
Cloudflare Spectrum — TCP/UDP Protection for Non-HTTP Traffic

DodaTech Updated 2026-06-23 4 min read

In this tutorial, you'll learn about Cloudflare Spectrum. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloudflare Spectrum extends DDoS protection and traffic acceleration to any TCP or UDP application, not just HTTP services. This tutorial explains how Spectrum works, how to configure it for non-web protocols, and how it fits into your overall security architecture.

Why Spectrum Matters

HTTP traffic gets Cloudflare protection automatically, but many applications use custom TCP or UDP protocols. Gaming servers use UDP. Email relays use SMTP over TCP. SSH uses TCP on port 22. Without Spectrum, these services are exposed directly to the internet and vulnerable to layer 3 and layer 4 DDoS attacks.

Real-world use: DodaZIP's enterprise file transfer service uses Spectrum to proxy SFTP traffic on port 22. DDoS attacks that previously saturated the 1 Gbps origin link are now absorbed at Cloudflare's edge, and the service maintains availability during attacks exceeding 1 Tbps.

How Spectrum Works

flowchart LR
  C[Client] --> E1[Cloudflare Edge]
  E1 --> E2[Cloudflare Network]
  E2 --> O[Origin Server]
  subgraph SP[Spectrum Proxy]
    E1
    E2
  end
  C -.->|TCP/UDP| E1
  E2 -.->|TCP/UDP| O
  style C fill:#09c,color:#fff
  style O fill:#090,color:#fff
  style SP fill:#f90,color:#fff

Spectrum vs Proxy

The main difference between Cloudflare proxy (orange cloud) and Spectrum is the protocol support.

| Feature | Cloudflare Proxy (HTTP) | Spectrum (TCP/UDP) |
|---|---|---|
| Protocols | HTTP, HTTPS, WebSocket | Any TCP or UDP |
| Port support | Standard web ports | Any port |
| DDoS protection | Layer 7 | Layer 3-4 + optional L7 |
| Caching | Yes | No |
| WAF rules | Yes | No (L4 only) |

Configuring Spectrum

Spectrum requires an Enterprise plan. Configuration happens under the Spectrum tab in the dashboard or via API.

# Create a Spectrum application for SSH (TCP/22)
# Spectrum apps are zone-scoped: substitute your own {zone_id} and {api_token}
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "tcp/22",
    "dns": {
      "type": "CNAME",
      "name": "ssh.example.com"
    },
    "origin_direct": ["tcp://203.0.113.10:22"],
    "ip_firewall": true,
    "proxy_protocol": "off",
    "tls": "off",
    "traffic_type": "direct"
  }'

# Traffic flows: client -> Cloudflare edge -> 203.0.113.10:22

# Create a Spectrum application for UDP gaming server
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "udp/27015",
    "dns": {
      "type": "CNAME",
      "name": "game.example.com"
    },
    "origin_direct": ["udp://203.0.113.20:27015"],
    "ip_firewall": true,
    "traffic_type": "direct"
  }'

# UDP traffic is proxied through Cloudflare's edge network

# Verify Spectrum application status
curl -s "https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps" \
  -H "Authorization: Bearer {api_token}" | jq '.result[].status'

# Returns "active" or "disabled" for each Spectrum app

DDoS Protection for Non-HTTP Traffic

Spectrum provides layer 3 and layer 4 DDoS mitigation. Attack traffic is dropped at the edge before reaching your origin.

# Enable IP Access Rules for Spectrum
# Navigate to Security > WAF > IP Access Rules
# Apply rules globally or per-Spectrum-app
# Rule example: block traffic from specific countries or ASNs

# Configure rate limiting for Spectrum connections
# Under Security > Rate Limiting, create a rule targeting
# spectrum traffic by destination port
# Example: Max 100 connections per IP per 10 seconds on port 22
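
A pre-flight lint for app definitions like the ones in the Configuring Spectrum section, tying the `ip_firewall` field to the IP Access Rules step above. This is an added example, not Cloudflare's or the tutorial author's code; the function names, the sample entries and the `rdp.example.com` host are constructed, and treating a missing `ip_firewall` as disabled is an assumption.

```python
import json

# Constructed sample: app definitions in the shape of the request bodies
# shown in this tutorial (hostnames and addresses are placeholders).
SAMPLE_APPS = json.loads("""[
  {"protocol": "tcp/22", "dns": {"name": "ssh.example.com"},
   "origin_direct": ["tcp://203.0.113.10:22"],
   "ip_firewall": true, "proxy_protocol": "off"},
  {"protocol": "udp/27015", "dns": {"name": "game.example.com"},
   "origin_direct": ["tcp://203.0.113.20:27015"],
   "ip_firewall": true, "proxy_protocol": "off"},
  {"protocol": "tcp/3389", "dns": {"name": "rdp.example.com"},
   "origin_direct": ["tcp://203.0.113.30:3389"],
   "ip_firewall": false, "proxy_protocol": "v1"}
]""")


def audit_app(app):
    """Return (severity, message) findings for one app definition."""
    name = app.get("dns", {}).get("name", "<unnamed>")
    transport, _, port = app.get("protocol", "").partition("/")
    # Only the single-port "tcp/22" form used in this tutorial is handled.
    if transport not in ("tcp", "udp") or not port.isdigit():
        return [("error", f"{name}: protocol is not in transport/port form")]
    findings = []
    for origin in app.get("origin_direct", []):
        scheme = origin.split("://", 1)[0]
        if scheme != transport:
            findings.append(("error", f"{name}: origin {origin} does not match the {transport} listener"))
    # Assumption: an absent ip_firewall field is treated as disabled.
    if not app.get("ip_firewall", False):
        findings.append(("warn", f"{name}: ip_firewall is off, IP Access Rules will not apply"))
    # Without Proxy Protocol the origin only sees Cloudflare source addresses,
    # so per-client controls on the origin cannot tell clients apart.
    if app.get("proxy_protocol", "off") == "off":
        findings.append(("info", f"{name}: proxy_protocol is off, origin logs show Cloudflare addresses"))
    return findings


def audit(apps):
    """Flatten the findings for a list of app definitions."""
    return [finding for app in apps for finding in audit_app(app)]


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_APPS):
        print(f"{severity.upper():5} {message}")
```

The same functions can be pointed at the `result` array of the list call instead of the constructed sample.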

FAQ

What protocols does Cloudflare Spectrum support?

Spectrum supports any TCP or UDP protocol. Common use cases include SSH (TCP/22), RDP (TCP/3389), SMTP (TCP/25), DNS (UDP/53), gaming protocols (UDP/27015+), and custom enterprise applications.

Can I use Spectrum without an Enterprise plan?

No. Spectrum is an Enterprise-only feature. However, some protocols can be tunneled through Cloudflare Tunnel or Argo Tunnel as an alternative for non-Enterprise accounts.

Does Spectrum support TLS termination for TCP traffic?

Yes. Spectrum can terminate TLS at the edge for TCP traffic, then forward the decrypted traffic to your origin. Set the TLS field to "on" in the app configuration. Your origin does not need its own TLS certificate.

Practice Questions

  1. What is the main difference between Cloudflare proxy and Spectrum?
  2. How does Spectrum protect non-HTTP services from DDoS attacks?
  3. What configuration changes are needed on the origin side when using Spectrum with TLS termination?

Summary

Cloudflare Spectrum protects any TCP or UDP application with edge-based DDoS mitigation and traffic acceleration. It extends Cloudflare's security capabilities beyond HTTP to protocols like SSH, RDP, gaming, and custom TCP/UDP services. Spectrum requires an Enterprise plan and is configured through the dashboard or API with a DNS record pointing to your origin server.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
