Tunnel Virtual Networks
Cloudflare Tunnel supports the creation and configuration of Virtual Networks. Tunnel Virtual Networks allow you to manage different private networks which have overlapping IP ranges.
For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be “production” and “staging”. However, if the two private networks happened to receive the same RFC1918 IP assignment, there may be two different resources with the same IP address. By creating two separate Virtual Networks, you can deterministically route traffic to duplicative private addresses like 10.128.0.1/32 staging and 10.128.0.1/32 production. End users would then select which network to connect to by accessing their WARP client settings.
Prerequisites
Complete these getting started procedures, making sure to install cloudflared on each private network.
Route IPs over Virtual Networks
The following example demonstrates how to add two overlapping IP routes to Cloudflare.
1. Create a tunnel for each private network:
   a. Within your staging environment, authenticate cloudflared:
      $ cloudflared login
   b. Create a tunnel to connect your staging network to Cloudflare.
      $ cloudflared tunnel create staging-tunnel
   c. Within your production environment, authenticate cloudflared:
      $ cloudflared login
   d. Create a tunnel to connect your production network to Cloudflare.
      $ cloudflared tunnel create production-tunnel
The following steps may be executed from any cloudflared instance.
2. Create two unique Virtual Networks.
      $ cloudflared tunnel vnet add staging-vnet
      $ cloudflared tunnel vnet add production-vnet
   Before moving on, run the following command to verify that your newly created Virtual Networks are listed correctly:
      $ cloudflared tunnel vnet list
3. Configure your tunnels with the IP/CIDR range of your private networks, and assign the tunnels to their respective Virtual Networks.
      $ cloudflared tunnel route ip add --vnet staging-vnet 10.128.0.3/32 staging-tunnel
      $ cloudflared tunnel route ip add --vnet production-vnet 10.128.0.3/32 production-tunnel
4. Verify that the IP routes are listed correctly:
      $ cloudflared tunnel route ip list
We now have two overlapping IP addresses routed over staging-vnet and production-vnet respectively.
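As an added example (not part of Cloudflare's documentation or tooling), the following Python check audits a route inventory and separates overlaps that sit in different Virtual Networks, as in the procedure above, from overlaps inside a single Virtual Network, which the Virtual Network selection does not disambiguate and which deserve review. The inventory format, the ROUTES sample and the audit_routes name are assumptions made for this example; it does not parse cloudflared output.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (assumed format, not cloudflared output):
# (CIDR, Virtual Network, tunnel)
ROUTES = [
    ("10.128.0.3/32", "staging-vnet", "staging-tunnel"),
    ("10.128.0.3/32", "production-vnet", "production-tunnel"),
    ("10.128.0.0/24", "production-vnet", "production-tunnel"),
    ("192.168.10.0/24", "staging-vnet", "staging-tunnel"),
]


def audit_routes(routes):
    """Classify every pair of overlapping routes.

    Returns (same_vnet, cross_vnet):
      same_vnet  - overlaps inside one Virtual Network; selecting a
                   Virtual Network does not tell these routes apart
      cross_vnet - overlaps across Virtual Networks; the destination
                   depends on the network chosen in the WARP client
    """
    parsed = [
        # strict=True rejects CIDRs with host bits set (e.g. 10.128.0.3/24)
        (ipaddress.ip_network(cidr, strict=True), vnet, tunnel)
        for cidr, vnet, tunnel in routes
    ]
    same_vnet, cross_vnet = [], []
    for (net_a, vnet_a, tun_a), (net_b, vnet_b, tun_b) in combinations(parsed, 2):
        # IPv4 and IPv6 ranges never overlap; skip mixed pairs explicitly.
        if net_a.version != net_b.version or not net_a.overlaps(net_b):
            continue
        pair = ((str(net_a), vnet_a, tun_a), (str(net_b), vnet_b, tun_b))
        (same_vnet if vnet_a == vnet_b else cross_vnet).append(pair)
    return same_vnet, cross_vnet


if __name__ == "__main__":
    same_vnet, cross_vnet = audit_routes(ROUTES)
    for a, b in same_vnet:
        print(f"REVIEW  {a[0]} ({a[2]}) overlaps {b[0]} ({b[2]}) inside {a[1]}")
    for a, b in cross_vnet:
        print(f"OK      {a[0]} in {a[1]} overlaps {b[0]} in {b[1]}")
```
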
Enable Virtual Networks
1. Within your staging environment, create a configuration file for staging-tunnel. The configuration file will be structured as follows:
      tunnel: <Tunnel-UUID>
      credentials-file: /root/.cloudflared/credentials-file.json
      warp-routing:
        enabled: true
2. Run your tunnel.
      $ cloudflared tunnel run staging-tunnel
3. Within your production environment, repeat Steps 1 and 2 for production-tunnel.
You can now use the Cloudflare WARP client to switch between Virtual Networks.
Connect to a Virtual Network
1. Open the WARP client on your device.
2. Click on Settings > Gateway with WARP > Virtual Networks.
3. Select the Virtual Network you want to connect to, for example staging-vnet.
Now when you visit 10.128.0.3/32, WARP routes your request to the staging environment.
Delete a Virtual Network
1. Delete all IP routes in the Virtual Network. For example,
      $ cloudflared tunnel route ip delete --vnet staging-vnet 10.128.0.3/32
2. (Optional) Delete the tunnel associated with the Virtual Network.
      $ cloudflared tunnel delete staging-tunnel
3. Delete the Virtual Network.
      $ cloudflared tunnel vnet delete staging-vnet
You can verify that the Virtual Network was successfully deleted by typing cloudflared tunnel vnet list.