Blog

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

Previously, you could only stream logs from one replica at a time. With this update:

• Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel’s overview page under Connectors. Select any replica to stream its logs.
• Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

For more information, refer to Tunnel log streams and Deploy replicas.

DNS Analytics is now available for customers with Customer Metadata Boundary (CMB) set to EU. Query your DNS analytics data while keeping metadata stored in the EU region.

This update includes:

• DNS Analytics — Access the same DNS analytics experience for zones in CMB=EU accounts.
• EU data residency — Analytics data is stored and queried from the EU region, meeting data localization requirements.
• DNS Firewall Analytics — DNS Firewall analytics is now supported for CMB=EU customers.

Availability

Available to customers with the Data Localization Suite who have Customer Metadata Boundary configured for the EU region.

Where to find it

• Authoritative DNS: In the Cloudflare dashboard, select your zone and go to the Analytics page.

  Go to Analytics

• DNS Firewall: In the Cloudflare dashboard, go to the DNS Firewall Analytics page.

  Go to Analytics

For more information, refer to DNS Analytics and DNS Firewall Analytics.

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

Previously, you could only stream logs from one replica at a time. With this update:

• Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel’s overview page under Connectors. Select any replica to stream its logs.
• Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

For more information, refer to Tunnel log streams and Deploy replicas.

Cloudflare dashboard SCIM provisioning operations are now captured in Audit Logs v2, giving you visibility into user and group changes made by your identity provider.

Logged actions:

For more details, refer to the Audit Logs v2 documentation.

The Security Overview has been updated to provide Application Security customers with more actionable insights and a clearer view of their security posture.

Key improvements include:

• Criticality for all Insights: Every insight now includes a criticality rating, allowing you to prioritize the most impactful security action items first.
• Detection Tools Section: A new section displays the security detection tools available to you, indicating which are currently enabled and which can be activated to strengthen your defenses.
• Industry Peer Comparison (Enterprise customers): A new module from Security Reports benchmarks your security posture against industry peers, highlighting relative strengths and areas for improvement.

For more information, refer to Security Overview.

AI Gateway now supports the cf-aig-collect-log-payload header, which controls whether request and response bodies are stored in logs. By default, this header is set to true and payloads are stored alongside metadata. Set this header to false to skip payload storage while still logging metadata such as token counts, model, provider, status code, cost, and duration.

This is useful when you need usage metrics but do not want to persist sensitive prompt or response data.

curl https://gateway.ai.cloudflare.com/v1/$ACCOUNT_ID/$GATEWAY_ID/openai/chat/completions 
  --header "Authorization: Bearer $TOKEN" 
  --header 'Content-Type: application/json' 
  --header 'cf-aig-collect-log-payload: false' 
  --data '{
    "model": "gpt-4o-mini",
    "messages": [
      {
        "role": "user",
        "content": "What is the email address and phone number of user123?"
      }
    ]
  }'

For more information, refer to Logging.

You can now set topK up to 50 when a Vectorize query returns values or full metadata. This raises the previous limit of 20 for queries that use returnValues: true or returnMetadata: "all".

Use the higher limit when you need more matches in a single query response without dropping values or metadata. Refer to the Vectorize API reference for query options and current topK limits.

Cloudflare-generated 1xxx error responses now include a standard Retry-After HTTP header when the error is retryable. Agents and HTTP clients can read the recommended wait time from response headers alone — no body parsing required.

Changes

Seven retryable error codes now emit Retry-After:

The header value matches the existing retry_after body field in JSON and Markdown responses.

If a WAF rate limiting rule has already set a dynamic Retry-After value on the response, that value takes precedence.

Availability

Available for all zones on all plans.

Verify

Check for the header on any retryable error:

curl -s --compressed -D - -o /dev/null -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | grep -i retry-after

References:

• RFC 9110 section 10.2.3 – Retry-After
• Cloudflare 1xxx error documentation

A new wrangler containers instances command lists all instances for a given Container application. This mirrors the instances view in the Cloudflare dashboard.

The command displays each instance’s ID, name, state, location, version, and creation time:

wrangler containers instances <APPLICATION_ID>

Use the --json flag for machine-readable output, which is also the default format in non-interactive environments such as CI pipelines.

For the full list of options, refer to the containers instances command reference.

You can now SSH into running Container instances using Wrangler. This is useful for debugging, inspecting running processes, or executing one-off commands inside a Container.

To connect, enable wrangler_ssh in your Container configuration and add your ssh-ed25519 public key to authorized_keys:

• wrangler.jsonc

  {
    "containers": [
      {
        "wrangler_ssh": {
          "enabled": true
        },
        "authorized_keys": [
          {
            "name": "<NAME>",
            "public_key": "<YOUR_PUBLIC_KEY_HERE>"
          }
        ]
      }
    ]
  }

• wrangler.toml

  [[containers]]
  [containers.wrangler_ssh]
  enabled = true
  
  [[containers.authorized_keys]]
  name = "<NAME>"
  public_key = "<YOUR_PUBLIC_KEY_HERE>"

Then connect with:

wrangler containers ssh <INSTANCE_ID>

You can also run a single command without opening an interactive shell:

wrangler containers ssh <INSTANCE_ID> -- ls -al

Use wrangler containers instances <APPLICATION> to find the instance ID for a running Container.

For more information, refer to the SSH documentation.