Using a Cloudflare Argo Tunnel with load balancing

A Cloudflare Argo Tunnel establishes outbound connections from the Liquid Web infrastructure to Cloudflare data centers. Data can safely pass across these encrypted tunnels from the origin server to Cloudflare's edge nodes, enhancing the application's security and speed while shielding the infrastructure from direct internet exposure.

When configured properly, a Cloudflare Argo Tunnel service creates a secure link between Cloudflare's global network and our Liquid Web on-premises infrastructure, data centers, and CDN system, thus extending the security, DDoS protection, and CDN services to the origin servers.

Main takeaways presented in this article

As we begin to explore the ins and outs of Cloudflare Argo Tunnels, here are the main takeaways the reader will gain from the content provided in this post:

  • Knowing more about the benefits of a Cloudflare Argo Tunnel and load balancing on their own merits before we combine the two solutions
  • The specifics of integrating a load balancing solution with a Cloudflare Argo Tunnel
  • Understanding how the Argo Smart Routing functionality works
  • Use case — implementing a Cloudflare Argo Tunnel with load balancing for a WordPress website
  • Monitoring a Cloudflare Argo Tunnel with load balancing solution
  • How to update a Cloudflare Argo Tunnel with load balancing solution
  • How to uninstall a Cloudflare Argo Tunnel with load balancing solution

What is a Cloudflare Argo Tunnel?

The Cloudflare Argo Tunnel helps you securely connect your resources to Cloudflare without a publicly routable IP address. With a tunnel, traffic is not sent to an external IP. Instead, a small daemon in your infrastructure called "Cloudflared" establishes outbound-only connections to Cloudflare's extensive global network. SSH servers, HTTP web servers, remote desktops, and other protocols can all be securely connected via a Cloudflare Argo Tunnel. In this manner, your origin server won't be exposed to attacks that bypass Cloudflare.

Benefits of a Cloudflare Argo Tunnel

Cloudflare protects your origin servers by proxying requests for your DNS records through its anycast network to your origin's external IP addresses. However, if attackers find those IP addresses, they may bypass Cloudflare protection by connecting to them directly. When using a Cloudflare Argo Tunnel, you can securely connect your origin to Cloudflare without an external IP address.

You don't send traffic to an external IP when using Cloudflare Argo Tunnel. Instead, a small daemon operates within your infrastructure to establish connections to Cloudflare's edge that are solely outbound. The Cloudflare Argo Tunnel allows you to easily implement infrastructure under a Zero Trust structure by making sure that Cloudflare's security checks are applied to every request made to your resources.

Earlier, a DNS record in your account matched your Cloudflare Argo Tunnel connection. Once requests to that hostname have passed through Cloudflare's network, their edge forwards them to the origin via the Cloudflare Argo Tunnel. There's no need to open holes in your infrastructure's firewall because these connections are outbound only. Attacks that circumvent Cloudflare won't affect your origins' ability to deliver traffic.

When establishing a tunnel connection, you can use the Cloudflare dashboard to point DNS records for any hostname in your account or load balancer pools. Additionally, you can use Cloudflare Argo Tunnel connections without storing service tokens and certificates on your servers.
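To confirm that an origin really is reachable only through the tunnel, the listening sockets on the server can be audited. The following is an added example, not code from the original article: the function name is hypothetical, ports 80, 443 and 8000 are the ones this article mentions, and the two `ss` listings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the article. Lists TCP listeners on the given ports
# that are bound to a non-loopback address, i.e. reachable without the tunnel.
# Live use on the origin:  ss -Hltn | exposed_listeners 80 443 8000

# exposed_listeners PORT...   (output of "ss -Hltn" on stdin)
# Prints each exposed local address. Exit 0 = none found, 1 = at least one.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                        # Local Address:Port column
            port = addr; sub(/.*:/, "", port)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            sub(/%.*/, "", host)             # drop scope suffix such as %lo
            if (!(port in want)) next
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample: web server still bound to every interface.
sample_ss_before() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 511  0.0.0.0:443       0.0.0.0:*
LISTEN 0 511  [::]:80           [::]:*
LISTEN 0 511  127.0.0.1:8000    0.0.0.0:*
EOF
}

# Constructed sample: only the tunnelled service remains, on loopback.
sample_ss_after() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 511  127.0.0.1:8000    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
EOF
}

sample_ss_before | exposed_listeners 80 443 8000 || echo "exposed listeners found"
sample_ss_after | exposed_listeners 80 443 8000 && echo "web ports reachable only via loopback"
```

Any address the function prints can be reached without passing through Cloudflare, which is the bypass this section describes.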

What is load balancing?

The process of effectively dividing incoming network traffic among a collection of backend servers — also referred to as a server farm or server pool — is called load balancing. Millions of users must be processed concurrently by modern apps, and each user must receive accurate text, videos, photographs, and other data quickly and reliably.


Most apps have many resource servers with duplicate data to accommodate such vast traffic. A load balancer will be positioned between the user and the server group to guarantee that all resource servers are used equally. It functions as an invisible facilitator.

Benefits of load balancing

The load balancer efficiently routes and manages internet traffic between application servers and their users. It consequently enhances an application's performance, security, scalability, and availability. The main benefits include those described in the following sections.

Application stability

Applications may experience increased downtime due to server issues or maintenance, rendering them inaccessible to users. By rerouting client traffic to available servers and automatically identifying server issues, load balancers improve the fault tolerance of your systems. Thus, load balancers help to manage and upgrade application servers without causing any application outages.

Security

Your internet applications will benefit from an additional layer of protection thanks to the built-in security capabilities of load balancers. When an attacker overwhelms an application server with millions of simultaneous requests, causing server failure, load balancers act as a helpful weapon for combating distributed denial of service attacks.

Load balancers help monitor and block suspicious content and automatically reroute attack traffic to several backend servers, thus reducing impact. They also direct traffic through an array of network firewalls, providing extra security.

Scalability

Load balancers are valuable for effectively distributing network traffic among several servers. Load balancing allows your apps to process thousands of client requests since it avoids traffic snarls at any particular server. It also predicts application traffic to allow for the addition or removal of servers as needed and increases system redundancy to enable confident scaling.

Performance

Load balancers enhance application performance by speeding up application response times and reducing network latency. They carry out several vital duties, including evenly distributing the load among servers to enhance the performance of your application.

Integrating a load balancing solution with a Cloudflare Argo Tunnel

You can expose your web server to the internet using a Cloudflare Argo Tunnel without setting up dedicated routes or opening routes in your firewall. One Cloudflare Argo Tunnel may be sufficient if you operate an essential service as a proof of concept or for local development. On the other hand, you nearly always want numerous instances of your service running on different servers, availability zones, or even other countries for real-world deployments.

You may now transparently balance traffic between as many Cloudflare Argo Tunnel instances as you want to deploy using Cloudflare's distributed load-balancing feature. When paired with geo-routing capabilities, this increases global performance and failure tolerance.

When a tunnel is created, Cloudflare uses the tunnel's UUID to create a cfargotunnel.com subdomain. In the Cloudflare dashboard, you may manage <UUID>.cfargotunnel.com as an origin target. Unlike publicly routable IP addresses, the subdomain will only proxy traffic for a DNS record or load balancer pool within the same Cloudflare account. If someone finds your subdomain UUID and sets up a DNS record in another account or system, it cannot be used to proxy traffic to your origin.

We can integrate a Cloudflare Argo Tunnel straight from Cloudflare into an already-existing load balancer pool using the following command:

cloudflared tunnel route lb <tunnel name/uuid> <hostname> <load balancer pool>

Regarding the values above, here is what they represent:

  • <tunnel name/uuid> — the tunnel's name or UUID.
  • <hostname> — the load balancer's DNS hostname, like lb.example.com.
  • <load balancer pool> — the pool that operates as the tunnel subdomain.

This command creates a load balancer DNS record that points the given hostname to the <UUID>.cfargotunnel.com subdomain of your tunnel. Traffic will flow only once the tunnel is operational. The cert.pem file must be installed on your computer to use Cloudflared to build DNS records.

Understanding how Argo Smart Routing works

Argo Smart Routing provides the most effective traffic routing network path while also detecting real-time network problems. A global network of servers processes the content request made by a user when they attempt to visit your website. Based on real-time knowledge about network conditions, such as latency or congestion, Argo Smart Routing determines the best path for that request.

Argo Smart Routing uses sophisticated algorithms to determine the shortest and most effective path while accounting for variables like user location, traffic, and server accessibility. Users far from your origin server will likely see these benefits.

The steps to enable Argo Smart Routing are as follows:

  1. Access your Cloudflare Dashboard using your credentials.
  2. Select your domain and account.
  3. Navigate to the Traffic > Argo Smart Routing area.
  4. Set the toggle for Argo Smart Routing to On.
  5. Next, supply your billing details:
       • Enter your billing details if you don't already have a billing profile.
       • Verify your billing details if you have a billing profile.

WordPress website implementation — reviewing a use case for a Cloudflare Argo Tunnel with load balancing

Let's review an example WordPress-focused implementation of a Cloudflare Argo Tunnel and the details involved in the next sections.

Prerequisites

Here are the prerequisites to have established:

Access your Liquid Web server

You may access your enterprise server and install WordPress on your domain. Make sure ports 22, 443, and 80 are open. Create a new user and enable SSH access for the user.

Update your system

Update your system as necessary prior to proceeding with the installation. This is a best practice that should occur before the installation of any major software on your server.

Install all software components for the Cloudflare Argo Tunnel with load balancing solution

Connect your domain to the server using Cloudflare DNS, install the SSL certificate, and enable strict encryption. Now, install and configure the Cloudflared package:

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -O /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflared
cloudflared update

After the installation, you can get a certificate in Cloudflared by using the tunnel login command:

/usr/local/bin/cloudflared tunnel login

Next, add the Cloudflare Argo Tunnel via the Cloudflare Dashboard using the following steps:

  1. Log in to your Cloudflare account using the Cloudflare Dashboard login page.
  2. Navigate to Tunnels under Networks.
  3. Click Create a Tunnel.
  4. After selecting Cloudflared as the connectivity type, click Next.
  5. Give your tunnel a name. It is helpful to use a name that reflects the kind of resources you wish to connect to.
  6. Click Save Tunnel.
  7. The next step is to install and launch Cloudflared. To accomplish this, ensure the environment selected under the Choose an Environment option matches your machine's operating system. Then, copy the command from the box and paste it into a terminal window.
  8. Execute the command.
  9. Following the completion of the command, your connector will appear in the Zero Trust area.
  10. Choose the Next option to finish the installation process.

Test all software components for the Cloudflare Argo Tunnel with load balancing solution

To link to your WordPress application through your tunnel, follow these steps:

  1. Select a domain and provide any path or subdomain information required on the Public Hostnames tab.
  2. Name the service you want to use, such as https://localhost:8000.
  3. Enter additional parameters to add to your tunnel configuration in the Additional Application Settings area.
  4. Click Save Tunnel.
  5. You will be taken to the Tunnels page after saving the tunnel. Check that your new tunnel and its active connector are listed as expected.

After configuring Cloudflare tunnels and their corresponding virtual networks (VNets), you can specify the VNets for every origin when creating or editing a pool. By doing this, Cloudflare load balancers can safely access the private IP origins through the appropriate tunnel.

Create the load balancing monitor based on your requirements. Establish the origin pool with your private origin IP addresses and associated virtual networks specified. As you create the load balancer, include the load-balancing method you want to use together with the pool and monitor that you specified earlier.

We can check if the Cloudflare Argo Tunnel is running by using the following command:

sudo ps -aux | grep tunnel

How to monitor the Cloudflare Argo Tunnel with load balancing solution

There are various ways to monitor a Cloudflare Argo Tunnel. See the next three sections for more details.

Tunnel logs

Every interaction between a Cloudflared instance and Cloudflare's global network, and any correspondence between Cloudflared and your origin server, is captured in tunnel logs. You can use these logs to look into performance or connectivity problems while using a Cloudflare Argo Tunnel. You can stream real-time logs from any client computer or set up your server to retain persistent logs.

When the tunnel is launched, you can activate logging:

cloudflared tunnel --loglevel debug run <UUID>

Tunnel notifications

Administrators can be notified when the deployment, health, or status of Cloudflare Argo Tunnels in an account changes. Email, webhooks, and third-party services are available methods for notifying recipients. You may set up tunnel notifications using the Cloudflare Dashboard.

Tunnel metrics

The throughput and resource consumption of a Cloudflare Argo Tunnel are displayed using tunnel metrics. When a tunnel is being operated, Cloudflared can be configured to spin up an HTTP server that delivers metrics in Prometheus format. After that, metrics data from the Cloudflared server can be scraped using the Prometheus tools on a remote computer.
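One way to act on these metrics, shown as an added example rather than code from the original article or from Cloudflare: the function below reads a Prometheus scrape and reports whether the tunnel has enough edge connections and an acceptable origin error rate. The metric names, the thresholds and the 127.0.0.1:2000 metrics address are assumptions, and both scrapes are constructed samples.

```shell
#!/bin/sh
# Added example, not from the article. Assumed metric names (confirm them in
# your own /metrics output): cloudflared_tunnel_ha_connections,
# cloudflared_tunnel_total_requests, cloudflared_tunnel_request_errors.
# Live use, assuming cloudflared runs with --metrics 127.0.0.1:2000 (loopback
# only, so the endpoint is not exposed to the network):
#   curl -s http://127.0.0.1:2000/metrics | tunnel_health 2 5

# tunnel_health MIN_CONNS MAX_ERR_PCT   (Prometheus text format on stdin)
# Prints one status line. Exit 0 = healthy, 1 = degraded, 2 = no tunnel data.
tunnel_health() {
    awk -v min="$1" -v maxerr="$2" '
        /^#/ || NF < 2 { next }              # skip HELP/TYPE comments and blanks
        {
            name = $0
            sub(/[{ ].*/, "", name)          # metric name without labels/value
            val[name] += $NF                 # sum series that differ by label
            seen[name] = 1
        }
        END {
            c = "cloudflared_tunnel_ha_connections"
            t = "cloudflared_tunnel_total_requests"
            e = "cloudflared_tunnel_request_errors"
            if (!seen[c]) { print "UNKNOWN no tunnel metrics in scrape"; exit 2 }
            pct = (val[t] > 0) ? 100 * val[e] / val[t] : 0
            bad = (val[c] < min || pct > maxerr) ? 1 : 0
            status = bad ? "DEGRADED" : "OK"
            printf "%s conns=%d err_pct=%.1f\n", status, val[c], pct
            exit bad
        }'
}

# Constructed sample scrapes (not real output).
sample_healthy() {
    cat <<'EOF'
# TYPE cloudflared_tunnel_ha_connections gauge
cloudflared_tunnel_ha_connections 4
cloudflared_tunnel_total_requests 2000
cloudflared_tunnel_request_errors 10
EOF
}
sample_degraded() {
    cat <<'EOF'
cloudflared_tunnel_ha_connections 1
cloudflared_tunnel_total_requests 800
cloudflared_tunnel_request_errors 100
EOF
}

sample_healthy | tunnel_health 2 5
sample_degraded | tunnel_health 2 5 || echo "exit status $? (degraded)"
```

The same check is useful during an upgrade, when the new Cloudflared instance is promoted in the load balancer pool and needs watching before the old one is removed.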

How to update the Cloudflare Argo Tunnel with load balancing solution

By integrating Cloudflare's load balancing solution with your Cloudflare Argo Tunnel setup, you can upgrade Cloudflared without experiencing any downtime:

  1. Create a new tunnel and install a fresh instance of Cloudflared.
  2. Set up the instance so that traffic is sent to the same locally accessible service as your Cloudflared instance that is currently running.
  3. As Priority 2, add the address of the newly created Cloudflared instance to your load balancer pool.
  4. Change the Priority such that the new instance is given Priority 1, then keep an eye on it to make sure traffic is getting through.
  5. After verification, you can eliminate the previous version from the pool of load balancers.

How to uninstall the Cloudflare Argo Tunnel with load balancing solution

Tunnels with the specified names or Universally Unique Identifiers (UUIDs) can be deleted using the cloudflared tunnel delete command. A tunnel that still has open connections cannot be deleted. To delete the tunnel anyway, use the -f flag:

cloudflared tunnel delete -f <TUNNEL>

Wrapping up

When configuring Cloudflare load balancing, traffic can be distributed among multiple origin servers or data centers. Therefore, we can use load balancing along with a Cloudflare Argo Tunnel to ensure incoming traffic is distributed fairly among the application's healthy instances. If any origin servers go down, load balancing can automatically divert traffic to the healthy origin servers.

Cloudflare's global network is built for speed and reliability. When we employ a Cloudflare Argo Tunnel with load balancing, the traffic benefits from Cloudflare's network optimization, which could result in faster application response times for consumers. You can sign up for our Virtual Private Server (VPS) hosting plan at Liquid Web and start configuring your tunnel.


About the Author: Sapta Upendran

Sapta is a passionate Linux system engineer, a voracious reader, a dexterous cook, and a wanderlust. She is also interested in technical and non-technical writing.
