Session

From Cloudflare Tunnel to Tailscale Funnel

Many self-hosted environments start with the same pattern: expose services through a public tunnel, then gradually realize that most of those services never needed to be public in the first place. This talk walks through a migration from Cloudflare Tunnel to a private-first design built around a Tailscale tailnet for internal access, with Tailscale Funnel used only for the small number of services that truly need public reachability. Tailscale describes a tailnet as a private space that is not publicly accessible, while Funnel is designed to expose selected services from that private network to the internet.

I will compare the two architectures, explain what changed operationally, and show how to decide which services should remain private and which should be exposed publicly. Cloudflare Tunnel routes traffic through Cloudflare’s network using outbound cloudflared connections, while Tailscale Funnel exposes a local service through Tailscale’s Funnel relay servers and TCP proxy. The tradeoff is not simply “one is better,” but whether your environment benefits more from a public-edge-first model or a private-network-first model.

The session covers migration planning, service classification, internal naming with MagicDNS, policy design with grants, and the practical limits of the approach. I will also share what worked, what broke, and where the architecture became simpler or more secure after moving most services off the public internet. Tailscale supports MagicDNS, automatic NAT traversal, and both direct and relayed connectivity inside the tailnet, but public Funnel traffic has its own routing model and should be evaluated on its own terms.

Sachin Gupta

Technical Leader at eBay

San Jose, California, United States
