diff --git a/Dockerfile b/Dockerfile
index 2cf735abb90..612ee11fe7c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,8 @@ RUN make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian13:nonroot
+# Enable metrics for healthcheck
+ENV TUNNEL_METRICS=127.0.0.1:60123
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 
@@ -33,6 +35,10 @@ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cl
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 
+# Check if cloudflared is healthy
+HEALTHCHECK --interval=30s --timeout=30s --retries=3 \
+  CMD cloudflared tunnel --metrics localhost:60123 ready
+
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index 871d0e24db7..34a416b9520 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@@ -16,6 +16,8 @@ RUN GOOS=linux GOARCH=amd64 make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian13:nonroot
+# Enable metrics for healthcheck
+ENV TUNNEL_METRICS=127.0.0.1:60123
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 
@@ -28,6 +30,10 @@ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cl
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 
+# Check if cloudflared is healthy
+HEALTHCHECK --interval=30s --timeout=30s --retries=3 \
+  CMD cloudflared tunnel --metrics localhost:60123 ready
+
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
index 6dba868c16d..22ecd59c5f4 100644
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@@ -16,6 +16,8 @@ RUN GOOS=linux GOARCH=arm64 make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian13:nonroot-arm64
+# Enable metrics for healthcheck
+ENV TUNNEL_METRICS=127.0.0.1:60123
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 
@@ -28,6 +30,10 @@ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cl
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 
+# Check if cloudflared is healthy
+HEALTHCHECK --interval=30s --timeout=30s --retries=3 \
+  CMD cloudflared tunnel --metrics localhost:60123 ready
+
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]