Introduction
When exposing a web application to the internet, two popular approaches dominate in 2026: Cloudflare Tunnel and AWS Application Load Balancer (ALB). Both route traffic to backend services, terminate SSL, and provide some level of protection. But they differ significantly in architecture, cost model, and operational characteristics.
This article breaks down when to use each, and when to combine them.
Architecture Overview
Cloudflare Tunnel
Cloudflare Tunnel (formerly Argo Tunnel) works by running a lightweight daemon (cloudflared) on the server. The daemon establishes outbound, TLS-encrypted connections to Cloudflare's edge network, authenticated with the tunnel's credentials file. No inbound ports need to be open on the server's firewall, so the origin has no publicly reachable listener at all.
```text
User --> Cloudflare Edge (PoP) --> cloudflared daemon --> Application
         (SSL termination)         (outbound only)
```
AWS ALB
AWS ALB is a managed load balancer that runs inside a VPC. An internet-facing ALB gets public IPs in its public subnets, listens on ports 80/443 (whatever listeners are configured), terminates SSL, and forwards traffic to targets in a target group (EC2 instances, IP addresses, ECS tasks, Lambda functions).
```text
User --> AWS ALB (public subnet) --> Target Group --> Application (private subnet)
         (SSL termination)
```
Cost Comparison
| Component | Cloudflare Tunnel | AWS ALB |
|---|---|---|
| Base cost | Free (included with any CF plan) | ~$16/month (hourly fee) + LCU charges |
| SSL certificates | Free, automatic | Free via ACM |
| DDoS protection | Included (L3/L4/L7) | AWS Shield Standard (L3/L4 only) |
| WAF | Managed WAF included on Pro plan (~$20/mo) | AWS WAF: $5/mo per web ACL + $1/rule/mo + $0.60 per million requests |
| Data transfer | Free on CF side | Standard AWS data transfer rates |
For small to medium workloads, Cloudflare Tunnel is significantly cheaper because there is no per-hour load balancer fee and no LCU charges.
DDoS Protection
Cloudflare's entire network is designed for DDoS mitigation. Every request passes through their edge before reaching the origin. With a Tunnel the origin's real IP never appears in DNS and nothing listens on it, so an attacker has no address to hit directly (provided no other service on the host is exposed and the IP was not in public DNS before the move behind Cloudflare).
With ALB, the load balancer has public IPs. AWS Shield Standard provides basic L3/L4 protection at no charge, but L7 DDoS protection requires AWS Shield Advanced ($3,000/month with a one-year commitment) or rate-based rules in AWS WAF, which cap requests per source IP over a sliding window but do not absorb volumetric floods the way the Cloudflare edge does.
SSL and TLS
Both solutions handle SSL termination well, but the hop behind the terminator deserves attention:
- Cloudflare Tunnel: SSL is terminated at the Cloudflare edge. The edge-to-cloudflared leg is the tunnel's own TLS connection, and the cloudflared-to-application leg is usually plain HTTP on localhost. If the application itself speaks TLS, cloudflared verifies its certificate by default; a Cloudflare Origin Certificate (free, up to 15-year validity) is trusted only by Cloudflare's edge, not by browsers or by cloudflared's default verification, so it suits the classic proxied (non-Tunnel) origin in Full (strict) mode, while for a Tunnel you either add the issuing CA to cloudflared's originRequest.caPool or keep the hop on localhost.
- AWS ALB: SSL is terminated at the ALB using certificates from AWS Certificate Manager (free). Backend connections can use HTTPS target groups with self-signed or ACM certificates; note that the ALB does not validate the target's certificate, so that hop is encrypted but the target is not authenticated.
Setup Complexity
Cloudflare Tunnel Setup
```bash
# Install cloudflared (Linux x86_64 build)
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflared

# Authenticate: opens a browser login and stores cert.pem under ~/.cloudflared
cloudflared tunnel login

# Create a tunnel; prints the tunnel UUID and writes ~/.cloudflared/<TUNNEL_ID>.json
cloudflared tunnel create myapp

# Configure the tunnel (replace <TUNNEL_ID> with the UUID printed above;
# the /root path assumes these steps run as root)
cat > ~/.cloudflared/config.yml << 'EOF'
tunnel: <TUNNEL_ID>
credentials-file: /root/.cloudflared/<TUNNEL_ID>.json
ingress:
  - hostname: myapp.example.com
    service: http://localhost:3000
  # Catch-all must be last: unmatched hostnames get a 404 instead of being proxied
  - service: http_status:404
EOF

# Route DNS: creates a proxied CNAME for myapp.example.com pointing at the tunnel
cloudflared tunnel route dns myapp myapp.example.com

# Run as a service: copies the config to /etc/cloudflared/ and installs a systemd unit
cloudflared service install
systemctl enable --now cloudflared
```
Before installing the service, `cloudflared tunnel ingress validate` checks the config file and `cloudflared tunnel ingress rule https://myapp.example.com/` shows which ingress rule a given URL would hit, which catches ordering mistakes with the catch-all rule.
AWS ALB Setup
Setting up an ALB requires: creating a target group with a health check, provisioning the ALB across subnets in at least two availability zones, configuring a security group for the ALB and a separate one for the targets that only admits the ALB, requesting and validating an ACM certificate, creating an HTTPS listener (plus an HTTP listener that redirects to HTTPS), and setting up an alias record in Route 53. This typically involves 15-20 steps in the console or a Terraform module.
When to Use Cloudflare Tunnel
- The server must not expose any inbound port (the only attack surface is the daemon's outbound connection, so nothing on the origin can be scanned or hit directly).
- We want DDoS protection at no extra cost, and Cloudflare's managed WAF on a paid plan.
- The infrastructure runs on bare metal, a VPS, or a home lab.
- Cost is a concern and we want to avoid per-hour load balancer fees.
- We want to expose services running on K3s without a cloud load balancer.
When to Use AWS ALB
- The backend runs on AWS-native services (ECS, EKS, Lambda).
- We need tight integration with AWS WAF rules, Cognito authentication, or other AWS services.
- The application requires advanced routing rules (weighted target groups, host-based routing).
- We already have a mature AWS infrastructure and want to stay within the AWS ecosystem.
Combining Both
In many of our production setups, we use both. Cloudflare sits in front as the CDN and DDoS shield, and the ALB handles internal routing within AWS:
User --> Cloudflare Edge --> ALB (restricted to CF IPs) --> ECS Tasks
The ALB security group only allows TCP 443 from Cloudflare's published IP ranges (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), so the ALB is never directly reachable from the internet. Two caveats apply. First, those lists change over time, so the security group rules must be kept in sync rather than set once; the lists are short enough to fit within the default quota of 60 inbound rules per security group if only 443 is opened. Second, an IP allow-list proves only that a request came through Cloudflare, not through our zone: any Cloudflare customer can point a proxied record at the ALB's hostname. Closing that gap means enabling Authenticated Origin Pulls (Cloudflare presents a client certificate, which an ALB mutual TLS listener can require) or, at minimum, having a Cloudflare Transform Rule add a secret header that an ALB listener rule with an http-header condition checks before forwarding.
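Keeping the security group aligned with Cloudflare's ranges is the part that rots. The script below is an example added for this article, not tooling from Cloudflare or AWS. It assumes the operator supplies the security group ID, that the ranges are fetched from https://www.cloudflare.com/ips-v4 and /ips-v6 (one CIDR per line), that the rules it owns are tagged with a fixed rule description so hand-added rules are never revoked, and that AWS credentials and region come from the usual environment. The planning logic is pure, so it runs offline against the constructed sample data embedded in it; only `sync()` talks to AWS.

```python
"""Sync an ALB security group with Cloudflare's published edge IP ranges.

Example added for this article (not Cloudflare's or AWS's own tooling).
Assumptions: the group ID is supplied by the operator, ranges come from
https://www.cloudflare.com/ips-v4 and /ips-v6, rules owned by this script
carry MANAGED_DESCRIPTION, and AWS credentials/region are in the environment.
"""
import ipaddress
import urllib.request

MANAGED_DESCRIPTION = "Cloudflare edge"   # tags the rules this script owns
ALB_PORTS = (443,)                        # Cloudflare reaches the origin on 443 only
SG_INBOUND_RULE_QUOTA = 60                # default AWS quota: inbound rules per SG

# Constructed sample data in the format of the published lists (not the live lists).
SAMPLE_IPV4 = "173.245.48.0/20\n103.21.244.0/22\n\n"
SAMPLE_IPV6 = "2400:cb00::/32\n2606:4700::/32\n"
# Constructed describe_security_groups() output: two managed rules still current,
# one managed rule for a range no longer published, a hand-added bastion rule,
# and a hand-added rule that duplicates a current Cloudflare range.
SAMPLE_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "173.245.48.0/20", "Description": MANAGED_DESCRIPTION},
                  {"CidrIp": "198.51.100.0/24", "Description": MANAGED_DESCRIPTION}],
     "Ipv6Ranges": [{"CidrIpv6": "2400:cb00::/32", "Description": MANAGED_DESCRIPTION}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.5/32", "Description": "bastion"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "103.21.244.0/22", "Description": "added by hand"}]},
]


def parse_cidr_list(text):
    """One CIDR per line, blanks skipped; a malformed entry raises ValueError
    rather than silently opening the group to something unintended."""
    cidrs = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            cidrs.append(str(ipaddress.ip_network(line, strict=True)))
    return cidrs


def desired_rules(ipv4_text, ipv6_text, ports=ALB_PORTS):
    """The (proto, port, cidr) rules the group should contain."""
    cidrs = parse_cidr_list(ipv4_text) + parse_cidr_list(ipv6_text)
    return {("tcp", port, cidr) for cidr in cidrs for port in ports}


def current_rules(ip_permissions, description=MANAGED_DESCRIPTION):
    """Split IpPermissions into rules this script owns and everything else.
    Only owned rules are ever revoked; foreign ones are reported, not deleted."""
    managed, foreign = set(), set()
    for perm in ip_permissions:
        proto, port = perm.get("IpProtocol"), perm.get("FromPort")
        single_port_tcp = proto == "tcp" and port == perm.get("ToPort")
        entries = [(r["CidrIp"], r.get("Description")) for r in perm.get("IpRanges", [])]
        entries += [(r["CidrIpv6"], r.get("Description")) for r in perm.get("Ipv6Ranges", [])]
        for cidr, desc in entries:
            target = managed if single_port_tcp and desc == description else foreign
            target.add((proto, port, cidr))
    return managed, foreign


def to_ip_permissions(rules, description=MANAGED_DESCRIPTION):
    """Build the IpPermissions argument for authorize/revoke_security_group_ingress."""
    perms = []
    for proto, port, cidr in sorted(rules):
        entry = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
        key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
        entry[key] = [{field: cidr, "Description": description}]
        perms.append(entry)
    return perms


def plan(desired, managed, foreign, quota=SG_INBOUND_RULE_QUOTA):
    """Compute authorize/revoke sets; refuse a plan the group cannot hold."""
    total = len(desired) + len(foreign)
    if total > quota:
        raise ValueError(f"{total} rules exceed the inbound quota of {quota}")
    return {
        "authorize": desired - managed - foreign,  # a foreign duplicate would make authorize fail
        "revoke": managed - desired,               # stale Cloudflare ranges we added earlier
        "foreign": foreign,                        # left alone, but worth a human look
    }


def sync(group_id, ipv4_text, ipv6_text, apply=False):
    """Read the group's rules, plan, and optionally apply. Needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the planning functions above run without it
    ec2 = boto3.client("ec2")
    resp = ec2.describe_security_groups(GroupIds=[group_id])
    managed, foreign = current_rules(resp["SecurityGroups"][0]["IpPermissions"])
    p = plan(desired_rules(ipv4_text, ipv6_text), managed, foreign)
    if apply and p["authorize"]:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=to_ip_permissions(p["authorize"]))
    if apply and p["revoke"]:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=to_ip_permissions(p["revoke"]))
    return p


if __name__ == "__main__":
    import sys
    ipv4 = urllib.request.urlopen("https://www.cloudflare.com/ips-v4").read().decode()
    ipv6 = urllib.request.urlopen("https://www.cloudflare.com/ips-v6").read().decode()
    result = sync(sys.argv[1], ipv4, ipv6, apply="--apply" in sys.argv)
    for action in ("authorize", "revoke", "foreign"):
        print(action, sorted(result[action], key=str))
```

Run it as `python3 sync_cf_sg.py sg-0123456789abcdef0` (hypothetical group ID) to see the plan, then with `--apply` from a scheduled job. The foreign set is deliberately never revoked: a bastion rule someone added by hand should show up in the output for review, not vanish because Cloudflare rotated a range.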
Conclusion
Cloudflare Tunnel is the clear winner for simplicity, cost, and security when running on non-AWS infrastructure or small Kubernetes clusters. AWS ALB is the right choice when deeply integrated with the AWS ecosystem. For maximum protection, combining both layers gives us the best of both worlds.