gRPC
gRPC is a Remote Procedure Call (RPC) framework that allows client applications to call methods on a remote server as if they were running on the same local machine. You can connect gRPC servers and clients to Cloudflare’s global network, making it easier to build applications that use services across different data centers and environments.
Cloudflare Tunnel supports gRPC traffic via private subnet routing. Public hostname deployments are not currently supported.
In this example, we will connect a gRPC server to Cloudflare using the
cloudflared daemon, secure
the server with Gateway policies, and open a gRPC channel to the server using
the Cloudflare WARP client.
-
To set up a gRPC Python application, follow this quick start guide ↗.
-
Start the server:
~/grpc/examples/python/helloworld $ python3 greeter_server.pyWARNING: All log messages before absl::InitializeLog() is called are written to STDERRI0000 00:00:1721770418.373806 3677 config.cc:230] gRPC experiments enabled: call_status_override_on_cancellation, event_engine_dns, event_engine_listener, http2_stats_fix, monitoring_experiment, pick_first_new, trace_record_callops, work_serializer_clears_time_cacheServer started, listening on 50051To establish a secure, outbound-only connection to Cloudflare:
-
Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.
-
In the Private Networks tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP).
By default, WARP excludes traffic bound for RFC 1918 space ↗, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.
-
First, check whether your Split Tunnels mode is set to Exclude or Include mode.
-
If you are using Include mode, add your network’s IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.
-
If you are using Exclude mode:
- Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of
172.31.0.0/16, delete172.16.0.0/12. - Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for
172.16.0.0/13,172.24.0.0/14,172.28.0.0/15, and172.30.0.0/16. This ensures that only traffic to172.31.0.0/16routes through WARP.
- Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of
By tightening the private IP range included in WARP, you reduce the risk of breaking a user’s access to local resources.
You can configure Gateway network policies to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass device posture checks, and the second blocks all other traffic. Make sure that the Allow policy has higher priority.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Destination Port | is | 50051 | And | Allow |
| Destination IP | is | 172.31.0.133 | And | |
| Passed Device Posture Checks | is | macOS firewall (Firewall) | And | |
| Passed Device Posture Checks | is | macOS disk encryption (Disk encryption) |
| Selector | Operator | Value | Action |
|---|---|---|---|
| Destination IP | in | 172.31.0.0/16 | Block |
For more details on setting up the Gateway proxy, refer to Filter network traffic with Gateway.
gRPC clients can connect to the server by installing Cloudflare WARP on the device and enrolling in your Zero Trust organization. When the client makes a request to a private IP exposed through Cloudflare Tunnel, WARP routes the connection through Cloudflare’s network to the corresponding tunnel.
To set up the gRPC client:
- Deploy the WARP client on your device in Gateway with WARP mode.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
- Install gRPC on the device by following this quick start guide ↗.
- Modify
greeter.pyto point to the private IP of your gRPC server. This is the same private IP configured in your Cloudflare Tunnel routes. For example,
def run(): # NOTE(gRPC Python Team): .close() is possible on a channel and should be # used in circumstances in which the with statement does not fit the needs # of the code. print("Will try to greet world ...") with grpc.insecure_channel("172.31.0.133:50051") as channel: stub = helloworld_pb2_grpc.GreeterStub(channel) response = stub.SayHello(helloworld_pb2.HelloRequest(name="you")) print("Greeter client received: " + response.message)- On the client device, ensure that WARP is
Connected. - Run the gRPC client application:
~/grpc/examples/python/helloworld $ python3 greeter_client.pyWill try to greet world ...WARNING: All log messages before absl::InitializeLog() is called are written to STDERRI0000 00:00:1721771484.489711 4414247 config.cc:230] gRPC experiments enabled: call_status_override_on_cancellation, event_engine_dns, event_engine_listener, http2_stats_fix, monitoring_experiment, pick_first_new, trace_record_callops, work_serializer_clears_time_cacheGreeter client received: Hello, you!You can view Tunnel logs to validate that requests are coming into the tunnel and reaching the gRPC server as intended.