From Cloudflare Tunnel to Tailscale Funnel

From Cloudflare Tunnel to Tailscale Funnel

From Cloudflare Tunnel to Tailscale Funnel

This talk walks through a migration from Cloudflare Tunnel to a private-first design built around a Tailscale tailnet for internal access, with Tailscale Funnel used only for the small number of services that truly need public reachability.

I will compare the two architectures, explain what changed operationally, and show how to decide which services should remain private and which should be exposed publicly.

The session covers migration planning, service classification, internal naming with MagicDNS, policy design with grants, and the practical limits of the approach. I will also share what worked, what broke, and where the architecture became simpler or more secure after moving most services off the public internet.