CONCEPT Cited by 1 source

Public-to-private routing

Routing traffic from the public Internet to applications running on private networks (RFC 1918/6598/4193 address space) through an intermediary proxy that terminates the public connection and forwards over a private path — without requiring the origin to have a public IP, inbound firewall exceptions, or connector software.

Definition

In the traditional CDN/proxy model, both the user and the origin are on the public Internet. Public-to-private routing extends this model by allowing the proxy's last hop to traverse a private network path (IPsec, GRE, CNI, overlay mesh, or tunnel) rather than the public Internet. The proxy applies its full security and performance stack (WAF, caching, Workers, bot management) to the request before handing off to the private path — the origin never needs to be publicly reachable.

Significance

This fills the third quadrant in a four-quadrant traffic model:

  1. Public → Public — classic CDN/WAF (long-solved)
  2. Private → Public — zero-trust client (ZTNA/SASE)
  3. Public → Private — this concept
  4. Private → Private — full mesh (emerging)

The architectural insight is that security should be a property of the traffic reaching an application, not a consequence of where it sits. Internal APIs, AI agent backends, MCP servers, and operational tools benefit from the same protections as public-facing applications.
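To make the four-quadrant model and the proxy hand-off concrete, here is an added illustration (not code from the cited source or from any vendor product). It classifies a flow into one of the four quadrants using the RFC 1918/6598/4193 ranges the definition names, then models the public-to-private case: a proxy that terminates the public request, runs a placeholder security check, and forwards only over a private path to an origin that is itself in private address space. The route table, the `PrivatePath` class and the toy WAF rule are constructed assumptions; note that `ipaddress.is_private()` is deliberately not used, because it omits the RFC 6598 shared range and includes loopback and documentation prefixes.

```python
import ipaddress
from dataclasses import dataclass, field

# Address space the concept treats as "private": RFC 1918 (IPv4 private use),
# RFC 6598 (carrier-grade NAT shared space) and RFC 4193 (IPv6 ULA).
# Assumption of this example: nothing else counts as private.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fc00::/7"),
]


def is_private(addr: str) -> bool:
    """True if addr lies in RFC 1918, RFC 6598 or RFC 4193 space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


def quadrant(src: str, dst: str) -> str:
    """Place a flow in the four-quadrant model, e.g. 'public->private'."""
    side = lambda a: "private" if is_private(a) else "public"
    return f"{side(src)}->{side(dst)}"


@dataclass
class Request:
    client_ip: str
    host: str
    path: str


@dataclass
class PrivatePath:
    """Stand-in for the tunnel/overlay last hop (IPsec, GRE, mesh). Constructed, in-memory."""
    name: str
    delivered: list = field(default_factory=list)

    def send(self, origin_ip: str, req: Request) -> int:
        # A real implementation would write to the tunnel; here we just record the hop.
        self.delivered.append((origin_ip, req.path))
        return 200


# Hypothetical route table: public hostname -> (private origin, private path).
# Sample data constructed for this example; the legacy entry is deliberately misconfigured.
ROUTES = {
    "api.example.com": ("10.20.0.5", PrivatePath("ipsec-dc1")),
    "mcp.example.com": ("fd00:1::10", PrivatePath("overlay-mesh")),
    "legacy.example.com": ("198.51.100.9", PrivatePath("gre-legacy")),
}


def waf_allows(req: Request) -> bool:
    """Placeholder for the proxy's security stack: reject two generic unsafe path shapes."""
    lowered = req.path.lower()
    return not any(marker in lowered for marker in ("../", "<script"))


def handle(req: Request) -> dict:
    """Proxy decision for one public request.

    The public connection is terminated here; the origin is only ever reached over
    the configured private path, and only if the origin really is in private space.
    """
    if req.host not in ROUTES:
        return {"status": 404, "reason": "no route for host"}
    origin_ip, path = ROUTES[req.host]
    if not waf_allows(req):
        return {"status": 403, "reason": "blocked by security stack"}
    if not is_private(origin_ip):
        # Guard against a route that would push traffic back onto the public Internet.
        return {"status": 502, "reason": "origin is not in private address space"}
    status = path.send(origin_ip, req)
    return {
        "status": status,
        "via": path.name,
        "quadrant": quadrant(req.client_ip, origin_ip),
    }


if __name__ == "__main__":
    print(handle(Request("203.0.113.7", "api.example.com", "/v1/users")))
    print(handle(Request("203.0.113.7", "legacy.example.com", "/")))
```

The 502 branch is the check worth keeping in any real deployment of this pattern: the whole value of the model is that the origin stays unreachable from the public Internet, so a route whose origin resolves to public space should fail closed rather than be silently forwarded.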

Seen in

(Source: sources/2026-06-10-cloudflare-route-public-traffic-to-private-applications)