Cloudflare Tunnel

Overview

The Cloudflare add-on attaches a Cloudflare Tunnel sidecar container to your app’s default (internet-facing) process. This lets Cloudflare proxy traffic to your application without exposing it directly to the internet — no public IP or open inbound firewall ports required.

Once the tunnel is running, configure your Cloudflare dashboard to route traffic to localhost, and Cloudflare will handle all ingress traffic to your application.

Sidecar Containers

A sidecar container is an additional container that runs alongside your main application container within the same task.

Both containers share the same network namespace and can communicate via localhost. They also share the same lifecycle — they start and stop together.

Cloudflare load balances across all the containers of your app, however many there are.

Purpose and Benefits

  • No Public Inbound Ports: Traffic reaches your app exclusively through the encrypted Cloudflare Tunnel — no inbound security group rules needed
  • Cloudflare Network: Benefit from Cloudflare’s global CDN, DDoS protection, and Web Application Firewall (WAF)
  • Simple Setup: One command attaches the tunnel sidecar; no load balancer or certificate management required
  • Zero-Trust Ready: Combine with Cloudflare Access to gate your application behind identity-aware policies
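To check that the first benefit actually holds for a deployed app, the following added example (not part of Tapitalee's documentation or tooling) audits security-group JSON in the shape returned by `aws ec2 describe-security-groups` and reports every inbound rule, marking those open to the whole internet. The sample data and group IDs are constructed, and it assumes you export the JSON for the security groups attached to the app's task yourself.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example0tunnel", "IpPermissions": []},
  {"GroupId": "sg-0example0legacy", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0example0peer"}]}
  ]}
]}
""")


def audit_inbound(doc):
    """Return (group_id, ports, source, exposure) for every inbound rule.

    A tunnel-only app needs no inbound rules, so each entry is a finding:
    'internet' (a /0 source), 'cidr' (a narrower range) or 'security-group'.
    """
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # IpProtocol "-1" means every protocol and port.
            ports = "all" if proto == "-1" else (
                f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                exposure = "internet" if net.prefixlen == 0 else "cidr"
                findings.append((sg["GroupId"], ports, cidr, exposure))
            for pair in perm.get("UserIdGroupPairs", []):
                findings.append(
                    (sg["GroupId"], ports, pair["GroupId"], "security-group"))
    return findings


if __name__ == "__main__":
    for group_id, ports, source, exposure in audit_inbound(SAMPLE):
        print(f"{group_id}: {ports} from {source} [{exposure}]")
```

Any 'internet' finding means the origin can be reached without passing through Cloudflare, so WAF and Access policies would not apply to that path.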

How It Works

Internet → Cloudflare Edge → Cloudflare Tunnel (sidecar) → localhost (your app)

  1. Tunnel Sidecar: A cloudflared container runs alongside your application container in the same ECS task
  2. Outbound Connection: The sidecar establishes an outbound-only connection to the Cloudflare network using your tunnel_token
  3. Traffic Proxying: Cloudflare routes incoming requests through the tunnel to localhost inside the task
  4. Response: Your application handles the request and responds back through the same tunnel

Setting Up the Tunnel in Cloudflare

  1. Go to Networks → Connectors → Create a tunnel
  2. Choose type Docker, then copy the command line containing --token xxx
  3. Copy that token and create the add-on in Tapitalee with it, either through the command line or the Tapitalee UI

Then add Published Application Routes to the tunnel:

  • Set Public Hostname to your app’s domain name
  • Set Service to localhost

CLI Usage

Create Cloudflare Tunnel

tapit create cloudflare tunnel_token=TOKEN

Required Parameters

Parameter       Description
tunnel_token    Your Cloudflare Tunnel token, obtained from the Cloudflare Zero Trust dashboard

List and Show

# List all addons (including Cloudflare)
tapit list addons

# Show Cloudflare addon details
tapit show addon name=cloudflare

Delete Cloudflare Tunnel

tapit delete addon name=cloudflare