Cloudflare Private Origins
Application Services for Private Origins (closed beta June 2026, Enterprise; GA target Q4 2026) extends Cloudflare's full L7 application services stack (WAF, bot management, rate limiting, caching, Workers, transform rules) to origins reachable only via private networks.
Architecture
The private networking layer is integrated directly into the application services proxy stack. When the proxy sees `use_private_routing: true` in the Origin API response for a hostname, it hands the request to the private networking layer instead of connecting to the IP over the public Internet. The private networking layer routes the connection across the customer's existing connectivity:
- IPsec tunnels (Cloudflare WAN)
- GRE tunnels (Cloudflare WAN)
- CNI links (Cloud Network Interconnect)
- Cloudflare Tunnel (`cloudflared` connector)
- Cloudflare Mesh
The same routing layer is shared across:
- DNS-proxied HTTP/HTTPS origins (this launch)
- Spectrum L4 TCP/UDP proxy
- Workers VPC bindings
Key differentiator
Unlike Cloudflare Tunnel, which requires `cloudflared` connector software on or near the origin, customers already on Cloudflare WAN or Mesh get private-origin routing without deploying any additional software: their existing network-layer connectivity is reused.
Four-quadrant model
| User location | Origin location | Solution |
|---|---|---|
| Public Internet | Public Internet | Classic CDN (existing) |
| Private network | Public Internet | Cloudflare One Client (existing) |
| Public Internet | Private network | Private Origins (this launch) |
| Private network | Private network | Building toward (next) |
API
```
POST /zones/{zone_id}/dns_records

{
  "type": "A",
  "name": "app.example.com",
  "content": "10.0.0.50",
  "proxied": true,
  "use_private_routing": true
}
```
Auto-enabled for RFC 1918, RFC 6598, and RFC 4193 addresses.
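The following is an added example, not Cloudflare's code: a Python audit that checks record addresses against the three ranges listed above, including the boundary of 172.16.0.0/12 and the CGNAT block that `ipaddress.is_private` does not report. The record names, status labels and sample addresses are constructed, and the handling of DNS-only records is an assumption noted in the code.

```python
import ipaddress

# Ranges the page lists as auto-enabled for private routing.
AUTO_PRIVATE_RANGES = {
    "RFC 1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "RFC 6598": ("100.64.0.0/10",),
    "RFC 4193": ("fc00::/7",),
}
_NETS = [(rfc, ipaddress.ip_network(c)) for rfc, cs in AUTO_PRIVATE_RANGES.items() for c in cs]

def matching_rfc(content):
    """Return the RFC whose range contains `content`, or None."""
    try:
        addr = ipaddress.ip_address(content)
    except ValueError:
        return None  # not an IP literal
    for rfc, net in _NETS:
        if addr.version == net.version and addr in net:
            return rfc
    return None

def audit(records):
    """Return (name, status, rfc) for each A/AAAA record."""
    findings = []
    for rec in records:
        if rec.get("type") not in ("A", "AAAA"):
            continue
        rfc = matching_rfc(rec["content"])
        if rfc and not rec.get("proxied", False):
            # Assumption: a DNS-only record never reaches the proxy; the address is just published.
            status = "private-address-not-proxied"
        elif rfc:
            status = "auto-private-routing"
        elif rec.get("use_private_routing", False):
            status = "explicit-private-routing"
        else:
            status = "public-routing"
        findings.append((rec["name"], status, rfc))
    return findings

# Constructed sample records, shaped like the request body above.
SAMPLE_RECORDS = [
    {"type": "A", "name": "app.example.com", "content": "10.0.0.50", "proxied": True},
    {"type": "A", "name": "cgnat.example.com", "content": "100.64.1.10", "proxied": True},
    {"type": "AAAA", "name": "v6.example.com", "content": "fd12:3456:789a::1", "proxied": True},
    {"type": "A", "name": "edge.example.com", "content": "172.32.0.1", "proxied": True},
    {"type": "A", "name": "internal.example.com", "content": "192.168.1.20", "proxied": False},
    {"type": "A", "name": "byo.example.com", "content": "203.0.113.10", "proxied": True, "use_private_routing": True},
]
```

Calling `audit(SAMPLE_RECORDS)` returns one tuple per record; `private-address-not-proxied` entries are the ones to review first.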
Seen in
(Source: sources/2026-06-10-cloudflare-route-public-traffic-to-private-applications)