Tunnel Virtual Networks
Cloudflare Tunnel supports the creation and configuration of virtual networks. Tunnel Virtual Networks allow you to manage different private networks which have overlapping IP ranges.
For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be “production” and “staging”. However, if the two private networks happened to receive the same RFC 1918 IP assignment, there may be two different resources with the same IP address. By creating two separate virtual networks, you can deterministically route traffic to duplicative private addresses like 10.128.0.1/32
staging and 10.128.0.1/32
production. End users would then select which network to connect to by accessing their WARP client settings.
Prerequisites
- Install
cloudflared
on each private network.
To connect your devices to Cloudflare:
- Deploy the WARP client on your devices in Gateway with WARP mode. The Cloudflare certificate is only required if you want to display a custom block page or filter HTTPS traffic.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
Route IPs over virtual networks
The following example demonstrates how to add two overlapping IP routes to Cloudflare.
-
Create a tunnel for each private network:
-
Within your staging environment, authenticate
cloudflared
:$ cloudflared login -
Create a tunnel to connect your staging network to Cloudflare.
$ cloudflared tunnel create staging-tunnel -
Within your production environment, authenticate
cloudflared
:$ cloudflared login -
Create a tunnel to connect your production network to Cloudflare.
$ cloudflared tunnel create production-tunnel
-
The following steps may be executed from any cloudflared
instance.
-
Create two unique virtual networks.
$ cloudflared tunnel vnet add staging-vnet$ cloudflared tunnel vnet add production-vnet -
Before moving on, run the following command to verify that your newly created virtual networks are listed correctly:
$ cloudflared tunnel vnet list
-
Configure your tunnels with the IP/CIDR range of your private networks, and assign the tunnels to their respective virtual networks.
$ cloudflared tunnel route ip add --vnet staging-vnet 10.128.0.3/32 staging-tunnel$ cloudflared tunnel route ip add --vnet production-vnet 10.128.0.3/32 production-tunnel
-
Verify that the IP routes are listed correctly:
$ cloudflared tunnel route ip list
We now have two overlapping IP addresses routed over staging-vnet
and production-vnet
respectively.
Enable virtual networks
-
Within your staging environment, create a configuration file for
staging-tunnel
. The configuration file will be structured as follows:tunnel: <Tunnel-UUID>credentials-file: /root/.cloudflared/credentials-file.jsonwarp-routing:enabled: true -
Run your tunnel.
$ cloudflared tunnel run staging-tunnel -
Within your production environment, repeat Steps 1 and 2 for
production-tunnel
.
You can use now the Cloudflare WARP client to switch between virtual networks.
Connect to a virtual network
-
Open the WARP client on your device.
-
Go to Settings > Gateway with WARP > Virtual Networks.
-
Choose the virtual network you want to connect to, for example
staging-vnet
.
Now when you visit 10.128.0.3/32
, WARP routes your request to the staging environment.
Delete a virtual network
-
Delete all IP routes in the virtual network. For example,
$ cloudflared tunnel route ip delete --vnet staging-vnet 10.128.0.3/32 -
(Optional) Delete the tunnel associated with the virtual network.
$ cloudflared tunnel delete staging-tunnel -
Delete the virtual network.
$ cloudflared tunnel vnet delete staging-vnet
You can verify that the virtual network was successfully deleted by typing cloudflared tunnel vnet list
.