Connect Cloudflare to Claude: Monitor logs and zone security rules
Learn how to connect Cloudflare to Claude via Truto's MCP server. Audit security logs, manage zones, and query firewall rules directly from your LLM.
Managing Cloudflare configurations across multiple zones, WAF rulesets, and team members is a notoriously complex operations task. By connecting Cloudflare to Claude via the Model Context Protocol (MCP), DevOps and security teams can query audit logs, review security overrides, and inspect firewall configurations using natural language.
If your team uses ChatGPT, check out our guide on connecting Cloudflare to ChatGPT. We also have a dedicated walkthrough for connecting Cloudflare to AI Agents if you are building custom multi-agent frameworks.
This guide explains how to generate a Cloudflare MCP server using Truto, attach it to Claude, and execute complex infrastructure queries without writing custom API polling scripts.
The Engineering Reality of the Cloudflare API
Building integrations for Cloudflare exposes a few strict architectural constraints that impact how LLMs navigate the API.
First, there is a hard structural divide between Account-level and Zone-level resources. You cannot simply ask the API for "all firewall rules." Rules belong to specific zones. An LLM must be smart enough to first fetch the zone_id before querying firewall or WAF configurations.
Second, Cloudflare is in a prolonged migration from legacy "Firewall Rules" to modern "Rulesets." The Ruleset API requires understanding distinct phases (like http_request_firewall_custom) and kinds (like zone). When an agent queries WAF configurations, it often needs to parse nested rule parameters and match them against expected actions (block, challenge, log).
Finally, Cloudflare relies heavily on granular API tokens rather than global keys. Your connected account in Truto must have the exact token scopes required for the endpoints you wish to query, or the MCP tools will return 403 Forbidden errors when invoked.
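To make the Rulesets point above concrete, here is an added example (not Truto's or Cloudflare's code) that walks a ruleset listing, keeps only `zone` rulesets in the `http_request_firewall_custom` phase, and reports action counts plus rules a reviewer should look at. It assumes the tool output follows the Cloudflare Rulesets API shape (`kind`, `phase`, `rules[].action`, `rules[].enabled`); the sample data, rule IDs and the `audit_custom_rules` helper are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the shape of a Cloudflare Rulesets API listing;
# IDs, descriptions and expressions are made up for illustration.
SAMPLE_RULESETS = [
    {
        "id": "rs-custom-example",
        "kind": "zone",
        "phase": "http_request_firewall_custom",
        "rules": [
            {"id": "r1", "action": "block", "enabled": True,
             "expression": "(ip.geoip.asnum eq 64500)",
             "description": "Block test ASN"},
            {"id": "r2", "action": "block", "enabled": False,
             "expression": '(http.request.uri.path contains "/admin")',
             "description": "Block admin path (paused)"},
            {"id": "r3", "action": "skip", "enabled": True,
             "expression": '(http.host eq "api.example.com")',
             "description": "Skip WAF for API host"},
            {"id": "r4", "action": "log", "enabled": True,
             "expression": "(cf.threat_score gt 10)",
             "description": "Log suspicious requests"},
        ],
    },
    {"id": "rs-ratelimit-example", "kind": "zone",
     "phase": "http_ratelimit", "rules": []},
]

def audit_custom_rules(rulesets, phase="http_request_firewall_custom"):
    """Summarise one phase: counts of enabled actions plus review findings."""
    counts, findings = Counter(), []
    for rs in rulesets:
        if rs.get("kind") != "zone" or rs.get("phase") != phase:
            continue
        for rule in rs.get("rules") or []:  # "rules" may be absent or null
            action = rule.get("action", "unknown")
            enabled = rule.get("enabled", True)
            if enabled:
                counts[action] += 1
            if action == "skip" and enabled:
                findings.append((rule["id"], "enabled skip rule bypasses later checks"))
            elif action in ("block", "challenge") and not enabled:
                findings.append((rule["id"], "protective rule is disabled"))
    return dict(counts), findings
```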
Creating the Cloudflare MCP Server
Truto dynamically generates MCP tools based on the active integration's documentation and resource schemas. You can provision a new MCP server via the Truto dashboard or programmatically via the API.
1. Via the Truto UI
- Navigate to the Integrated Accounts page in your Truto dashboard and select your connected Cloudflare account.
- Click the MCP Servers tab.
- Click Create MCP Server.
- Define a name (e.g., "Cloudflare SecOps Server").
- Select your desired filters (for example, setting the method to "read" ensures Claude can only monitor data, not alter infrastructure).
- Save and copy the generated MCP server URL.
2. Via the Truto API
For engineering teams automating access provisioning, you can generate the MCP server with a POST request to the /integrated-account/:id/mcp endpoint.
POST https://api.truto.one/integrated-account/<cloudflare_account_id>/mcp
Authorization: Bearer <your_truto_api_token>
Content-Type: application/json

{
  "name": "Cloudflare Audit MCP",
  "config": {
    "methods": ["read", "list", "get"]
  },
  "expires_at": "2025-12-31T23:59:59Z"
}
The API returns a fully qualified remote MCP URL containing a secure cryptographic hash. Truto handles the protocol translation, authentication, and schema formatting automatically.
Connecting the MCP Server to Claude
Once you have the Truto MCP URL, you need to expose it to your Claude environment.
Method A: Claude Desktop UI
Claude natively supports remote HTTP-based MCP connections on its paid plans.
- Open Claude and navigate to Settings -> Connectors -> Add custom connector.
- Paste your Truto MCP URL into the connection field.
- Give the connector a name like "Cloudflare (Truto)".
- Click Add. Claude will instantly parse the available tools and make them available in your workspace.
Method B: Manual Configuration File
If you prefer managing configurations as code or are using Claude Desktop locally, you can edit the claude_desktop_config.json file directly.
{
  "mcpServers": {
    "cloudflare_truto": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-everything",
        "--remote",
        "<YOUR_TRUTO_MCP_URL>"
      ]
    }
  }
}
Note: Replace the args with your specific SSE/HTTP proxy wrapper if you aren't using Claude's native remote URL feature directly.
Hero Tools for Cloudflare Operations
Truto automatically generates highly specific tool functions. Here are the most valuable tools for managing Cloudflare environments via Claude.
list_all_cloudflare_zones
Retrieves the core properties of the domains hosted in your account. Because most security queries require a zone_id, this is almost always the first tool an LLM will call.
Usage Note: The agent can use the name query parameter to directly search for a specific domain rather than paginating through hundreds of records.
"Find the zone ID for example.com."
list_all_cloudflare_audit_logs
Fetches a comprehensive list of change events across the account. This is essential for incident response and compliance tracking.
Usage Note: The LLM can pass actor or action query parameters to filter events, such as tracking when a specific user modified API tokens or DNS records.
"Check the Cloudflare audit logs for the last 48 hours and summarize any changes made to our API tokens."
list_all_cloudflare_firewall_rules
Fetches legacy firewall rules applied to a specific zone.
Usage Note: Always requires the zone_id. The LLM will use this to verify if traffic from certain ASNs or IP blocks is being explicitly blocked or challenged.
"List all the active firewall rules for the staging-app.com zone and tell me if any are currently paused."
list_all_cloudflare_rule_sets
Retrieves modern Rulesets for a specific zone. Cloudflare is shifting WAF functionality here.
Usage Note: Requires zone_id. The output includes deeply nested fields like rules, action, and description. Claude excels at parsing this nested JSON structure to explain what the WAF is actually doing.
"Pull the WAF rulesets for our production zone and summarize what custom rate limits we have configured."
list_all_cloudflare_waf_overrides
Lists specific exceptions to managed WAF rules.
Usage Note: Crucial for debugging "why did this bad traffic get through?" Requires the zone_id. It returns fields indicating rewritten actions and excluded URLs.
"Are there any WAF overrides currently active on the api.example.com zone that might be bypassing our main security rules?"
For the complete tool inventory and full schema details, visit the Cloudflare integration page.
Workflows in Action
When Claude is equipped with these tools, it acts as a senior SecOps assistant. To optimize these interactions, it's helpful to understand how to publish benchmarks and case studies for AI tool calling within your infrastructure. Here is exactly how Claude translates natural language into API execution.
Workflow 1: Investigating a Security Configuration Change
"Someone reported a sudden spike in blocked traffic on example.com. First, get the zone ID for example.com. Next, check the audit logs for any firewall or WAF changes in the past 24 hours. Finally, pull the current rulesets for that zone and summarize the block actions."
Execution Steps:
- Claude calls list_all_cloudflare_zones passing name="example.com" to extract the zone_id.
- Claude calls list_all_cloudflare_audit_logs passing an action filter to look for recent updates by team members.
- Claude calls list_all_cloudflare_rule_sets using the retrieved zone_id to dump the current WAF configuration.
- Result: Claude synthesizes the JSON output, identifying that a team member recently adjusted a custom HTTP request rule to block a specific ASN, and presents the exact rule ID and description.
Workflow 2: Auditing Team Access and Roles
"I need an access review for our primary Cloudflare account. List all current team members and their associated roles. Cross-reference this with the available roles list so I know exactly what permissions each user holds."
Execution Steps:
- Claude calls list_all_cloudflare_accounts to grab the primary account ID.
- Claude calls list_all_cloudflare_members using the account ID to get the list of users and their assigned role IDs.
- Claude calls list_all_cloudflare_roles to get the mapping of role IDs to human-readable permission sets.
- Result: Claude generates a clean markdown table listing every user, their role (e.g., Super Administrator, DNS Manager), and a brief summary of what that role allows them to do based on the API definitions.
Handling Rate Limits
When giving AI agents access to your infrastructure APIs, handling rate limits correctly is critical. Cloudflare enforces strict rate limits on its API (often around 1,200 requests per 5 minutes per user).
Truto does not retry, throttle, or apply backoff on rate limit errors. When the upstream Cloudflare API returns an HTTP 429 error, Truto passes that error directly to the caller.
Truto normalizes the upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF specification. The caller (Claude or your custom AI agent) is entirely responsible for reading these headers and executing the appropriate backoff and retry logic. Do not assume the MCP server will absorb the rate limit; your agent must be programmed to pause execution when it hits the limit.
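One way a custom agent can honour those headers, shown as an added example rather than Truto's code. It assumes `ratelimit-reset` carries the number of seconds until the window resets (the delta-seconds form of the IETF draft) and that the hypothetical `send` callable returns `(status, headers, body)`; the 300-second cap and the exponential fallback are local choices.

```python
import time

def wait_seconds(status, headers, attempt, cap=300.0):
    """Return how long to pause before the next call, or 0.0 to proceed."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        reset = float(h["ratelimit-reset"])      # assumed: seconds until reset
    except (KeyError, ValueError):
        reset = None
    try:
        remaining = int(h["ratelimit-remaining"])
    except (KeyError, ValueError):
        remaining = None
    if status == 429:
        # Prefer the server's reset hint; fall back to exponential backoff
        # when the header is missing or unparseable.
        hint = reset if reset is not None else 2.0 ** attempt
        return max(0.0, min(cap, hint))
    if remaining == 0 and reset is not None:
        # Request succeeded but the budget is spent: pace the next call.
        return max(0.0, min(cap, reset))
    return 0.0

def call_with_backoff(send, max_attempts=5, sleep=time.sleep):
    """Call send() and retry only on HTTP 429, pausing as the headers direct."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        delay = wait_seconds(status, headers, attempt)
        if status != 429:
            if delay:
                sleep(delay)
            return status, body
        if attempt + 1 < max_attempts:
            sleep(delay)
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)
```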
Security and Access Control
Exposing network edge controls to an LLM requires strict governance. For a deeper dive, read our full guide on understanding MCP server security. Truto provides several mechanisms to lock down your MCP server:
- Method Filtering: You can restrict the MCP server config to only allow ["read", "list"] methods. This ensures the LLM can audit logs and view firewall rules, but cannot delete a zone or modify a WAF rule.
- Tag Filtering: Integrations tag resources logically. You can generate an MCP server that only exposes tools tagged with security or dns, preventing the agent from wandering into billing or worker deployments.
- require_api_token_auth: By setting this flag to true, mere possession of the MCP URL is not enough. The connecting client must also pass a valid Truto API token in the Authorization header, adding a critical second layer of identity verification.
- expires_at: You can set a time-to-live timestamp when creating the server. Truto uses an internal alarm handler to automatically purge the server and all associated cryptographic tokens from the internal database once the expiry is reached. This is perfect for granting temporary audit access to contractors.
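A pre-flight check that applies these controls to an MCP server creation body before it is sent, as an added example that is not part of Truto's API or tooling. Assumptions: `require_api_token_auth` sits under `config` (the page names the flag but not its location), `delete` is a hypothetical non-read method name, and the 30-day maximum lifetime is a local policy choice.

```python
from datetime import datetime, timedelta, timezone

READ_ONLY = {"read", "list", "get"}  # method names that appear on this page

# Constructed request bodies. "delete" is a hypothetical non-read method name.
WEAK = {"name": "Cloudflare Ops MCP", "config": {"methods": ["read", "delete"]}}
HARDENED = {
    "name": "Cloudflare Audit MCP",
    "config": {"methods": ["read", "list", "get"], "require_api_token_auth": True},
    "expires_at": "2025-12-31T23:59:59Z",
}

def review_mcp_request(body, now, max_lifetime=timedelta(days=30)):
    """Return a list of policy violations for an MCP server creation body."""
    problems = []
    config = body.get("config") or {}
    methods = config.get("methods")
    if not methods:
        problems.append("config.methods missing: no method filter requested")
    else:
        extra = sorted(set(methods) - READ_ONLY)
        if extra:
            problems.append("non-read methods allowed: " + ", ".join(extra))
    # Assumed location of the flag: under "config".
    if config.get("require_api_token_auth") is not True:
        problems.append("require_api_token_auth not enabled: URL alone grants access")
    expires = body.get("expires_at")
    if not expires:
        problems.append("expires_at missing: server has no expiry")
    else:
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if when <= now:
            problems.append("expires_at is in the past")
        elif when - now > max_lifetime:
            problems.append("expires_at exceeds the %d-day limit" % max_lifetime.days)
    return problems
```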
FAQ
- Does Truto handle Cloudflare API rate limit retries?
- No, Truto passes HTTP 429 errors directly to the caller and normalizes the rate limit data into standard IETF headers. The client or agent is responsible for handling retries and backoff.
- How do I authenticate my MCP connection to Cloudflare?
- The Truto MCP URL contains a cryptographic token. For higher security, you can configure the server with require_api_token_auth, which forces the client to provide a valid Truto API token as well.
- Can I limit which Cloudflare tools Claude can access?
- Yes. You can use method filtering to restrict the server to read-only operations, and tag filtering to expose only specific subsets of the integration.