Get started
Spectrum is available on all paid plans. Pro and Business support selected protocols only, whereas Enterprise supports all TCP and UDP based traffic. Refer to Configuration options for more configuration details.
To create a Spectrum application, you can either use an IP address, a CNAME Record or a load balancer. Independently of the method you use, you can create the application through the dashboard or via API.
Certain fields in Spectrum request and response bodies require an Enterprise plan. Refer to the Settings by plan page for more details.
To create a Spectrum application using an IP address, Cloudflare normally assigns you an arbitrary IP from Cloudflare’s IP pool to your application. If you want to use your own IP addresses, you can use BYOIP or you can also use a Static IP. In these two last cases, you need to create your Spectrum application through the API, as these features are not available via dash. When using the API, the field origin_direct takes as input the IP address.
Add your application via Dashboard
-
In the Cloudflare dashboard, go to the Spectrum page.
Go to Spectrum -
Select Create an Application. If this is your first time using Spectrum, the Create an Application modal appears.
-
Select your Application Type.
-
Under Domain, enter the domain that will use Spectrum.
-
Under Edge Port, enter the port Cloudflare should use for your application.
-
Under Origin, enter your application's origin IP and port.
-
If your application requires the client IP and supports Proxy Protocol ↗, enable Proxy Protocols. Proxy Protocol is a method for a proxy like Cloudflare to send the client IP to the origin application.
-
Select Add.
Add your application via API
Below is a curl example and the associated data being posted to the API.
API example:
Required API token permissions
At least one of the following token permissions
is required:
Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "protocol": "tcp/22", "dns": { "type": "CNAME", "name": "ssh.example.com" }, "origin_direct": [ "tcp://192.0.2.1:22" ], "proxy_protocol": "off", "ip_firewall": true, "tls": "full", "edge_ips": { "type": "dynamic", "connectivity": "all" }, "traffic_type": "direct", "argo_smart_routing": true }'Example data:
{ "success": true, "errors": [], "messages": [], "result": { "id": "ea95132c15732412d22c1476fa83f27a", "protocol": "tcp/22", "dns": { "type": "CNAME", "name": "ssh.example.com" }, "origin_direct": ["tcp://192.0.2.1:22"], "proxy_protocol": "off", "ip_firewall": true, "tls": "full", "edge_ips": { "type": "dynamic", "connectivity": "all" }, "traffic_type": "direct", "argo_smart_routing": true, "created_on": "2014-01-02T02:20:00Z", "modified_on": "2014-01-02T02:20:00Z" }}To create a Spectrum application using a CNAME record, you will need to create a CNAME record ↗ on your Cloudflare hosted zone that points to your origin's hostname. This is required to resolve to your hostname origin. Refer to Create DNS records, for more information. When using a CNAME as an origin, note that Cloudflare needs to be authoritative for that zone. When using the API, the origin_dns field takes as input the CNAME record.
Add your application via Dashboard
-
In the Cloudflare dashboard, go to the Spectrum page.
Go to Spectrum -
Select Create an Application. If this is your first time using Spectrum, the Create an Application modal appears.
-
Select your Application Type.
-
Under Domain, enter the domain that will use Spectrum.
-
Under Edge Port, enter the port Cloudflare should use for your application.
-
Under Origin, enter your
CNAMErecord name. -
Select Add.
Add your application via API
Below is a curl example and the associated data being posted to the API.
API example:
Required API token permissions
At least one of the following token permissions
is required:
Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "dns": { "type": "CNAME", "name": "spectrum-cname.example.com" }, "ip_firewall": false, "protocol": "tcp/22", "proxy_protocol": "off", "tls": "off", "origin_dns": { "name": "cname-to-origin.example.com", "ttl": 1200 }, "origin_port": 22 }'Example data:
{ "dns": { "type": "CNAME", "name": "spectrum-cname.example.com" }, "ip_firewall": false, "protocol": "tcp/22", "proxy_protocol": "off", "tls": "off", "origin_dns": { "name": "cname-to-origin.example.com", "ttl": 1200 }, "origin_port": 22}To create a Spectrum application using a load balancer, you will need to generate a load balancer from the dashboard or via the API. Refer to the Load Balancing documentation for more details.
Add your application via Dashboard
-
In the Cloudflare dashboard, go to the Spectrum page.
Go to Spectrum -
Select Create an Application. If this is your first time using Spectrum, the Create an Application modal appears.
-
Select your Application Type.
-
Under Domain, enter the domain that will use Spectrum.
-
Under Edge Port, enter the port Cloudflare should use for your application.
-
Under Origin, select Load Balancer.
-
Select the load balancer you want to use from the dropdown. Disabled load balancers will not show on the Load Balancer menu.
-
Select Add.
Add your application via API
Below is a curl example and the associated data being posted to the API.
API example:
Required API token permissions
At least one of the following token permissions
is required:
Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "dns": { "type": "CNAME", "name": "spectrum-cname.example.com" }, "ip_firewall": false, "protocol": "tcp/22", "proxy_protocol": "off", "tls": "off", "origin_dns": { "name": "cname-to-origin.example.com", "ttl": 1200 }, "origin_port": 22 }'Example data:
{ "dns": { "type": "CNAME", "name": "spectrum-cname.example.com" }, "ip_firewall": false, "protocol": "tcp/22", "proxy_protocol": "off", "tls": "off", "origin_dns": { "name": "cname-to-origin.example.com", "ttl": 1200 }, "origin_port": 22}To proxy TCP or UDP traffic to an origin on your private network, attach a Cloudflare Tunnel virtual network to a Spectrum application. Spectrum routes traffic through the connector (Cloudflare Tunnel or Cloudflare WAN connection) associated with that virtual network. This provides an alternative to the previous pattern of putting a load balancer in front of a private origin.
Virtual network origins are only supported for TCP and UDP applications. The origin must be a single private IP routable within the specified virtual network. Port ranges, hostname origins (origin_dns), and multiple addresses in origin_direct are not supported. Proxy Protocol is not currently supported, so proxy_protocol must be set to off. For details on validation errors, refer to Error codes.
For a primer on virtual networks, refer to Virtual networks.
Set up the virtual network and a route covering your origin IP before creating the Spectrum application:
- Create a virtual network and a Cloudflare Tunnel that carries it by following Manage virtual networks.
- Attach a route covering your origin's private IP to the tunnel by following Connect an IP/CIDR.
For Cloudflare WAN (formerly Magic WAN) as the connector, refer to Get started with Cloudflare WAN for setting up tunnel endpoints and routes.
Add your application via Dashboard
-
In the Cloudflare dashboard, go to the Spectrum page.
Go to Spectrum -
Select Create an Application.
-
Under Application Type, select TCP or UDP.
-
Under Domain, enter the domain that will use Spectrum.
-
Under Edge Port, enter the port Cloudflare should use for your application.
-
Under Origin, select Virtual Network.
-
Under Virtual Network, select the virtual network that contains your origin.
-
Under IP, enter the private IP address of your origin.
-
Under Port, enter a single port (port ranges are not supported).
-
Select Add.
Add your application via API
Below is a curl example and the associated data being posted to the API.
API example:
Required API token permissions
At least one of the following token permissions
is required:
Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "protocol": "tcp/22", "dns": { "type": "CNAME", "name": "ssh.example.com" }, "origin_direct": [ "tcp://10.0.0.5:22" ], "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "proxy_protocol": "off", "ip_firewall": true, "tls": "off", "edge_ips": { "type": "dynamic", "connectivity": "all" }, "traffic_type": "direct" }'Set origin_direct to the private IP of your origin and virtual_network_id to the ID of the virtual network that the IP is routable within. You can list virtual networks for your account with the List virtual networks endpoint.
Example data:
{ "success": true, "errors": [], "messages": [], "result": { "id": "ea95132c15732412d22c1476fa83f27a", "protocol": "tcp/22", "dns": { "type": "CNAME", "name": "ssh.example.com" }, "origin_direct": ["tcp://10.0.0.5:22"], "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "proxy_protocol": "off", "ip_firewall": true, "tls": "off", "edge_ips": { "type": "dynamic", "connectivity": "all" }, "traffic_type": "direct", "created_on": "2014-01-02T02:20:00Z", "modified_on": "2014-01-02T02:20:00Z" }}You can now proxy traffic through Cloudflare without additional configuration. As you run traffic through Cloudflare, you will see the last minute of traffic from Spectrum in the dashboard.
If you have any feedback, please let us know ↗.