture checks are configured, users can only connect to a protected application or network resource if they have a managed or healthy device.
Cloudflare Zero Trust can integrate with CrowdStrike to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from CrowdStrike. Devices are identified by their serial numbers.
Service-to-service integrations allow the WARP client to get device posture data from a third-party API. To use this feature, you must deploy the WARP client to your devices and enable the desired posture checks.
Cloudflare Zero Trust can integrate with Kolide to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Kolide. Devices are identified by their serial numbers.
Cloudflare Zero Trust can integrate with Microsoft to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Microsoft. Devices are identified by their serial numbers.
Cloudflare Zero Trust can integrate with SentinelOne to require that users connect to certain applications from managed devices. Our service-to-service posture check identifies devices based on their serial numbers.
Cloudflare Zero Trust can integrate with Tanium to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Tanium. Devices are identified by their serial numbers.
Cloudflare Zero Trust can integrate with Uptycs to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Uptycs. Devices are identified by their serial numbers.
Cloudflare Zero Trust can integrate with Workspace ONE to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from Workspace ONE. Devices are identified by their serial numbers.
The Application Check device posture attribute checks that a specific application process is running on a device. You can create multiple application checks for each operating system you need to run it on, or if you need to check for multiple applications.
Cloudflare Zero Trust can check if Carbon Black is running on a device to determine if a request should be allowed to reach a protected resource.
The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.
Cloudflare Zero Trust allows you to build Zero Trust rules based on device serial numbers. You can create these rules so that access to applications is granted only to users connecting from company devices.
Cloudflare Zero Trust allows you to build Zero Trust rules based on device UUIDs supplied in an MDM file. You can create these rules so that access to applications is granted only to users connecting from company devices.
The Disk Encryption device posture attribute ensures that disks are encrypted on a device.
The Domain Joined device posture attribute ensures that a user is a member of a specific Windows Active Directory domain.
The File Check device posture attribute checks for the presence of a file on a device. You can create multiple file checks for each operating system you need to run it on, or if you need to check for multiple files.
The Firewall device posture attribute ensures that a firewall is running on a device.
These device posture checks are performed by the Cloudflare WARP client. To use this feature, you must deploy the WARP client to your devices and enable the desired posture checks.
The OS Version device posture attribute checks whether the version of a device’s operating system matches, is greater than, or is less than the configured value.
With Require Gateway, you can allow access to your applications only to devices enrolled in your organization’s instance of Gateway. Unlike Require WARP, which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization’s Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees.
Cloudflare Zero Trust enables you to restrict access to your applications to devices running the Cloudflare WARP client. This allows you to flexibly ensure that a user’s traffic is secure and encrypted before allowing access to a resource protected behind Cloudflare Zero Trust.
Cloudflare Zero Trust can check if SentinelOne is running on a device to determine if a request should be allowed to reach a protected resource.
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory integrates with Cloudflare Access using Security Assertion Markup Language (SAML).
AWS IAM Identity Center provides SSO identity management for users who interact with AWS resources (such as EC2 instances or S3 buckets). You can integrate AWS IAM Identity Center with Cloudflare Zero Trust as a SAML identity provider, which allows users to authenticate to Zero Trust using their AWS credentials.
Amazon Cognito provides SSO identity management for end users of web and mobile apps. You can integrate Amazon Cognito as an OIDC identity provider for Cloudflare Zero Trust.
You can integrate Microsoft Azure AD® (Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Azure AD credentials.
Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise environments so you can prevent the number one cause of breaches: privileged access abuse.
Cloudflare Zero Trust can integrate with Citrix ADC (formerly Citrix NetScaler ADC) as a SAML IdP. Documentation from Citrix shows you how to configure Citrix ADC as a SAML IdP. These steps are specific to Cloudflare Zero Trust.
Use these steps to set up Facebook as your identity provider.
Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access.
Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not in the list of login methods in Zero Trust, it can be configured using generic SAML 2.0 (or generic OpenID Connect if it is OIDC-based). Generic SAML can also be used when you want to pass additional SAML attributes or claims for an IdP that is in the integration list.
Cloudflare Zero Trust allows your team to connect to your applications using their GitHub login. Administrators can build rules for specific individuals or using GitHub organizations. You do not need to have a GitHub organization to use the integration.
You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration allows any user with a Google account to log in (if the Access policy allows them to reach the resource). Unlike the instructions for Google Workspace, the steps below will not allow you to pull group membership information from a Google Workspace account.
You can integrate a Google Workspace (formerly Google Suite) account with Cloudflare Access. Unlike the instructions for generic Google authentication, the steps below will allow you to pull group membership information from your Google Workspace account.
Cloudflare Zero Trust allows you to integrate your organization’s identity providers (IdPs) with Cloudflare Access. Your team can simultaneously use multiple providers, reducing friction when working with partners or contractors.
JumpCloud provides Directory-as-a-Service® to securely connect user identities to systems, apps, files, and networks. Cloudflare Access integrates with JumpCloud using the SAML protocol. This documentation from JumpCloud can help you configure applications within your JumpCloud deployment.
Keycloak is an open source identity and access management solution built by JBoss. If you need a Keycloak lab environment for testing, refer to this example.
Cloudflare Access allows your users to use LinkedIn as their identity provider (IdP).
Cloudflare Zero Trust can integrate with Okta as a SAML identity provider.
Okta provides cloud software that helps companies manage and secure user authentication to modern applications, and helps developers build identity controls into applications, websites, web services, and devices. You can integrate Okta with Cloudflare Zero Trust and build rules based on user identity and group membership. Cloudflare Zero Trust supports Okta integrations using either the OIDC (default) or SAML protocol.
OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an OIDC identity provider.
OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as a SAML identity provider.
The PingFederate® offering from PingIdentity provides SSO identity management. Cloudflare Access supports PingFederate as a SAML identity provider.
The PingOne® cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as an OIDC identity provider.
The PingOne® cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as a SAML identity provider.
In a SAML request flow, Cloudflare Access functions as the service provider (SP) to the identity provider (IdP). Cloudflare Access sends a SAML request to your IdP and verifies the IdP’s signed response using the signing certificate that you upload from your SAML provider.
Yandex is a web search engine that also offers identity provider (IdP) services.
Cloudflare Zero Trust integrates with your organization’s identity provider to apply Zero Trust and Secure Web Gateway policies. If you work with partners, contractors, or other organizations, you can integrate multiple identity providers simultaneously.
Cloudflare Access can send a one-time PIN (OTP) to approved email addresses as an alternative to integrating an identity provider. You can simultaneously configure OTP login and the identity provider of your choice to allow users to select their own authentication method.
You can provide automated systems with service tokens to authenticate against your Zero Trust policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access.
An Access group is a set of rules that can be configured once and then quickly applied across many Access applications. You can assign an Access group to any Access policy, and all the criteria from the selected group will apply to that application.
Manage users in your Zero Trust organization.
System for Cross-domain Identity Management (SCIM) is an open standard protocol that allows identity providers to synchronize user identity information with cloud applications and services. After configuring SCIM, user identities that you create, edit, or delete in the identity provider are automatically updated across all supported applications. This makes it easier for IT admins to onboard new users, update their groups and permissions, and revoke access in the event of an employee termination or security breach.
Cloudflare Zero Trust subscriptions consist of seats that active users in your account consume. Active users are added to Zero Trust through any authentication event.
A user session determines how long a user can access an Access application without re-authenticating.
Cloudflare Access can replace traditional SSH key models with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate a keypair and commit their public key into an infrastructure management tool, like Salt, or otherwise upload it to an administrator. These keys can remain unchanged for months or years.
View implementation guides for Cloudflare Zero Trust.
Cloudflare Zero Trust replaces legacy security perimeters with our global network, making the Internet faster and safer for teams around the world. Refer to our reference architecture to learn how to evolve your network and security architecture to our SASE platform.
The Shadow IT Discovery page provides visibility into the SaaS applications and private network origins your end users are visiting. This information allows you to create identity and device-driven Zero Trust policies to secure your users and data.
To see the top Allowed and Blocked requests across all of your DNS locations, go to Analytics > Gateway. You can filter the data by selecting a specific location and/or time.
The Analytics section of Zero Trust provides a summary of your Access application and Gateway DNS traffic.
With DEX, you can monitor your users’ devices and connection status.
Digital Experience Monitoring provides visibility into device, network, and application performance across your Zero Trust organization. This information enables you to understand the state of your WARP client deployment and quickly resolve issues impacting end-user productivity.
Administrators can receive alerts when Cloudflare detects connectivity issues with the WARP client or degraded application performance. Notifications can be delivered via email, webhook, and third-party services.
An HTTP test sends a GET request from an end-user device to a specific web application. You can use the response metrics to troubleshoot connectivity issues. For example, you can check whether the application is inaccessible for all users in your organization, or only certain ones.
With Digital Experience Monitoring (DEX), you can test if your devices can connect to a private or public endpoint through the WARP client. This tool allows you to monitor availability for a given application and investigate performance issues reported by your end users. DEX tests will only run when the WARP client is turned on, whereas fleet status metrics are always available.
A traceroute test measures the network path of an IP packet from an end-user device to a server. You can use the test results to troubleshoot network issues. For example, increased latency may indicate a problem with connectivity along the network path.
You can use the results of a DEX test to monitor availability and performance for a specific application.
Cloudflare Zero Trust gives you comprehensive and in-depth visibility into your network. Whether you need data on network usage, on security threats blocked by Cloudflare Zero Trust, or on how many users have logged in to your applications this month, Zero Trust provides you with the right tools for the job.
Use Access audit logs to review authentication events and HTTP requests to protected URI paths.
Gateway activity logs show the individual DNS queries, network packets, and HTTP requests inspected by Gateway. You can also download encrypted SSH command logs for sessions proxied by Gateway.
Cloudflare Gateway gives you multiple ways to safely handle your employees’ personally identifiable information (PII). You can choose to exclude PII from activity logging, or you can choose to redact PII from everyone except for designated administrators.
Review detailed logs for your Zero Trust organization.
With Cloudflare’s Logpush service, you can configure the automatic export of Zero Trust logs to third-party storage destinations or to security information and event management (SIEM) tools. Once exported, your team can analyze and audit the data as needed.
Cloudflare Gateway logs DNS query information in RData, a Base64-encoded binary format. The following resource record fields are available for each query:
Posture logs show the device posture check results reported by the WARP client.
Audit logs for Tunnel are available in the account section of the Cloudflare dashboard which you can find by selecting your name or email in the upper right-hand corner of the dashboard. The following actions are logged:
User logs show a list of all users who have authenticated to Cloudflare Zero Trust. For each user who has logged in, you can view their enrolled devices, login history, seat usage, and identity used for policy enforcement.
Zero Trust risk scoring detects user activity and behaviors that could introduce risk to your organization’s systems and data. Risk scores add user and entity behavior analytics (UEBA) to the Zero Trust platform.
Application paths define the URLs protected by an Access policy. When adding a self-hosted web application to Access, you can choose to protect the entire website by entering its apex domain, or alternatively, protect specific subdomains and paths.
With Cloudflare Access, you can create Allow or Block policies which evaluate the user based on custom criteria. This is done by adding an External Evaluation rule to your policy. The External Evaluation selector requires two values:
Cloudflare Access determines who can reach your application by applying the Access policies you configure.
Isolate self-hosted application
With Access policies, you can require users to open self-hosted applications in a secure remote browser. Because the remote browser is directly integrated into our Secure Web Gateway platform, HTTP policies can be applied to isolated applications without needing to install the WARP client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data.
With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key.
Access policies are properties of applications. When setting up an Access application, you will be prompted to create at least one policy for the application. You can go back and create, edit, or delete policies at any time.
Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for who is accessing their resources, but also for why they are requesting access.
With Cloudflare Access, you can require that users obtain approval before they can access a specific application. The administrator will receive an email notification to approve or deny the request. Unlike a typical Allow policy, the user will have to request access at the end of each session. This allows you to define the users who should have persistent access and those who must request temporary access.
Browser Isolation has a built-in screen reader which enables people with visual impairments to browse isolated pages.
Browser Isolation supports running native Chromium Web Extensions in the remote browser.
Cloudflare Browser Isolation complements the Secure Web Gateway and Zero Trust Network Access solutions by executing active webpage content in a secure isolated browser. Executing active content remotely from the endpoint protects users from zero-day attacks and malware. In addition to protecting endpoints, Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway HTTP and DNS policies.
With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content.
Below, you will find information regarding the current limitations for Browser Isolation.
Browser Isolation with firewall
If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow Browser Isolation to connect.
Clientless Web Isolation allows users to securely browse high risk or sensitive websites in a remote browser without having to install the Cloudflare WARP client on their device.
Browser Isolation is enabled through Secure Web Gateway HTTP policies. By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies.
With Cloudflare Zero Trust, you can isolate HTTP traffic from on-ramps such as proxy endpoints or Magic WAN. Since these on-ramps do not require users to log in to Cloudflare WARP, identity-based policies are not supported.
Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in a custom dataset. Sensitive data can be hashed before reaching Cloudflare and redacted from matches in payload logs.
The following in-line DLP policies are commonly used to secure data in uploaded and downloaded files.
You can scan HTTP traffic for sensitive data through Secure Web Gateway policies. To perform DLP filtering, first configure a DLP profile with the data patterns you want to detect, and then build a Gateway HTTP policy to allow or block the sensitive data from leaving your organization. Gateway will parse and scan your HTTP traffic for strings matching the keywords or regular expressions (regexes) specified in the DLP profile.
Log the payload of matched rules
Data Loss Prevention allows you to log the data that triggered a specific DLP policy. This data is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP rules. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 20 bytes of additional context on both sides of the match.
This page lists the advanced settings available when configuring a predefined or custom DLP profile.
A DLP profile is a collection of regular expressions (also known as detection entries) that define the data patterns you want to detect. Cloudflare DLP provides predefined profiles for common detections, or you can build custom DLP profiles specific to your data, organization, and risk tolerance.
Cloudflare DLP integration profiles enable data loss prevention support for third-party data classification providers. Data classification information is retrieved from the third-party platform and populated into a DLP Profile. You can then enable detection entries in the profile and create a DLP policy to allow or block matching data.
Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure advanced settings for predefined profiles.
Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.
Gateway allows you to create DNS, Network, and HTTP policies based on applications and app types. You can select individual applications or groups of app types to filter specific traffic on your network.
Gateway responds to any domain blocked at the DNS level with 0.0.0.0 for IPv4 (A) queries or :: for IPv6 (AAAA) queries, and never returns the blocked domain’s real IP address. As a result, the browser shows its default connection error page and the user cannot reach the website. This may cause confusion and lead some users to think that their Internet connection is not working.
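A decoder for the Base64 RData that Gateway DNS logs carry, together with a check for the block sinkhole values just described, added here as an example (not Cloudflare's code and not from the page). It assumes each logged record is the numeric RR type plus the record's raw wire-format RDATA in standard Base64; the Record struct and the sample records in main are constructed for the example rather than copied from a real log. A and AAAA answers are rendered as addresses, name-valued records (NS, CNAME, PTR) are parsed as uncompressed DNS names, and everything else falls back to hex.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/netip"
	"strings"
)

// Record is one resource record from a Gateway DNS log: the numeric RR type and the
// Base64 RData. This example assumes RData is the record's raw wire-format RDATA.
type Record struct {
	Type  uint16
	RData string
}

// DecodeRData renders the RDATA for A, AAAA and name-valued records (NS, CNAME, PTR)
// and falls back to hex for every other type.
func DecodeRData(r Record) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(r.RData)
	if err != nil {
		return "", fmt.Errorf("rdata is not valid base64: %w", err)
	}
	switch r.Type {
	case 1, 28: // A must be 4 bytes, AAAA 16; netip rejects any other length
		addr, ok := netip.AddrFromSlice(raw)
		if !ok || (r.Type == 1) != addr.Is4() {
			return "", fmt.Errorf("type %d rdata has %d bytes", r.Type, len(raw))
		}
		return addr.String(), nil
	case 2, 5, 12:
		return decodeName(raw)
	default:
		return fmt.Sprintf("%x", raw), nil
	}
}

// decodeName parses an uncompressed wire-format domain name: length-prefixed labels
// ending in a zero label. Compression pointers cannot be resolved outside the full DNS
// message, so they are rejected rather than guessed at.
func decodeName(raw []byte) (string, error) {
	var labels []string
	for i := 0; i < len(raw); {
		n := int(raw[i])
		switch {
		case n == 0:
			return strings.Join(labels, ".") + ".", nil
		case n > 63:
			return "", fmt.Errorf("invalid label length %d at offset %d (compression pointer?)", n, i)
		case i+1+n > len(raw):
			return "", fmt.Errorf("label at offset %d runs past end of rdata", i)
		}
		labels = append(labels, string(raw[i+1:i+1+n]))
		i += 1 + n
	}
	return "", fmt.Errorf("name is missing its terminating zero label")
}

// IsGatewayBlockResponse reports whether an answer carries the sinkhole value Gateway
// returns for a blocked domain: 0.0.0.0 for A and :: for AAAA. Seeing one of these is
// the tell-tale sign behind a "my Internet is broken" report from a user.
func IsGatewayBlockResponse(r Record) bool {
	v, err := DecodeRData(r)
	if err != nil {
		return false
	}
	return (r.Type == 1 && v == "0.0.0.0") || (r.Type == 28 && v == "::")
}

func main() {
	enc := base64.StdEncoding.EncodeToString
	// Constructed sample records, not taken from a real log.
	samples := []Record{
		{Type: 1, RData: "AAAAAA=="},          // A 0.0.0.0: blocked
		{Type: 28, RData: enc(make([]byte, 16))}, // AAAA :: : blocked
		{Type: 1, RData: enc([]byte{104, 16, 132, 229})},
		{Type: 5, RData: enc([]byte("\x03www\x07example\x03com\x00"))},
	}
	for _, r := range samples {
		v, err := DecodeRData(r)
		fmt.Printf("type=%d value=%q blocked=%v err=%v\n", r.Type, v, IsGatewayBlockResponse(r), err)
	}
}
```

Because the zero address is also what a DNS server returns for some legitimately unresolvable names, treat a sinkhole answer as a prompt to check the Gateway activity log for the matching block decision rather than as proof on its own.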
The following policies are commonly used to secure DNS traffic.
When a user makes a DNS request to Gateway, Gateway matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Override policy, the user’s client receives the DNS resolution and initiates an HTTP connection.
Cloudflare Gateway allows you to configure any DNS policy to activate or deactivate on a regular time interval.
This section covers how to validate your Gateway DNS configuration.
Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by Cloudflare Radar.
Dedicated egress IPs are static IP addresses that can be used to allowlist traffic from your organization. These IPs are unique to your account and are not used by any other customers routing traffic through Cloudflare’s network. Each dedicated egress IP consists of an IPv4 address and an IPv6 range that are assigned to a specific Cloudflare data center. At minimum, Cloudflare will provision your account with two dedicated egress IPs corresponding to data centers in two different cities.
When your users connect to the Internet through Cloudflare Gateway, by default their traffic is assigned a source IP address that is shared across all Cloudflare WARP users. Enterprise users can purchase dedicated egress IPs to ensure that egress traffic from your organization is assigned a unique, static IP. These source IPs are dedicated to your account and can be used within allowlists on upstream services.
Cloudflare Zero Trust applies a set of global policies to all accounts.
Cloudflare Gateway protects users as they browse the Internet. When users download or upload a file to an origin on the Internet, that file could potentially contain malicious code that may cause their device to perform undesired behavior.
The following policies are commonly used to secure HTTP traffic.
Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires traffic to be proxied over UDP.
HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and optionally UDP) traffic sent over ports 80 and 443.
With Gateway tenant control, you can allow your users access to corporate SaaS applications while blocking access to personal applications. This helps prevent the loss of sensitive or confidential data from a corporate network.
Cloudflare Gateway can perform SSL/TLS decryption in order to inspect HTTPS traffic for malware and other security risks. When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a user-side certificate.
Gateway does not inspect or log WebSocket traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as network session information. To filter your WebSocket traffic, create a policy with the 101 HTTP response code.
With Cloudflare Zero Trust, you can create Secure Web Gateway policies that filter outbound traffic down to the user identity level. To do that, you can build DNS, HTTP or Network policies using a set of identity-based selectors. These selectors require you to deploy the Zero Trust WARP client in Gateway with WARP mode.
Cloudflare Gateway, our comprehensive Secure Web Gateway, allows you to set up policies to inspect DNS, Network, HTTP, and Egress traffic.
Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.
Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit.
This section covers best practices for setting up DNS, HTTP, and network filtering policies.
Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access.
With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating Gateway policies or Access policies. This allows you to quickly create rules that match and take actions against several items at once.
The following policies are commonly used to secure network traffic.
With Cloudflare Zero Trust, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare Zero Trust integrates with your identity provider, it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they access that resource from.
Gateway supports the detection, logging, and filtering of network protocols using packet attributes.
Cloudflare Zero Trust supports SSH proxying and command logging using Secure Web Gateway and the WARP client.
With Cloudflare Gateway, you can enable and configure any combination of DNS, network, and HTTP policies.
You can forward HTTP and network traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, GRE tunnel, or IPsec tunnel.
By default, Gateway sends DNS requests to 1.1.1.1, Cloudflare’s public DNS resolver, for resolution. Enterprise users can instead create Gateway policies to route DNS queries to custom resolvers.
A policy is a set of rules that regulate network activity, such as who logs in to your applications or which websites your users can reach.
When creating a Cloudflare Zero Trust account, you will be given the Super Administrator role. As a Super Administrator, you can invite members to join your Zero Trust account and assign them different roles. There is no limit to the number of members that can be added to a given account. Any members with the proper permissions will be able to make configuration changes while actively logged into Zero Trust (unless read-only mode is enabled).
This guide covers the recommended steps to start securing your users and devices with Cloudflare Zero Trust.
Create custom headers for Cloudflare Access-protected origins with Workers
This tutorial covers how to use a Cloudflare Worker to add custom HTTP headers to traffic, and how to send those custom headers to your origin services protected by Cloudflare Access.
Use Azure AD Conditional Access policies in Cloudflare Access
With Azure Active Directory (AD)'s Conditional Access, administrators can enforce policies on applications and users directly in Azure AD. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users.
Azure Active Directory (AD) calculates a user’s risk level based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Azure AD risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.
Connect through Cloudflare Access using a CLI
Cloudflare’s cloudflared command-line tool allows you to interact with endpoints protected by Cloudflare Access. You can use cloudflared to interact with a protected application’s API.
Access a web application via its private hostname without WARP
With Cloudflare Browser Isolation and resolver policies, users can connect to private web-based applications via their private hostnames without needing to install the WARP client. By the end of this tutorial, users who pass your Gateway DNS and network policies will be able to access your private application at https://<your-team-name>.cloudflareaccess.com/browser/https://internalrecord.com.
Validate the Access token with FastAPI
This tutorial covers how to validate that the Access JWT is on requests made to FastAPI apps.
You can use Cloudflare Access to add Zero Trust rules to a self-hosted instance of GitLab. Combined with Cloudflare Tunnel, users can connect through HTTP and SSH and authenticate with your team’s identity provider.
Monitor Cloudflare Tunnel with Grafana
Grafana is a dashboard tool that visualizes data stored in other databases. You can use Grafana to convert your tunnel metrics into actionable insights.
View tutorials for Cloudflare Zero Trust.
Integrate Microsoft MCAS with Cloudflare Zero Trust
Many security teams rely on Microsoft MCAS (Microsoft Cloud App Security), Microsoft’s CASB solution, to identify and block threats on the Internet, as well as allow or block access to cloud applications. This tutorial covers how to integrate MCAS with Cloudflare Zero Trust, and create Gateway HTTP policies to ensure visibility and control over data.
Connect through Cloudflare Access using kubectl
You can connect to machines over kubectl using Cloudflare’s Zero Trust platform.
Protect access to Microsoft 365 with dedicated egress IPs
This tutorial covers how to secure access to your Microsoft 365 applications with Cloudflare Gateway dedicated egress IPs.
Use cloudflared to expose a Kubernetes app to the Internet
You can use Cloudflare Tunnel to connect applications and servers to Cloudflare’s network. Tunnel relies on a piece of software, cloudflared, to create those connections.
Migrate to Named Tunnels with Load Balancer
Cloudflare Tunnel is available in two deployment modes: “Legacy” Tunnel and “Named” Tunnel. Named Tunnel mode improves maintainability and stability by distinguishing between routing and configuration.
You can build Zero Trust rules to secure connections to MongoDB deployments using Cloudflare Access and Cloudflare Tunnel. Cloudflare Tunnel requires a lightweight daemon, cloudflared, running alongside the deployment as well as on the client side.
Access and secure a MySQL database using Cloudflare Tunnel and network policies
Using Cloudflare Tunnel’s private networks, users can connect to arbitrary non-browser based TCP/UDP applications, like databases. You can set up network policies that implement zero trust controls to define who and what can access those applications using the WARP client.
Many identity providers, like Okta, support multiple multifactor authentication (MFA) options simultaneously. For example, Okta will allow you to log in with your password and a temporary code generated in an app or a U2F hardware key like a YubiKey.
Use Cloudflare R2 as a Zero Trust log destination
This tutorial covers how to build a Cloudflare R2 bucket to store logs, and how to connect the bucket to the Zero Trust Logpush service to store logs persistently and export them into other tools.
Protect access to Amazon S3 buckets with Cloudflare Zero Trust
This tutorial demonstrates how to secure access to Amazon S3 buckets with Cloudflare Zero Trust so that data in these buckets is not publicly exposed on the Internet. You can combine Cloudflare Access and AWS VPC endpoints. Enterprise may also use Cloudflare Gateway egress policies with dedicated egress IPs.
Use virtual networks to change user egress IPs
This tutorial gives administrators an easy way to allow their users to change their egress IP address between any of your assigned dedicated egress IP addresses. Your users can choose which egress IP to use by switching virtual networks directly in the WARP client.
Render a VNC client in browser
Cloudflare can render a Virtual Network Computer (VNC) terminal in your browser without any client software or configuration required.