Proxmox Hosting Architecture Comparison

Arch 1 — Hybrid / Legacy

Cloudflare proxied · DNS A Record · Port forwarding active

👤 Visitor HTTP/HTTPS Request

DNS lookup

Active 🌐 Cloudflare Edge A Record · Proxied ON · IP exposed in Record

Public ISP IP

Port Open 📡 ISP Router Port Forwarding 80/443 active

🔀 CyberPanel Internal Reverse Proxy · Proxmox VM

Online 🌍 site.ip Website Delivered

Port 80/443 OPEN A Record → Public IP Manual DNS on IP change

Online. Cloudflare is proxying, but the router is exposed via port forwarding.

Arch 2 — Modern / Zero Trust

Cloudflare Tunnel · CNAME · Zero port forwarding

👤 Visitor HTTP/HTTPS Request

DNS lookup

Active 🌐 Cloudflare Edge CNAME → Tunnel · No public IP in DNS

CF Tunnel

Connected 🔒 cloudflared Outbound tunnel · Inside-out connection

passes through router
without open ports

🔐 ISP Router All ports CLOSED · Total firewall

Online 📦 Proxmox Container Final destination · cloudflared runs here

Online 🌍 site.zt Website Delivered

Zero port forwarding 100% Hidden IP Auto-healing tunnel

Online. No ports open. ISP IP completely hidden from DNS.

// Comparison Table

Feature	Arch 1 — Hybrid	Arch 2 — Zero Trust
Cloudflare	✓ Proxied (DNS A)	✓ Tunnel (CNAME)
DNS Record	A → Public ISP IP	CNAME → *.cfargotunnel.com
Port Forwarding	80/443 open in router	Zero — router fully closed
ISP IP Visibility	Exposed (required in A Record)	100% Hidden — not in DNS
ISP IP Changes	Site offline → manual A Record update	Auto-healing tunnel — zero intervention
DDoS Attack	Router exposed if CF is bypassed	Blocked at CF edge, router invisible
Connection Type	Outside-In (ports mandatory)	Inside-Out (cloudflared initiates)
Internal Proxy	CyberPanel Reverse Proxy	cloudflared directly in container
Scalability	Tied to ISP static IP	Independent of ISP / IP

// Proxmox Hosting Architecture Comparison