Virtual networks
Feature availability
| WARP modes | Zero Trust plans |
|---|---|
| | All plans |

| System | Availability |
|---|---|
| Windows | ✅ |
| macOS | ✅ |
| Linux | ✅ |
| iOS | ✅ |
| Android | ✅ |
| ChromeOS | ✅ |
10.128.0.1/32 staging and 10.128.0.1/32 production. These virtual networks will appear as user-selectable options within the WARP client GUI.
Use cases
Here are a few scenarios where virtual networks may prove useful:
- Manage production and staging environments that use the same address space.
- Manage acquisitions or mergers between organizations that use the same address space.
- Allow IT professional services to access their customer’s network for various administration and management purposes.
- Allow developers or homelab users to deterministically route traffic through their home network to enforce additional security controls.
- Guarantee additional segmentation (beyond just policy enforcement) between networks and resources for security reasons, while keeping all configuration within a single Cloudflare account.
Prerequisites
- Install cloudflared on each private network.
- Deploy the WARP client on user devices.
Create a virtual network
The following example demonstrates how to add two overlapping IP routes to Cloudflare (10.128.0.1/32 staging and 10.128.0.1/32 production).
To route overlapping IPs over virtual networks:
1. First, create two unique virtual networks:
   a. In Zero Trust, go to Settings > WARP Client.
   b. Find the Virtual networks setting and select Manage.
   c. Select Create virtual network.
   d. Name your virtual network staging-vnet and select Save.
   e. Repeat Steps 1a-1d to create another virtual network called production-vnet.
2. Next, create a Cloudflare Tunnel for each private network:
   a. Go to Networks > Tunnels.
   b. Select Create a tunnel.
   c. Name your tunnel Staging tunnel and select Save tunnel.
   d. Install the connector within your staging environment.
   e. In the Private Network tab, add 10.128.0.1/32.
   f. Select Additional settings. Under Virtual networks, select staging-vnet.
   g. Save the tunnel.
   h. Repeat Steps 2a-2g to create another tunnel called Production tunnel. Be sure to install the connector within your production environment and assign the route to production-vnet.
We now have two overlapping IP addresses routed over staging-vnet and production-vnet respectively. You can use the Cloudflare WARP client to switch between virtual networks.
To route overlapping IPs over virtual networks:
1. Create a tunnel for each private network:
   a. Within your staging environment, authenticate cloudflared:
      $ cloudflared login
   b. Create a tunnel to connect your staging network to Cloudflare.
      $ cloudflared tunnel create staging-tunnel
   c. Within your production environment, authenticate cloudflared:
      $ cloudflared login
   d. Create a tunnel to connect your production network to Cloudflare.
      $ cloudflared tunnel create production-tunnel
The following steps may be executed from any cloudflared instance.
2. Create two unique virtual networks.
   $ cloudflared tunnel vnet add staging-vnet
   $ cloudflared tunnel vnet add production-vnet
3. Before moving on, run the following command to verify that your newly created virtual networks are listed correctly:
   $ cloudflared tunnel vnet list
4. Configure your tunnels with the IP/CIDR range of your private networks, and assign the tunnels to their respective virtual networks.
   $ cloudflared tunnel route ip add --vnet staging-vnet 10.128.0.3/32 staging-tunnel
   $ cloudflared tunnel route ip add --vnet production-vnet 10.128.0.3/32 production-tunnel
5. Verify that the IP routes are listed correctly:
   $ cloudflared tunnel route ip list
   We now have two overlapping IP addresses routed over staging-vnet and production-vnet respectively.
6. Within your staging environment, create a configuration file for staging-tunnel. The configuration file will be structured as follows:
   tunnel: <Tunnel-UUID>
   credentials-file: /root/.cloudflared/credentials-file.json
   warp-routing:
     enabled: true
7. Run your tunnel.
   $ cloudflared tunnel run staging-tunnel
8. Within your production environment, repeat Steps 6 and 7 for production-tunnel.
You can now use the Cloudflare WARP client to switch between virtual networks.
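The following Python example is added here and is not Cloudflare's code: it audits a route inventory for the situation this procedure creates, separating overlapping routes that are kept apart by virtual networks from overlapping routes that share one, and listing which virtual networks can reach a given address. The inventory rows are constructed sample data in an assumed (CIDR, virtual network, tunnel) form, not cloudflared output; legacy-tunnel and the 10.128.0.0/24 and 192.168.10.0/24 routes are hypothetical.

```python
import ipaddress

# Constructed inventory (assumed format, not cloudflared output):
# (CIDR, virtual network, tunnel)
SAMPLE_ROUTES = [
    ("10.128.0.3/32", "staging-vnet", "staging-tunnel"),
    ("10.128.0.3/32", "production-vnet", "production-tunnel"),
    ("10.128.0.0/24", "production-vnet", "legacy-tunnel"),   # hypothetical route
    ("192.168.10.0/24", "staging-vnet", "staging-tunnel"),   # hypothetical route
]


def audit_routes(routes):
    """Return (same_vnet, cross_vnet) lists of overlapping route pairs.

    cross_vnet: overlaps separated by virtual networks; the destination
                depends on the virtual network selected in the WARP client.
    same_vnet:  overlaps inside one virtual network, which the virtual
                network itself does not separate; flag these for review.
    """
    parsed = [(ipaddress.ip_network(c, strict=True), v, t) for c, v, t in routes]
    same_vnet, cross_vnet = [], []
    for i, (net_a, vnet_a, tun_a) in enumerate(parsed):
        for net_b, vnet_b, tun_b in parsed[i + 1:]:
            # IPv4 and IPv6 routes never overlap each other.
            if net_a.version != net_b.version or not net_a.overlaps(net_b):
                continue
            pair = ((str(net_a), vnet_a, tun_a), (str(net_b), vnet_b, tun_b))
            (same_vnet if vnet_a == vnet_b else cross_vnet).append(pair)
    return same_vnet, cross_vnet


def vnets_covering(routes, address):
    """Sorted names of every virtual network with a route covering address."""
    ip = ipaddress.ip_address(address)
    return sorted({v for c, v, _ in routes if ip in ipaddress.ip_network(c)})


if __name__ == "__main__":
    same, cross = audit_routes(SAMPLE_ROUTES)
    for a, b in cross:
        print("separated by vnet:", a, "<->", b)
    for a, b in same:
        print("REVIEW, same vnet:", a, "<->", b)
    print("10.128.0.3 reachable via:", vnets_covering(SAMPLE_ROUTES, "10.128.0.3"))
```
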
Delete a virtual network
To delete a virtual network:
1. In Zero Trust, go to Networks > Tunnels and ensure that no IP routes are assigned to the virtual network you are trying to delete. If your virtual network is in use, delete the route or reassign it to a different virtual network.
2. Next, go to Settings > WARP Client.
3. Find the Virtual networks setting and select Manage.
4. Select the three-dot menu for your virtual network and select Delete.
You can optionally delete the tunnel associated with your virtual network.
To delete a virtual network:
1. Delete all IP routes in the virtual network. For example:
   $ cloudflared tunnel route ip delete --vnet staging-vnet 10.128.0.3/32
2. (Optional) Delete the tunnel associated with the virtual network.
   $ cloudflared tunnel delete staging-tunnel
3. Delete the virtual network.
   $ cloudflared tunnel vnet delete staging-vnet
You can verify that the virtual network was successfully deleted by typing cloudflared tunnel vnet list.
Connect to a virtual network
Windows, macOS, and Linux
- Open the WARP client.
- Go to Settings > Gateway with WARP > Virtual Networks.
- Choose the virtual network you want to connect to, for example staging-vnet.
When you visit 10.128.0.3/32, WARP will route your request to the staging environment.
iOS, Android, and ChromeOS
- Launch the Cloudflare One Agent app.
- Go to Advanced > Connection options > Virtual networks.
- Choose the virtual network you want to connect to, for example staging-vnet.
When you visit 10.128.0.3/32, WARP will route your request to the staging environment.