
Reach an internal service with a Cloudflare Tunnel

Give your AI employee a secure way to reach an internal service — an ERP or database behind your firewall — through a Cloudflare Tunnel, without exposing anything else.

Cloudflare Tunnel docs

Why we ask for this

Your AI employee runs in an isolated cloud container that, by default, can only reach the public internet — it has no route into your office or private cloud. An ERP or database sitting behind your firewall is invisible to it.

A Cloudflare Tunnel solves this without opening your firewall. The cloudflared agent makes an outbound connection to Cloudflare and exposes only the single service you point it at, behind a stable public hostname. There are no inbound ports to open and nothing else on your network is reachable — only the one service you chose.

This is an alternative to a full VPN like Tailscale: instead of joining your AI employee to your whole private network, you expose exactly one service through one hostname. It is a smaller, more contained surface when you only need to reach a single system. The hostname is held as an encrypted secret and you can tear down the tunnel from cloudflared or the Cloudflare dashboard at any time to cut access instantly.

How to create the tunnel

  1. Install cloudflared on a machine that can already reach the internal service (the same network as your ERP or database).
  2. Authenticate it with your Cloudflare account by running "cloudflared tunnel login".
  3. Create a tunnel with "cloudflared tunnel create <name>" — this generates a tunnel ID and credentials file.
  4. Route the tunnel to your internal service, for example by mapping a hostname to its local address (such as http://localhost:3000 or a private IP and port).
  5. Run the tunnel so it stays connected, then copy the public hostname Cloudflare assigns (for example https://erp.your-tunnel.cfargotunnel.com, or a custom hostname on your domain).
  6. Paste that public hostname into this field so your AI employee can reach the service through it.
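
The script below is an added example, not part of the original help page or Cloudflare's own tooling. It writes a cloudflared config that maps one hostname to one local service, checks that nothing else is published, and then routes and runs the tunnel. It assumes a custom hostname on your own domain; TUNNEL_ID, erp.example.com, erp-tunnel and http://localhost:3000 are placeholders.

```shell
#!/bin/sh
# Added example. TUNNEL_ID, erp.example.com and http://localhost:3000 are
# placeholders (assumptions); use the values from your own setup.

# Write a cloudflared config that publishes exactly one origin service.
write_config() {  # write_config <file> <tunnel-id> <hostname> <service-url>
  cat > "$1" <<EOF
tunnel: $2
credentials-file: $HOME/.cloudflared/$2.json
ingress:
  - hostname: $3
    service: $4
  - service: http_status:404
EOF
}

# Pass only if the config has one non-wildcard hostname, one origin, and a
# final http_status:404 catch-all so requests for any other name go nowhere.
check_single_service() {  # check_single_service <file>
  hosts=$(grep -c 'hostname:' "$1" || true)
  services=$(grep -c 'service:' "$1" || true)
  last=$(grep 'service:' "$1" | tail -n 1)
  if [ "$hosts" -ne 1 ] || [ "$services" -ne 2 ]; then
    echo "want 1 hostname and 2 service lines, got $hosts and $services" >&2
    return 1
  fi
  if grep 'hostname:' "$1" | grep -q '\*'; then
    echo "wildcard hostname publishes more than one name" >&2
    return 1
  fi
  case "$last" in
    *"- service: http_status:404") return 0 ;;
    *) echo "last rule must be '- service: http_status:404'" >&2; return 1 ;;
  esac
}

# Steps 4 and 5, after "cloudflared tunnel login" and "cloudflared tunnel
# create <name>" have printed the tunnel ID you pass in as the second argument.
route_and_run() {  # route_and_run <name> <tunnel-id> <hostname> <service-url>
  cfg="$HOME/.cloudflared/config.yml"
  write_config "$cfg" "$2" "$3" "$4"
  check_single_service "$cfg" || return 1
  cloudflared tunnel --config "$cfg" ingress validate || return 1
  cloudflared tunnel route dns "$1" "$3" || return 1
  cloudflared tunnel --config "$cfg" run "$1"
}
# Usage: route_and_run erp-tunnel TUNNEL_ID erp.example.com http://localhost:3000
```

The check is deliberately strict: a config whose final rule forwards to a real service instead of returning 404 would answer for every hostname routed to the tunnel, so it is rejected before the tunnel starts.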

Tunnel vs VPN

A VPN (such as Tailscale) connects your AI employee to your entire private network, which is convenient when it needs to reach many internal machines. A Cloudflare Tunnel does the opposite — it exposes just one service through one public hostname, and leaves everything else unreachable.

Choose the tunnel when you only need to reach a single system, such as one ERP or one database, and prefer to keep the rest of your network completely closed off.
