Introduction

Cloudflare Tunnel can connect private services cleanly until one advertised route stops carrying traffic. At that point the hostname may still resolve and the connector may still look online, but the private subnet or service behind it remains unreachable. The break usually lives in route advertisement, connector selection, DNS targeting, or policy alignment rather than the application itself. The fix is to verify the entire route path from Cloudflare configuration to the private network segment.

Symptoms

  • A private hostname resolves, but traffic never reaches the internal service
  • One tunneled route fails while other routes on the same account still work
  • Connector status looks healthy even though the destination subnet is unreachable
  • The issue started after changing routes, connectors, policies, or internal network ranges
  • Access appears to succeed at the edge but times out before reaching the service

Common Causes

  • The private route is missing, outdated, or advertised from the wrong connector
  • DNS points to the wrong tunnel target or stale hostname mapping
  • Access policies allow the user but not the intended application or network path
  • The connector can reach Cloudflare but not the internal subnet or service itself
  • Overlapping routes or network changes send traffic toward the wrong private destination

Step-by-Step Fix

  1. Confirm the failing route, hostname, and destination subnet so you are testing the exact private path that should work.
  2. Review the tunnel and connector status, but do not stop there, because a healthy connector does not guarantee the route is usable.
  3. Check the private network route advertisement and verify the intended subnet or destination is still associated with the correct connector.
  4. Confirm the public hostname or application mapping points to the right tunnel and has not drifted after recent changes.
  5. Test whether the connector host can actually reach the internal service directly on the expected port and network path.
  6. Review access policies, identity rules, and service targeting to make sure authorization and routing agree on the same destination.
  7. Inspect recent subnet overlaps, VPN changes, or network renumbering that may cause traffic to follow the wrong private path.
  8. Re-test with logs from both the connector side and the application side so you can see where the traffic stops.
  9. Keep tunnel routes, internal addressing, and access policies documented together so future network changes do not silently break private reachability.