« All posts

Cloudflare routes public traffic to private apps securely

Cloudflare's new Application Services for Private Origins brings WAF, bot management and caching to private origins without exposing public IPs.

Cloudflare has launched Application Services for Private Origins in closed beta for Enterprise customers, letting public traffic reach private applications securely without exposing origins to the internet. WAF, bot management, rate limiting, caching, traffic acceleration and Workers can now protect origins sitting on private IPs, without requiring public IP exposure, firewall exceptions, or cloudflared running on the origin itself.

The feature extends Cloudflare's private networking routing layer—already used for Tunnel, WAN, Mesh and Zero Trust—directly into the application services stack. A new use_private_routing flag on DNS records tells Cloudflare's proxy to reach the destination through existing private connectivity (IPsec, GRE, CNI, or Mesh) instead of the public internet. Private ranges like RFC 1918, CGNAT, and Unique Local IPv6 get this routing enabled automatically.

The model isn't limited to HTTP: Spectrum can now front TCP/UDP services on private IPs via a virtual_network_id parameter, and Workers VPC bindings share the same underlying layer. This gives engineering teams a unified way to secure internal APIs, AI agent backends, MCP servers, and other non-public systems—reducing the operational overhead of maintaining separate networking stacks for public and private traffic.