Use virtual networks to change user egress IPs
This tutorial gives administrators an easy way to let users switch their egress IP address between any of your assigned dedicated egress IP addresses. Users choose which egress IP to use by switching virtual networks directly in the WARP client.
Changing egress IPs can be useful in quality assurance (QA) and other similar scenarios in which users both use their local egress location and either switch to or simulate other remote locations.
Make sure you have:
- Deployed the WARP client on your users' devices.
- Configured tunnels to connect your private network to Cloudflare. This tutorial assumes you have:
  - Created two tunnels through the dashboard.
  - Routed 10.0.0.0/8 through one tunnel.
  - Routed 192.168.88.0/24 through the other tunnel.
- Received multiple dedicated egress IP addresses.
First, create virtual networks corresponding to your dedicated egress IPs.
Dashboard

1. In Zero Trust, go to Settings > WARP Client.
2. In Network locations, go to Virtual networks and select Manage.
3. Select Create virtual network.
4. Name your virtual network. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network vnet-AMER.
5. Select Save.
6. Repeat Steps 3-5 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called vnet-EMEA for egress from Europe, the Middle East, and Africa.

API

1. Create a virtual network corresponding to one of your dedicated egress IPs. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network vnet-AMER.

   Required API token permissions. At least one of the following token permissions is required:
   - Cloudflare One Networks Write
   - Cloudflare Tunnel Write

   Create a virtual network:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "comment": "Virtual network to egress from the Americas",
       "is_default": false,
       "name": "vnet-AMER"
     }'
   ```

   For more information, refer to Create a virtual network.
2. Repeat Step 1 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called vnet-EMEA for egress from Europe, the Middle East, and Africa.
After creating your virtual networks, route your private network CIDRs over each virtual network. This ensures that users can reach all services on your network regardless of which egress IP they use.
Dashboard

1. Go to Networks > Tunnels.
2. Select your tunnel routing 10.0.0.0/8, then select Configure.
3. Go to Private Networks. Select the 10.0.0.0/8 route.
4. In Additional settings, choose your first virtual network. For example, vnet-AMER.
5. Select Save private network.
6. To route 10.0.0.0/8 over another virtual network, select Add a private network.
7. In CIDR, enter 10.0.0.0/8. In Additional settings, choose your second virtual network. For example, vnet-EMEA.
8. Select Save private network.
9. Repeat Steps 6-8 for each virtual network you created.
10. Return to Networks > Tunnels. Repeat Steps 2-9 for each private network tunnel route.

API

1. Assign your first virtual network to your private network route. For example, assign vnet-AMER to your tunnel that routes 10.0.0.0/8:

   Required API token permissions. At least one of the following token permissions is required:
   - Cloudflare One Networks Write
   - Cloudflare Tunnel Write

   Update a tunnel route:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \
     --request PATCH \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "network": "10.0.0.0/8",
       "tunnel_id": "<TUNNEL_UUID>",
       "virtual_network_id": "<VNET_AMER_UUID>"
     }'
   ```

   For more information, refer to Update a tunnel route.
2. Repeat this process for each virtual network you created. For example:

   Required API token permissions. At least one of the following token permissions is required:
   - Cloudflare One Networks Write
   - Cloudflare Tunnel Write

   Update a tunnel route:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \
     --request PATCH \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "network": "10.0.0.0/8",
       "tunnel_id": "<TUNNEL_UUID>",
       "virtual_network_id": "<VNET_EMEA_UUID>"
     }'
   ```
3. Repeat Steps 1-2 for each private network tunnel route.

Each tunnel connected to your private network should have each of your virtual networks assigned to it. For example, if you have tunnels routing 10.0.0.0/8 and 192.168.88.0/24, both tunnels should have the vnet-AMER and vnet-EMEA virtual networks assigned.
| Tunnel | CIDR | Virtual network |
|---|---|---|
| Tunnel 1 | 10.0.0.0/8 | vnet-AMER |
| Tunnel 1 | 10.0.0.0/8 | vnet-EMEA |
| Tunnel 2 | 192.168.88.0/24 | vnet-AMER |
| Tunnel 2 | 192.168.88.0/24 | vnet-EMEA |

Next, assign your dedicated egress IPs to each virtual network using Gateway egress policies.
Dashboard

1. In Zero Trust, go to Gateway > Egress policies.
2. Select Add a policy.
3. Name your policy. We recommend including the country or region traffic will egress from.
4. Add the virtual network with the Virtual Network selector. For example:

   | Selector | Operator | Value |
   |---|---|---|
   | Virtual Network | is | vnet-AMER |

5. In Select an egress IP, choose Use dedicated Cloudflare egress IPs. Choose the dedicated IPv4 and IPv6 addresses you want traffic to egress with.
6. Select Create policy.
7. Repeat Steps 1-6 to create a separate egress policy for each virtual network you created.

API

1. Add a Gateway egress policy that matches the corresponding virtual network. For example:

   Required API token permissions. At least one of the following token permissions is required:
   - Zero Trust Write

   Create a Zero Trust Gateway rule:

   ```bash
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "action": "egress",
       "description": "Egress via North America by connecting to vnet-AMER",
       "enabled": true,
       "filters": ["egress"],
       "name": "Egress AMER vnet",
       "precedence": 0,
       "traffic": "net.vnet_id == <VNET_AMER_UUID>",
       "rule_settings": {
         "egress": {
           "ipv4": "<DEDICATED_IPV4_ADDRESS>",
           "ipv4_fallback": "<SECONDARY_DEDICATED_IPV4_ADDRESS>",
           "ipv6": "<DEDICATED_IPV6_ADDRESS>"
         }
       }
     }'
   ```

   For more information, refer to Create a Zero Trust Gateway rule.
2. Repeat Step 1 to create an egress policy for each virtual network you created.

Each policy you create should correspond to a different primary dedicated egress IP.
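
The route coverage table and the one-primary-IP-per-policy rule above can be checked mechanically before users start switching networks. The following is an added example, not Cloudflare's code: it audits a constructed inventory whose keys follow the request bodies in this tutorial (the `id` key on a virtual network and all sample UUIDs and addresses are assumptions).

```python
import re
from itertools import product

# Constructed sample inventory, not real account data. Keys follow the request
# bodies in this tutorial; the "id" key on a virtual network and the sample
# UUIDs and addresses (RFC 5737 documentation range) are assumptions.
VNETS = [{"id": "uuid-amer", "name": "vnet-AMER"},
         {"id": "uuid-emea", "name": "vnet-EMEA"}]
ROUTES = [
    {"network": "10.0.0.0/8", "tunnel_id": "tunnel-1", "virtual_network_id": "uuid-amer"},
    {"network": "10.0.0.0/8", "tunnel_id": "tunnel-1", "virtual_network_id": "uuid-emea"},
    {"network": "192.168.88.0/24", "tunnel_id": "tunnel-2", "virtual_network_id": "uuid-amer"},
    # 192.168.88.0/24 over vnet-EMEA is deliberately left out.
]
POLICIES = [  # both policies reuse one primary IPv4 on purpose
    {"name": "Egress AMER vnet", "action": "egress", "enabled": True,
     "traffic": "net.vnet_id == uuid-amer",
     "rule_settings": {"egress": {"ipv4": "203.0.113.10"}}},
    {"name": "Egress EMEA vnet", "action": "egress", "enabled": True,
     "traffic": "net.vnet_id == uuid-emea",
     "rule_settings": {"egress": {"ipv4": "203.0.113.10"}}},
]

def missing_routes(vnets, routes):
    """Return (tunnel_id, CIDR, vnet name) triples absent from the route list."""
    have = {(r["tunnel_id"], r["network"], r["virtual_network_id"]) for r in routes}
    pairs = sorted({(r["tunnel_id"], r["network"]) for r in routes})
    return [(t, cidr, v["name"]) for (t, cidr), v in product(pairs, vnets)
            if (t, cidr, v["id"]) not in have]

def egress_findings(vnets, policies):
    """Return (vnets with no enabled egress policy, primary IPv4s shared by vnets)."""
    ip_by_vnet = {}
    for p in policies:
        m = re.search(r'net\.vnet_id\s*==\s*"?([\w-]+)', p.get("traffic", ""))
        if m and p.get("action") == "egress" and p.get("enabled"):
            ip_by_vnet.setdefault(m.group(1), p["rule_settings"]["egress"]["ipv4"])
    unmatched = [v["name"] for v in vnets if v["id"] not in ip_by_vnet]
    by_ip = {}
    for v in vnets:
        if v["id"] in ip_by_vnet:
            by_ip.setdefault(ip_by_vnet[v["id"]], []).append(v["name"])
    return unmatched, {ip: n for ip, n in by_ip.items() if len(n) > 1}

if __name__ == "__main__":
    print("missing routes:", missing_routes(VNETS, ROUTES))
    print("egress findings:", egress_findings(VNETS, POLICIES))
```

A missing triple means users on that virtual network lose the private route when they switch; a shared primary IP means destination allowlists cannot tell the two virtual networks apart.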
Windows, macOS, and Linux

1. On your user's device, log in to your Zero Trust organization in the WARP client.
2. In a terminal, run the following command to check the default egress IP address.

   ```bash
   curl ifconfig.me -4
   ```

   The command should output your organization's default egress IP.
3. In the WARP client, select the gear icon > Virtual Networks. Choose a virtual network you created.
4. Check the egress IP address by running `curl ifconfig.me -4` again. The command should output the IP address specified in your egress policy.

iOS and Android

1. On your user's device, log in to your Zero Trust organization in the Cloudflare One Agent app.
2. In a browser, go to ifconfig.me. Your organization's default egress IP should appear in IP Address.
3. In Cloudflare One Agent, go to Advanced > Connection options > Virtual networks. Choose a virtual network you created.
4. Check the egress IP address by reloading the browser page from Step 1. The IP address specified in your egress policy should appear in IP Address.

While your users are connected to a virtual network, their traffic will route via the dedicated egress IP specified. You can repeat these steps to test that each virtual network is egressing from the correct IP.