Deploy cloudflared in GCP
This guide covers how to connect a Google Cloud Project (GCP) virtual machine to Cloudflare using our lightweight connector, cloudflared.
We will deploy:
- A Google Cloud Project (GCP) virtual machine that runs a basic HTTP server.
- A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address.
Prerequisites
To complete the following procedure, you will need to:
- Add a website to Cloudflare
- Deploy the WARP client on an end-user device
1. Create a VM instance in GCP
In your Google Cloud Console, create a new project.
Go to Compute Engine > VM instances.
Select Create instance.
Name your VM instance. In this example we will name it http-test-server.
Choose your desired operating system and specifications. For this example, you can use the following settings:
- Machine family: General Purpose
- Series: E2
- Machine type: e2-micro
- Boot disk image: Debian GNU/Linux 12
- Firewalls: Allow HTTP and HTTPS traffic
Under Advanced options > Management > Automation, add the following startup script. This example deploys a basic Apache web server on port 80.
#!/bin/bash
apt update
apt -y install apache2
cat <<EOF > /var/www/html/index.html
<html><body><h1>Hello Cloudflare!</h1><p>This page was created for a Cloudflare demo.</p></body></html>
EOF
Select Create.
The operating system automatically starts the Apache HTTP server. To verify that the server is running:
- Copy the External IP for the VM instance.
- Open a browser and go to http://<EXTERNAL IP>. You should see the Hello Cloudflare! test page.
To log in to the VM instance, open the dropdown next to SSH and select Open in browser window.
2. Create a Cloudflare Tunnel
Next, we will create a Cloudflare Tunnel in Zero Trust and run the tunnel on the GCP VM.
Log in to Zero Trust and go to Networks > Tunnels.
Select Create a tunnel.
Choose Cloudflared for the connector type and select Next.
Enter a name for your tunnel (for example, gcp-tunnel).
Select Save tunnel.
Under Choose your environment, select Debian. Copy the command shown in the dashboard and run it on your GCP VM.
Once the command has finished running, your connector will appear in Zero Trust.
Select Next.
3. Connect using a public hostname
Public hostname routes allow anyone on the Internet to connect to HTTP resources hosted on your virtual private cloud (VPC). To add a public hostname route for your Cloudflare Tunnel:
- In the Public Hostname tab, enter a hostname for the application (for example, hellocloudflare.<your-domain>.com).
- Under Service, enter http://localhost:80.
- Select Save hostname.
- To test, open a browser and go to http://hellocloudflare.<your-domain>.com. You should see the Hello Cloudflare! test page.
You can optionally create an Access application to control who can access the service.
4. Connect using a private IP
To configure a private network route for your Cloudflare Tunnel:
In the Private Network tab, enter the Internal IP of your GCP VM instance (for example, 10.0.0.2). You can expand the IP range later if necessary.
In your Split Tunnel configuration, make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete 10.0.0.0/8. We recommend re-adding the IPs that are not explicitly used by your GCP VM – you can use this calculator to determine which IP addresses to re-add.
To test on a user device:
- Log in to the WARP client.
- Open a terminal window and connect to the service using its private IP:
$ curl 10.0.0.2
<html><body><h1>Hello Cloudflare!</h1><p>This page was created for a Cloudflare demo.</p></body></html>
You can optionally create Gateway network policies to control who can access the VM via its private IP.
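The Split Tunnel step above deletes 10.0.0.0/8 from the Exclude list and re-adds everything the VM does not use. The following added example (not Cloudflare's code; the function names readd_ranges and goes_through_warp are hypothetical) computes that re-add list and checks that only the tunnel route is sent through WARP. It assumes IPv4 entries and that in Exclude mode an address bypasses WARP when any list entry contains it.

```python
import ipaddress


def readd_ranges(deleted_entry, tunnel_routes):
    """CIDRs to put back in the Exclude list after deleting `deleted_entry`,
    leaving only `tunnel_routes` to be sent through WARP."""
    block = ipaddress.ip_network(deleted_entry)
    # Merge overlapping or adjacent routes so each one is carved out once.
    routes = ipaddress.collapse_addresses(
        ipaddress.ip_network(r) for r in tunnel_routes)
    remaining = [block]
    for route in routes:
        if not route.subnet_of(block):
            raise ValueError(f"{route} is not inside {block}")
        carved = []
        for net in remaining:
            if route.subnet_of(net):
                # address_exclude() yields the parts of `net` outside `route`.
                carved.extend(net.address_exclude(route))
            else:
                carved.append(net)
        remaining = carved
    return [str(net) for net in sorted(remaining)]


def goes_through_warp(ip, exclude_list):
    """In Exclude mode, an address uses WARP only if no entry contains it."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(e) for e in exclude_list)


if __name__ == "__main__":
    # Values from the guide: delete 10.0.0.0/8, route the VM's internal IP.
    readd = readd_ranges("10.0.0.0/8", ["10.0.0.2"])
    for cidr in readd:
        print(cidr)
    print("VM routed via WARP:", goes_through_warp("10.0.0.2", readd))
    print("Neighbour still excluded:", not goes_through_warp("10.0.0.3", readd))
```

Re-adding the complement keeps the rest of 10.0.0.0/8 (for example, a home or office LAN in that range) off the tunnel, so only the address you published as a private network route is reachable through WARP.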
Firewall configuration
To secure your VM instance, you can configure your VPC firewall rules to deny all ingress traffic and allow only egress traffic to the Cloudflare Tunnel IP addresses. Since GCP denies ingress traffic by default, you can delete all ingress rules and leave only the relevant egress rules.
After configuring your VPC firewall rules, verify that you can still access the service through Cloudflare Tunnel via its public hostname or private IP. The service should no longer be accessible from outside Cloudflare Tunnel – for example, if you go to http://<EXTERNAL IP> the test page should no longer load.