A few months ago, we announced that we wanted to make Zero Trust security accessible to everyone, regardless of size, scale, or resources. Argo Tunnel, our secure method of connecting resources directly to Cloudflare, is the next piece of the puzzle.
Argo Tunnel creates a secure, outbound-only connection between your services and Cloudflare by deploying a lightweight connector in your environment. With this model, your team does not need to go through the hassle of poking holes in your firewall or validating that traffic originated from Cloudflare IPs.
In the past, Argo Tunnel has been priced based on bandwidth consumption as part of Argo Smart Routing, Cloudflare’s traffic acceleration feature. Starting today, we’re excited to announce that any organization can use the secure, outbound-only connection feature of the product at no cost. You can still add the paid Argo Smart Routing feature to accelerate traffic.
As part of that change (and to reduce confusion), we’re also renaming the product to Cloudflare Tunnel. To get started, sign up today.
If you’re interested in how and why we’re doing this, keep scrolling.
A Private Link to the Public Internet
In 2018, Cloudflare introduced Argo Tunnel, a private, secure connection between your origin and Cloudflare. Traditionally, from the moment an Internet property is deployed, developers spend an exhaustive amount of time and energy locking it down through access control lists, rotating ip addresses, or clunky solutions like GRE tunnels.
We built Tunnel to help alleviate that burden.
With Tunnel, users can create a private link from their origin server directly to Cloudflare without a publicly routable IP address. Instead, this private connection is established by running a lightweight daemon, cloudflared, on your origin, which creates a secure, outbound-only connection. This means that only traffic that routes through Cloudflare can reach your origin.
Building our Tunnel
Originally, we built Tunnel to solve a straightforward problem. It was unnecessarily difficult to connect a server to the Internet. Instead of implementing other legacy models, we wanted to create a frictionless way to establish a private connection directly to Cloudflare. This was of particular interest to us as we also wanted to solve what was a key pain point for many of our own customers, too.
Since 2010, Cloudflare has onboarded new users by having them complete two steps: 1) add their Internet property and 2) change their nameservers. The second step is important because once you change your nameservers, requests made to your resources first hit Cloudflare’s network. Cloudflare is then able to use this as an opportunity to block unwanted or malicious traffic instead of would-be attackers hitting your origin IP addresses directly. This is commonly referred to as a reverse proxy model.
But what happens if an attacker discovers that origin IP address? Couldn’t they just bypass Cloudflare altogether? That’s where Tunnel comes into play. Tunnel secures your origin by making outbound-only connections to Cloudflare. This removes legacy model requirements of poking ingress rules into your machine often leaving your infrastructure vulnerable to attack. More importantly, you can actually enhance the security controls of your origin by enforcing Zero Trust rules through Cloudflare which validate each request to your resource.
With that, suppose you are working on a local development environment for a new web application and want to securely share updates with a friend or collaborator. You would first install cloudflared to connect your origin to Cloudflare. Then, you would create your Tunnel and generate a hostname in the Cloudflare dashboard using your Tunnel UUID so that users can reach your resource and run your Tunnel. You can also add a Zero Trust policy with Cloudflare Access to your DNS record so that only friends and collaborators can view your resource.
Reinforcing our Tunnel
Over the past few months, we’ve also been working to enhance stability and persistence. In order to improve stability, we removed internal dependencies which caused Tunnel to require both our Control and Data Planes to be online and available for Tunnel reconnects.
By removing these upstream dependencies, Tunnels are able to gracefully reinitiate connections without requiring that both services be available simultaneously. We also migrated to Cloudflare’s edge load balancer, Unimog, which increased the average life of a given Tunnel from minutes to days. When these connections support longer uptimes and have less reliance on internal dependencies, they become well positioned for greater stability around the globe.
We also wanted to focus efforts on persistence. Previously, if cloudflared needed to restart for any reason, we treated each restart as a new Tunnel. This meant creating a new DNS record as well as establishing a connection to Cloudflare.
In our latest feature release, we introduced the concept of Named Tunnels. With Named Tunnels, users can assign a Tunnel with a permanent name which then creates a direct relationship with your Tunnel UUID. This model allows these two identifiers to become persistent records which can enable autonomous reconnection. Now in the event your Named Tunnel does need to restart, your cloudflared instance can reference this UUID address to reconnect rather than starting each restart from the ground up.
What can you do with Tunnel right now?
At Cloudflare, our mission is to help build a better Internet, and we’re excited to take another step towards that mission by opening up Tunnel for everyone. We can’t wait to see how you’ll take advantage of the enhanced stability, persistence, and Zero Trust security that come with Tunnel.
With Tunnel, we’ve seen the possibilities are as creative as you are. So, instead of telling you how to use Tunnel, here are a couple easy ways to get started: