Connectivity — How users and servers reach Cloudflare

Same network in the middle. Three on-ramps per side. Pick whichever fits each piece of your environment — they all hit the same security policy.

Why this exists: The most common follow-up after the platform diagram is "OK, but how do users actually connect, and how does the server side hook in?" This page answers both. Click any card to see when to use that pattern.
Speed
User side · how people connect
01
💻
Managed employee laptop
Corporate device, fully under IT control. WARP client installed and managed.
WARP client
02
🌐
Contractor / BYOD
Their own laptop, not enrolled in your MDM. Two paths: install WARP, or open a URL in any browser.
Browser only · or WARP
03
🏢
Branch office / site
Whole network behind a router. Everyone at the site gets policy without anyone installing anything.
IPsec / GRE from router
Cloudflare
Global network · security + connectivity, unified
330+ cities
Every check happens at the nearest PoP
Server side · how infrastructure connects
01
📦
Single server or VM
One app or one box. Install a small connector that dials out to Cloudflare. Three commands.
cloudflared connector
02
🗂
Whole VPC or subnet
Install one connector that represents the whole network. Everything behind it is reachable, no per-server agents.
WARP Connector · Mesh
03
🏛
Data center or cloud region
Network-level integration. Tunnel from your edge router, or a literal direct connection that bypasses the public internet.
IPsec · GRE · CNI · Magic WAN
Talk track · ~3 minutes
  1. Set up. "Quick walk through both sides — because the next question is always 'how does the user actually connect, and how does the server side hook in?'"
  2. User side. Point at the left column. "Three ways. Managed employee laptop runs our WARP client — every request routes through the nearest Cloudflare PoP. Contractor on their own laptop has two options — WARP if you want, or just open a URL in any browser. No agent, no install. Whole branch office connects directly from the router with IPsec or GRE. Three different on-ramps. Same security policy hits all three."
  3. Server side. Point at the right column. "Server side, same idea — three patterns. Individual server like an EC2 box — install a small connector called cloudflared. Three commands. It dials out to Cloudflare, nothing inbound. Whole VPC — install on one box, tell it 'I represent this network,' everything behind it is reachable. Entire data center or cloud region — IPsec, GRE, or CNI for a literal direct connection."
  4. The punchline. "The important part — no public IP, no firewall rule, no port forwarded. Every connection from your infrastructure to Cloudflare is outbound-only. The 'door' doesn't exist on the internet."
  5. Bridge to the architecture argument. "Okay — that's how both sides connect. Now let me show you the specific architectural argument for Zero Trust."
← Back to demo dashboard