Use virtual networks to change user egress IPs
This tutorial gives administrators an easy way to let their users switch their egress IP address between any of your assigned dedicated egress IP addresses. Users choose which egress IP to use by switching virtual networks directly in the WARP client.
Changing egress IPs can be useful in quality assurance (QA) and other similar scenarios in which users both use their local egress location and either switch to or simulate other remote locations.
Before you begin
Make sure you have:
- Deployed the WARP client on your users’ devices.
- Configured tunnels to connect your private network to Cloudflare. This tutorial assumes you have:
  - Created two tunnels through the dashboard.
  - Routed `10.0.0.0/8` through one tunnel.
  - Routed `192.168.88.0/24` through the other tunnel.
- Received multiple dedicated egress IP addresses.
Create a virtual network for each egress route
First, create virtual networks corresponding to your dedicated egress IPs.

In the dashboard:

1. In Zero Trust, go to Settings > WARP Client.
2. In Network locations, go to Virtual networks and select Manage.
3. Select Create virtual network.
4. Name your virtual network. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`.
5. Select Save.
6. Repeat Steps 3-5 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called `vnet-EMEA` for egress from Europe, the Middle East, and Africa.

With the API:

1. Create a virtual network corresponding to one of your dedicated egress IPs. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`.

   ```bash
   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/teamnet/virtual_networks \
     --header "Authorization: Bearer <API_TOKEN>" \
     --header 'Content-Type: application/json' \
     --data '{"comment": "Virtual network to egress from the Americas", "is_default": false, "name": "vnet-AMER"}'
   ```

   For more information, refer to Create a virtual network.
2. Repeat Step 1 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called `vnet-EMEA` for egress from Europe, the Middle East, and Africa.
Assign each virtual network to each tunnel
After creating your virtual networks, route your private network CIDRs over each virtual network. This ensures that users can reach all services on your network regardless of which egress IP they use.

In the dashboard:

1. Go to Networks > Tunnels.
2. Select your tunnel routing `10.0.0.0/8`, then select Configure.
3. Go to Private Network. Select the `10.0.0.0/8` route.
4. In Additional settings, choose your first virtual network. For example, `vnet-AMER`.
5. Select Save private network.
6. To route `10.0.0.0/8` over another virtual network, select Add a private network.
7. In CIDR, enter `10.0.0.0/8`. In Additional settings, choose your second virtual network. For example, `vnet-EMEA`.
8. Select Save private network.
9. Repeat Steps 6-8 for each virtual network you created.
10. Return to Networks > Tunnels. Repeat Steps 2-9 for each private network tunnel route.

With the API:

1. Assign your first virtual network to your private network route. For example, assign `vnet-AMER` to your tunnel that routes `10.0.0.0/8`:

   ```bash
   curl --request PATCH \
     https://api.cloudflare.com/client/v4/accounts/{account_id}/teamnet/routes/{route_id} \
     --header "Authorization: Bearer <API_TOKEN>" \
     --header 'Content-Type: application/json' \
     --data '{"network": "10.0.0.0/8", "tunnel_id": "<TUNNEL_UUID>", "virtual_network_id": "<VNET_AMER_UUID>"}'
   ```

   For more information, refer to Update a tunnel route.
2. Repeat this process for each virtual network you created. For example:

   ```bash
   curl --request PATCH \
     https://api.cloudflare.com/client/v4/accounts/{account_id}/teamnet/routes/{route_id} \
     --header "Authorization: Bearer <API_TOKEN>" \
     --header 'Content-Type: application/json' \
     --data '{"network": "10.0.0.0/8", "tunnel_id": "<TUNNEL_UUID>", "virtual_network_id": "<VNET_EMEA_UUID>"}'
   ```

3. Repeat Steps 1-2 for each private network tunnel route.
Each tunnel connected to your private network should have each of your virtual networks assigned to it. For example, if you have tunnels routing `10.0.0.0/8` and `192.168.88.0/24`, both tunnels should have the `vnet-AMER` and `vnet-EMEA` virtual networks assigned:

| Tunnel | CIDR | Virtual network |
|---|---|---|
| Tunnel 1 | 10.0.0.0/8 | vnet-AMER |
| Tunnel 1 | 10.0.0.0/8 | vnet-EMEA |
| Tunnel 2 | 192.168.88.0/24 | vnet-AMER |
| Tunnel 2 | 192.168.88.0/24 | vnet-EMEA |
Create virtual network egress policies
Next, assign your dedicated egress IPs to each virtual network using Gateway egress policies.

In the dashboard:

1. In Zero Trust, go to Gateway > Egress Policies.
2. Select Add a policy.
3. Name your policy. We recommend including the country or region traffic will egress from.
4. Add the virtual network with the Virtual Network selector. For example:

   | Selector | Operator | Value |
   |---|---|---|
   | Virtual Network | is | vnet-AMER |

5. In Select an egress IP, choose Use dedicated Cloudflare egress IPs. Choose the dedicated IPv4 and IPv6 addresses you want traffic to egress with.
6. Select Create policy.
7. Repeat Steps 1-6 to create a separate egress policy for each virtual network you created.

With the API:

1. Add a Gateway egress policy that matches the corresponding virtual network. For example:

   ```bash
   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
     --header "Authorization: Bearer <API_TOKEN>" \
     --header 'Content-Type: application/json' \
     --data '{
       "action": "egress",
       "description": "Egress via North America by connecting to vnet-AMER",
       "enabled": true,
       "filters": ["egress"],
       "name": "Egress AMER vnet",
       "precedence": 0,
       "traffic": "net.vnet_id == <VNET_AMER_UUID>",
       "rule_settings": {
         "egress": {
           "ipv6": "<DEDICATED_IPV6_ADDRESS>",
           "ipv4": "<DEDICATED_IPV4_ADDRESS>",
           "ipv4_fallback": "<SECONDARY_DEDICATED_IPV4_ADDRESS>"
         }
       }
     }'
   ```

   For more information, refer to Create a Zero Trust Gateway rule.
2. Repeat Step 1 to create an egress policy for each virtual network you created.

Each policy you create should correspond to a different primary dedicated egress IP.
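The route table above and the one-policy-per-virtual-network rule are easy to get wrong by hand once there are several tunnels and regions. The following added example (not Cloudflare's own tooling) builds the route and egress-policy request bodies in the shape this tutorial uses and checks the invariants before anything is sent: every tunnel has a route over every virtual network, every virtual network has exactly one egress policy, the `ipv4`/`ipv6` fields hold the right address family, and no two policies share a primary IPv4. The tunnel and virtual network UUIDs are placeholders and the IP addresses are constructed from documentation ranges.

```python
import ipaddress
from itertools import product

# Constructed inputs mirroring the tutorial: two tunnels, two virtual networks.
# UUIDs are placeholders; IPs come from RFC 5737 / RFC 3849 documentation ranges.
TUNNELS = {"<TUNNEL_1_UUID>": "10.0.0.0/8", "<TUNNEL_2_UUID>": "192.168.88.0/24"}
VNETS = {"vnet-AMER": "<VNET_AMER_UUID>", "vnet-EMEA": "<VNET_EMEA_UUID>"}
EGRESS_IPS = {
    "vnet-AMER": {"ipv4": "203.0.113.10", "ipv6": "2001:db8:a::10", "ipv4_fallback": "203.0.113.11"},
    "vnet-EMEA": {"ipv4": "203.0.113.20", "ipv6": "2001:db8:b::20", "ipv4_fallback": "203.0.113.21"},
}

def route_payloads(tunnels, vnets):
    """One PATCH /teamnet/routes body per (tunnel, virtual network) pair, so every
    private CIDR stays reachable whichever egress IP the user has selected."""
    return [{"network": cidr, "tunnel_id": tid, "virtual_network_id": vid}
            for (tid, cidr), vid in product(tunnels.items(), vnets.values())]

def egress_payloads(vnets, egress_ips):
    """One POST /gateway/rules body per virtual network, shaped like the tutorial's curl call."""
    return [{"action": "egress", "enabled": True, "filters": ["egress"],
             "name": f"Egress {name.removeprefix('vnet-')} vnet", "precedence": i,
             "traffic": f"net.vnet_id == {vid}",
             "rule_settings": {"egress": dict(egress_ips[name])}}
            for i, (name, vid) in enumerate(vnets.items())]

def check(routes, policies, tunnels, vnets):
    """Return the tutorial's invariants that the payloads violate (empty list means OK)."""
    problems = []
    # Every tunnel must carry a route over every virtual network (the table above).
    missing = ({(t, v) for t in tunnels for v in vnets.values()}
               - {(r["tunnel_id"], r["virtual_network_id"]) for r in routes})
    problems += [f"tunnel {t} has no route over vnet {v}" for t, v in sorted(missing)]
    seen_vnets, primary_ipv4 = set(), {}
    for p in policies:
        vid = p["traffic"].removeprefix("net.vnet_id == ")
        if vid not in vnets.values():
            problems.append(f"policy {p['name']} matches unknown vnet {vid}")
        if vid in seen_vnets:
            problems.append(f"vnet {vid} has more than one egress policy")
        seen_vnets.add(vid)
        e = p["rule_settings"]["egress"]
        # ipv4 and ipv4_fallback must be IPv4 addresses, ipv6 an IPv6 address.
        if {k: ipaddress.ip_address(a).version for k, a in e.items()} != {"ipv4": 4, "ipv6": 6, "ipv4_fallback": 4}:
            problems.append(f"policy {p['name']} has an address in the wrong family")
        # Each policy should egress from a different primary dedicated IP.
        if e["ipv4"] in primary_ipv4:
            problems.append(f"policies {primary_ipv4[e['ipv4']]} and {p['name']} share primary IPv4 {e['ipv4']}")
        primary_ipv4.setdefault(e["ipv4"], p["name"])
    problems += [f"vnet {v} has no egress policy" for v in sorted(set(vnets.values()) - seen_vnets)]
    return problems
```

Run `check(route_payloads(TUNNELS, VNETS), egress_payloads(VNETS, EGRESS_IPS), TUNNELS, VNETS)` and send the payloads only when it returns an empty list.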
Test virtual network egress
Windows, macOS, and Linux

1. On your user's device, log in to your Zero Trust organization in the WARP client.
2. In a terminal, run the following command to check the default egress IP address:

   ```bash
   curl ifconfig.me -4
   ```

   The command should output your organization's default egress IP.
3. In the WARP client, select the gear icon > Virtual Networks. Choose a virtual network you created.
4. Check the egress IP address by running `curl ifconfig.me -4` again. The command should output the IP address specified in your egress policy.

iOS and Android

1. On your user's device, log in to your Zero Trust organization in the Cloudflare One Agent app.
2. In a browser, go to ifconfig.me. Your organization's default egress IP should appear in IP Address.
3. In Cloudflare One Agent, go to Advanced > Connection options > Virtual networks. Choose a virtual network you created.
4. Check the egress IP address by reloading the browser page from Step 1. The IP address specified in your egress policy should appear in IP Address.

While your users are connected to a virtual network, their traffic will route via the dedicated egress IP specified. You can repeat these steps to test that each virtual network is egressing from the correct IP.