cloudflare · Oxyjun · Jan 24, 2025 · Jan 23, 2025 · Jan 24, 2025
@@ -18,6 +18,12 @@ When your database is isolated within a private network (such as a [virtual priv
 - [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) is used to establish the secure tunnel connection.
 - [Cloudflare Access](/cloudflare-one/policies/access/) is used to restrict access to your tunnel such that only specific Hyperdrive configurations can access it.
 
+A request from the Cloudflare Worker to the origin database goes through Hyperdrive, Cloudflare Access and the Cloudflare Tunnel established by `cloudflared`. `cloudflared` must be running in the private network in which your database is accessible.
+
+The Cloudflare Tunnel will establish an outbound bidirectional connection from your private network to Cloudflare. Cloudflare Access will secure your Cloudflare Tunnel to be only accessible by your Hyperdrive configuration.
+
+![A request from the Cloudflare Worker to the origin database goes through Hyperdrive, Cloudflare Access and the Cloudflare Tunnel established by `cloudflared`.](~/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png)
+
 <Render file="tutorials-before-you-start" product="workers" />
 
 :::caution[Warning]
@@ -177,4 +183,5 @@ If you successfully receive the list of `pg_tables` from your database when you
 ## Troubleshooting
 
 If you encounter issues when setting up your Hyperdrive configuration with tunnels to a private database, consider these common solutions, in addition to [general troubleshooting steps](/hyperdrive/observability/troubleshooting/) for Hyperdrive:
-* Ensure your database is configured to use TLS (SSL). Hyperdrive requires TLS (SSL) to connect.
+
+- Ensure your database is configured to use TLS (SSL). Hyperdrive requires TLS (SSL) to connect.