---
title: Tunnel
url: https://www.tines.com/docs/admin/tunnel/
updated: 2026-04-08T19:50:31+00:00
---

# Tunnel

> **NOTE:** Not seeing this feature? Talk to your tenant admin or [reach out to the Tines team](https://www.tines.com/contact-support/) to learn more.

## Tunnel Setup

The Tunnel feature of Tines provides a secure way to access systems running on your private networks from the Tines cloud environment. Tunnel is deployed as a container service.

To enable the Tunnel feature, contact [Tines support](mailto:support@tines.com). Once enabled, visit `https://<tenant-domain>/admin/tunnel` to obtain the information needed for deploying the container.

> **Note:** Tines Tunnel is not supported for self-hosted deployments.

## Deploying a Tunnel

| Container requirements | Value | Notes |
| --- | --- | --- |
| Image | tines/tines-tunnel | |
| Container count | 1 | |
| RAM | 2 GB | per container |
| Disk | 2 GB | per container |
| Architecture | x86_64 | |
| Logging | Log rotation considered. | Tines containers write logs to STDOUT/STDERR by default, so customers should capture and rotate these logs to mitigate disk storage and performance issues. |

The Tunnel container can be run with Docker. You can test your tunnel setup using `docker run`, as shown first below, but we recommend managing the deployment with `docker compose` or a similar orchestration tool. An example `docker compose` configuration follows.

```bash
docker run \
  --name tines-tunnel \
  --env TINES_TUNNEL_SECRET="secret" \
  tines/tines-tunnel:latest
```

First, create the `docker-compose.yml`:

```yaml
version: '3.9'

services:
  tines_tunnel:
    image: tines/tines-tunnel:latest  # Make sure to use the correct image name and tag
    ports:
      - "9000:9000"  # This maps the container's port 9000 to the host's port 9000
    environment:
      TUNNEL_METRICS_PORT: "9000"
      TINES_TUNNEL_SECRET: "secret"
    deploy:
      mode: replicated
      replicas: 1
    
```

> **NOTE:** Port 9000 is not required; it is used for [health check metrics](https://www.tines.com/docs/admin/tunnel/health-check-metrics/).

Next, run the container using the following command:

```bash
docker-compose up -d
```

The Tunnel service will utilize the routing and DNS services of the host it is deployed to.

**Using Docker compose secrets:**

Tines Tunnel also supports the use of Docker secrets to store the Tines Tunnel secret.
First, save the `TINES_TUNNEL_SECRET` value in a file:

```bash
echo "your tunnel secret" > tines_tunnel_secret.txt 
```

Then, set up your `docker-compose.yml` like so:

```yaml
version: "3.9"

services:
  tines_tunnel:
    image: tines/tines-tunnel:latest # Make sure to use the correct image name and tag
    ports:
      - "9000:9000"  # This maps the container's port 9000 to the host's port 9000
    secrets:
      - TINES_TUNNEL_SECRET
    environment:
      TUNNEL_METRICS_PORT: "9000"
    deploy:
      mode: replicated
      replicas: 1

secrets:
  TINES_TUNNEL_SECRET:
    file: "./tines_tunnel_secret.txt"
```

**Configuration for High Availability:**

In addition to the health check configuration via docker compose, you can configure a second instance of tines-tunnel on another server, using the same secret and the same `docker-compose.yml`. **The steps for this are the same as above.**

If you want to distribute traffic between the separate server tunnels, you can set up a load balancer (e.g., Nginx, HAProxy) in front of these servers.

### Ensuring Tines Tunnel Container Starts After Server Restart

To ensure the Tines Tunnel container automatically starts after a server or service restart, follow the recommendations below for your deployment method.

**Docker**

```bash
docker run --restart unless-stopped \
  --name tines-tunnel \
  --env TINES_TUNNEL_SECRET="secret" \
  tines/tines-tunnel:latest
```

**Docker compose**

Add the `restart` key to your service definition in `docker-compose.yml`:

```yaml
version: '3.9'
services:
  tines_tunnel:
    image: tines/tines-tunnel:latest
    ports:
      - "9000:9000"
    environment:
      TUNNEL_METRICS_PORT: "9000"
      TINES_TUNNEL_SECRET: "secret"
    restart: unless-stopped
```
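
The compose fragments above can be combined into one file. The following is an added example, not a configuration published by Tines: it takes the secret from a file instead of `environment`, keeps the restart policy, and adds the log rotation that the container requirements call for. The loopback binding of the metrics port and the `max-size` / `max-file` values are assumptions to adjust for your environment.

```yaml
# Added example (not from the Tines docs): secrets file + restart policy +
# log rotation in a single docker-compose.yml.
version: "3.9"

services:
  tines_tunnel:
    # The page uses :latest; pinning a tag you have tested is an option
    # (assumption, not Tines guidance).
    image: tines/tines-tunnel:latest
    ports:
      # Assumption: metrics are scraped from this host only, so publish the
      # port on loopback rather than on every interface. Drop the mapping
      # entirely if you do not use the health check metrics.
      - "127.0.0.1:9000:9000"
    environment:
      TUNNEL_METRICS_PORT: "9000"
      # TINES_TUNNEL_SECRET is deliberately absent: values set under
      # `environment` are readable in the compose file and `docker inspect`.
    secrets:
      - TINES_TUNNEL_SECRET
    restart: unless-stopped
    logging:
      # The container logs to STDOUT/STDERR; cap what Docker keeps on disk.
      driver: json-file
      options:
        max-size: "10m"  # assumed size per log file
        max-file: "5"    # assumed number of rotated files to keep

secrets:
  TINES_TUNNEL_SECRET:
    file: "./tines_tunnel_secret.txt"  # keep this file out of version control
```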

## Using a Tunnel

HTTP requests can be sent through the Tunnel by using the *"Use tunnel"* parameter in the configuration of an HTTP Request Action.

> **NOTE:** Tunnels don't currently work with NTLM authentication.

![](https://www.datocms-assets.com/55802/1759147646-tunnel.png)

AI traffic can also be sent through the Tunnel by using the *"Use tunnel"* parameter when configuring a custom AI provider.

![](https://www.datocms-assets.com/55802/1757071816-tunnel-ai.png)

You can also use [command-over-http](https://www.tines.com/docs/admin/command-over-http/) with HTTP requests to make programmatic calls to your private network.

## Connectivity Requirements

Tunnel uses [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) and requires connectivity to Cloudflare to function properly.

![Diagram of Tines Tunnel (docker container) and how it interacts between your systems.](https://www.datocms-assets.com/55802/1697542895-screenshot-2023-10-17-at-6-40-55-am.png)

*An overview of how the tunnel interacts with your network.*

No inbound connectivity to the container is required by Tines from the internet or elsewhere. The container will attempt to form a connection with the services below from its deployment location.

| DESTINATION | PORT | PROTOCOLS | DIRECTION | Purpose |
| --- | --- | --- | --- | --- |
| [region1.v2.argotunnel.com](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#required-for-tunnel-operation) | 443,7844 | TCP/HTTPS | Outbound | Establishes a secure tunnel for outbound connections to Cloudflare's network. |
| [region2.v2.argotunnel.com](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#required-for-tunnel-operation) | 443,7844 | TCP/HTTPS | Outbound | Establishes a secure tunnel for outbound connections to Cloudflare's network. |
| [api.cloudflare.com](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#optional) | 443,7844 | TCP/HTTPS | Outbound | Accesses Cloudflare's API for management tasks (not required for core functionality). |
| [update.argotunnel.com](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#optional) | 443,7844 | TCP/HTTPS | Outbound | Checks and downloads updates for the Argo Tunnel service. |
| `<your-tenant-name>.tines-tunnel.com` | 443,7844 | TCP/HTTPS | Outbound | Default tunnel - Facilitates secure, outbound-only connections to Tines services. |
| `<your-tunnel-name>-<your-tenant-name>.tines-tunnel.com` | 443,7844 | TCP/HTTPS | Outbound | Note: If you have more than one tunnel, then each new tunnel will be prefixed with the tunnel name.<br>Facilitates secure, outbound-only connections to Tines services. |

For more information, see Cloudflare's documentation [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/ports-and-ips/).

## Firewall Rules

To ensure that `cloudflared`, which runs inside the Tines tunnel image, can connect to Cloudflare’s global network on port 7844, your firewall must allow outbound connections on port 7844 via TCP to the IPs published by Cloudflare [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/#required-for-tunnel-operation), which are also listed below.

| DOMAIN | IPv4 | IPv6 | PORT | PROTOCOLS |
| --- | --- | --- | --- | --- |
| region1.v2.argotunnel.com | `198.41.192.167`<br>`198.41.192.67`<br>`198.41.192.57`<br>`198.41.192.107`<br>`198.41.192.27`<br>`198.41.192.7`<br>`198.41.192.227`<br>`198.41.192.47`<br>`198.41.192.37`<br>`198.41.192.77` | `2606:4700:a0::1`<br>`2606:4700:a0::2`<br>`2606:4700:a0::3`<br>`2606:4700:a0::4`<br>`2606:4700:a0::5`<br>`2606:4700:a0::6`<br>`2606:4700:a0::7`<br>`2606:4700:a0::8`<br>`2606:4700:a0::9`<br>`2606:4700:a0::10` | 7844 | TCP/UDP (`http2`/`quic`) |
| region2.v2.argotunnel.com | `198.41.200.13`<br>`198.41.200.193`<br>`198.41.200.33`<br>`198.41.200.233`<br>`198.41.200.53`<br>`198.41.200.63`<br>`198.41.200.113`<br>`198.41.200.73`<br>`198.41.200.43`<br>`198.41.200.23` | `2606:4700:a8::1`<br>`2606:4700:a8::2`<br>`2606:4700:a8::3`<br>`2606:4700:a8::4`<br>`2606:4700:a8::5`<br>`2606:4700:a8::6`<br>`2606:4700:a8::7`<br>`2606:4700:a8::8`<br>`2606:4700:a8::9`<br>`2606:4700:a8::10` | 7844 | TCP/UDP (`http2`/`quic`) |
| \_v2-origintunneld.\_tcp.argotunnel.com <sup>1</sup> | Not applicable | Not applicable | 7844 | TCP (`http2`) |
| cftunnel.com <sup>1</sup> | Not applicable | Not applicable | 7844 | TCP/UDP (`http2`/`quic`) |
| h2.cftunnel.com <sup>1</sup> | Not applicable | Not applicable | 7844 | TCP (`http2`) |
| quic.cftunnel.com <sup>1</sup> | Not applicable | Not applicable | 7844 | UDP (`quic`) |

<sup>1</sup> This rule is only required for firewalls that enforce SNI.

## Health statuses

The following are commonly encountered health statuses for Tunnel, along with any remediations. These health statuses indicate the health of the connection between the container and the Cloudflare edge. They do not indicate the health of the container itself.

### `Healthy`

The tunnel is active and serving traffic through four connections to the Cloudflare global network.

### `Degraded`

One or more tunnel containers are active and serving traffic, but at least one individual connection has failed. Further degradation in tunnel availability could risk the tunnel going down and failing to serve traffic.

We recommend restarting the tunnel container to resolve the issue. If the status continues to be in a degraded state after restart, please reach out to support with the debug logs. You can find the instructions on how to turn on debug logs for your tunnel container by visiting `/admin/tunnel` in your Tines tenant.

### `Inactive`

This usually happens when tunnels have been created, but have never been run. It should clear away after your first run.

### `Down`

One or more tunnel containers cannot serve traffic because they have no connections to the Cloudflare global network. Please ensure that the tunnel container is up and running.

## Tunnel Permissions

Tenant owners or users with the `TUNNEL_MANAGE` tenant permission can restrict which team(s) can use a tunnel from the link `https://<tenant-domain>/admin/tunnel`. The default for all existing and new tunnels is that any team can access them until an admin chooses otherwise.

To configure team access, navigate to `/admin/tunnel` and select the tunnel from the list.

Select the teams which you would like to have access to the tunnel and click **save**.

![](https://www.datocms-assets.com/55802/1715075390-screenshot-2024-05-07-at-10-49-32.png)
