Egress through Cloudflare Tunnel
Feature availability

| WARP modes | Zero Trust plans |
|---|---|
| Gateway with WARP | Enterprise |

| System | Availability | Minimum WARP version |
|---|---|---|
| Windows | ✅ | 2025.4.929.0 |
| macOS | ✅ | 2025.4.929.0 |
| Linux | ✅ | 2025.4.929.0 |
| iOS | ✅ | 1.10 |
| Android | ✅ | 2.4 |
| ChromeOS | ✅ | 2.4 |
Cloudflare Tunnel can be used for source IP anchoring when you want to keep using your existing egress IPs instead of purchasing Cloudflare dedicated egress IPs. Some third-party websites enforce an Access Control List (ACL) that only allows connections from certain source IPs. If you already have a non-Cloudflare IP on their allowlist (such as an egress IP provided by an ISP or a cloud provider like AWS), you can configure cloudflared to anchor user traffic to the same IPs that you use today.

For example, assume that your organization's banking service, app.bank.com, expects user traffic to come from an AWS IP. You can install cloudflared in your AWS environment and add a public hostname route pointing to app.bank.com. When users connect to app.bank.com using the WARP client, Gateway applies your network policies and routes the filtered traffic down the corresponding Cloudflare Tunnel to AWS. The traffic then egresses to the public Internet using your AWS egress IP, so the third party's ACL sees the address it already trusts.
```mermaid
flowchart LR
  subgraph aws["AWS VPC"]
    cloudflared["cloudflared"]
  end
  subgraph cloudflare[Cloudflare]
    gateway["Gateway"]
  end
  subgraph internet[Internet]
    resolver[1.1.1.1]
    app[Application]
  end
  warp["WARP clients"] -- "app.bank.com" --> gateway -- "Network traffic" --> cloudflared
  gateway <-. DNS lookup .-> resolver
  aws -- AWS egress IP --> app
```
To learn more about how Gateway applies hostname-based policies, refer to the Cloudflare blog.
- User traffic is on-ramped to Gateway using one of the following methods:

  | On-ramp method | Compatibility |
  |---|---|
  | WARP | ✅ |
  | PAC files | ✅ |
  | Browser Isolation | ✅ |
  | Magic WAN | ❌ |
  | WARP Connector | ❌ |

- Connect your private network to Cloudflare using cloudflared. For example, if you want traffic to egress from AWS, connect the private CIDR block of your AWS VPC.
To route a public hostname through Cloudflare Tunnel:

1. In Zero Trust, go to Networks > Routes > Hostname routes.
2. Select Create hostname route.
3. In Hostname, enter the public hostname that represents the application (for example, app.bank.com). The hostname should be accessible from the public Internet.
4. For Tunnel, select the Cloudflare Tunnel that is being used to connect the private network to Cloudflare.
5. Select Create route.
If your traffic is onboarded using WARP, ensure that traffic to the following IP addresses routes through the WARP tunnel to Gateway:

- Initial resolved IP CGNAT range:
  - IPv4: 100.80.0.0/16
  - IPv6: 2606:4700:0cf1:4000::/64
- Private network CIDR block
When users connect to a public hostname route, Gateway will assign an initial resolved IP to the DNS query. The initial resolved IP is required because Gateway's network engine operates at L3/L4 and can only see IPs (not hostnames) when processing the connection. If a packet's destination IP falls within the initial resolved IP CGNAT range, Gateway knows that the IP maps to a public hostname route and sends the traffic down the corresponding Cloudflare Tunnel.
To route initial resolved IPs through WARP, configure the Split Tunnel in your WARP device profile according to the mode it runs in:

- Exclude mode (listed routes bypass WARP):
  - Remove the route to 100.64.0.0/10 from your Split Tunnel exclude list. Leaving it in place would send the initial resolved IPs straight to the local network instead of to Gateway.
  - Add routes to exclude the following IP addresses, which together cover the rest of the CGNAT block so that only 100.80.0.0/16 is carried through WARP:
    - 100.64.0.0/12
    - 100.81.0.0/16
    - 100.82.0.0/15
    - 100.84.0.0/14
    - 100.88.0.0/13
    - 100.96.0.0/11
- Include mode (only listed routes enter WARP):
  - Add the required Zero Trust domains or IP addresses to your Split Tunnel include list.
  - Add routes to include the following IP addresses:
    - IPv4: 100.80.0.0/16
    - IPv6: 2606:4700:0cf1:4000::/64
To route your private network's CIDR block through WARP, refer to Connect a private network.
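The following script is an added example, not code from the Cloudflare documentation or from cloudflared. It shows two things the text above leaves implicit: why the six exclude-mode entries are exactly the ones listed (they are the CGNAT block 100.64.0.0/10 with 100.80.0.0/16 carved out, which `ipaddress.address_exclude` reproduces), and how a Split Tunnel configuration and Gateway's IP-only (L3/L4) routing decision interact. The private CIDR 10.20.0.0/16 and the sample destination addresses are constructed for the example; the range constants are the ones quoted on this page.

```python
import ipaddress
from typing import Iterable, List

# Ranges quoted on this page. CGNAT_V4 is the block that WARP excludes by default;
# INITIAL_RESOLVED are the ranges Gateway hands out for public hostname routes.
CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")
INITIAL_RESOLVED = (
    ipaddress.ip_network("100.80.0.0/16"),
    ipaddress.ip_network("2606:4700:0cf1:4000::/64"),
)


def exclude_mode_carveout() -> List[str]:
    """Exclude-mode entries that replace 100.64.0.0/10.

    address_exclude() yields the minimal set of prefixes covering the CGNAT
    block minus 100.80.0.0/16, so the rest of the block keeps bypassing WARP
    while the initial resolved IPs are carried to Gateway."""
    return [str(n) for n in sorted(CGNAT_V4.address_exclude(INITIAL_RESOLVED[0]))]


def _covered(ip, cidrs: Iterable[str]) -> bool:
    # ip_network.__contains__ is False across address families, so a mixed
    # v4/v6 route list needs no special handling here.
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def enters_warp(dst: str, mode: str, routes: Iterable[str]) -> bool:
    """Does a packet to dst enter the WARP tunnel under this Split Tunnel config?

    mode "exclude": listed routes bypass WARP, everything else enters it.
    mode "include": only listed routes enter WARP."""
    hit = _covered(ipaddress.ip_address(dst), routes)
    if mode == "exclude":
        return not hit
    if mode == "include":
        return hit
    raise ValueError(f"unknown Split Tunnel mode: {mode!r}")


def gateway_next_hop(dst: str, private_cidrs: Iterable[str]) -> str:
    """Model of the L3/L4 decision the page describes.

    Gateway's network engine only sees the destination IP, so an initial
    resolved IP is what tells it that a connection belongs to a public
    hostname route and must go down the tunnel."""
    ip = ipaddress.ip_address(dst)
    if any(ip in n for n in INITIAL_RESOLVED):
        return "tunnel:hostname-route"
    if _covered(ip, private_cidrs):
        return "tunnel:private-network"
    return "internet"


if __name__ == "__main__":
    # Constructed sample profiles; 10.20.0.0/16 stands in for the AWS VPC CIDR.
    vpc = ["10.20.0.0/16"]
    before = ["100.64.0.0/10"]          # stock exclude entry
    after = exclude_mode_carveout()     # the page's six replacement entries
    for dst in ("100.80.3.7", "100.65.0.1", "10.20.1.9", "203.0.113.5"):
        print(dst,
              "before:", enters_warp(dst, "exclude", before),
              "after:", enters_warp(dst, "exclude", after),
              "gateway:", gateway_next_hop(dst, vpc))
```

Running it shows the failure mode the procedure guards against: with the stock 100.64.0.0/10 exclude entry, a connection to an initial resolved IP such as 100.80.3.7 never enters WARP, so Gateway never sees it and the hostname route is silently bypassed; with the carve-out in place it enters WARP, while 100.65.0.1 (still inside the CGNAT block) keeps bypassing as before.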
You can build Gateway network policies to filter HTTPS traffic to your public hostname on port 443. For example, suppose that you want to block all WARP users from accessing app.bank.com except for a specific set of users or groups, and that those authorized users should reach app.bank.com only through your AWS egress IP. You can accomplish this with two policies, ordered so that the allow policy is evaluated first: it allows specific users to reach app.bank.com, and the second blocks all other port 443 traffic to app.bank.com.

1. Allow company employees

   | Selector | Operator | Value | Logic | Action |
   |---|---|---|---|---|
   | SNI | in | app.bank.com | And | Allow |
   | User Email | matches regex | .*@example.com | | |

2. Block everyone else on port 443

   | Selector | Operator | Value | Action |
   |---|---|---|---|
   | SNI | in | app.bank.com | Block |

Gateway does not currently support hostname-based filtering for traffic on non-443 ports, so these SNI policies leave app.bank.com reachable on other ports. To block traffic to app.bank.com on all ports, use the Destination IP selector and specify the public IP space of app.bank.com.
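The following model is an added example, not Cloudflare's policy engine or code from the documentation. It encodes the two policies above as first-match rules and lets you check the three things a reviewer of this configuration would want to confirm: that the allow policy must precede the block policy, that a connection on a port other than 443 falls straight through both SNI policies (the caveat stated above) until a Destination IP policy is added, and that the page's regex `.*@example.com` is loose enough to also match a look-alike domain, which a tighter anchored pattern avoids. The public IP space 203.0.113.0/24 for app.bank.com, the user addresses, and the assumption that "matches regex" is an unanchored search are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Conn:
    dst_ip: str
    dst_port: int
    user_email: str
    sni: Optional[str] = None  # TLS SNI; None when there is no TLS ClientHello


@dataclass
class Policy:
    name: str
    action: str                                   # "allow" or "block"
    sni: Optional[Set[str]] = None                # SNI "in" {...}
    email_regex: Optional[str] = None             # User Email "matches regex"
    dst_cidrs: List[str] = field(default_factory=list)  # Destination IP "in"

    def matches(self, c: Conn) -> bool:
        if self.sni is not None:
            # Page caveat: hostname (SNI) filtering only applies on port 443,
            # so a hostname selector cannot match a connection on another port.
            if c.dst_port != 443 or c.sni not in self.sni:
                return False
        if self.email_regex is not None:
            # Assumption of this model: unanchored search. That is why
            # ".*@example.com" also matches bob@example.com.attacker.test;
            # anchor the pattern and escape the dot to avoid it.
            if not re.search(self.email_regex, c.user_email):
                return False
        if self.dst_cidrs:
            ip = ipaddress.ip_address(c.dst_ip)
            if not any(ip in ipaddress.ip_network(n) for n in self.dst_cidrs):
                return False
        return True


def evaluate(policies: List[Policy], c: Conn, default: str = "allow") -> Tuple[str, str]:
    """First-match evaluation in list order (the dashboard's precedence order).
    Network traffic that matches nothing is allowed by default in this model."""
    for p in policies:
        if p.matches(c):
            return p.action, p.name
    return default, "implicit default"


# The two policies from the page.
ALLOW_EMPLOYEES = Policy("Allow company employees", "allow",
                         sni={"app.bank.com"}, email_regex=r".*@example.com")
BLOCK_REST_443 = Policy("Block everyone else on port 443", "block",
                        sni={"app.bank.com"})
# Hypothetical all-ports block using the Destination IP selector;
# 203.0.113.0/24 stands in for app.bank.com's public IP space.
BLOCK_ALL_PORTS = Policy("Block app.bank.com on all ports", "block",
                         dst_cidrs=["203.0.113.0/24"])

PAGE_POLICIES = [ALLOW_EMPLOYEES, BLOCK_REST_443]

if __name__ == "__main__":
    # Constructed sample connections.
    samples = [
        Conn("203.0.113.10", 443, "alice@example.com", sni="app.bank.com"),
        Conn("203.0.113.10", 443, "mallory@evil.test", sni="app.bank.com"),
        Conn("203.0.113.10", 8443, "mallory@evil.test", sni="app.bank.com"),
        Conn("203.0.113.10", 443, "bob@example.com.attacker.test", sni="app.bank.com"),
    ]
    for c in samples:
        print(c.user_email, c.dst_port,
              "page policies:", evaluate(PAGE_POLICIES, c),
              "with IP block:", evaluate(PAGE_POLICIES + [BLOCK_ALL_PORTS], c))
```

Appending the Destination IP policy after the two SNI policies keeps employees' port 443 sessions allowed (the allow rule matches first) while closing every other port; putting the block policy first would block employees as well.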