
Route Public Traffic to Private Applications with Cloudflare
Why It Matters
By extending Cloudflare’s security and performance stack to private workloads, enterprises can protect internal APIs and services without costly network re‑architectures, accelerating zero‑trust adoption.
Key Takeaways
- Private origins gain Cloudflare WAF, bot management, and rate limiting.
- No public IP or cloudflared needed; traffic stays within private network.
- Enterprise customers can enable via DNS record toggle or API flag.
- Supports HTTP, TCP, UDP services through Spectrum and Workers VPC.
- GA slated for Q4 2026, with private‑to‑private routing roadmap.
Pulse Analysis
For years, public‑facing websites and internal applications have lived in separate networking silos, each with its own set of security tools. Cloudflare’s new Application Services for Private Origins collapses that divide, allowing organizations to place the same edge‑level protections—WAF, bot mitigation, rate limiting, caching and programmable Workers—directly in front of private IPs. The service works by routing requests through existing Cloudflare private networking layers such as Tunnel, WAN or Mesh, eliminating the need for public IP exposure, additional load balancers, or connector software on the origin host.
The implementation is deliberately lightweight: a DNS record marked as proxied with the "use_private_routing" flag triggers Cloudflare’s proxy to forward traffic over the customer’s private network path instead of the public Internet. This approach unifies configuration across HTTP, TCP and UDP workloads, extending to Spectrum for Layer 4 services and Workers VPC for serverless code. Enterprises can automate the rollout via the standard DNS API, reducing operational overhead and simplifying compliance audits, while still benefiting from Cloudflare’s global edge infrastructure.
Beyond immediate security gains, the launch signals a broader shift toward a universal, zero‑trust edge where the origin’s location—public or private—no longer dictates the level of protection. Cloudflare aims to roll out private‑to‑private routing later in 2026, enabling internal users, AI agents and service‑to‑service traffic to enjoy the same WAF and rate‑limiting controls as external customers. This unified model could reshape how large organizations design network topologies, favoring cloud‑native, programmable security over traditional perimeter defenses.