Cloudflare Tunnel

This guide walks you through setting up a Cloudflare Tunnel to connect your private services to the internet without a publicly routable IP address.

Note

For a complete API reference, see the Tunnel Provider.

1. Create a Tunnel

   Add a Tunnel resource to your alchemy.run.ts file:

   import alchemy from "alchemy";
   import { Tunnel } from "alchemy/cloudflare";
   
   const app = await alchemy("my-app");
   
   // Create a tunnel with ingress rules
   const tunnel = await Tunnel("web-app", {
     name: "web-app-tunnel",
     ingress: [
       {
         hostname: "app.example.com",
         service: "http://localhost:3000",
       },
       {
         service: "http_status:404", // catch-all rule (required)
       },
     ],
   });
   
   // Display the tunnel token
   console.log("Tunnel created!");
   console.log("Token:", tunnel.token.unencrypted);
   
   await app.finalize();

   Tip

   DNS records are automatically created for hostnames in your ingress rules. Make sure your domain is already added to Cloudflare.

2. Deploy the Tunnel configuration

   Deploy your tunnel configuration to Cloudflare:

   bun

   bun alchemy deploy

   npm

   npx alchemy deploy

   pnpm

   pnpm alchemy deploy

   yarn

   yarn alchemy deploy

   Save the token that’s displayed - you’ll need it to run cloudflared.

3. Install cloudflared

   Install the cloudflared connector on your origin server:

   macOS

   brew install cloudflared

   Windows

   winget install --id Cloudflare.cloudflared

   Linux

   Download the latest release from the official releases page.

   Docker

   docker pull cloudflare/cloudflared:latest

   For detailed installation instructions for your platform, see the official Cloudflare documentation.

4. Run the Tunnel

   Start cloudflared with the token from step 2:

   Linux/macOS

   # Run as a service (recommended)
   sudo cloudflared service install <TUNNEL_TOKEN>
   
   # Or run in foreground for testing
   cloudflared tunnel run --token <TUNNEL_TOKEN>

   Windows

   # Run as a service (as administrator)
   cloudflared.exe service install <TUNNEL_TOKEN>
   
   # Or run in foreground for testing
   cloudflared.exe tunnel run --token <TUNNEL_TOKEN>

   Docker

   docker run -d \
     --name cloudflared-tunnel \
     --restart unless-stopped \
     cloudflare/cloudflared:latest \
     tunnel --no-autoupdate run --token <TUNNEL_TOKEN>

5. Start your local service

   Make sure your application is running on the port specified in the ingress rules:

   # Example: Start a simple HTTP server on port 3000
   npx http-server -p 3000
   
   # Or run your application
   # node app.js
   # python -m http.server 3000
   # etc.

6. Test your tunnel

   Visit your configured hostname to verify the tunnel is working:

   curl https://app.example.com

   You should see the response from your local service!

Next Steps

Now that you have a basic tunnel running, explore these advanced features:

• Multiple services - Route different hostnames and paths to different services
• Private network access - Enable WARP routing for secure connectivity
• Origin configuration - Customize timeouts, TLS settings, and more
• Access policies - Add authentication and authorization to your tunnel

See the Tunnel Provider Reference for complete documentation on all available options.

Learn More

• Tunnel Provider Reference - Complete API documentation
• Cloudflare Tunnel Documentation - Official Cloudflare docs
• Zero Trust Access Policies - Secure your tunnel with access controls