Skip to content

SpectrumApplication

Source: src/Cloudflare/Spectrum/Application.ts

A Cloudflare Spectrum application — DDoS protection and proxying for arbitrary TCP/UDP services (SSH, Minecraft, RDP, custom protocols), not just HTTP.

An application is identified by its auto-assigned appId; its user-visible identity within a zone is the edge hostname (dns.name) + protocol pair. All configuration is mutable in place via PUT — only zoneId forces a replacement.

Spectrum is plan-gated: Pro zones get SSH (tcp/22) and Minecraft (tcp/25565), Business adds RDP, and Enterprise unlocks arbitrary ports/ranges, UDP, static edge IPs, and PROXY Protocol. On unentitled zones every create fails with the typed SpectrumProtocolNotAvailable error.

Safety: Spectrum applications carry no ownership markers. When there is no prior state, read scans the zone for an application with the same dns.name + protocol and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.

Proxying SSH

Section titled “Proxying SSH”
const ssh = yield* Cloudflare.SpectrumApplication("Ssh", {
  zoneId: zone.zoneId,
  dns: { type: "CNAME", name: "ssh.example.com" },
  protocol: "tcp/22",
  originDirect: ["tcp://203.0.113.1:22"],
});

Origin via DNS

Section titled “Origin via DNS”
yield* Cloudflare.SpectrumApplication("Minecraft", {
  zoneId: zone.zoneId,
  dns: { type: "CNAME", name: "mc.example.com" },
  protocol: "tcp/25565",
  originDns: { name: "origin.example.com" },
  originPort: 25565,
});

Enterprise features

Section titled “Enterprise features”
// Arbitrary ports/protocols, UDP, and proxyProtocol require an
// Enterprise plan with Spectrum.
yield* Cloudflare.SpectrumApplication("Dns", {
  zoneId: zone.zoneId,
  dns: { type: "CNAME", name: "dns.example.com" },
  protocol: "udp/53",
  originDirect: ["udp://203.0.113.1:53"],
  ipFirewall: true,
  proxyProtocol: "simple",
});