Hacker News | supermatti's comments

For example, Cloudflare tunnels will not work if restarted; our production is running with 1 single tunnel now.


What's the reason for using tunnels and not just IP addresses?


You don't have to expose any ports to the internet, preventing people from finding and directly attacking your origin servers.


Only downside seems to be the performance of tunnels in containers. I use them for my personal website, did a bit of load testing and was able to get significantly more RPS without the CF Tunnel. Might be something on my end though, not sure.


That's interesting. Cloudflare tunnels do a few things that I expected to make it perform better in general: obviously TLS termination on CF's side where they likely have faster hardware doing that (at least faster than many customers), then the keep-alive sockets for tunnel<->CF, and I think they use UDP/QUIC for the tunnel<->CF connection[0] which I figure could remove some latency.

[0]: `lsof -i | grep cloudfl` shows me 4 UDP connections & 1 TCP


Makes firewall/ACL administration much simpler for one. Also makes it easier to hide and/or rotate origin IPs.


I hate that the Shopify app has Cloudflare tunnels ingrained by default. You can use other tunnels, i.e. ngrok, but it's a lot more manual with the setup.


Tunnels work until you restart them


I hope you didn’t find that out the hard way.


the hard way is the only way


this man has found out


This feels like data and control planes being at least somewhat separated.


As a general rule, Cloudflare hot paths (CDN, etc.) tend to still work during an API outage. Communication between the API servers and the hot paths is mostly async, and they (usually) work fine independently.


That's great to hear. Would be scary if they experienced a full outage.

