Cloudflare
Tunnel.

A secure outbound connector from on-premise or private network systems to Cloudflare's edge. Expose internal HTTP services, SSH, RDP, or databases without opening inbound firewall ports or managing VPNs.

TechnologyNetworkingOpen TierLast updated · Apr 2026

01 · What it is

Outbound-only connectivity to Cloudflare's network.

Cloudflare Tunnel (formerly Argo Tunnel) runs a lightweight daemon (cloudflared) on your server. The daemon opens outbound connections to Cloudflare's nearest PoPs — no inbound ports needed. Cloudflare then routes traffic from the internet (or from Workers via service bindings) to your internal service through that tunnel.

This is the answer to "how does my Worker talk to my on-premise ERP, database, or legacy API without exposing it to the internet?" The tunnel is encrypted, authenticated, and managed via the Cloudflare dashboard or API.

For South African operations, this is particularly relevant: many enterprise clients have on-premise Sage X3 or SAP instances behind corporate firewalls. A tunnel lets a Worker proxy requests to these systems without a VPN, DMZ, or public IP.

02 · How it works

Install cloudflared, route traffic.

Create and configure a tunnel

Create a tunnel via the dashboard or CLI. Configure which internal services to expose via a config file.

# Create tunnel
cloudflared tunnel create erp-connector

# config.yml
tunnel: abc-123-def
credentials-file: /etc/cloudflared/abc-123-def.json

ingress:
  - hostname: erp.company.com
    service: http://localhost:8080
  - hostname: db-admin.company.com
    service: http://localhost:5432
  - service: http_status:404

Run the daemon

Run cloudflared as a systemd service. It maintains persistent outbound connections to Cloudflare and routes incoming requests to your local services.

# Install and run as service
cloudflared service install
systemctl start cloudflared

# Or run directly
cloudflared tunnel run erp-connector

# Quick expose (no config file needed)
cloudflared tunnel --url http://localhost:3000

Access from Workers

Once the tunnel is running and the hostname is configured in DNS, Workers can fetch from the tunnelled service like any other origin.

// Worker fetches from on-premise ERP via tunnel
export default {
  async fetch(req, env) {
    const erpResponse = await fetch(
      "https://erp.company.com/api/v1/orders",
      { headers: { "Authorization": `Bearer ${env.ERP_TOKEN}` } }
    );
    return erpResponse;
  }
};

03 · Gotchas

Where it bites you.

Daemon availability

If cloudflared goes down, the tunnel goes down

Run cloudflared as a supervised service (systemd, Docker, K8s). Consider running multiple replicas for redundancy.

Auth layer

Tunnel doesn't add authentication by default

Anyone who knows the hostname can reach your service. Pair with Cloudflare Access to add identity-aware access control.

Latency

Traffic routes through Cloudflare's network

Requests go: user → Cloudflare PoP → tunnel → your server. For same-network access, this adds a hop. The trade-off is security for latency.

04 · Decision guide

When it fits. When it doesn't.

✓ Use it when

You need to expose internal services without opening inbound ports. The core use case. No DMZ, no port forwarding, no VPN.
Workers need to reach on-premise systems. ERP APIs, legacy databases, internal tools — tunnel bridges cloud-native and on-premise.
Quick dev/staging access. cloudflared tunnel --url gives you a public URL for a local service in seconds.

✗ Skip it when

Your service is already cloud-hosted with a public endpoint. If your API is on AWS/GCP with proper auth, you don't need a tunnel.
Low-latency same-network access is required. The extra hop through Cloudflare adds latency. For internal-only access, a tunnel is overhead.
You need full VPN functionality. Tunnel is for specific services, not general network-level VPN. For full network access, look at Cloudflare WARP or traditional VPNs.

05 · Connections