7 months ago
Hello, just wondering how GeoIP routing works in conjunction with Cloudflare Tunnels. Is this possible?
7 months ago
it is not possible right now, the cf tunnel will tunnel to any replica in any region due to how dns on the private network works
7 months ago
routing to the closest deployment is specific to public traffic through our proxy
Thank you, that's what I figured. I'm guessing I would need to deploy the services separately in each region with their own local CF Tunnel service, then use a CF Load balancer to route to the closest tunnel etc.
Seems like switching over to the railway ingress would be a lot simpler.
The reasons for being on a CF Tunnel currently would be:
DDoS Protection
Unexposed Origin IPs
ZeroTrust access to specific pages/sections on our web services that can be placed behind Azure AD without having to integrate an entire SSO auth
What interests me most about multi-region is not placing the services closer to the user for performance, but failover.
7 months ago
well if you don't actually care about multi region, just add multiple replicas to a single region
7 months ago
but otherwise, yes the solution you mentioned is exactly what you would need to do
I care about multi-region for failover purposes, just not as much for performance
7 months ago
replicas in the same region will have failover, at least as long as the cf tunnel service will try multiple replicas via their DNS results
7 months ago
we have multiple hosts per region
Thinking more along these lines when the whole datacenter is down. Would be nice to just failover to a different region.
7 months ago
Ah gotcha, yes we only use a single zone per region so if the GCP datacenter itself goes down, that can happen same as it did to Cloudflare.
Then sounds like you do want to implement the solution you mentioned!
7 months ago
sounds good, anything else i can help with?
Status changed to Solved brody • 7 months ago