Performance & Reliability
CDN DNS Argo Smart Routing Load Balancing Web Optimizations China Network
Video Streaming & Delivery
Cloudflare Stream Stream Delivery
Advanced Security
DDoS Protection WAF Bot Management Rate Limiting SSL / TLS DNSSEC Cloudflare Access Cloudflare Spectrum Argo Tunnel
Insights
Analytics Cloudflare Logs
Cloudflare for Developers
Cloudflare Workers Cloudflare Workers KV BETA Mobile SDK
Domain Registration
Cloudflare Registrar
Cloudflare Marketplace
Cloudflare Apps
Cloudflare for Everyone
1.1.1.1
Performance
Accelerate Internet Applications Accelerate Mobile Experiences Ensure Application Availability
Security
Mitigate DDoS Attacks Prevent Customer Data Breaches Stop Malicious Bot Abuse
Industries
SaaS eCommerce Publishers Public Sector
Partnerships
Partner Program Hosting Provider Referral Reseller / MSP OEM / Technology Workers Partner Program Peering Portal Bandwidth Alliance
Integrations
IBM Cloud WordPress Google Cloud Magento Acquia Rackspace Microsoft Azure Kubernetes WP Engine
Develop
API Guide Developer Hub Developer Fund Documentation
Explore
Case Studies Cloudflare in China Network Map Webinars Product Updates White Papers GDPR
Learn
DDoS Learning Center CDN Learning Center DNS Learning Center Security Learning Center Performance Learning Center Serverless Learning Center SSL Learning Center Bots Learning Center
Connect
Blog Contact Sales Community Support
Contact
Advanced Cloudflare Configuration
Explore Cloudflare API v4 Expose a Secure Local Tunnel Configure with Terraform Documentation
Customize Your Site
Customize Using Workers Altering Headers Conditional Request Routing A/B Testing Browse All Code Snippets
Build Serverless Applications
Deploy Using Workers.dev Get Started with Tutorials Clone Examples on GitHub

Argo Tunnel

Protect Your Web Servers from Direct Attack

From the moment an application is deployed, developers and IT spend time locking it down: configuring ACLs, rotating IP addresses, and using clunky solutions like GRE tunnels.

There’s a simpler and more secure way to protect your applications and web servers from direct attacks: Cloudflare’s Argo Tunnel.

Ensure your server is safe, no matter where it’s running: public cloud, private cloud, Kubernetes cluster, or even a Mac mini under your TV.

Sign up Contact Sales

Already a customer? Get Started

"With Argo, I've been able to reduce the administrative overhead of firewalls, reduce the attack surface, and get the added benefit of higher performance through the tunnel."
Johan Bergström
Co-Founder and CTO at Netwrk

Challenges of Protecting Origin Infrastructure

Your origin IP addresses and open ports are exposed and vulnerable to advanced attackers, even when they’re behind your cloud-based security services. Some common ways to stop these direct DDoS or data breach attempts include: creating ACL’s and whitelisting incoming IP addresses, or establishing GRE tunnels and enabling IP security.

These approaches are painful to setup and maintain, lack fully integrated encryption, and can be slower or more costly.

Securely Connect Origins Directly to Cloudflare

Cloudflare’s lightweight Argo Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center — all without opening any public inbound ports.

After locking down all origin server ports and protocols using your firewall, any request on HTTP/S ports are dropped, including volumetric DDoS attacks. Data breach attempts — such as snooping of data in transit or brute force login attacks — are blocked entirely.

Argo Tunnel lets you quickly secure and encrypt application traffic to any type of infrastructure, freeing you to focus on delivering great applications. Now you can encrypt origin traffic and hide your web server IP addresses so direct attacks can’t happen.

Learn more about the Argo Tunnel story

Protect Web Servers from Direct Attacks

After you deploy the Argo Tunnel daemon and lock down your firewall, only inbound web traffic through Cloudflare’s network ever reaches your application’s origin servers.

Now your web server’s firewall blocks volumetric DDoS attacks and customer data breach attempts.

Secure Access to Internal Applications

Argo Tunnel is the perfect solution for only allowing the right people to access internal applications (including those in development environments) that you’d like to make externally facing.

When Argo Tunnel is combined with Cloudflare Access, users are authenticated by major identity providers, like Gsuite and Okta, without a VPN.

Applications once accessible to anyone through the origin IP are now only accessible by authenticated users through Cloudflare’s network.

Accelerate Origin Traffic with Smart Routing

To use Argo Tunnel, you’ll need to enable your Argo subscription in the Cloudflare dashboard. Argo includes access to: Smart Routing, Tunnel, and Tiered Caching.

Argo Smart Routing improves application performance by routing visitors through the least congested and most reliable paths, using Cloudflare's private network. Smart Routing reduces average origin traffic latency by 35% and connection errors by 27%.

Learn more

Argo Tunnel Walkthrough

Setting up Argo Tunnel to protect origin servers and ports is easy

  • Install Tunnel Daemon
  • Login to Cloudflare
  • Start a Tunnel
  • Confirm Lockdown
$ brew install cloudflare/cloudflare/cloudflared
==> Installing cloudflared from
cloudflare/cloudflare
==> Downloading https://warp.cloudflare.com/
dl/warp-2018.3.0-darwin-amd64.tgz
Install Tunnel Daemon
Using Homebrew, run this command to install Argo Tunnel on Mac OSX. For more installation options, and to download the daemon for Windows, Mac, or Linux, visit the Argo Tunnel documentation. 
$ cloudflared login
Login to Cloudflare
After the Argo Tunnel daemon is installed, associate the client with your Cloudflare host by logging in and selecting the zone which you’d like to add Argo Tunnel. 
$ cloudflared --hostname tunnel.example.com
--url http://localhost:8000

INFO Registered at https://tunnel.example.com
Start a Tunnel
Define a hostname with which you’d like to establish an Argo Tunnel connection. The Argo Tunnel software will automatically create a DNS record, appearing in your Cloudflare dashboard, making setup incredibly easy. 
$ netcat -v -z [Origin IP Address] 80
[Origin IP Address] 80 (http):
Connection refused
$ netcat -v -z [Origin IP Address] 443
[Origin IP Address] 443 (https):
Connection refused
Confirm Lockdown of Ports 80 & 443
By sending a request to the origin server directly using ports 80 and 443, rather than through Cloudflare, we can confirm that the connection is refused and Argo Tunnel has been successfully activated.

Key Features

Argo Smart Routing included

Easy-to-install agent with low performance overhead

Command-line configuration

DDoS Protection

Load-balanced across origin pools (when used with Cloudflare Load Balancer)

Custom tags to identify tunnels

Encrypted tunnels with TLS (origin-side certificates)

Application and protocol-level error logging

Everyone can start using Argo Today

To start using Argo Tunnel, you'll need a Cloudflare plan and an Argo subscription. By enabling Argo in the Cloudflare dashboard, you’ll receive access to Smart Routing, Tiered Caching, and Tunnel.

Sign up Contact Sales

Already a customer? Get Started

Argo for Cloudflare’s Free Plan

+ $5/Month

First 1 GB of transfer free; $0.10 per GB thereafter.

Includes Smart Routing, Tunnel, and Tiered Caching

Argo for Cloudflare’s Pro Plan

+ $5/Month

First 1 GB of transfer free; $0.10 per GB thereafter.

Includes Smart Routing, Tunnel, and Tiered Caching

Argo for Cloudflare’s Business Plan

+ $5/Month

First 1 GB of transfer free; $0.10 per GB thereafter.

Includes Smart Routing, Tunnel, and Tiered Caching

Argo for Cloudflare’s Enterprise Plan

Custom

Custom Pricing

Includes Smart Routing, Tunnel, and Tiered Caching*

* Tiered Caching included by default on all Enterprise plans

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.