I have a static front-end and a compute back-end on the DO App Platform. I’d like to put it behind a Cloudflare Zero Trust Tunnel. I created a Droplet and installed the Cloudflare docker and the tunnel is healthy.
My questions are-
- Do the App Platform deployments live on my VPC network?
- If so, how can I find their IP address?
- How can I turn off public access to App Platform apps? (static and compute)
We really like the ease of auto-deploy when the App Platfom is linked up to bitbucket- so I don’t want to have to build an image and host on a droplet.
Any thoughts or best practices are appreciated.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Hey!
If I remember correctly the DigitalOcean App Platform apps don’t live inside your VPC, so you won’t be able to get internal IPs or restrict access via VPC-level controls. That also means you can’t natively route App Platform traffic through your Cloudflare Tunnel the same way you would with a Droplet.
There’s a feature request open for this exact thing, VPC support for App Platform apps and managed services: 👉 https://ideas.digitalocean.com/app-platform/p/vpc-with-apps-droplets-and-managed-databases
Make sure to upvote it!
Until then, one workaround is to place your App Platform backend behind Basic Auth or IP filtering (via headers + app logic), and tunnel via a proxy Droplet using your Cloudflare tunnel setup, though that adds some complexity.
Hope this helps!
Yes, you can run a DigitalOcean App Platform service behind a Cloudflare Zero Trust Tunnel, but it requires some setup to ensure secure and seamless connectivity. Essentially, Cloudflare Zero Trust Tunnel (formerly Argo Tunnel) creates a secure outbound-only connection from your app to Cloudflare’s network, allowing you to protect your app without exposing it directly to the internet.
To achieve this with DigitalOcean App Platform:
-
Set up Cloudflare Tunnel: Install and configure the Cloudflare Tunnel client (cloudflared) within your app environment or a connected server that can proxy traffic.
-
Configure your app to listen locally: Your app should accept traffic on a local port that Cloudflare Tunnel will forward requests to.
-
DNS and Access Policies: Point your domain’s DNS to Cloudflare, and configure Zero Trust Access policies to control who can reach your app through the tunnel.
-
Firewall and Security: You can restrict DigitalOcean’s inbound firewall rules to only allow connections from Cloudflare’s IP ranges or rely on the tunnel to avoid public exposure.
Keep in mind that since DigitalOcean App Platform is a managed service, direct control over the underlying infrastructure is limited, so using a separate VM or container with cloudflared acting as a proxy can sometimes be easier.
This setup enhances security by ensuring all traffic goes through Cloudflare’s Zero Trust controls, adding layers like identity verification, device posture checks, and threat protection.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.