AWS
This guide covers how to connect an Amazon Web Services (AWS) virtual machine to Cloudflare using our lightweight connector, cloudflared.
We will deploy:
- An EC2 virtual machine that runs a basic HTTP server.
- A Cloudflare Tunnel that allows users to connect to the service via either a public hostname or a private IP address.
To complete the following procedure, you will need to:
- Add a website to Cloudflare
- Deploy the WARP client on an end-user device
- From the AWS console, go to Compute > EC2 > Instances.
- Select Launch instance.
- Name your VM instance. In this example we will name it http-test-server.
- For Amazon Machine Image (AMI), choose your desired operating system and specifications. For this example, we will use Ubuntu Server 24.04 LTS (HVM), SSD Volume Type.
- For Instance type, you can select t2.micro, which is available on the free tier.
- In Key pair (login), create a new key pair to use for SSH. You will need to download the .pem file onto your local machine.
- In Network settings, select Create security group.
- Turn on the following Security Group rules:
  - Allow SSH traffic from My IP to prevent the instance from being publicly accessible.
  - Allow HTTPS traffic from the internet
  - Allow HTTP traffic from the internet
- Select Launch instance.
- Once the instance is up and running, go to the Instances summary page and copy its Public IPv4 DNS hostname (for example, ec2-44-202-59-16.compute-1.amazonaws.com).
- To log in to the instance over SSH, open a terminal and run the following commands:
    cd Downloads
    chmod 400 "YourKeyPair.pem"
    ssh -i "YourKeyPair.pem" ubuntu@ec2-44-202-59-16.compute-1.amazonaws.com
- Run sudo su to gain full admin rights to the instance.
- For testing purposes, you can deploy a basic Apache web server on port 80:
    $ apt update
    $ apt -y install apache2
    $ cat <<EOF > /var/www/html/index.html
    <html>
    <body>
    <h1>Hello Cloudflare!</h1>
    <p>This page was created for a Cloudflare demo.</p>
    </body>
    </html>
    EOF
- To verify that the Apache server is running, open a browser and go to http://ec2-44-202-59-16.compute-1.amazonaws.com (make sure to connect over http, not https). You should see the Hello Cloudflare! test page.
Next, we will create a Cloudflare Tunnel in Zero Trust and run the tunnel on the AWS instance.
- Log in to Zero Trust and go to Networks > Tunnels.
- Select Create a tunnel.
- Choose Cloudflared for the connector type and select Next.
- Enter a name for your tunnel (for example, aws-tunnel).
- Select Save tunnel.
- Under Choose your environment, select Debian. Copy the command shown in the dashboard and run it on your AWS instance.
- Once the command has finished running, your connector will appear in Zero Trust.
- Select Next.
Public hostname routes allow anyone on the Internet to connect to HTTP resources hosted on your virtual private cloud (VPC). To add a public hostname route for your Cloudflare Tunnel:
- In the Public Hostname tab, enter a hostname for the application (for example, hellocloudflare.<your-domain>.com).
- Under Service, enter http://localhost:80.
- Select Save hostname.
- To test, open a browser and go to http://hellocloudflare.<your-domain>.com. You should see the Hello Cloudflare! test page.
You can optionally create an Access application to control who can access the service.
Private network routes allow users to connect to your virtual private cloud (VPC) using the WARP client. To add a private network route for your Cloudflare Tunnel:
- In the Private Network tab, enter the Private IPv4 address of your AWS instance (for example, 172.31.19.0). You can expand the IP range later if necessary.
- In your Split Tunnel configuration, make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete 172.16.0.0/12. We recommend re-adding the IPs that are not explicitly used by your AWS instance. To determine which IP addresses to re-add, subtract your AWS instance IPs from 172.16.0.0/12. Add the results back to your Split Tunnel Exclude mode list.
- To test on a user device:
  - Log in to the WARP client.
  - Open a terminal window and connect to the service using its private IP:
    $ curl 172.31.19.0
    <html><body><h1>Hello Cloudflare!</h1><p>This page was created for a Cloudflare demo.</p></body></html>
You can optionally create Gateway network policies to control who can access the instance via its private IP.
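The subtraction described in the Split Tunnel step above can be computed with Python's ipaddress module. This is an added example, not Cloudflare's own tooling; the function name split_tunnel_readd is an assumption, and it goes beyond the single-IP case by accepting several IPs or CIDR ranges.

```python
import ipaddress


def split_tunnel_readd(excluded, routed):
    """Return the parts of `excluded` that no network in `routed` covers.

    excluded: the CIDR deleted from the Exclude list (172.16.0.0/12 here).
    routed:   IPs or CIDRs that must keep going through WARP to the tunnel.
    """
    remaining = [ipaddress.ip_network(excluded)]
    for entry in routed:
        route = ipaddress.ip_network(entry)  # a bare IP becomes a /32
        kept = []
        for net in remaining:
            if net.subnet_of(route):
                continue  # entirely routed through the tunnel, drop it
            if route.subnet_of(net):
                # Carve the route out; yields the sibling blocks around it.
                kept.extend(net.address_exclude(route))
            else:
                kept.append(net)  # no overlap, keep unchanged
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    # 172.31.19.0 is the example private IP used in this guide.
    for cidr in split_tunnel_readd("172.16.0.0/12", ["172.31.19.0"]):
        print(cidr)
```

Each printed CIDR is one entry to add back to the Exclude list; routing a wider range (for example the whole VPC CIDR) produces a shorter list.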
To secure your AWS instance, you can configure your Security Group rules to deny all inbound traffic and allow only outbound traffic to the Cloudflare Tunnel IP addresses. All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules.
After configuring your Security Group rules, verify that you can still access the service through Cloudflare Tunnel via its public hostname or private IP. The service should no longer be accessible from outside Cloudflare Tunnel -- for example, if you go to http://ec2-44-202-59-16.compute-1.amazonaws.com the test page should no longer load.
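One way to check the Security Group state described above is to inspect the JSON returned by aws ec2 describe-security-groups. This is an added example, not part of the original guide; the function name inbound_rules, the group ID sg-EXAMPLE and the 203.0.113.10 source address are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# It mirrors the three rules enabled at launch in this guide; the group ID
# and the 203.0.113.10 "My IP" source are placeholders.
AT_LAUNCH = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-EXAMPLE",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
  ]}]}
""")
# Constructed sample of the same group after all inbound rules are deleted.
LOCKED_DOWN = {"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": []}]}

ANYWHERE = {"0.0.0.0/0", "::/0"}


def inbound_rules(doc):
    """List every inbound allow rule as (group, proto, ports, source, public)."""
    found = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
            for src in sources:
                found.append((sg["GroupId"], proto, ports, src, src in ANYWHERE))
    return found


if __name__ == "__main__":
    for name, doc in (("at launch", AT_LAUNCH), ("locked down", LOCKED_DOWN)):
        rules = inbound_rules(doc)
        print(f"{name}: {len(rules)} inbound rule(s)")
        for rule in rules:
            print("  ", rule)
```

An empty result means the instance accepts no inbound connections and is reachable only through the tunnel's outbound connection.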