[Magic] Tunnel endpoints partials (#21092)

* added vars

* removed markdown

* added gre ipsec tunnels subtitle

* removed note title

* renamed vars

* added anti replay

* add tunnels

* renamed vard

* optional mt egress

* legacy hcs

* refined render with extra info

* updated var

* reorg vars

* added render vars

* corrected var

* deleted content not needed

* removed extra line

* added link

* deleted partials not needed

* moved partial

* corrected path

* Apply suggestions from code review

Co-authored-by: Jun Lee <[email protected]>

* re added icmp partial

---------

Co-authored-by: Jun Lee <[email protected]>

Author: marciocloudflare

src/content/docs/magic-transit/how-to/configure-tunnels.mdx

@@ -11,73 +11,22 @@ description: Cloudflare recommends two tunnels for each ISP and network location
 
 import { GlossaryTooltip, Render } from "~/components";
 
-<Render file="tunnel-endpoints/tunnel-endpoints" params={{ ipRange: " " }} />
-
-## Ways to onboard traffic to Cloudflare
-
-### GRE and IPsec tunnels
-
-<Render
-	file="tunnel-endpoints/gre-ipsec"
-	params={{
-		productName: "Magic Transit",
-		tunnelsPath: "/magic-transit/reference/tunnels/",
-		ciphersPath:
-			"/magic-transit/reference/tunnels/#supported-configuration-parameters",
-	}}
-/>
-
-#### Anti-replay protection
-
-<Render
-	file="tunnel-endpoints/anti-replay"
+<Render file="configure-tunnels"
 	params={{
+		magicWord: "Magic Transit",
 		productName: "Magic Transit",
+		tunnelsAndEncapsulationPagePath: "/magic-transit/reference/tunnels/",
+		ciphersPagePath: "/magic-transit/reference/tunnels/#supported-configuration-parameters",
 		antiReplayPagePath: "/magic-transit/reference/anti-replay-protection/",
-	}}
-/>
-
-### Network Interconnect (CNI)
-
-<Render
-	file="tunnel-endpoints/cni"
-	params={{
-		magicName: "Magic Transit",
-		cniPath: "Network Interconnect and Magic Transit",
-		productLink: "/magic-transit/network-interconnect/",
-	}}
-/>
-
-## Add tunnels
-
-<Render
-	file="tunnel-endpoints/add-tunnels"
-	params={{
-		productName: "Magic Transit",
+		cniLink: "/magic-transit/network-interconnect/",
 		productPathDash: "Magic Transit > Configuration",
-		healthCheck: "/magic-transit/how-to/tunnel-health-checks/",
-		productPathProbe: "/magic-transit/reference/tunnel-health-checks/",
+		updateHCFrequencyPage: "/magic-transit/how-to/tunnel-health-checks/",
+		tunnelHealthChecksPage: "/magic-transit/reference/tunnel-health-checks/",
 		antiReplayPagePath: "/magic-transit/reference/anti-replay-protection/",
 		biVsUniHealthCheck: "unidirectional",
 		tunnelHealthDash: "/magic-transit/how-to/check-tunnel-health-dashboard/",
 		biVsUniHealthCheckDefaults: "For Magic Transit this option defaults to unidirectional"
-	}}
-/>
-
-## Bidirectional vs unidirectional health checks
-
-<Render
-	file="tunnel-endpoints/bi-uni-health-checks"
-	params={{
-		productPathProbe: "/magic-transit/reference/tunnel-health-checks/",
-	}}
-/>
-
-<Render file="tunnel-endpoints/mt-egress" />
-
-### Legacy bidirectional health checks
-
-<Render file="legacy-hc-system" />
+	}} />
 
 ## Next steps
 

src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnels.mdx

@@ -11,79 +11,25 @@ description: Cloudflare recommends two tunnels for each ISP and network location
 
 import { GlossaryTooltip, Render } from "~/components";
 
-<Render
-	file="tunnel-endpoints/tunnel-endpoints"
-	product="magic-transit"
-	params={{ ipRange: "(this address space is also a link-local address)" }}
-/>
-
-## Ways to onboard traffic to Cloudflare
-
-### GRE and IPsec tunnels
-
-<Render
-	file="tunnel-endpoints/gre-ipsec"
-	product="magic-transit"
-	params={{
-		productName: "Magic WAN",
-		tunnelsPath: "/magic-wan/reference/tunnels/",
-		ciphersPath:
-			"/magic-wan/reference/tunnels/#supported-configuration-parameters",
-	}}
-/>
-
-#### Anti-replay protection
-
-<Render
-	file="tunnel-endpoints/anti-replay"
+<Render file="configure-tunnels"
 	product="magic-transit"
 	params={{
+		ipRange: "(this address space is also a link-local address)",
 		productName: "Magic WAN",
+		tunnelsAndEncapsulationPagePath: "/magic-wan/reference/tunnels/",
+		ciphersPagePath: "/magic-wan/reference/tunnels/#supported-configuration-parameters",
 		antiReplayPagePath: "/magic-wan/reference/anti-replay-protection/",
-	}}
-/>
-
-### Network Interconnect (CNI)
-
-<Render
-	file="tunnel-endpoints/cni"
-	product="magic-transit"
-	params={{
-		magicName: "Magic WAN",
-		cniPath: "Network Interconnect (CNI)",
-		productLink: "/magic-wan/network-interconnect/",
-	}}
-/>
-
-## Add tunnels
-
-<Render
-	file="tunnel-endpoints/add-tunnels"
-	product="magic-transit"
-	params={{
-		productName: "Magic WAN",
+		cniLink: "/magic-wan/network-interconnect/",
 		productPathDash: "Magic WAN > Configuration",
-		healthCheck: "/magic-wan/configuration/common-settings/tunnel-health-checks/",
-		productPathProbe: "/magic-wan/reference/tunnel-health-checks/",
+		updateHCFrequencyPage: "/magic-wan/configuration/common-settings/tunnel-health-checks/",
+		tunnelHealthChecksPage: "/magic-wan/reference/tunnel-health-checks/",
 		antiReplayPagePath: "/magic-wan/reference/anti-replay-protection/",
 		biVsUniHealthCheck: "bidirectional",
 		tunnelHealthDash: "/magic-wan/configuration/common-settings/check-tunnel-health-dashboard/",
 		biVsUniHealthCheckDefaults: "For Magic WAN this option defaults to bidirectional"
 	}}
 />
 
-## Bidirectional vs unidirectional health checks
-
-<Render
-	file="tunnel-endpoints/bi-uni-health-checks"
-	product="magic-transit"
-	params={{ productPathProbe: "/magic-wan/reference/tunnel-health-checks/" }}
-/>
-
-### Legacy bidirectional health checks
-
-<Render file="legacy-hc-system" product="magic-transit" />
-
 ## Next steps
 
 - Now that you have set up your tunnel endpoints, you need to configure <GlossaryTooltip term="static route" link="/magic-wan/configuration/manually/how-to/configure-static-routes/">static routes</GlossaryTooltip> to route your traffic through Cloudflare. <br /> If you are connecting to Cloudflare through a [Direct CNI connection](/network-interconnect/express-cni/), you can [configure BGP routing](/magic-wan/configuration/manually/how-to/bgp-peering/) instead.

src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx renamed to src/content/partials/magic-transit/configure-tunnels.mdx

@@ -1,16 +1,67 @@
 ---
 params:
+  - magicWord?
+  - ipRange?
   - productName
+  - tunnelsAndEncapsulationPagePath
+  - ciphersPagePath
+  - antiReplayPagePath
+  - cniLink
   - productPathDash
-  - healthCheck
-  - productPathProbe
+  - updateHCFrequencyPage
+  - tunnelHealthChecksPage
   - antiReplayPagePath
   - biVsUniHealthCheck
   - tunnelHealthDash
   - biVsUniHealthCheckDefaults
 ---
 
-import { APIRequest, CURL, Details, Markdown, Render, TabItem, Tabs } from "~/components";
+import { APIRequest, CURL, Details, GlossaryTooltip, Render, TabItem, Tabs } from "~/components";
+
+Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Shortly after your onboarding kickoff call, Cloudflare will assign two Cloudflare endpoint addresses  that you can use as the tunnel destinations on your network location's routers/endpoints.
+
+To configure the tunnels between Cloudflare and your locations, you must provide the following data for each tunnel:
+
+- **Tunnel name**: For GRE tunnels, the name must have 15 or fewer characters. IPsec tunnels have no character limit. For both GRE and IPsec tunnels, the name cannot contain spaces or special characters, and cannot be shared with other tunnels.
+- **Cloudflare endpoint address**: The public IP address of the Cloudflare side of the tunnel.
+- **Customer endpoint**: A public Internet routable IP address which is outside of the prefixes that Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection like [Cloudflare Network Interconnect](/network-interconnect/), you do not need to provide endpoints because Cloudflare will provide them. <br/>
+  This value is not required for <GlossaryTooltip term="IPsec tunnel">IPsec</GlossaryTooltip> tunnels, unless your router is using an <GlossaryTooltip term="Internet key exchange (IKE)">Internet Key Exchange (IKE)</GlossaryTooltip> ID of type `ID_IPV4_ADDR`.
+- **Interface address**: A 31-bit (recommended) or 30-bit subnet (`/31` or `/30` in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space:
+  - `10.0.0.0/8`
+  - `172.16.0.0/12`
+  - `192.168.0.0/16`
+  - `169.254.240.0/20` {props.ipRange}
+    :::caution
+    Make sure the prefixes are always within the allowed Cloudflare ranges, especially for cloud service providers that might automatically generate prefixes for you. Otherwise, the tunnel will not work.
+    :::
+- **TTL**: Time to Live (TTL) in number of hops for the <GlossaryTooltip term="GRE tunnel">GRE</GlossaryTooltip> tunnel. The default value is 64.
+- **MTU**: Maximum transmission unit (MTU) in bytes for the GRE tunnel. The default value is 1476.
+
+## Ways to onboard traffic to Cloudflare
+
+### GRE and IPsec tunnels
+
+You can use GRE or IPsec tunnels to onboard your traffic to {props.productName}, and set them up via the Cloudflare dashboard or the API. However, if you want to use the API, be sure to have your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and [API key](/fundamentals/api/get-started/keys/#view-your-global-api-key) ready before you begin.
+
+:::note
+IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).
+:::
+
+#### IPsec supported ciphers
+
+Refer to <a href={props.tunnelsAndEncapsulationPagePath}>Tunnels and encapsulation</a> to learn more about the technical requirements for GRE and IPsec tunnels used in {props.productName}. In this page, you can also find the <a href={props.ciphersPagePath}>supported ciphers for IPsec</a>.
+
+#### Anti-replay protection
+
+If you use {props.productName} and <GlossaryTooltip term="anycast">anycast</GlossaryTooltip> IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare's side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
+
+Refer to <a href={props.antiReplayPagePath}>Anti-replay protection</a> for more information on this topic, or [Add IPsec tunnels](#add-tunnels) below to learn how to enable this feature.
+
+### Network Interconnect (CNI)
+
+Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onboard your traffic to {props.productName}. Refer to <a href={props.cniLink}>Network Interconnect (CNI)</a> for more information.
+
+## Add tunnels
 
 <Render file="icmp-mfirewall" product="magic-transit" />
 
@@ -29,9 +80,9 @@ import { APIRequest, CURL, Details, Markdown, Render, TabItem, Tabs } from "~/co
 8. In **Customer GRE endpoint**, enter your router's public IP address. This value is not needed if you intend to use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare will provide it.
 9. In **Cloudflare GRE endpoint**, enter the anycast address you received from your account team.
 10. Leave the default values for **TTL** and **MTU**.
-11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your <a href={props.tunnelHealthDash}>tunnel health dashboard</a> even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to <a href={props.productPathProbe}>Tunnel health checks</a> for more information.
-12. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the <a href={props.healthCheck}>**Health check rate**</a> for your tunnel. Available options are _Low_, _Medium_, and _High_.
-13. The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to <a href={props.productPathProbe}>Tunnel health checks</a> for more information.
+11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your <a href={props.tunnelHealthDash}>tunnel health dashboard</a> even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to <a href={props.tunnelHealthChecksPage}>Tunnel health checks</a> for more information.
+12. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the <a href={props.updateHCFrequencyPage}>**Health check rate**</a> for your tunnel. Available options are _Low_, _Medium_, and _High_.
+13. The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to <a href={props.tunnelHealthChecksPage}>Tunnel health checks</a> for more information.
 14. The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
 15. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
 16. _(Optional)_ We recommend you test your tunnel before officially adding it. To test the tunnel, select **Test tunnels**.
@@ -47,9 +98,9 @@ import { APIRequest, CURL, Details, Markdown, Render, TabItem, Tabs } from "~/co
 7. In **IPv4 Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
 8. In **Customer endpoint**, enter your router's public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`.
 9. In **Cloudflare endpoint**, enter the anycast address you received from your account team.
-10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your <a href={props.tunnelHealthDash}>tunnel health dashboard</a> even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to <a href={props.productPathProbe}>Tunnel health checks</a> for more information.
-11. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the <a href={props.healthCheck}>**Health check rate**</a> for your tunnel. Available options are _Low_, _Medium_ and _High_.
-12. _(Optional)_ The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to <a href={props.productPathProbe}>Tunnel health checks</a> for more information.
+10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your <a href={props.tunnelHealthDash}>tunnel health dashboard</a> even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to <a href={props.tunnelHealthChecksPage}>Tunnel health checks</a> for more information.
+11. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the <a href={props.updateHCFrequencyPage}>**Health check rate**</a> for your tunnel. Available options are _Low_, _Medium_ and _High_.
+12. _(Optional)_ The **Health check type** defaults to _Reply_ and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to _Request_ which will create an ICMP request. Refer to <a href={props.tunnelHealthChecksPage}>Tunnel health checks</a> for more information.
 13. _(Optional)_ The **Health check direction** defaults to **{props.BiVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
 14. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
 
@@ -324,3 +375,23 @@ You can change this setting via the API with `"bidirectional"` or `"unidirection
 </Details>
 
 </TabItem> </Tabs>
+
+## Bidirectional vs unidirectional health checks
+
+To check for tunnel health, Cloudflare sends a <a href={props.tunnelHealthChecksPage}>health check probe</a> consisting of ICMP (Internet Control Message Protocol) reply [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy.
+
+Cloudflare defaults to bidirectional health checks for Magic WAN, and unidirectional health checks for Magic Transit (direct server return). However, routing unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls. Magic Transit customers with egress traffic can modify this setting to bidirectional.
+
+{ props.magicWord === "Magic Transit" && (
+  <>
+	<p>If you are a Magic Transit customer with egress traffic, refer to <a href="/magic-transit/reference/egress/" rel="noopener noreferrer">Magic Transit egress traffic</a> for more information on the technical aspects you need to consider to create a successful connection to Cloudflare.</p>
+  </>
+  )
+}
+
+### Legacy bidirectional health checks
+
+For customers using the legacy health check system with a public IP range, Cloudflare recommends:
+
+- Configuring the tunnel health check target IP address to one within the `172.64.240.252/30` prefix range.
+- Applying a policy-based route that matches [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) with a source IP address equal to the configured tunnel health check target (for example `172.64.240.253/32`), and route them over the tunnel back to Cloudflare.