Private networks
With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a connector on the private network, and then setting up routes which define the IP addresses available in that environment. Unlike published applications, private network routes can expose both HTTP and non-HTTP resources.
To reach private network IPs, end users must connect their device to Cloudflare and enroll in your Zero Trust organization. The most common method is to install the Cloudflare One Client on their device. Alternatively, you can onboard their network traffic to Cloudflare using our WARP Connector or Cloudflare WAN.
Administrators can optionally set Gateway network policies to control access to services based on user identity and device posture.
Here are the different ways you can connect your private network to Cloudflare:
- Cloudflare Tunnel (cloudflared) installs on a server in your private network and creates a secure, outbound-only tunnel to Cloudflare. cloudflared only proxies traffic initiated from a user to a server. Any service or application running behind the tunnel will use the server's default routing table for server-initiated connectivity.
- Cloudflare One Client installs on a user device and can be used to establish peer-to-peer connectivity through Cloudflare's network. Each device is assigned a virtual IP address, allowing enrolled devices to reach services on other enrolled devices.
- WARP Connector installs on a Linux server in your private network to establish site-to-site, bidirectional, and mesh networking connectivity. The WARP Connector acts as a subnet router to relay client-initiated and server-initiated traffic between all devices on a private network and Cloudflare.
- Cloudflare WAN connects entire network locations to Cloudflare using anycast GRE or IPsec tunnels configured on your existing networking equipment.