Tunnel with firewall
Users can implement a positive security model (allow only known destinations and deny everything else) with Cloudflare Tunnel by restricting traffic originating from `cloudflared`. The parameters below can be configured for egress traffic inside of a firewall.
Destinations and ports
Global region (default)
| Destination | Port | Protocols |
|---|---|---|
| region1.v2.argotunnel.com | 7844 | TCP/UDP (`http2`/`quic`) |
| region2.v2.argotunnel.com | 7844 | TCP/UDP (`http2`/`quic`) |
| api.cloudflare.com | 443 | TCP (HTTPS) |
| update.argotunnel.com | 443 | TCP (HTTPS) |
US region
If you set the `region` parameter to US, `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com` are replaced with the following:

| Destination | Port | Protocols |
|---|---|---|
| us-region1.v2.argotunnel.com | 7844 | TCP/UDP (`http2`/`quic`) |
| us-region2.v2.argotunnel.com | 7844 | TCP/UDP (`http2`/`quic`) |
Test connectivity with dig
To test your connectivity to Cloudflare, you can use the `dig` command to query the hostnames listed above. Note that `cloudflared` defaults to connecting with IPv4.
```
$ dig A region1.v2.argotunnel.com
...
;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN A 198.41.192.167
region1.v2.argotunnel.com. 86400 IN A 198.41.192.67
region1.v2.argotunnel.com. 86400 IN A 198.41.192.57
region1.v2.argotunnel.com. 86400 IN A 198.41.192.107
region1.v2.argotunnel.com. 86400 IN A 198.41.192.27
region1.v2.argotunnel.com. 86400 IN A 198.41.192.7
region1.v2.argotunnel.com. 86400 IN A 198.41.192.227
region1.v2.argotunnel.com. 86400 IN A 198.41.192.47
region1.v2.argotunnel.com. 86400 IN A 198.41.192.37
region1.v2.argotunnel.com. 86400 IN A 198.41.192.77
...
```

```
$ dig AAAA region1.v2.argotunnel.com
...
;; ANSWER SECTION:
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::1
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::2
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::3
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::4
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::5
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::6
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::7
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::8
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::9
region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::10
...
```

```
$ dig A region2.v2.argotunnel.com
...
;; ANSWER SECTION:
region2.v2.argotunnel.com. 86400 IN A 198.41.200.13
region2.v2.argotunnel.com. 86400 IN A 198.41.200.193
region2.v2.argotunnel.com. 86400 IN A 198.41.200.33
region2.v2.argotunnel.com. 86400 IN A 198.41.200.233
region2.v2.argotunnel.com. 86400 IN A 198.41.200.53
region2.v2.argotunnel.com. 86400 IN A 198.41.200.63
region2.v2.argotunnel.com. 86400 IN A 198.41.200.113
region2.v2.argotunnel.com. 86400 IN A 198.41.200.73
region2.v2.argotunnel.com. 86400 IN A 198.41.200.43
region2.v2.argotunnel.com. 86400 IN A 198.41.200.23
...
```

```
$ dig AAAA region2.v2.argotunnel.com
...
;; ANSWER SECTION:
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::1
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::2
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::3
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::4
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::5
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::6
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::7
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::8
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::9
region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::10
...
```

```
$ dig api.cloudflare.com
...
;; ANSWER SECTION:
api.cloudflare.com. 41 IN A 104.19.193.29
api.cloudflare.com. 41 IN A 104.19.192.29
...
```

```
$ dig update.argotunnel.com
...
;; ANSWER SECTION:
update.argotunnel.com. 190 IN A 104.18.32.167
update.argotunnel.com. 190 IN A 172.64.155.89
...
```
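An added example, not part of Cloudflare's documentation: a pre-flight script that builds the required destination list for a region from the tables above and probes the TCP entries, so a missing egress rule shows up before `cloudflared` is started. The function names, the `PROBE` override and the `run` argument are assumptions of this example; UDP entries are only listed, because a connect test cannot confirm that QUIC is allowed out.

```shell
#!/bin/sh
# Added example (not Cloudflare's code): egress pre-flight check for cloudflared.
# Hostnames and ports come from the tables on this page; the function names,
# PROBE and the "run" argument are assumptions made for this example.

# Print "host port proto" for every destination required in a region.
# $1 = "global" (default) or "us".
required_endpoints() (
  prefix=""
  if [ "${1:-global}" = "us" ]; then prefix="us-"; fi
  for n in 1 2; do
    for proto in tcp udp; do   # tcp carries http2, udp carries quic
      echo "${prefix}region${n}.v2.argotunnel.com 7844 ${proto}"
    done
  done
  # Per the page, only the region1/region2 names change with the region.
  echo "api.cloudflare.com 443 tcp"
  echo "update.argotunnel.com 443 tcp"
)

# Default probe: succeeds if a TCP handshake to host:port completes within 5 s.
# Needs bash (for /dev/tcp) and coreutils timeout on the machine being tested.
probe_tcp() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Probe each TCP endpoint with the command named in $PROBE and print one
# status line per endpoint. UDP rows are marked UNVERIFIED: UDP has no
# handshake, so a successful "connect" says nothing about the firewall.
check_egress() (
  probe="${PROBE:-probe_tcp}"
  required_endpoints "${1:-global}" | while read -r host port proto; do
    if [ "$proto" = "udp" ]; then
      echo "UNVERIFIED $host:$port/udp"
    elif "$probe" "$host" "$port" </dev/null; then
      echo "OK $host:$port/tcp"
    else
      echo "BLOCKED $host:$port/tcp"
    fi
  done
)

# Real probes run only when asked:  ./egress-check.sh run [us]
if [ "${1:-}" = "run" ]; then
  check_egress "${2:-global}"
fi
```

Any `BLOCKED` line names a destination and port from the tables that the firewall is not letting out; `UNVERIFIED` lines still need a rule for UDP 7844 if the tunnel uses `quic`.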
Test connectivity with PowerShell
On Windows, you can use PowerShell commands if `dig` is not available.
To test DNS:
```
PS C:\Windows\system32> Resolve-DnsName -Name _v2-origintunneld._tcp.argotunnel.com SRV

Name                                  Type TTL Section NameTarget                Priority Weight Port
----                                  ---- --- ------- ----------                -------- ------ ----
_v2-origintunneld._tcp.argotunnel.com SRV  112 Answer  region2.v2.argotunnel.com 2        1      7844
_v2-origintunneld._tcp.argotunnel.com SRV  112 Answer  region1.v2.argotunnel.com 1        1      7844
```
To test ports:
```
PS C:\Cloudflared\bin> tnc region1.v2.argotunnel.com -port 443

ComputerName     : region1.v2.argotunnel.com
RemoteAddress    : 198.41.192.227
RemotePort       : 443
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.2.15
TcpTestSucceeded : True
```

```
PS C:\Cloudflared\bin> tnc region1.v2.argotunnel.com -port 7844

ComputerName     : region1.v2.argotunnel.com
RemoteAddress    : 198.41.192.227
RemotePort       : 7844
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.2.15
TcpTestSucceeded : True
```