Dev tunnels command-line reference

Dev tunnels offer a command-line interface (CLI) tool for creating and managing dev tunnels. This article explains the syntax and parameters for the various devtunnel CLI commands.

Important

This feature is currently in public preview. This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

Note

devtunnel CLI commands are in preview. Command names and options may change in future releases.

Global options

  • -v, --verbose: Enable verbose output.
  • -?, -h, --help: Show help and usage information.

Manage user credentials

The dev tunnel service requires login for authorizing management of and access to dev tunnels. By default, a dev tunnel is only accessible to the user who created the dev tunnel, though that user may grant access to others.

After logging in, the login token is cached in the system secure key chain, and is valid for several days before expiration. Logging out of the CLI clears this cached token, but doesn't clear any browser cookies. Which may include dev tunnel access tokens if a browser was used to authenticate with a dev tunnel.

Command Description
devtunnel user login Login with a Microsoft or GitHub account.
devtunnel user logout Clear the cached token
devtunnel user show Show current login status

Tip

devtunnel login and devtunnel logout are shorthand commands for logging in and out.

Here are some examples on use of these commands:

Examples Description
devtunnel user login Login with a Microsoft organization (Microsoft Entra ID) or personal account
devtunnel user login -g Login with a GitHub account
devtunnel user login -d Login with a Microsoft organization (Microsoft Entra ID) or personal account with device code login, if local interactive browser login isn't possible
devtunnel user login -g -d Login with a GitHub account with device code login, if local interactive browser login isn't possible

Host a dev tunnel

devtunnel host is the main command used to host your dev tunnel. The command should be run on the host system running the server you want accessible through the dev tunnel.

Command Description
devtunnel host Host a dev tunnel. If a dev tunnel ID isn't specified, a new temporary dev tunnel is created that is deleted once the connection is closed.

Here are some examples on use of this command:

Examples Description
devtunnel host -p 3000 Host a temporary dev tunnel for a server listening port 3000 on the host system.
devtunnel host -p 3000 --allow-anonymous Host a temporary dev tunnel and enable anonymous client access.
devtunnel host -p 3000 5000 Host a temporary dev tunnel for local servers listening on ports 3000 and 5000.
devtunnel host -p 8443 --protocol https Host a temporary dev tunnel for a server listening on port 8443 that uses the HTTPS protocol.
devtunnel host -p 8000 --expiration 2d Host a temporary dev tunnel with a custom expiration time. Minimum is 1 hour (1h) and the maximum is 30 days (30d).
devtunnel host TUNNELID Host an existing dev tunnel that has previously been configured.

Warning

Allowing anonymous access to a dev tunnel means anyone on the internet is able to connect to your local server, if they can guess the dev tunnel ID.

Press Control-C to stop the dev tunnel host process and terminate any client connections through the dev tunnel. If an existing dev tunnel wasn't provided, the dev tunnel that was automatically created by the process will be deleted on process exit.

Connect to a dev tunnel

Using web-forwarding UI:

The devtunnel host command shows output similar to the following:

Hosting port 3000 at https://l3rs99qw-3000.usw2.devtunnels.ms/

The displayed https: URI is unique to the dev tunnel port: the first component is a subdomain containing the given dev tunnel id and port number.

If the hosted port connects to a web server, then that URI can be opened directly in a browser, from anywhere. If access to the dev tunnel requires authorization, then the initial request to the URI will redirect to a login page, and return to the site after the user is authorized.

If the hosted port connects to a web service, then that URI can be used as the base URI by a web service client application. However, if the dev tunnel doesn't allow anonymous access then the web service client normally won't know how to authenticate. If the web service is safe to expose publicly, consider allowing anonymous access. Otherwise, a web service client may add a request header with a dev tunnel access token to authorize the connection.

Using the CLI:

Instead of having a client browser or application connect directly to a dev tunnel relay URI, the CLI may be used to forward connections from a port on the client to a dev tunnel port. The client may also need to log in, if the dev tunnel doesn't allow anonymous access.

devtunnel connect TUNNELID
  • Replace TUNNELID with the same dev tunnel id that was used on the host.

Successful client output is similar to the following:

Connected to tunnel: l3rs99qw
SSH: Forwarding from 127.0.0.1:3000 to host port 3000.
SSH: Forwarding from [::1]:3000 to host port 3000.

Now, the server that was shared on the host's port 3000 is available at localhost:3000 on the client, using either IPv4 or IPv6. (The "SSH" prefix is because the dev tunnel service builds on the standard SSH protocol for port-forwarding.) If the hosted port connects to a web server, then http://localhost:3000/ can be opened in a browser. In this case, no further authorization is required because the client's CLI login token was used to authorize the connection if necessary.

Advanced: Manage dev tunnels

It's possible to create a dev tunnel without yet hosting it. This is useful for advanced dev tunnel configuration and management such as:

  • Listing all owned dev tunnels
  • Adding and removing ports of a dev tunnel
  • Managing dev tunnel access controls
  • Adding metadata to a dev tunnel like description and tags
Command Description
devtunnel create Create a persistent dev tunnel
devtunnel list List dev tunnels
devtunnel show Show dev tunnel details
devtunnel update Update dev tunnel properties
devtunnel delete Delete a dev tunnel
devtunnel delete-all Delete all dev tunnels

Here are some examples on use of these commands:

Examples Description
devtunnel create -a Create a persistent dev tunnel that allows anonymous access.
devtunnel create -d 'my tunnel description' Create a persistent dev tunnel with a non-searchable description.
devtunnel create --expiration 4h Create a persistent dev tunnel with a custom expiration time. Minimum is 1 hour (1h) and the maximum is 30 days (30d).
devtunnel create myTunnelID Create a persistent dev tunnel with a custom tunnel ID.
devtunnel create --tags my-web-app v1 Create a persistent dev tunnel and apply searchable tags.
devtunnel list --tags my-web-app List dev tunnels that have any of the specified tags.
devtunnel list --all-tags my-web-app v1 List dev tunnels that have all the specified tags.
devtunnel show Show details of the last-used dev tunnel.
devtunnel show TUNNELID Show details for a dev tunnel.
devtunnel update TUNNELID -d 'my new tunnel description' Update the description of a dev tunnel.
devtunnel update TUNNELID --remove-tags Remove all tags from a dev tunnel.
devtunnel update TUNNELID --expiration 10d Update a dev tunnel with a new custom expiration time. Minimum is 1 hour (1h) and the maximum is 30 days (30d).
devtunnel delete TUNNELID Delete a dev tunnel.
devtunnel delete-all Delete all your dev tunnels.

Tip

Most CLI commands operate on the last-used dev tunnel implicitly, though there's an option to specify a dev tunnel ID if necessary.

Advanced: Manage dev tunnel ports

A dev tunnel created using the devtunnel create command initially has no ports. Use devtunnel port commands to add ports before hosting:

Command Description
devtunnel port create Create a dev tunnel port
devtunnel port list List dev tunnel ports
devtunnel port show Show dev tunnel port details
devtunnel port update Update dev tunnel port properties
devtunnel port delete Delete a dev tunnel port
Examples Description
devtunnel port create -p 3000 --protocol http Add a port with the specified protocol
devtunnel port list TUNNELID List current ports
devtunnel port show TUNNELID -p 3000 Show the details for port 3000
devtunnel port update -p 3000 --description 'frontend port' Update a dev tunnel port description
devtunnel port delete -p 3000 Delete a port

When creating a port, the protocol may optionally be specified, if auto-detection doesn't work properly. Current options are "http", "https" or "auto" (default). If the hosted port is HTTPS, then it's recommended to set the port protocol to "https"; otherwise "auto" is probably fine.

After configuring a dev tunnel using the above commands, start hosting it:

devtunnel host

Advanced: Manage dev tunnel access

With the following commands, dev tunnel access tokens can be issued to provide other clients access to your dev tunnel without allowing anonymous access. The access control entry commands allow you to configure access control on dev tunnels and dev tunnel ports.

Command Description
devtunnel token Issue dev tunnel access token
devtunnel access create Create an access control entry
devtunnel access list List access control entries
devtunnel access delete Delete an access control entry
devtunnel access reset Reset access control entries to default

Here are some examples on use of these commands:

Examples Description
devtunnel token TUNNELID --scopes connect Get a 'connect' access token for a dev tunnel that can be shared to provide temporarily access to the dev tunnel.
devtunnel access create TUNNELID --anonymous Enable anonymous client access on the dev tunnel.
devtunnel access create TUNNELID --anonymous --expiration 4h Enable anonymous client access on the dev tunnel with a custom access control expiration time. Minimum is 1 hour (1h) and the maximum is 30 days (30d).
devtunnel access create TUNNELID --port 3000 --anonymous Enable anonymous client access on port 3000.
devtunnel access create TUNNELID --tenant Enable the current Microsoft Entra tenant access on the dev tunnel.
devtunnel access create TUNNELID --org ORG Enable a GitHub organization access by name on the dev tunnel.

Tip

GitHub organization access requires installing the Dev Tunnels GitHub app into the org.

Supplementary commands

These commands can be used if you need to explicitly set or unset this local cache of last-used dev tunnel.

Command Description
devtunnel set Set default dev tunnel
devtunnel unset Clear default dev tunnel

Diagnostic commands

Command Description
devtunnel clusters List available service clusters by location
devtunnel echo Run a diagnostic echo server on a local port
devtunnel ping Send diagnostic messages to a remote echo server
Examples Description
devtunnel clusters --ping List available service clusters sorted by measured latency.
devtunnel echo http --port 8080 --interface 127.0.0.1 Start a local http diagnostic server on port 8080.

Troubleshooting

To troubleshoot issues with the devtunnel CLI, the following tips may be useful:

  • Ensure you're on the latest version of the devtunnel CLI. Check the currently installed version with devtunnel --version.
  • The --verbose option prints debugging messages, which can provide extra diagnostic information.