Ports and IPs
Users can implement a positive security model with Cloudflare Tunnel by restricting traffic originating from cloudflared
. The parameters below can be configured for egress traffic inside of a firewall.
Destination | Port | Protocols |
---|---|---|
region1.v2.argotunnel.com | 7844 | TCP/UDP (h2mux , http2 , and quic ) |
region2.v2.argotunnel.com | 7844 | TCP/UDP (h2mux , http2 , and quic ) |
api.cloudflare.com | 443 | TCP (HTTPS) |
update.argotunnel.com | 443 | TCP (HTTPS) |
Test connectivity with dig
To test your connectivity to Cloudflare, you can use the dig
command to query the hostnames listed above. Note that cloudflared
defaults to connecting with IPv4.
$ dig A region1.v2.argotunnel.com...;; ANSWER SECTION:region1.v2.argotunnel.com. 86400 IN A 198.41.192.167region1.v2.argotunnel.com. 86400 IN A 198.41.192.67region1.v2.argotunnel.com. 86400 IN A 198.41.192.57region1.v2.argotunnel.com. 86400 IN A 198.41.192.107region1.v2.argotunnel.com. 86400 IN A 198.41.192.27region1.v2.argotunnel.com. 86400 IN A 198.41.192.7region1.v2.argotunnel.com. 86400 IN A 198.41.192.227region1.v2.argotunnel.com. 86400 IN A 198.41.192.47region1.v2.argotunnel.com. 86400 IN A 198.41.192.37region1.v2.argotunnel.com. 86400 IN A 198.41.192.77...
$ dig AAAA region1.v2.argotunnel.com...;; ANSWER SECTION:region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::1region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::2region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::3region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::4region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::5region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::6region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::7region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::8region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::9region1.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a0::10...
$ dig A region2.v2.argotunnel.com...;; ANSWER SECTION:region2.v2.argotunnel.com. 86400 IN A 198.41.200.13region2.v2.argotunnel.com. 86400 IN A 198.41.200.193region2.v2.argotunnel.com. 86400 IN A 198.41.200.33region2.v2.argotunnel.com. 86400 IN A 198.41.200.233region2.v2.argotunnel.com. 86400 IN A 198.41.200.53region2.v2.argotunnel.com. 86400 IN A 198.41.200.63region2.v2.argotunnel.com. 86400 IN A 198.41.200.113region2.v2.argotunnel.com. 86400 IN A 198.41.200.73region2.v2.argotunnel.com. 86400 IN A 198.41.200.43region2.v2.argotunnel.com. 86400 IN A 198.41.200.23...
$ dig AAAA region2.v2.argotunnel.com...;; ANSWER SECTION:region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::1region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::2region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::3region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::4region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::5region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::6region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::7region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::8region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::9region2.v2.argotunnel.com. 86400 IN AAAA 2606:4700:a8::10...
$ dig api.cloudflare.com...;; ANSWER SECTION:api.cloudflare.com. 41 IN A 104.19.193.29api.cloudflare.com. 41 IN A 104.19.192.29...
$ dig update.argotunnel.com...;; ANSWER SECTION:update.argotunnel.com. 190 IN A 104.18.32.167update.argotunnel.com. 190 IN A 172.64.155.89...
Test connectivity with PowerShell
On Windows, you can use PowerShell commands if dig
is not available.
To test DNS:
PS C:\Windows\system32> Resolve-DnsName -Name _v2-origintunneld._tcp.argotunnel.com SRV
Name Type TTL Section NameTarget Priority Weight Port
---- ---- --- ------- ---------- -------- ------ ----
_v2-origintunneld._tcp.argotunnel.com SRV 112 Answer region2.v2.argotunnel.com 2 1 7844
_v2-origintunneld._tcp.argotunnel.com SRV 112 Answer region1.v2.argotunnel.com 1 1 7844
To test ports:
PS C:\Cloudflared\bin> tnc region1.v2.argotunnel.com -port 443
ComputerName : region1.v2.argotunnel.com
RemoteAddress : 198.41.192.227
RemotePort : 443
InterfaceAlias : Ethernet
SourceAddress : 10.0.2.15
TcpTestSucceeded : True
PS C:\Cloudflared\bin> tnc region1.v2.argotunnel.com -port 7844
ComputerName : region1.v2.argotunnel.com
RemoteAddress : 198.41.192.227
RemotePort : 7844
InterfaceAlias : Ethernet
SourceAddress : 10.0.2.15
TcpTestSucceeded : True