When you need this
- You need to send event data from an internal VPC, private cloud, or on-premises system to TrackLayer without exposing any inbound ports to the public internet.
- Your security policies prohibit inbound internet access to internal services, so data transmission must use an outbound-only connection.
- You run TrackLayer on a hybrid or multi-cloud architecture and need one consistent, secure way to ingest data from several private sources.
Prerequisites
- A Cloudflare Zero Trust account (the free tier is enough for a basic setup).
- Docker or systemd on a host inside your VPC where `cloudflared` will run.
- Outbound TCP and UDP 7844 allowed from the `cloudflared` host to Cloudflare's edge (QUIC over UDP is the default transport, HTTP/2 over TCP the fallback), plus TCP 443 to api.cloudflare.com for the management commands below. Port 443 alone is not enough for the connector itself.
- A DNS zone served by Cloudflare in which to create the tunnel's CNAME record. trackingvpc.yourcorp.internal is used as a placeholder throughout; substitute a hostname in a zone your Cloudflare account actually manages, since `.internal` names are not publicly resolvable.
- A TrackLayer Enterprise plan, or the Scale tier with the Private Ingestion add-on.
Step-by-step setup
Sign up for Cloudflare Zero Trust
If you don't already have one, create a Cloudflare account and enable Cloudflare Zero Trust from the dashboard. This is where you will manage your tunnels.
Create your tunnel
Install `cloudflared` on your workstation (or a control host), log it in to your Cloudflare account, and create the tunnel. `tunnel create` prints the tunnel UUID and writes a credentials file (`~/.cloudflared/<UUID>.json`). The connector token used in the next step is a separate secret; print it with `tunnel token`.

```bash
cloudflared tunnel login
cloudflared tunnel create trackingvpc
cloudflared tunnel token trackingvpc   # prints the connector token used with --token below
```

Run cloudflared as a service in your VPC
Deploy `cloudflared` inside your private VPC with Docker Compose or systemd so that it starts automatically and runs with the token printed above. Set `CF_TUNNEL_TOKEN` in the Compose environment or `.env` file rather than pasting the token into the file. Be aware that a token passed on the command line is visible to anyone who can run `docker inspect` or list processes on the host; `cloudflared` also reads the token from the `TUNNEL_TOKEN` environment variable, which avoids that exposure.

```yaml
services:
  cloudflared:
    # pin a specific release in production instead of `latest`
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    # --no-autoupdate: the image tag, not cloudflared itself, controls the version
    command: tunnel --no-autoupdate run --token $CF_TUNNEL_TOKEN
```

Configure tunnel routes
Two pieces are needed: a DNS record that points the public hostname at the tunnel, and ingress rules that tell `cloudflared` which internal service each hostname is forwarded to. Create the DNS record with:

```bash
cloudflared tunnel route dns trackingvpc trackingvpc.yourcorp.internal
```

This adds a proxied CNAME for trackingvpc.yourcorp.internal pointing at `<TUNNEL_UUID>.cfargotunnel.com` in your Cloudflare zone. When the connector runs with `--token`, its ingress rules are managed remotely: in the Zero Trust dashboard, open the tunnel and add a Public Hostname mapping trackingvpc.yourcorp.internal to http://internal-origin:8080 (the dashboard creates the DNS record for you in that case, so the `route dns` command is then optional). If you prefer to manage the rules locally, omit `--token`, mount the credentials file, run `cloudflared tunnel run trackingvpc`, and supply a config.yml equivalent to the mapping above. Replace trackingvpc.yourcorp.internal and internal-origin:8080 with your actual values.

```yaml
tunnel: <TUNNEL_UUID>
credentials-file: /etc/cloudflared/<TUNNEL_UUID>.json
ingress:
  - hostname: trackingvpc.yourcorp.internal
    service: http://internal-origin:8080
  - service: http_status:404   # catch-all must be last
```

Rules are evaluated top to bottom and the final rule must be a catch-all. Check a local file with `cloudflared tunnel ingress validate`, and see which rule a given URL would hit with `cloudflared tunnel ingress rule https://trackingvpc.yourcorp.internal/tracklayer-endpoint`.

Register tunnel with TrackLayer
In the TrackLayer dashboard, navigate to /data-sources, click 'Add New Source', and select 'Private Tunnel'. Enter the necessary tunnel details, including the Cloudflare Tunnel ID and the internal hostname.
Test event flow
Send a test event (a JSON POST) from a machine outside your VPC to the public hostname. The request terminates at Cloudflare's edge and is forwarded over the tunnel to internal-origin:8080, so a 2xx response means the whole path works; an HTTP 530 with Cloudflare error 1033 means Cloudflare has no active connector for the tunnel. Then verify that the event appears in the TrackLayer /events live stream.

```bash
curl -X POST -H "Content-Type: application/json" \
  -d '{"event": "test_private_ingestion", "properties": {"status": "success"}}' \
  https://trackingvpc.yourcorp.internal/tracklayer-endpoint
```

Set up health-check alert
Configure an alert in TrackLayer or your monitoring system. For example, if 0 events are received from this tunnel for more than 15 minutes, trigger an alert via Slack or email to investigate potential connectivity issues.
cloudflared hardening
- Run `cloudflared` as a non-root user with the minimum filesystem access it needs. The official container image already runs as a non-root user; in Compose you can additionally set `read_only: true`, `cap_drop: [ALL]` and `security_opt: [no-new-privileges:true]`, since the connector does not need to write to disk in token mode.
- Be clear about what the tunnel does and does not do: it removes inbound ports and hides the origin's address, but anyone on the internet can reach trackingvpc.yourcorp.internal through Cloudflare. Authenticate ingestion requests at the origin, scope the ingress rule to the single path TrackLayer needs, and consider a Cloudflare Access service token (sent by clients as the `CF-Access-Client-Id` and `CF-Access-Client-Secret` headers) or WAF rules to limit who reaches the hostname at all.
- Treat the tunnel token as a credential: keep it in a secrets store, pass it through the `TUNNEL_TOKEN` environment variable rather than on the command line, and rotate it quarterly or whenever someone with access leaves or a connector host is suspected of compromise.
- Monitor CPU and memory usage of the `cloudflared` process to detect abnormal behaviour or resource exhaustion.
- Expose the connector's Prometheus metrics with the `--metrics <address:port>` flag (for example `--metrics 0.0.0.0:2000` inside the container, scraped over the internal network only and never published to the internet); the number of active edge connections is the most useful signal for spotting a connector that is up but disconnected.
- Pin the `cloudflared` image tag or package version and update it deliberately and regularly for security patches; keep `--no-autoupdate` in containers so that the version is controlled by the image, not by the running process.
Failover strategy
For high availability (HA), run several `cloudflared` replicas on different hosts or availability zones inside your VPC, all started with the same tunnel token. Each replica opens four connections to two Cloudflare data centres, and Cloudflare distributes incoming requests across every connector registered for the tunnel; if one replica goes down, its share moves to the remaining connectors with no client-side change.
There is no separate mode to enable: any additional instance started with the same tunnel credentials automatically becomes a replica. `cloudflared tunnel info trackingvpc` lists the connectors Cloudflare currently sees for the tunnel, which is the quickest way to confirm that redundancy is actually in place rather than assumed.
Troubleshooting
Tunnel won't connect
Verify outbound connectivity from the `cloudflared` host to Cloudflare's edge on TCP and UDP 7844 (and TCP 443 to api.cloudflare.com). Many corporate firewalls drop UDP; if so, start the connector with `--protocol http2` to force the TCP transport. Check proxy settings and confirm the token is the current one, since a rotated token is rejected. A healthy start logs "Registered tunnel connection" for each edge connection, and `cloudflared tunnel info trackingvpc` shows whether Cloudflare has registered the connector at all.
Intermittent drops/packet loss
Examine `cloudflared` logs for errors, high CPU/memory usage, or network congestion on the host. Ensure sufficient bandwidth and stable network connectivity between the `cloudflared` instance and your internal origin.
Events arriving out of order
Cloudflare Tunnel carries independent HTTP requests; with several replicas and several edge connections per replica there is no ordering guarantee across requests. Put a client-side timestamp or sequence number in each event and order or deduplicate on that field in TrackLayer or your event pipeline if strict ordering is critical.
Latency > 500ms
Check network latency between your `cloudflared` host and both the internal origin and Cloudflare's nearest data center. Optimize host resources and verify the proximity of your `cloudflared` deployment to the Cloudflare edge.
Token rotation breaks production
Implement a controlled token rotation process: generate the new token, then restart replicas one at a time with the new token, confirming each one re-registers (`cloudflared tunnel info trackingvpc`) before moving to the next. With at least two replicas this is zero-downtime. Rehearse the procedure in a staging environment before running it in production.
Wrong route gets traffic
Review your ingress rules: they are matched top to bottom and the first match wins, so a broad rule (or the catch-all) placed too early swallows traffic meant for the rules after it. Use `cloudflared tunnel ingress validate` to check a local config file and `cloudflared tunnel ingress rule <URL>` to see which rule a given URL would hit. For a remotely managed tunnel, review the Public Hostname list in the Zero Trust dashboard in the same top-to-bottom order.
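To make the first-match behaviour concrete, here is an added example (not TrackLayer or cloudflared code) that models ingress evaluation in Python: rules tried top to bottom, a hostname matched exactly or by a leading `*.` wildcard, an optional `path` regex, and a mandatory trailing catch-all. It flags the misordering that produces this symptom and shows how scoping the hostname rule to the ingestion path alone leaves everything else on that hostname answering 404. The wildcard and path semantics are a simplified model of the connector's behaviour, not a copy of its implementation.

```python
"""Model of cloudflared ingress evaluation: ordered rules, first match wins.

Added example, not TrackLayer or cloudflared code. Hostname matching (exact or
leading `*.` wildcard) and the path regex are a simplified model of the connector's
behaviour; the rule layout mirrors the config.yml used in this guide.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class IngressRule:
    service: str
    hostname: Optional[str] = None   # None: matches any host
    path: Optional[str] = None       # regex searched against the request path


def host_matches(rule_host: Optional[str], req_host: str) -> bool:
    if rule_host is None or rule_host == "*":
        return True
    if rule_host.startswith("*."):
        # "*.yourcorp.internal" covers any name ending in ".yourcorp.internal"
        return req_host.endswith(rule_host[1:])
    return rule_host == req_host


def route(rules: List[IngressRule], url: str) -> Optional[str]:
    """Return the service the first matching rule would forward `url` to."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    for rule in rules:
        if host_matches(rule.hostname, host) and (rule.path is None or re.search(rule.path, path)):
            return rule.service
    return None  # unreachable once validate() passes: the catch-all matches everything


def validate(rules: List[IngressRule]) -> List[str]:
    """Return ordering problems; an empty list means the rule set is sound."""
    problems = []
    if not rules or rules[-1].hostname is not None or rules[-1].path is not None:
        problems.append("last rule must be a catch-all with no hostname and no path")
    for i, rule in enumerate(rules[:-1]):
        if rule.hostname is None and rule.path is None:
            problems.append(f"rule {i} ({rule.service}) is a catch-all but not last: every later rule is dead")
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            # an earlier rule with no path restriction that covers this host shadows this rule
            covers = earlier.hostname is None or (
                later.hostname is not None and host_matches(earlier.hostname, later.hostname))
            if earlier.path is None and covers:
                problems.append(f"rule {j} ({later.service}) is shadowed by an earlier rule")
                break
    return problems


# The rules from this guide's config.yml, in the correct order.
GOOD_RULES = [
    IngressRule(hostname="trackingvpc.yourcorp.internal", service="http://internal-origin:8080"),
    IngressRule(service="http_status:404"),
]

# The classic mistake behind "wrong route gets traffic": the catch-all listed first.
BAD_RULES = [
    IngressRule(service="http_status:404"),
    IngressRule(hostname="trackingvpc.yourcorp.internal", service="http://internal-origin:8080"),
]

# Tighter: forward only the ingestion path and 404 everything else on the hostname.
SCOPED_RULES = [
    IngressRule(hostname="trackingvpc.yourcorp.internal", path=r"^/tracklayer-endpoint(/|$)",
                service="http://internal-origin:8080"),
    IngressRule(service="http_status:404"),
]

ENDPOINT = "https://trackingvpc.yourcorp.internal/tracklayer-endpoint"

if __name__ == "__main__":
    for name, rules in [("good", GOOD_RULES), ("bad", BAD_RULES), ("scoped", SCOPED_RULES)]:
        print(name, route(rules, ENDPOINT), validate(rules))
```

Run it and the "bad" set routes the ingestion URL to `http_status:404` while `validate()` reports the dead hostname rule; the "scoped" set is the shape to prefer for an ingestion endpoint, since a probe to any other path on the hostname never reaches the origin.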
Monitoring
- connector_uptime: Monitor the uptime of `cloudflared` instances to ensure continuous connectivity.
- events_per_second_through_tunnel: Track the volume of events flowing through the tunnel to identify data ingestion bottlenecks or unexpected traffic patterns.
- error_rate: Monitor the error rate reported by `cloudflared` and TrackLayer for the private tunnel source to quickly detect and troubleshoot issues.
- tunnel_latency_p95: Keep an eye on the 95th percentile latency of events traversing the tunnel to ensure performance remains within acceptable limits.
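The following added example (not TrackLayer or Cloudflare code) computes these four signals from a constructed sample of per-event records and applies the two thresholds this guide gives: the health-check alert when nothing has arrived for more than 15 minutes, and the 500 ms p95 latency ceiling from the troubleshooting section. The record layout, the 5% error-rate ceiling and the 5-minute rate window are assumptions made for the example; map them onto whatever your monitoring system actually exposes.

```python
"""Tunnel health signals and the stale-tunnel alert over per-event records.

Added example, not TrackLayer or Cloudflare code. The 15-minute silence threshold
and the 500 ms p95 ceiling come from this guide; the record layout and the other
thresholds are assumptions made for the example.
"""
import json
import math
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(minutes=15)        # "0 events for more than 15 minutes"
LATENCY_P95_CEILING_MS = 500.0             # "Latency > 500ms" troubleshooting entry
ERROR_RATE_CEILING = 0.05                  # assumed for this example
RATE_WINDOW = timedelta(minutes=5)         # assumed window for events_per_second

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample: one JSON object per event, 30 s apart, in the layout a
# TrackLayer-side log of the private-tunnel source is assumed to use here.
SAMPLE_RECORDS = """\
{"ts": "2024-01-01T12:00:00+00:00", "status": 200, "latency_ms": 120}
{"ts": "2024-01-01T12:00:30+00:00", "status": 200, "latency_ms": 95}
{"ts": "2024-01-01T12:01:00+00:00", "status": 200, "latency_ms": 140}
{"ts": "2024-01-01T12:01:30+00:00", "status": 200, "latency_ms": 110}
{"ts": "2024-01-01T12:02:00+00:00", "status": 502, "latency_ms": 700}
{"ts": "2024-01-01T12:02:30+00:00", "status": 200, "latency_ms": 130}
{"ts": "2024-01-01T12:03:00+00:00", "status": 200, "latency_ms": 125}
{"ts": "2024-01-01T12:03:30+00:00", "status": 200, "latency_ms": 115}
{"ts": "2024-01-01T12:04:00+00:00", "status": 200, "latency_ms": 105}
{"ts": "2024-01-01T12:04:30+00:00", "status": 200, "latency_ms": 135}
"""


def parse_records(text):
    """Parse JSON lines into dicts with `ts` converted to an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def tunnel_is_stale(events, now, stale_after=STALE_AFTER):
    """True when no event has arrived within `stale_after` of `now` (connector_uptime proxy)."""
    if not events:
        return True
    return now - max(e["ts"] for e in events) > stale_after


def events_per_second(events, now, window=RATE_WINDOW):
    recent = [e for e in events if now - window <= e["ts"] <= now]
    return len(recent) / window.total_seconds()


def error_rate(events):
    """Share of events the origin answered with a 5xx."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["status"] >= 500) / len(events)


def p95_latency_ms(events):
    """Nearest-rank 95th percentile; on small samples this is the maximum, which is intended."""
    lat = sorted(e["latency_ms"] for e in events)
    if not lat:
        return 0.0
    rank = max(1, math.ceil(0.95 * len(lat)))
    return float(lat[rank - 1])


def evaluate(events, now):
    """Return the four monitoring signals plus the alerts they trigger."""
    stale = tunnel_is_stale(events, now)
    errors = error_rate(events)
    p95 = p95_latency_ms(events)
    alerts = []
    if stale:
        alerts.append(f"connector_uptime: no events for over {STALE_AFTER}; check connector and origin")
    if events and errors > ERROR_RATE_CEILING:
        alerts.append(f"error_rate: {errors:.1%} of events failed at the origin")
    if events and p95 > LATENCY_P95_CEILING_MS:
        alerts.append(f"tunnel_latency_p95: {p95:.0f} ms exceeds {LATENCY_P95_CEILING_MS:.0f} ms")
    return {"stale": stale, "events_per_second": events_per_second(events, now),
            "error_rate": errors, "p95_latency_ms": p95, "alerts": alerts}


if __name__ == "__main__":
    events = parse_records(SAMPLE_RECORDS)
    print(evaluate(events, T0 + timedelta(minutes=5)))    # flowing, but slow and erroring
    print(evaluate(events, T0 + timedelta(minutes=25)))   # silent for 20 min: stale alert
```

With the sample, five minutes after the first event the tunnel is not stale but both the error-rate and p95 alerts fire (one 502 out of ten, and a 700 ms outlier); twenty-five minutes in, the silence alert fires as well. Feed the same functions from your real event log or metrics export and wire the `alerts` list to Slack or email.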
Upgrade path
- When you need to connect more internal services or need advanced routing capabilities within your VPC, consider switching from Cloudflare Tunnel to the WARP Connector for more granular control and a broader set of network features.
- If your entire organization requires a unified, secure access solution for all internal applications and resources, moving from WARP Connector to Magic WAN provides a comprehensive network-as-a-service solution.
- For highly custom requirements, specialized network architectures, or complex compliance needs, contact Cloudflare Sales for a tailored solution that integrates deeply with your existing infrastructure.
Common questions
Is Cloudflare Tunnel free?
Cloudflare Zero Trust offers a free tier that includes Cloudflare Tunnel, which is sufficient for getting started with basic private ingestion setups. Higher usage or advanced features may require a paid plan.
Do I need a public IP for my origin server?
No, that is the primary benefit of Cloudflare Tunnel. Your origin server can sit entirely inside a private network without a public IP address; `cloudflared` makes outbound-only connections to Cloudflare. Note that the public hostname itself remains reachable by anyone through Cloudflare: the tunnel hides the origin, it does not authenticate clients, so the origin still needs its own request authentication.
What if my `cloudflared` instance goes down?
For production environments, it's critical to deploy multiple `cloudflared` instances across different hosts or availability zones. Cloudflare Tunnel provides automatic failover among active `cloudflared` replicas.
Can I use an existing Cloudflare zone?
Yes, you can use an existing Cloudflare DNS zone to configure CNAME records that point to your tunnel. This allows you to manage DNS within your existing Cloudflare setup.
How do I secure the tunnel token?
Treat the tunnel token as a sensitive secret. Store it securely using environment variables, a secrets management service (e.g., Vault, AWS Secrets Manager), or an orchestration secret volume. Never hardcode it or commit it to version control.
Does this affect my website's DNS?
Only the record created for the tunnel is touched: `cloudflared tunnel route dns` adds one proxied CNAME (trackingvpc.yourcorp.internal pointing at `<TUNNEL_UUID>.cfargotunnel.com`) to the zone you choose, and your website's other records are unchanged. The hostname must live in a zone Cloudflare serves, so it is a public DNS name even though the origin it reaches is private.
Related implementation guides
Cloudflare Tunnel documentation: official guide to setting up and managing Cloudflare Tunnels.
Securing `cloudflared` deployments: best practices for hardening your `cloudflared` instances.
TrackLayer Data Sources overview: the data ingestion methods supported by TrackLayer.