System configuration
System requirements
Our connector, cloudflared, was designed to be lightweight and flexible enough to be deployed effectively on a Raspberry Pi, your laptop, or a server in a data center.
Unlike legacy VPNs where throughput is determined by the server's memory, CPU and other hardware specifications, Cloudflare Tunnel throughput is primarily limited by the number of ports configured in system software. Therefore, when sizing your cloudflared server, the most important element is sizing the available ports on the machine to reflect the expected throughput of TCP and UDP traffic.
For most use cases, we recommend the following baseline configuration:
- Run a cloudflared replica on two dedicated host machines per network location. Using two hosts enables server-side redundancy and traffic balancing.
- Size each host with a minimum of 4 GB of RAM and 4 CPU cores.
- Allocate 50,000 ports to the cloudflared process on each host.
This setup is usually sufficient to handle traffic from 8,000 WARP users (4,000 per host). The actual amount of resources used by cloudflared will depend on many variables, including the number of requests per second, bandwidth, network path and hardware. As additional users are onboarded, or if network traffic increases beyond your existing tunnel capacity, you can scale your tunnel by adding an additional cloudflared host in that location.
When cloudflared receives a request from a WARP device, it uses the ports on the host machine to evaluate and forward the request to your origin service. Every machine is limited by design to a maximum of 65,535 ports. Additionally, each service on the machine has a limited number of ports that it can consume. For this reason, we recommend the following deployment model:
- cloudflared should be deployed on a dedicated host machine. This model is typically appropriate, but there may be serverless or clustered workflows where a dedicated host is not possible.
- The host machine should allocate 50,000 ports to be available for use by the cloudflared service. The remaining ports are reserved for system administrative processes.
To increase the number of ports available to cloudflared on Linux:
If your machine has a /etc/sysctl.d/ directory:
```sh
echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.d/99-cloudflared.conf
sudo sysctl -p /etc/sysctl.d/99-cloudflared.conf
```

Otherwise:

```sh
echo 'net.ipv4.ip_local_port_range = 11000 60999' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
```

To increase the number of ports available to cloudflared on Windows, set the dynamic port range for TCP and UDP:

```powershell
netsh int ipv4 set dynamicport tcp start=11000 num=50000
netsh int ipv4 set dynamicport udp start=11000 num=50000
netsh int ipv6 set dynamicport tcp start=11000 num=50000
netsh int ipv6 set dynamicport udp start=11000 num=50000
```

DNS queries utilize more system resources compared to TCP and non-DNS UDP requests. To optimize service availability, Cloudflare recommends splitting private DNS traffic into its own Cloudflare Tunnel. The tunnel should run on a dedicated host and only include routes for your internal DNS resolver IPs.
On Linux and macOS, ulimit settings determine the system resources available to a logged-in user. We recommend configuring the following ulimits on the cloudflared server:
| ulimit | Description | Value | 
|---|---|---|
| -n | Maximum number of open files or file descriptors | ≥ 70,000 | 
To view your current ulimits, open a terminal and run:
```sh
ulimit -a
```

To set the open files ulimit:

```sh
ulimit -n 70000
```

The command above sets the open files limit only for the current terminal session and will not persist after a reboot or new login. To apply this limit permanently, configure it using the persistent method appropriate for your operating system.
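A preflight check that verifies both settings above before cloudflared is started, written as an added example (it is not part of the Cloudflare documentation or of cloudflared). The thresholds are the page's own (50,000 ports, `ulimit -n` of at least 70,000); the `/proc/sys/net/ipv4/ip_local_port_range` path is the standard Linux location of the kernel setting that `sysctl` writes, and the sample range strings in `__main__` are constructed.

```python
"""Preflight check for a cloudflared host: ephemeral port range and open-files limit.

Added example, not Cloudflare's code. Thresholds come from the documentation
(50,000 ports for cloudflared, ulimit -n >= 70,000).
"""
from pathlib import Path

REQUIRED_PORTS = 50_000           # ports the docs say to allocate to cloudflared
REQUIRED_OPEN_FILES = 70_000      # ulimit -n recommendation from the docs
PORT_RANGE_PROC = Path("/proc/sys/net/ipv4/ip_local_port_range")  # standard Linux location


def parse_port_range(text: str) -> tuple[int, int]:
    """Parse ip_local_port_range as printed by /proc or `sysctl -n`: two integers."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected ip_local_port_range content: {text!r}")
    low, high = (int(p) for p in parts)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range {low}-{high}")
    return low, high


def port_count(text: str) -> int:
    """Number of ephemeral ports the range provides (both ends inclusive)."""
    low, high = parse_port_range(text)
    return high - low + 1


def port_range_ok(text: str, required: int = REQUIRED_PORTS) -> bool:
    """True when the range offers at least `required` ports."""
    return port_count(text) >= required


def open_files_ok(soft_limit: int, required: int = REQUIRED_OPEN_FILES) -> bool:
    """True when the soft RLIMIT_NOFILE (what `ulimit -n` prints) meets the recommendation.

    A negative value stands for "unlimited" and passes.
    """
    return soft_limit < 0 or soft_limit >= required


def check_live_host() -> dict[str, bool]:
    """Read the running system's settings (Linux/macOS) and return pass/fail per check."""
    import resource  # POSIX only; imported here so the parsing helpers stay portable

    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft == resource.RLIM_INFINITY:
        soft = -1
    result = {"open_files": open_files_ok(soft)}
    if PORT_RANGE_PROC.exists():  # macOS has no /proc; the port check only applies on Linux
        result["port_range"] = port_range_ok(PORT_RANGE_PROC.read_text())
    return result


if __name__ == "__main__":
    # Constructed samples in /proc format: a common kernel default, then the documented range.
    for sample in ("32768\t60999\n", "11000\t60999\n"):
        verdict = "OK" if port_range_ok(sample) else "too small"
        print(f"range {sample.split()}: {port_count(sample)} ports -> {verdict}")
    print(check_live_host())
```

Run it on the host after applying the sysctl and ulimit changes; a `False` in either key means the session or kernel setting did not take effect (for example, a `ulimit -n` that was set in a different shell, or a sysctl file that was never loaded with `sysctl -p`).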
Most private network traffic proxied by cloudflared falls in one of two categories:
- TCP requests (more common, less resource intensive)
- UDP requests (less common, more resource intensive)
TCP traffic uses and releases ports almost instantaneously. This means that in order to overload a cloudflared instance with 50,000 available ports, your organization would need to continuously generate 50,001 TCP requests per second.
UDP traffic behaves differently. DNS queries, usually the bulk of UDP traffic, each hold a port in cloudflared for five seconds. Non-DNS UDP traffic holds each port for the duration of the connection, which can be any amount of time. This means that in order to overload a cloudflared instance with 50,000 available ports, you would need to continuously generate either 10,000 DNS queries per second to your private resolver, or a cumulative 50,000 non-DNS UDP requests over a shorter time than your connection reset rate.
Our baseline recommendations serve as a starting point for a Cloudflare Tunnel deployment. Once you have a representative population of users engaging with your network for at least a week, you can customize tunnel sizing according to your own traffic patterns.
To calculate your tunnel capacity:
- Set up a metrics service when you run the tunnel.
- After a week or so, query the following tunnel metrics:
  - cloudflared_tcp_total_sessions
  - cloudflared_udp_total_sessions
- Compute the average TCP requests per second and non-DNS UDP requests per second by dividing each total session count by the elapsed time.
- In your private DNS resolver, obtain the average Private DNS requests per second.
- Input your values into our sizing calculator, which takes these metrics and returns a sizing result.
You can use these results to determine if your tunnel is appropriately sized. To increase your tunnel capacity, add identical host machines running cloudflared replicas.
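The sizing procedure above, carried through in code as an added example (this is not Cloudflare's calculator). It models the port-holding behaviour described earlier on the page: a TCP request releases its port almost at once, so it is charged one second of port time, which reproduces the page's 50,001 requests-per-second saturation point; a DNS query holds a port for five seconds; and a non-DNS UDP session holds a port for its whole lifetime, so the average session length is an input you must supply (the page gives no value for it). The 50,000 ports per host and the two-host minimum are the page's baseline, and the metric values in `__main__` are constructed.

```python
"""Tunnel sizing from cloudflared metrics (added example, not Cloudflare's calculator).

Estimated ports in use = sum over traffic classes of (requests per second x seconds a port is held),
compared against the 50,000 ports allocated to cloudflared on each host.
"""
from dataclasses import dataclass
from math import ceil

PORTS_PER_HOST = 50_000   # documented baseline: ports allocated to cloudflared per host
MIN_HOSTS = 2             # documented baseline: two hosts per location for redundancy
TCP_PORT_HOLD_S = 1.0     # assumption: matches the documented 50,001 req/s saturation point
DNS_PORT_HOLD_S = 5.0     # documented: a DNS query holds a port for five seconds


@dataclass
class TunnelMetrics:
    """Inputs collected over one sampling window, as the documented procedure describes."""
    tcp_total_sessions: int      # growth of cloudflared_tcp_total_sessions over the window
    udp_total_sessions: int      # growth of cloudflared_udp_total_sessions (non-DNS UDP)
    window_seconds: float        # length of the sampling window
    dns_qps: float               # average private DNS requests/s, taken from the resolver
    avg_udp_session_s: float     # assumed mean non-DNS UDP session length (not on the page)


def average_rps(total_sessions: int, window_seconds: float) -> float:
    """Average requests per second: total sessions divided by total time."""
    if window_seconds <= 0:
        raise ValueError("sampling window must be positive")
    return total_sessions / window_seconds


def ports_in_use(tcp_rps: float, dns_qps: float, udp_rps: float, avg_udp_session_s: float) -> float:
    """Estimated ports held simultaneously: arrival rate times hold time per class (Little's law)."""
    return (tcp_rps * TCP_PORT_HOLD_S
            + dns_qps * DNS_PORT_HOLD_S
            + udp_rps * avg_udp_session_s)


def hosts_needed(ports: float, ports_per_host: int = PORTS_PER_HOST, min_hosts: int = MIN_HOSTS) -> int:
    """Hosts required to keep every host under its port allocation, never fewer than the minimum."""
    return max(min_hosts, ceil(ports / ports_per_host))


def size_tunnel(m: TunnelMetrics) -> dict:
    """Turn collected metrics into a host count and per-host utilisation."""
    tcp_rps = average_rps(m.tcp_total_sessions, m.window_seconds)
    udp_rps = average_rps(m.udp_total_sessions, m.window_seconds)
    ports = ports_in_use(tcp_rps, m.dns_qps, udp_rps, m.avg_udp_session_s)
    hosts = hosts_needed(ports)
    return {
        "tcp_rps": tcp_rps,
        "udp_rps": udp_rps,
        "ports_in_use": ports,
        "hosts_needed": hosts,
        "utilisation_per_host": ports / (hosts * PORTS_PER_HOST),
    }


if __name__ == "__main__":
    # Constructed one-week sample: 2,000 TCP req/s, 50 non-DNS UDP sessions/s lasting 30 s,
    # and 3,000 private DNS queries/s.
    sample = TunnelMetrics(
        tcp_total_sessions=1_209_600_000,
        udp_total_sessions=30_240_000,
        window_seconds=7 * 24 * 3600,
        dns_qps=3_000.0,
        avg_udp_session_s=30.0,
    )
    for key, value in size_tunnel(sample).items():
        print(f"{key}: {value}")
```

If you follow the page's advice to run private DNS on its own tunnel, size that tunnel separately by calling `ports_in_use` with only `dns_qps` set, and size the main tunnel with `dns_qps=0`. Because DNS is charged five seconds of port time per query, 10,000 queries per second fills a 50,000-port host on its own, exactly as the page states.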
2025 Cloudflare, Inc.