final edits

deadlypants1973 · deadlypants1973 · commit 0963d847294d · 2025-10-09T14:51:33.000+01:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -96,7 +96,7 @@ chmod 600 /etc/ssh/ca.pub
 
 ## 8. Connect as a user
 
-Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is [connected to that virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:
+Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is [connected to that virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configuration on their device. For example, to SSH from a terminal:
 
 ```sh
 ssh <username>@<target IP>
@@ -191,7 +191,7 @@ SSH sessions have a maximum expected duration of 10 hours. For more information,
 
 ## Troubleshooting
 
-Failure to connect to your SSH endpoint could be the result of multiple variables. Use the following steps to systematically investigate and resolve the source of your connection failure.
+Failure to connect to your SSH endpoint could be the result of multiple variables. Use the following steps to investigate and resolve the source of your connection failure.
 
 1. [Verify that your Access policies](#1-review-access-policies) allow the user to access the target machine.
 2. [Check Cloudflare Tunnel](#2-check-target-machine-connection) health.
@@ -205,17 +205,25 @@ A user may be blocked by an Access policy from reaching an SSH target because:
 - An Access policy exists that denies that user access, or
 - No explicit allow Access policy exists and Access is set to deny the user by default.
 
+:::note[Access policies and infrastructure applications]
+
+The Access infrastructure application (created in [step 5](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#5-add-an-infrastructure-application)) is the policy container for your SSH server. Cloudflare refers to your SSH server as a [target](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#4-add-a-target).
+
+[Access policies](/cloudflare-one/policies/access/policy-management/) are the rules attached to this Access infrastructure application, determining who can connect and what UNIX usernames they can log in as on the server. Cloudflare will not create new users on the target. UNIX users must already be present on the server.
+
 You were guided to create an Access policy for your SSH target in [substep 9 of step 5: Add an infrastructure application](#5-add-an-infrastructure-application).
 
+:::
+
 #### End users
 
 As an end user, run [`warp-cli target list`](/cloudflare-one/applications/non-http/infrastructure-apps/#display-available-targets) to verify that you have access to the target machine.
 
 <Render file="tunnel/warp-cli-target-list" product="cloudflare-one" />
 
-- If the target appears in the list, confirm that the username you are attempting to connect with is shown in the output. If the username is not shown, you must go to the Access policy associated with the target machine and add that user to the Access policy. If the username is shown, that means the Access policy should be granting access and you should ensure that the Tunnel is healthy in [step 2](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#2-check-target-machine-connection).
+- If the target appears in the list, confirm that the username you are attempting to connect with is shown in the output. If the username is not shown, an administrator must find the Access policy associated with the target machine and add that username to the Access policy. An administrator should have created an Access policy in [substep 9 of step 5: Add an infrastructure application](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#5-add-an-infrastructure-application). If the username is shown, that means the Access policy should be granting access and you should ensure that the tunnel is healthy in [step 2](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#2-check-target-machine-connection).
 
-- If the target does not appear in the list, your Access policies concerning the target machine must be audited for potential misconfigurations that may be blocking access.
+- If the target does not appear in the list, an administrator must audit your organization's policies for the target machine in the Zero Trust dashboard for potential misconfigurations that may be blocking access.
 
 #### Administrators
 
@@ -233,19 +241,19 @@ You will need Cloudflare dashboard access and log view [permissions](/cloudflare
 
 3. Review the **Decision**. If the **Decision** is `Access denied`, select the application and copy the name under App.
 
-	If the decision is `Access granted`, this mean your connection issue is with the Cloudflare Tunnel, SSH server, or the `sshd_config` file and Access policies are not interfering with your connection attempts.
+	If the decision is `Access granted`, Access policies are not interfering with your connection attempts and your connection issue is due to the Cloudflare Tunnel, SSH server, or the `sshd_config` file.
 
 4. Go to **Access** > **Applications**.
 
 5. Input the app name in the search bar and select the application.
 
 6. Select **Configure**.
 
-7. Go to **Policies** to review what criteria may be blocking the user.
+7. Go to [**Policies**](/cloudflare-one/policies/access/policy-management/#test-your-policies) to review what criteria may be blocking the user.
 
 By editing a [policy](/cloudflare-one/policies/access/) that is explicitly blocking the user or adding a new policy to explicitly allow the user, the connection issue should be resolved. After saving your policy changes, attempt to connect to the target machine as the end user.
 
-After you have audited your Access policies and are still having connection issues, you must review Tunnel health.
+If you are still having connection issues after auditing your Access policies, review Tunnel health in the following step.
 
 ### 2. Check target machine connection
 
@@ -256,36 +264,36 @@ To check the status of your Tunnel:
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Routes**.
 2. Search your IP to find the Tunnel associated with the IP.
 
-	This IP will be visible in the `warp-cli target list` output in [the previous step](#1-review-access-policies). If you are an admin, you can also go to **Networks** > **Targets** and find the IP next your Hostname.
+	This IP will be visible in the `warp-cli target list` output in [the previous step](#1-review-access-policies). If you are an admin, you can also go to **Networks** > **Targets** and find the IP next to your Hostname.
 
 3. Copy the Tunnel name.
 4. Go to **Networks** > **Tunnels** and search by your Tunnel name.
-5. Review that the [Tunnel status](/cloudflare-one/connections/connect-networks/monitor-tunnels/notifications/#available-notifications) says Active, and not Down, Degraded, or Inactive.
+5. Review that the [Tunnel status](/cloudflare-one/connections/connect-networks/monitor-tunnels/notifications/#available-notifications) says `Active`, and not `Down`, `Degraded`, or `Inactive`.
 
 | Status    | Meaning                                                                                                                                                           | Recommended Action                                                                                                                                                                                                                                                                                            |
 |-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Healthy**   | The `cloudflared` process is running and maintaining the expected number of resilient connections to Cloudflare's edge network.                                   | No action is required. Your Tunnel is running correctly.                                                                                                                                                                                                                                                       |
-| **Inactive**  | The Tunnel has been created (via the API or dashboard) but the `cloudflared` connector has never been run to establish a connection.                          | Run the Tunnel as a service or using the `clouflared tunnel run` command on your origin server to connect the Tunnel to Cloudflare. Refer to substep 6 of step 1 in the [Create a Tunnel dashboard guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#1-create-a-tunnel) or step 4 in the [Create a Tunnel API guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#1-create-a-tunnel).                           |
+| **Healthy**   | The tunnel is active and serving traffic through four connections to the Cloudflare global network.                                    | No action is required. Your Tunnel is running correctly.                                                                                                                                                                                                                                                       |
+| **Inactive**  | The Tunnel has been created (via the API or dashboard) but the `cloudflared` connector has never been run to establish a connection.                          | Run the tunnel as a service (recommended) or use the `cloudflared tunnel run` command on your origin server to connect the tunnel to Cloudflare. Refer to [substep 6 of step 1 in the Create a Tunnel dashboard guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#1-create-a-tunnel) or step 4 in the [Create a Tunnel API guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#1-create-a-tunnel).                           |
 | **Down**      | The Tunnel was previously connected but is currently disconnected because the `cloudflared` process has stopped.                                            | 1. Ensure the `cloudflared` service or process is actively running on your server. <br /> 2. Check for server-side issues, such as the machine being powered off, an application crash, or recent network changes.                                                                                                |
-| **Degraded**  | The `cloudflared` connector is running but has fewer than the expected number of connections (it is connected to a single Cloudflare data center).               | 1. Review your `cloudflared` logs for connection failures or error messages. <br /> 2. Investigate local network and firewall rules to ensure they are not blocking connections to other Cloudflare IP ranges. <br />                                                                        |
+| **Degraded**  | The `cloudflared` connector is running and the tunnel is serving traffic, but at least one individual connection has failed. Further degradation in [tunnel availability](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) could risk the tunnel going down and failing to serve traffic.               | 1. Review your `cloudflared` logs for connection failures or error messages. <br /> 2. Investigate local network and firewall rules to ensure they are not blocking connections to the [Cloudflare Tunnel IPs and ports](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/). <br />                                                                        |
 
 For detailed steps on troubleshooting, refer to the [Troubleshooting Tunnel documentation](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/). Review the [Tunnel with Firewall documentation](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#test-connectivity) to ensure your network is correctly configured to allow `cloudflared` connections.
 
-After you have vertified that there are no issues with your Tunnel's health, continue to verifying the user's existence on the target SSH server.
+After you have verified that there are no issues with your Tunnel's health, confirm the user's existence on the target SSH server in the following step.
 
 ### 3. Confirm user existence on the target server
 
-To verify the existence of the end user on the target server, run the `id <USERNAME>` command on the target SSH server to verify that the end user's username exists. If the username does not exist, you must add the user to the server.
+To verify the existence of the end user on the target SSH server, run the `id <USERNAME>` command on the target SSH server to verify that the end user's username exists. If the username does not exist, you must add the user to the server.
 
-If the user exists on the target machine, continue to debugging the `sshd_config` file.
+If the user exists on the target machine, debug your `sshd_config` file in the following step.
 
 ### 4. Debug `sshd_config` file misconfiguration
 
 One reason a user is failing to connect to your SSH endpoint might be the result of a misconfigured `sshd_config` file. Follow the steps below to audit your `sshd_config` file for misconfigurations.
 
 #### Review your `sshd` logs
 
-`sshd` logs can confirm whether or not the user is making it to the server. The location of your `sshd` logs is defined in your `sshd_config`. Logs location will likely be found at `journalctl -u ssh` on Ubuntu and `tail /var/log/auth.log` for Red Hat.
+`sshd` logs can confirm whether or not the user is making it to the server. The location of your `sshd` logs is defined in your `sshd_config`. Logs location is likely at `journalctl -u ssh` on Ubuntu and `tail /var/log/auth.log` for Red Hat.
 
 Using your `sshd` logs, validate that SSH connection attempts are arriving to the SSH target machine.
 
@@ -444,26 +452,26 @@ These troubleshooting steps could result in you being locked out of your SSH ser
 
 1. Back up the existing `sshd_config` file.
 
-	```
+	```sh
 	mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
 	```
 
 2. Create a new `sshd_config` file.
 
-	```
+	```sh
 	vi /etc/ssh/sshd_config
 	```
 
-3. Enter insert mode by pressing the 'i' character on your keyboard.
+3. Enter insert mode by pressing the 'i' key on your keyboard.
 
 4. Paste in the [example file](#review-your-sshd_config-file-for-misconfigurations).
 
-5. Exit insert mode by pressing the escape `esc` key.
+5. Exit insert mode by pressing the escape (`esc`) key.
 6. Enter `:x` to save and exit.
 7. [Reload](#reload-your-ssh-server) your SSH server.
 
 	:::caution[Do not restart]
-	Restarting your `sshd` service will result in the termination of your current SSH connection. Make sure to reload instead restarting to avoid terminating all currently open SSH sessions.
+	Restarting your `sshd` service will result in the termination of your current SSH connection. Make sure to reload instead of restarting to avoid terminating all currently open SSH sessions.
 	:::
 
 	<Render file="ssh/restart-server" product="cloudflare-one" />
