中文版：配合Cloudflare Tunnel使用Cloudflare Load Balancer – Frank’s Weblog
Cloudflare Load Balancer is a global load balancing product provided by Cloudflare. It can connect to origin servers in traditional ways by DNS name or IP addresses, it also can be integrated with Cloudflare Tunnel to create a seamless and secure network infrastructure.
Using Cloudflare Tunnel with Cloudflare Load Balancer is more complicated as we need to configure the DNS name and host header to make sure the routing and monitoring work correctly.
In this post, we will use an example to demonstrate how to use Cloudflare Load Balancer with Cloudflare Tunnel.
Before getting started, make sure you understand how Host header in HTTP protocol works, here’s some references:
What is HTTP “Host” header? – Stack Overflow
Host names – IBM Documentation
一个谜之CORS Bug的调试过程 – Frank’s Weblog
We’ll use following configuration: The website domain of the site and the hostname configured in the application are both
example.com[*], there are two origins connected via Cloudflare Tunnel:
[*]: Assume the application is served by nginx, the
server_name of this nginx is
Install Cloudflare Tunnel
See official document for installation guide: Via the dashboard · Cloudflare Zero Trust docs
If you are running Cloudflare Tunnel from Kubernetes, see Deploy Cloudflare Tunnel on Kubernetes – Frank’s Weblog.
Configure Cloudflare Tunnel
cloudflared client is connected, a tunnel will be created automatically. An UUID will be assigned to the tunnel as the tunnel ID. In this example, I created two tunnels, one named
primary, tunnel ID
aa57***ba18; the other one named
replica, tunnel ID
The content below only demonstrates the configuration for
primary tunnel, the configuration for the other tunnel is similar.
Create “Public hostname” for the tunnel.
Configure its hostname to
origin0.example.com, set HTTP Host Header to
Repeat the steps above to the same to the tunnel that hosts
When creating the public hostname, a DNS record points to
(UUID).cfargotunnel.com will be automatically created for the subdomain
origin0.example.com. Since the origins will be behind the load balancers, we won’t need these public records. To ensure security, you can remove them from DNS records.
Load Balancer and Origin Pool
After finished configurations above, create an Load Balancer and an origin pool. Configure the origin address as
(UUID).cfargotunnel.com and configure the “Header value” as the hostname configured in Public hostname, in this case
This setting is somehow against the intuition.
(UUID).cfargotunnel.com is the network address of this Tunnel, it allows Cloudflare Load Balancer to find the right host in the internet. In the previous step, we configured the Public Hostname to
origin0.example.com, this is the virtual address of this Public Hostname. Here we need to configure the Host to the same value to ensure Tunnel can forward the request to the corresponding “Public Hostname”. When request reaches the Public Hostname, since we set the HTTP Host Header to
example.com in the HTTP Settings, the Tunnel will use
example.com as the HTTP Host header to forward the request to upstream, in this case, it’s
To allow Pool Monitors to monitor the tunnel origins, configure the value of the
Host header to
example.com in “Advanced health check settings”.
Monitor and Health Check are two different features. Health Check(Traffic -> Health Checks)is a paid feature and not related with Load Balancer. See official document for how to use Health Check: Overview · Cloudflare Health Checks docs
Tunnel Replication is Not Load Balancing
Tunnel replication is often confused with load balancing, but it’s NOT load balancing.
A Cloudflare Tunnel can have multiple connectors(see image below). Each connector points to the same tunnel. This ensures that origins can be reached if one of the connectors goes down. We refer to these unique connectors/cloudflared clients as replicas.
Replicas can be located on different servers, even different geographic regions, but replicas do not offer any traffic steering, which Load Balancer does. When a request arrives to Cloudflare, the network will pick any connection available to the origin. If a connection fails, Cloudflare will retry others, but there is no guarantee about which connection is chosen.
Here is a summary of the configuration values of every Cloudflare component through the life of a packet.
 Virtual hosting – IBM Documentation
 Load balancers · Cloudflare Zero Trust docs
 Tunnel availability and failover · Cloudflare Zero Trust docs
Leave a Reply