The Home Assistant Matter Hub became my escape route from a persistent security headache. Every time I opened Home Assistant, an orange notification dot was waiting for me, usually tied to another failed login attempt from random IPs across the internet. The system logs made it clear that even though I was using a Cloudflare Tunnel for remote access, the Home Assistant login page was still publicly reachable through a Cloudflare-protected endpoint, which meant automated bots could continuously attempt authentication against it.

A tunnel doesn’t eliminate exposure; it simply moves the entry point to a managed edge layer in front of your server.

While the setup worked reliably, it always felt like unnecessary complexity for something running inside a private home network. Voice control in particular had become an elaborate chain of cloud services. A command would originate in my kitchen, pass through Amazon’s voice services, then through a cloud-based automation layer, and eventually make its way back into my home network to trigger Home Assistant. Functionally it worked, but architecturally it felt like a long round trip through multiple external systems just to toggle a light.

Slamming the Door on the Public Internet
At that point I decided to remove the external attack surface entirely and bring everything back inside the network. The Cloudflare Tunnel and the AWS accounts were removed along with the external access path into Home Assistant. The goal was simple: Home Assistant should no longer be reachable from the internet at all. Alexa voice recognition would still operate through Amazon’s cloud, but Home Assistant itself would no longer be exposed through any public endpoint or proxy layer.
Rebuilding with Matter
The replacement for the cloud-based integration chain was a local Matter bridge using the Home Assistant Matter Hub app by RiDDiX. This allows selected Home Assistant entities to be exposed as Matter devices on the local network, where they can be discovered and controlled by Matter-compatible controllers such as Alexa.
After installing the app, I opened its web interface and created a new bridge instance. During bridge configuration, I applied a filter using a dedicated Home Assistant label called Matter, which I created under Settings → Areas, Labels & Zones. This label became the explicit allow-list for what could be exposed, ensuring that only intentionally tagged entities would be bridged into Matter.

Once the bridge configuration was saved, the Matter Hub interface generated a pairing code used for Matter commissioning. With the bridge running locally, there were no inbound ports open to the internet, no external endpoints, and no cloud relay required for device exposure, only a local service operating entirely on the LAN.
Pairing with Alexa
Reconnecting Alexa was surprisingly straightforward. In the Alexa app, I added a new device, selected Matter, and entered the numeric setup code provided by the Matter Hub bridge instead of scanning a QR code. Alexa then commissioned the bridge over the local network and established itself as a Matter controller for the exposed Home Assistant entities.
From that point forward, control stayed entirely local from the Home Assistant side of the equation. Alexa still handled voice processing in the cloud, but once a command was understood, execution occurred directly over the local network between Alexa’s Matter controller and Home Assistant’s bridge.
Adding new devices became a lightweight workflow. If I wanted something exposed, I simply applied the Matter label to that entity in Home Assistant. Matter Hub detected the change, updated the bridge, and Alexa typically discovered the new device shortly afterward without additional configuration.
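
Because a single label now decides what Alexa can control, it is worth reviewing that label set periodically. The script below is an added example, not part of the original post or of Matter Hub: it audits which enabled entities carry the label against an approved baseline. The label id `matter`, the JSON layout (modelled on Home Assistant's `.storage/core.entity_registry`), the sensitive-domain list, the baseline, and the premise that the bridge filter matches entity-level labels are all assumptions.

```python
import json

# Assumed label id for the "Matter" label (Home Assistant slugifies label names).
MATTER_LABEL = "matter"
# Domains whose exposure to a voice controller deserves a second look (editor's choice).
SENSITIVE_DOMAINS = {"lock", "alarm_control_panel", "cover"}

# Constructed sample mirroring the assumed layout of .storage/core.entity_registry.
SAMPLE_REGISTRY = json.dumps({"data": {"entities": [
    {"entity_id": "light.kitchen", "labels": ["matter"], "disabled_by": None},
    {"entity_id": "switch.coffee_maker", "labels": ["matter"], "disabled_by": None},
    {"entity_id": "lock.front_door", "labels": ["matter", "security"], "disabled_by": None},
    {"entity_id": "cover.garage_door", "labels": [], "disabled_by": None},
    {"entity_id": "light.old_lamp", "labels": ["matter"], "disabled_by": "user"},
]}})

# Entities the owner has already reviewed and agreed to expose (constructed).
APPROVED = {"light.kitchen"}


def exposed_entities(registry_json, label=MATTER_LABEL):
    """Return sorted entity_ids that carry the allow-list label.

    Disabled entities have no state in Home Assistant, so they are skipped.
    """
    entities = json.loads(registry_json)["data"]["entities"]
    return sorted(
        e["entity_id"] for e in entities
        if label in (e.get("labels") or []) and not e.get("disabled_by")
    )


def audit(registry_json, approved, label=MATTER_LABEL):
    """Compare the labelled set with the approved baseline."""
    exposed = exposed_entities(registry_json, label)
    return {
        "exposed": exposed,
        "unreviewed": [e for e in exposed if e not in approved],
        "sensitive": [e for e in exposed if e.split(".", 1)[0] in SENSITIVE_DOMAINS],
        "stale_approvals": sorted(set(approved) - set(exposed)),
    }


if __name__ == "__main__":
    for key, ids in audit(SAMPLE_REGISTRY, APPROVED).items():
        print(f"{key}: {', '.join(ids) or '-'}")
```

On the constructed sample it reports `lock.front_door` as both unreviewed and sensitive, the kind of entry that can slip in when a label is applied in bulk.
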
The Architectural Payoff
The previous setup depended on a chain of external services bridging voice commands into the home network. That entire path is now gone. There is no Cloudflare Tunnel exposing Home Assistant to the internet, no intermediary cloud automation layer, and no publicly reachable login page generating failed authentication attempts.
Home Assistant now operates strictly inside the local network, and only explicitly labeled entities are exposed through the Matter bridge.
Alexa remains cloud-dependent for voice recognition, but the execution path after interpretation is now local, predictable, and much faster. The end result is a system that is simpler to reason about and significantly smaller in external attack surface, while still preserving voice control throughout the house.




