Use Cloudflare Load Balancer with Cloudflare Tunnel

中文版:配合Cloudflare Tunnel使用Cloudflare Load Balancer – Frank’s Weblog

Cloudflare Load Balancer is a global load balancing product provided by Cloudflare. It can connect to origin servers in traditional ways by DNS name or IP addresses, it also can be integrated with Cloudflare Tunnel to create a seamless and secure network infrastructure.

Using Cloudflare Tunnel with Cloudflare Load Balancer is more complicated as we need to configure the DNS name and host header to make sure the routing and monitoring work correctly.

In this post, we will use an example to demonstrate how to use Cloudflare Load Balancer with Cloudflare Tunnel.

Before getting started, make sure you understand how Host header in HTTP protocol works, here’s some references:

What is HTTP “Host” header? – Stack Overflow

Host names – IBM Documentation

一个谜之CORS Bug的调试过程 – Frank’s Weblog


We’ll use following configuration: The website domain of the site and the hostname configured in the application are both[*], there are two origins connected via Cloudflare Tunnel: and

[*]: Assume the application is served by nginx, the server_name of this nginx is

Install Cloudflare Tunnel

See official document for installation guide: Via the dashboard · Cloudflare Zero Trust docs

If you are running Cloudflare Tunnel from Kubernetes, see Deploy Cloudflare Tunnel on Kubernetes – Frank’s Weblog.

Configure Cloudflare Tunnel

After a cloudflared client is connected, a tunnel will be created automatically. An UUID will be assigned to the tunnel as the tunnel ID. In this example, I created two tunnels, one named primary, tunnel ID aa57***ba18; the other one named replica, tunnel ID ad8c***47f5.

The content below only demonstrates the configuration for primary tunnel, the configuration for the other tunnel is similar.

Create “Public hostname” for the tunnel.

Configure its hostname to, set HTTP Host Header to

Repeat the steps above to the same to the tunnel that hosts

When creating the public hostname, a DNS record points to (UUID) will be automatically created for the subdomain Since the origins will be behind the load balancers, we won’t need these public records. To ensure security, you can remove them from DNS records.

Load Balancer and Origin Pool

After finished configurations above, create an Load Balancer and an origin pool. Configure the origin address as (UUID) and configure the “Header value” as the hostname configured in Public hostname, in this case

This setting is somehow against the intuition. (UUID) is the network address of this Tunnel, it allows Cloudflare Load Balancer to find the right host in the internet. In the previous step, we configured the Public Hostname to, this is the virtual address[1] of this Public Hostname. Here we need to configure the Host to the same value to ensure Tunnel can forward the request to the corresponding “Public Hostname”. When request reaches the Public Hostname, since we set the HTTP Host Header to in the HTTP Settings, the Tunnel will use as the HTTP Host header to forward the request to upstream, in this case, it’s http://nginx:80.

Pool Monitor

To allow Pool Monitors to monitor the tunnel origins, configure the value of the Host header to in “Advanced health check settings”[2].

Health Check

Monitor and Health Check are two different features. Health Check(Traffic -> Health Checks)is a paid feature and not related with Load Balancer. See official document for how to use Health Check: Overview · Cloudflare Health Checks docs

Tunnel Replication is Not Load Balancing

Tunnel replication[3] is often confused with load balancing, but it’s NOT load balancing.

A Cloudflare Tunnel can have multiple connectors(see image below). Each connector points to the same tunnel. This ensures that origins can be reached if one of the connectors goes down. We refer to these unique connectors/cloudflared clients as replicas.

Multiple connectors in same tunnel

Replicas can be located on different servers, even different geographic regions, but replicas do not offer any traffic steering, which Load Balancer does. When a request arrives to Cloudflare, the network will pick any connection available to the origin. If a connection fails, Cloudflare will retry others, but there is no guarantee about which connection is chosen.


Here is a summary of the configuration values of every Cloudflare component through the life of a packet.


[1] Virtual hosting – IBM Documentation

[2] Load balancers · Cloudflare Zero Trust docs

[3] Tunnel availability and failover · Cloudflare Zero Trust docs





发表回复/Leave a Reply

您的电子邮箱地址不会被公开。/Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.