# Cloudflare Tunnel MCP for AI Agents MCP

> Cloudflare Tunnel MCP lets your AI agent manage Zero Trust connectivity and private network routing for Cloudflare Tunnels. You can list tunnels, create new routes, update ingress rules, and monitor connections—all through natural conversation without touching the CLI.

## Overview
- **Category:** industry-titans
- **Price:** Free
- **Tags:** cloudflare-tunnel, zero-trust, cloudflared, network-security, remote-access

## Description

Managing cloud infrastructure usually means juggling a console here and a command line there. This MCP changes that. It gives your AI client direct control over Cloudflare Tunnels, letting you handle Zero Trust connectivity purely through chat. You can list every tunnel in your account to check their health status or retrieve detailed metadata for troubleshooting. Need to update an ingress rule? You can modify origin settings and routes remotely without ever typing `cf` into the terminal. It's a massive time saver for security teams auditing network paths, or DevOps engineers quickly patching routing issues during deployments. Because this MCP is part of Vinkius, you get access to hundreds of other industry-leading tools alongside your Cloudflare setup, keeping all your infrastructure management in one place.

## Tools

### cleanup_connections
Removes specified Cloudflare Tunnel connectors from your account to maintain a clean connection list.

### create_route
Creates a new network route for an existing tunnel, directing specific traffic streams.

### create_tunnel
Initializes and creates a brand-new Cloudflare Tunnel within your account.

### delete_route
Removes an existing tunnel route when the associated network path is no longer needed.

### delete_tunnel
Decommissions and deletes a Cloudflare Tunnel completely from your service.

### get_configuration
Retrieves the full configuration details for any remotely-managed tunnel.

### get_connector
Fetches specific details about a Cloudflare Tunnel connector instance.

### get_management_token
Generates the necessary token required to manage your tunnels programmatically.

### get_route_by_ip
Looks up a specific tunnel route using an associated IP address.

### get_tunnel_token
Retrieves the necessary token needed to run and connect a Cloudflare Tunnel client.

### get_tunnel
Pulls all specific details for one designated Cloudflare Tunnel ID.

### list_connections
Returns a comprehensive list of active and inactive Cloudflare Tunnel connections.

### list_routes
Lists all defined network routes across your entire set of tunnels.

### list_tunnels
Provides a filtered list of all Cloudflare Tunnels, allowing you to check health status and metadata.

### put_configuration
Adds or overwrites the configuration details for a specific remotely-managed tunnel.

### update_route
Modifies an existing network route, changing its destination or ruleset.

### update_tunnel
Updates core properties of a Cloudflare Tunnel that are not covered by simple configuration changes.

## Prompt Examples

**Prompt:** 
```
Show me all my tunnels and tell me which ones are currently degraded or down.
```

**Response:** 
```
**Cloudflare Tunnel Status Report**

*   🟢 web-server-prod: Healthy (Online)
*   🟡 db-bridge: Degraded (High Latency Detected)
*   🔴 test-lab: Down (Connector Failed)
*   🔵 internal-api: Healthy (Online)

We recommend checking the configuration for 'db-bridge' immediately. Would you like to view its current ingress rules?
```

**Prompt:** 
```
I need to expose a new monitoring dashboard on port 80, can you set up a tunnel route?
```

**Response:** 
```
**Route Creation Successful**

We created the following route:

*   **Destination:** `monitoring.example.com`
*   **Source:** Internet (Any)
*   **Target:** `http://localhost:80`
*   **Status:** Active

The new tunnel is now live. Use this endpoint to check the credentials required for access.
```

**Prompt:** 
```
Can you delete a tunnel named 'old-project' and clean up its connections?
```

**Response:** 
```
**Cleanup Complete.**

1.  Tunnel `old-project` has been permanently deleted.
2.  All associated connectors have been removed from your account.
3.  The resource cleanup is finished. Your network footprint is smaller and more secure.
```

## Capabilities

### List all tunnels and connections to check their status (healthy, degraded, or down) across the entire account.
The agent returns a consolidated report showing the operational health of every tunnel in your environment.

### Create or modify specific tunnel routes and IP-based network paths connecting internal resources securely.
You can define new rules that direct external traffic to specific internal services via updated routing records.

### Update an existing Cloudflare Tunnel, including updating its configuration and secrets.
The agent applies core changes to a tunnel's properties, ensuring the connection remains robust and up-to-date.

### Manage connections lifecycle
You can initiate the creation of new tunnels or fully decommission old ones, maintaining strict control over your network footprint.

### Audit Connectors and Sessions
The tool provides a clean way to list active connectors and run cleanup actions to remove stale sessions safely.

## Use Cases

### Auditing Compliance After an Incident
A security analyst needs to prove that no unauthorized tunnels exist. They ask the agent to 'List and filter all tunnels by status.' The agent runs `list_tunnels` and provides a clean report, ensuring compliance with Zero Trust policies.

### Deploying a New Backend Service
A DevOps engineer needs to expose a new internal microservice. They instruct the agent to 'Create a tunnel for my staging environment' (`create_tunnel`), and then use `create_route` to direct traffic to it.

### Fixing Broken API Access
The main website suddenly can't reach its database. The agent checks the routes by calling `get_route_by_ip`, identifies the broken path, and uses `update_route` to fix it immediately.

### Cleaning Up Old Infrastructure
A team decommissioned a project last month. Instead of manually deleting resources, they ask the agent to 'Clean up all connections for Project X,' triggering `cleanup_connections` and freeing up resources safely.

## Benefits

- Instead of running five different `cf` commands, you simply ask your agent to 'List all tunnels' using the `list_tunnels` tool. It gets you a consolidated view instantly.
- You can update complex ingress rules—like setting up a new API endpoint route—by calling `put_configuration`, which handles the syntax for you.
- Need to check if an old connection is still active? Use `cleanup_connections` and let your agent safely prune stale sessions, ensuring high availability without manual auditing.
- The ability to retrieve full tunnel details via `get_tunnel` means deep-diving into specific tunnels' metadata without leaving the chat interface.
- When building a new service connection, you can use `create_tunnel` and immediately follow up with `get_tunnel_token`, all in one conversation.

## How It Works

The bottom line is that your AI client acts as a single pane of glass, letting you manage complex network routing tasks without needing to memorize specific CLI commands.

1. First, subscribe to this MCP on Vinkius and provide your Cloudflare API Token with the necessary Tunnel permissions.
2. Next, ask your AI client a specific question, like 'List all tunnels in my production environment,' or 'Update the ingress rules for web-app'.
3. The agent executes the request against Cloudflare's infrastructure and returns actionable data, allowing you to confirm status changes or retrieve updated configurations.

## Frequently Asked Questions

**How can I use the Cloudflare Tunnel MCP to manage my Zero Trust policies?**
You can audit your entire tunnel infrastructure by listing all tunnels and connections. This allows you to verify that every active network path adheres strictly to your company's defined Zero Trust rules.

**Does the Cloudflare Tunnel MCP let me update ingress rules without using the command line?**
Yes, absolutely. You can tell your agent exactly which traffic should go where—for example, directing `api.example.com` to a new internal port—and it will handle updating those complex rules for you.

**What if I forget about temporary tunnels? Can the MCP clean them up?**
Yes. You can instruct your agent to run cleanup actions, which safely identifies and removes stale tunnel connections and unused resources from your account.

**Is this Cloudflare Tunnel MCP suitable for DevOps deployment tasks?**
It's ideal for DevOps workflows. Instead of multiple manual steps, you can ask the agent to create a new tunnel and immediately establish the necessary network routes needed for testing or production.

**I need to check if my internal resource is exposed properly. How do I use this MCP?**
You can use the MCP to list all defined tunnel routes, allowing you to verify that your specific IP addresses and resources are connected via the correct network paths.