Starting with cloudflared version 2026.5.2, Cloudflare Tunnel automates the entire connectivity pre-checks workflow directly inside the binary. Previously, customers had to install dig and netcat and run those commands by hand to verify their environment. Now cloudflared does it natively at startup — and surfaces actionable remediation when something is blocked.
On every cloudflared tunnel run (and cloudflared tunnel diag), the binary now natively checks:
- DNS resolution —
region1.v2.argotunnel.comandregion2.v2.argotunnel.comresolve to valid Cloudflare IPs. - Transport connectivity — outbound
UDP (QUIC)andTCP (HTTP/2)on port7844. - Management API — outbound
TCP/443toapi.cloudflare.comfor software updates.
Results are printed in a scannable CLI table with three states:
- ✅ Pass — the check succeeded.
- ⚠️ Warn — a non-blocking issue, for example the Management API is unreachable so automatic updates will not work, but the tunnel will still come up.
- ❌ Fail — a blocking issue, with a specific remediation hint (for example,
Allow outbound UDP on port 7844).
If DNS is unresolvable, or both UDP and TCP fail on port 7844, cloudflared exits early with the failure rather than looping on opaque failed to dial errors.
Pre-checks now run automatically on every start, which also catches regressions like overnight firewall policy changes — no need to remember to rerun the troubleshooting guide.
To get the new behavior, upgrade cloudflared to version 2026.5.2 or later. For more details, refer to the Connectivity pre-checks documentation.
Source: Cloudflare
Latest Posts
- Cloudflare Tunnel, Cloudflare Tunnel for SASE – Cloudflare Tunnel now runs connectivity pre-checks at startup
- Amazon EC2 X8i instances are now available in additional regions
- Dynamics 365 Project Operations – Enable subcontractor vendor invoice matching to actuals [MC1323856]
- Dynamics 365 Sales – Improve opportunity data completeness with AI-powered data enrichment [MC1323861]
