Cloudflare Tunnel on Multiple VPSes: HA, Scaling, and Pitfalls

Introduction

Cloudflare Tunnel is one of the simplest ways to expose self-hosted applications without opening inbound ports on a VPS. A common question arises when infrastructure grows beyond a single server:

What happens if I run the same Cloudflare Tunnel on multiple VPSes?

Can it be used for high availability? Does it automatically become a load balancer? Can different servers expose different services through the same tunnel? What breaks when applications become stateful?

This article explores these questions in depth and covers several real-world deployment scenarios.

Understanding Cloudflare Tunnel Connectors

A Cloudflare Tunnel consists of:

A Tunnel ID (UUID)
Tunnel credentials
One or more cloudflared connector instances

A single tunnel may have multiple active connectors.

For example:

                Cloudflare Edge
                       |
                Tunnel: prod-tunnel
                       |
          +------------+------------+
          |                         |
      Connector A              Connector B
         VPS1                     VPS2

Both VPSes establish outbound connections to Cloudflare. No inbound ports are required.

Common Misconception: "Multiple Connectors = Failover Only"

Many administrators assume:

VPS1 active
VPS2 standby

and that Cloudflare only switches to VPS2 when VPS1 dies. That is not entirely accurate. Cloudflare can utilize multiple healthy connectors attached to the same tunnel simultaneously.

Conceptually:

Request 1 -> VPS1
Request 2 -> VPS2
Request 3 -> VPS1
Request 4 -> VPS2

However, this should not be confused with a dedicated load balancer.

Cloudflare Tunnel does not provide:

Weighted traffic distribution
Service-level health checks
Session affinity
Canary deployments
Geographic routing
Blue-green deployments

Those features belong to Cloudflare Load Balancing.

Scenario 1: Identical Services on Both VPSes

Consider:

VPS1
 ├─ Express API
 ├─ Directus
 └─ Umami

VPS2
 ├─ Express API
 ├─ Directus
 └─ Umami

Both servers:

Run the same tunnel
Use the same tunnel credentials
Use the same ingress configuration

This setup works well.

                           Client
                             |
                         Cloudflare
                             |
                           Tunnel
                             |
                      +------+------+
                      |             |
                     VPS1          VPS2

Traffic can reach either VPS. This is the closest thing to horizontal scaling that Tunnel provides by itself.

The Hidden Requirement: Shared State

Most scaling failures occur because applications are not truly stateless.

Express API

Usually safe if:

Stateless
JWT authentication
External session storage

Example:

VPS1 -> Express
VPS2 -> Express

No issues.

Directus CMS (Self-hosted)

Directus requires shared backend infrastructure.

Good:

 VPS1 Directus
 VPS2 Directus
       |
       |
Shared PostgreSQL

Bad:

VPS1 -> PostgreSQL A
VPS2 -> PostgreSQL B

Data immediately diverges.

Any self-hosted analytics services

Same requirement. Both instances should point to the same database.

Otherwise:

Visitors on VPS1
Visitors on VPS2

are counted separately.

Scenario 2: Same Tunnel, Completely Different Services

Suppose:

VPS1
 ├─ Express
 ├─ Directus
 └─ Umami

VPS2
 ├─ Grafana
 └─ Prometheus

and both use the same tunnel credentials. At first glance this seems convenient. Unfortunately, it introduces a major problem.

Why Different Services Break Shared Tunnels

Assume the tunnel config contains:

ingress:
  - hostname: app.example.com
    service: http://express:3000

  - hostname: grafana.example.com
    service: http://grafana:3000

Cloudflare sees:

Tunnel
├─ Connector VPS1
└─ Connector VPS2

A request arrives:

https://app.example.com

Cloudflare may choose either connector.

Case A:

Cloudflare
    |
   VPS1
    |
 Express

Success.

Case B:

Cloudflare
    |
   VPS2
    |
 Express ?

Container doesn't exist.

Result:

502 Bad Gateway

Connection Refused

This is one of the most common tunnel architecture mistakes.

Important Rule

Every connector attached to a tunnel should be able to satisfy every ingress rule associated with that tunnel.

If not:

Routing becomes unpredictable
Some requests fail
Troubleshooting becomes difficult

Scenario 3: Same Tunnel Credentials, Different Config Files

Another subtle case:

Server A:

ingress:
  - hostname: app.example.com
    service: http://express:3000

Server B:

ingress:
  - hostname: grafana.example.com
    service: http://grafana:3000

But both use:

same tunnel UUID
same credentials file

This configuration is dangerous. Cloudflare does not maintain a mapping of:

app.example.com -> VPS1 only
grafana.example.com -> VPS2 only

The tunnel is the routing object. The connector is merely an endpoint attached to that tunnel. As a result:

Cloudflare
    |
 Tunnel
    |
+---+---+
|       |
A       B

Traffic can arrive at either connector.

Recommended Architecture for Different Services

Instead of:

One Tunnel
    |
+---+---+
|       |
VPS1   VPS2

Use:

Tunnel A               Tunnel B
   |                      |
 VPS1                    VPS2

Example:

prod-tunnel
 ├─ app.example.com
 ├─ cms.example.com
 └─ analytics.example.com

monitoring-tunnel
 ├─ grafana.example.com
 └─ prometheus.example.com

This is cleaner, safer, and easier to operate.

Scenario 4: Using Tunnel as a Horizontal Scaling Mechanism

Can Tunnel provide horizontal scaling? Technically yes, but only under certain conditions.

Requirements:

VPS1
 ├─ Express
 ├─ Directus
 └─ Umami

VPS2
 ├─ Express
 ├─ Directus
 └─ Umami

And:

Shared PostgreSQL
Shared Redis
Shared Object Storage

Architecture:

                  Cloudflare
                      |
                    Tunnel
                      |
          +-----------+-----------+
          |                       |
         VPS1                   VPS2
          |                       |
          +-----------+-----------+
                      |
              Shared Database

This can work surprisingly well for small and medium deployments.

Scenario 5: Docker External Networks Across VPSes

Many people create:

networks:
  tunnel:
    external: true

and assume it can span servers. It cannot. Docker bridge networks are local to a host.

This works:

VPS1
 ├─ cloudflared
 ├─ express
 └─ directus

because all containers share the same Docker network.

This does not work:

VPS1 cloudflared
      |
      |
      X
      |
      |
VPS2 directus

Docker networking does not magically connect containers across hosts.

You need:

Overlay networking
Kubernetes
Docker Swarm
Tailscale
WireGuard
Service mesh

or another cross-host networking solution.

Scenario 6: Real Load Balancing

Eventually you may need:

Health checks
Weighted traffic
Regional routing
Traffic steering
Session stickiness

At that point use:

Cloudflare Load Balancer

Architecture:

    Client
       |
 Cloudflare LB
       |
+------+------+
|             |
VPS1       VPS2

Unlike Tunnel alone, the Load Balancer actively understands backend health and routing policies.

Recommended Production Architecture

For a modern self-hosted stack:

VPS1
 ├─ cloudflared
 ├─ Express
 ├─ Directus

VPS2
 ├─ cloudflared
 ├─ Express
 ├─ Directus

Shared:
 ├─ PostgreSQL
 ├─ Redis
 └─ Object Storage

Monitoring:

Separate Tunnel
       |
    Grafana
   Prometheus

This provides:

High availability
Connector redundancy
Basic traffic distribution
Horizontal scaling
Simpler operations

without introducing unnecessary complexity.

Final Takeaway

Cloudflare Tunnel is excellent for exposing services securely and providing connector-level redundancy. Multiple connectors attached to the same tunnel can improve availability and distribute traffic, but they are not a replacement for a dedicated load balancer.

The most important rule is simple:

If multiple servers share a tunnel, every server should be capable of serving every hostname defined by that tunnel.

If servers host different workloads, create separate tunnels.

If servers host identical workloads backed by shared state, multiple connectors can provide a lightweight and effective high-availability architecture.

Introduction

Cloudflare Tunnel is one of the simplest ways to expose self-hosted applications without opening inbound ports on a VPS. A common question arises when infrastructure grows beyond a single server:

What happens if I run the same Cloudflare Tunnel on multiple VPSes?

This article explores these questions in depth and covers several real-world deployment scenarios.

Understanding Cloudflare Tunnel Connectors

A Cloudflare Tunnel consists of:

A Tunnel ID (UUID)
Tunnel credentials
One or more cloudflared connector instances

A single tunnel may have multiple active connectors.

For example:

                Cloudflare Edge
                       |
                Tunnel: prod-tunnel
                       |
          +------------+------------+
          |                         |
      Connector A              Connector B
         VPS1                     VPS2

Both VPSes establish outbound connections to Cloudflare. No inbound ports are required.

Common Misconception: "Multiple Connectors = Failover Only"

Many administrators assume:

VPS1 active
VPS2 standby

and that Cloudflare only switches to VPS2 when VPS1 dies. That is not entirely accurate. Cloudflare can utilize multiple healthy connectors attached to the same tunnel simultaneously.

Conceptually:

Request 1 -> VPS1
Request 2 -> VPS2
Request 3 -> VPS1
Request 4 -> VPS2

However, this should not be confused with a dedicated load balancer.

Cloudflare Tunnel does not provide:

Weighted traffic distribution
Service-level health checks
Session affinity
Canary deployments
Geographic routing
Blue-green deployments

Those features belong to Cloudflare Load Balancing.

Scenario 1: Identical Services on Both VPSes

Consider:

VPS1
 ├─ Express API
 ├─ Directus
 └─ Umami

VPS2
 ├─ Express API
 ├─ Directus
 └─ Umami

Both servers:

Run the same tunnel
Use the same tunnel credentials
Use the same ingress configuration

This setup works well.

                           Client
                             |
                         Cloudflare
                             |
                           Tunnel
                             |
                      +------+------+
                      |             |
                     VPS1          VPS2

Traffic can reach either VPS. This is the closest thing to horizontal scaling that Tunnel provides by itself.

The Hidden Requirement: Shared State

Most scaling failures occur because applications are not truly stateless.

Express API

Usually safe if:

Stateless
JWT authentication
External session storage

Example:

VPS1 -> Express
VPS2 -> Express

No issues.

Directus CMS (Self-hosted)

Directus requires shared backend infrastructure.

Good:

 VPS1 Directus
 VPS2 Directus
       |
       |
Shared PostgreSQL

Bad:

VPS1 -> PostgreSQL A
VPS2 -> PostgreSQL B

Data immediately diverges.

Any self-hosted analytics services

Same requirement. Both instances should point to the same database.

Otherwise:

Visitors on VPS1
Visitors on VPS2

are counted separately.

Scenario 2: Same Tunnel, Completely Different Services

Suppose:

VPS1
 ├─ Express
 ├─ Directus
 └─ Umami

VPS2
 ├─ Grafana
 └─ Prometheus

and both use the same tunnel credentials. At first glance this seems convenient. Unfortunately, it introduces a major problem.

Why Different Services Break Shared Tunnels

Assume the tunnel config contains:

ingress:
  - hostname: app.example.com
    service: http://express:3000

  - hostname: grafana.example.com
    service: http://grafana:3000

Cloudflare sees:

Tunnel
├─ Connector VPS1
└─ Connector VPS2

A request arrives:

https://app.example.com

Cloudflare may choose either connector.

Case A:

Cloudflare
    |
   VPS1
    |
 Express

Success.

Case B:

Cloudflare
    |
   VPS2
    |
 Express ?

Container doesn't exist.

Result:

502 Bad Gateway

Connection Refused

This is one of the most common tunnel architecture mistakes.

Important Rule

Every connector attached to a tunnel should be able to satisfy every ingress rule associated with that tunnel.

If not:

Routing becomes unpredictable
Some requests fail
Troubleshooting becomes difficult

Scenario 3: Same Tunnel Credentials, Different Config Files

Another subtle case:

Server A:

ingress:
  - hostname: app.example.com
    service: http://express:3000

Server B:

ingress:
  - hostname: grafana.example.com
    service: http://grafana:3000

But both use:

same tunnel UUID
same credentials file

This configuration is dangerous. Cloudflare does not maintain a mapping of:

app.example.com -> VPS1 only
grafana.example.com -> VPS2 only

The tunnel is the routing object. The connector is merely an endpoint attached to that tunnel. As a result:

Cloudflare
    |
 Tunnel
    |
+---+---+
|       |
A       B

Traffic can arrive at either connector.

Recommended Architecture for Different Services

Instead of:

One Tunnel
    |
+---+---+
|       |
VPS1   VPS2

Use:

Tunnel A               Tunnel B
   |                      |
 VPS1                    VPS2

Example:

prod-tunnel
 ├─ app.example.com
 ├─ cms.example.com
 └─ analytics.example.com

monitoring-tunnel
 ├─ grafana.example.com
 └─ prometheus.example.com

This is cleaner, safer, and easier to operate.

Scenario 4: Using Tunnel as a Horizontal Scaling Mechanism

Can Tunnel provide horizontal scaling? Technically yes, but only under certain conditions.

Requirements:

VPS1
 ├─ Express
 ├─ Directus
 └─ Umami

VPS2
 ├─ Express
 ├─ Directus
 └─ Umami

And:

Shared PostgreSQL
Shared Redis
Shared Object Storage

Architecture:

                  Cloudflare
                      |
                    Tunnel
                      |
          +-----------+-----------+
          |                       |
         VPS1                   VPS2
          |                       |
          +-----------+-----------+
                      |
              Shared Database

This can work surprisingly well for small and medium deployments.

Scenario 5: Docker External Networks Across VPSes

Many people create:

networks:
  tunnel:
    external: true

and assume it can span servers. It cannot. Docker bridge networks are local to a host.

This works:

VPS1
 ├─ cloudflared
 ├─ express
 └─ directus

because all containers share the same Docker network.

This does not work:

VPS1 cloudflared
      |
      |
      X
      |
      |
VPS2 directus

Docker networking does not magically connect containers across hosts.

You need:

Overlay networking
Kubernetes
Docker Swarm
Tailscale
WireGuard
Service mesh

or another cross-host networking solution.

Scenario 6: Real Load Balancing

Eventually you may need:

Health checks
Weighted traffic
Regional routing
Traffic steering
Session stickiness

At that point use:

Cloudflare Load Balancer

Architecture:

    Client
       |
 Cloudflare LB
       |
+------+------+
|             |
VPS1       VPS2

Unlike Tunnel alone, the Load Balancer actively understands backend health and routing policies.

Recommended Production Architecture

For a modern self-hosted stack:

VPS1
 ├─ cloudflared
 ├─ Express
 ├─ Directus

VPS2
 ├─ cloudflared
 ├─ Express
 ├─ Directus

Shared:
 ├─ PostgreSQL
 ├─ Redis
 └─ Object Storage

Monitoring:

Separate Tunnel
       |
    Grafana
   Prometheus

This provides:

High availability
Connector redundancy
Basic traffic distribution
Horizontal scaling
Simpler operations

without introducing unnecessary complexity.

Final Takeaway

The most important rule is simple:

If multiple servers share a tunnel, every server should be capable of serving every hostname defined by that tunnel.

If servers host different workloads, create separate tunnels.

If servers host identical workloads backed by shared state, multiple connectors can provide a lightweight and effective high-availability architecture.

Command Palette

Rahul Ravindran

Discover

Pages

Cloudflare Tunnel on Multiple VPSes: HA, Scaling, and Pitfalls

Introduction

Understanding Cloudflare Tunnel Connectors

Common Misconception: "Multiple Connectors = Failover Only"

Scenario 1: Identical Services on Both VPSes

The Hidden Requirement: Shared State

Express API

Directus CMS (Self-hosted)

Any self-hosted analytics services

Scenario 2: Same Tunnel, Completely Different Services

Why Different Services Break Shared Tunnels

Important Rule

Scenario 3: Same Tunnel Credentials, Different Config Files

Recommended Architecture for Different Services

Scenario 4: Using Tunnel as a Horizontal Scaling Mechanism

Scenario 5: Docker External Networks Across VPSes

Scenario 6: Real Load Balancing

Recommended Production Architecture

Final Takeaway

Cloudflare Tunnel on Multiple VPSes: HA, Scaling, and Pitfalls

Introduction

Understanding Cloudflare Tunnel Connectors

Common Misconception: "Multiple Connectors = Failover Only"

Scenario 1: Identical Services on Both VPSes

The Hidden Requirement: Shared State

Express API

Directus CMS (Self-hosted)

Any self-hosted analytics services

Scenario 2: Same Tunnel, Completely Different Services

Why Different Services Break Shared Tunnels

Important Rule

Scenario 3: Same Tunnel Credentials, Different Config Files

Recommended Architecture for Different Services

Scenario 4: Using Tunnel as a Horizontal Scaling Mechanism

Scenario 5: Docker External Networks Across VPSes

Scenario 6: Real Load Balancing

Recommended Production Architecture

Final Takeaway