Cloudflare Tunnel lets you expose applications on your own custom domains through Cloudflare’s network. Unlike preview domains, where Akua manages the domain, here you bring your own Cloudflare account and keep control of Cloudflare-level settings such as access policies, WAF rules, caching, and DNS. Your worker nodes don’t need public IP addresses: an agent (`cloudflared`) on your cluster establishes an outbound connection to Cloudflare’s edge, and Cloudflare routes incoming requests through the tunnel to your apps.
Why use this
- No public IPs needed: `cloudflared` connects outbound from your cluster. No firewall rules, no port forwarding, no exposed nodes.
- Your domain, your Cloudflare account: full control over DNS, caching, access policies, WAF rules, and tunnel settings.
- Cloudflare edge: TLS termination, DDoS protection, and global edge caching come built-in.
- Works anywhere: behind NAT, corporate firewalls, and private networks, as long as the cluster has outbound access to Cloudflare’s edge (by default `cloudflared` connects out on port 7844 over QUIC, falling back to HTTP/2 over TCP).
- Standard routing: uses standard Kubernetes resources, so the same route configuration works whether you’re using Cloudflare Tunnel or another gateway.
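As an added example (not from Akua’s docs or its controller), this is the shape of a standard Gateway API HTTPRoute that binds a custom hostname to an in-cluster Service, which is the kind of resource the controller described on this page watches. The Gateway name `cloudflare`, its namespace `akua-system`, and the Service `web` on port 8080 are assumed names; the page does not state what Akua calls the gateway resource it creates.

```yaml
# Added example, not part of the Akua documentation or project.
# Assumed names: Gateway "cloudflare" in namespace "akua-system",
# Service "web" on port 8080 in namespace "default".
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: web
  namespace: default
spec:
  parentRefs:
    - name: cloudflare        # assumed: the Gateway deployed from the cluster page
      namespace: akua-system  # assumed
  hostnames:
    - app.yourdomain.com      # must be in a zone your DNS: Edit token is scoped to
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: web           # assumed Service name
          port: 8080          # assumed Service port
```

Because the route and the Gateway sit in different namespaces here, the Gateway’s listener must allow routes from the route’s namespace (`allowedRoutes.namespaces`), otherwise the route is not accepted. Check attachment with `kubectl get httproute web -n default -o jsonpath='{.status.parents[*].conditions}'` and look for `Accepted` and `ResolvedRefs` reporting `True`. Once the hostname resolves, the app is reachable by anyone on the internet through Cloudflare’s edge; if it should not be public, attach a Cloudflare Access policy to the hostname in your own account, which this setup leaves under your control.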
How it works
Akua deploys a Gateway API controller to your cluster that bridges Kubernetes routing with Cloudflare Tunnels. When you create a route (either through Akua’s UI or a Helm chart), Akua automatically:
- Creates a Cloudflare Tunnel and deploys the `cloudflared` agent.
- Publishes the tunnel endpoint metadata for the route.
- Updates Akua’s routing records and the required Cloudflare DNS and certificate state for the hostname.
Setup
Deploy a Cloudflare gateway
From your cluster’s detail page, deploy a Cloudflare Tunnel gateway. This installs the Gateway API controller and creates the base gateway resource on your cluster.
Provide your Cloudflare credentials
Add your Cloudflare API token in the Akua dashboard under your cluster’s settings. You’ll need a token with two permissions:
| Permission | Scope | Why |
|---|---|---|
| Cloudflare Tunnel: Edit | Account | Create and manage tunnels |
| DNS: Edit | Zone | Manage DNS and hostname verification state for your domains |
Scope the DNS: Edit permission to the specific zones you will route through Akua rather than to all zones on the account. Akua writes DNS records with this token on your behalf, so it should not be able to touch domains it doesn’t need.
Credentials are stored centrally in Akua, not on your cluster. You can rotate or update your token from the dashboard at any time without touching the cluster.
Expose your app with a custom hostname
For Docker and GitHub apps, go to Settings > Ports, toggle Expose externally, and enter your custom domain (for example, `app.yourdomain.com`). For custom Helm charts, configure the route hostname through the chart’s own values.
The controller detects the new route and publishes the tunnel endpoint. Akua updates the public routing record and Cloudflare state for the hostname.
Compared to preview domains
Both preview domains and Cloudflare Tunnel use Cloudflare’s network to route traffic to your cluster. The difference is who manages the configuration:
| | Preview domains | Cloudflare Tunnel |
|---|---|---|
| Domain | *.cnap.app (auto-generated) | Your own domain |
| Cloudflare account | Akua’s account | Your account |
| DNS | Automatic | Automatic (managed centrally by Akua) |
| TLS | Automatic | Automatic (Cloudflare edge) |
| Tunnel config | Managed by Akua | Managed by Akua with your credentials |
| Cloudflare settings | None (fully managed) | Full control (WAF, caching, access policies) |
Under the hood
Same controller, different credentials. Cloudflare Tunnel and preview domains share the same Gateway API controller on your cluster. The difference is whose Cloudflare account is used. For preview domains, Akua uses its own account. For custom domains, Akua uses the credentials you provide in the dashboard. The controller publishes tunnel endpoint metadata to Akua; Akua then routes to the right Cloudflare account.
Akua acts as a proxy. The controller on your cluster never calls the Cloudflare API directly. Instead, it sends tunnel endpoint updates to Akua’s API, and Akua applies the Cloudflare changes using your stored credentials. This means credential rotation happens in the dashboard, with no cluster access needed. It also gives Akua a complete picture of every tunnel and route across all your clusters, which enables reliable cleanup even if a cluster becomes unreachable.
One tunnel per gateway. Each gateway resource on your cluster maps to one Cloudflare Tunnel. The controller deploys a `cloudflared` agent that connects to Cloudflare using a scoped tunnel token. That tunnel token is the only Cloudflare credential that lives on the cluster: it authorizes running that one tunnel and cannot manage DNS, other tunnels, or anything else in your account. Multiple `cloudflared` replicas can connect to the same tunnel for high availability; Cloudflare load-balances across them automatically.
DNS records are automatic. When Akua sees a custom hostname that should route through a Cloudflare Tunnel, Akua creates or updates the Cloudflare DNS and certificate state from the platform side. The cluster controller does not own per-hostname DNS records; it owns the tunnel endpoint metadata that lets Akua route the hostname to the correct cluster.
Platform-managed public routing. Akua owns the public hostname routing records for preview domains and Akua-managed custom domains. Your cluster remains the source of truth for Kubernetes service routing, while Akua is the source of truth for which public hostname points at which tunnel endpoint.
API
Manage custom domains and Cloudflare credentials programmatically.
Custom domains API
Create, verify, and delete custom domains on a workspace.
Cloudflare credentials API
Register and rotate Cloudflare API credentials.
Related topics
Networking overview
Compare all options for exposing apps.
Preview domains
Instant URLs without DNS setup, managed by Akua.
Direct IP
Route directly to worker node IPs.
Domain routing API
Automate custom domains and hostname management.