[ZT] IP calculator for Split Tunnels (#20900)

ranbel · RebeccaTamachiro · commit 159d65f510ff · 2025-04-21T11:06:50.000+01:00
* aws and gcp

* private network config
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
@@ -9,6 +9,7 @@ head:
 ---
 
 import { Render } from "~/components";
+import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx";
 
 This guide covers how to connect an Amazon Web Services (AWS) virtual machine to Cloudflare using our lightweight connector, `cloudflared`.
 
@@ -98,7 +99,20 @@ EOF
 [Private network routes](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) allow users to connect to your virtual private cloud (VPC) using the WARP client. To add a private network route for your Cloudflare Tunnel:
 
 1. In the **Private Network** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
-2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance -- you can use [this calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/) to determine which IP addresses to re-add.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.
+
+		To determine which IP addresses to re-add, subtract your AWS instance IPs from `172.16.0.0/12`:
+
+		<SubtractIPCalculator
+			client:load
+			defaults={{
+				base: "172.16.0.0/12",
+				exclude: ["172.31.19.0", "172.24.0.0/16"]
+			}}
+		/>
+
+		Add the results back to your Split Tunnel Exclude mode list.
+
 3. To test on a user device:
 
    1. [Log in to the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/).
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
@@ -6,6 +6,7 @@ sidebar:
 ---
 
 import { Render } from "~/components";
+import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx";
 
 This guide covers how to connect a Google Cloud Project (GCP) virtual machine to Cloudflare using our lightweight connector, `cloudflared`.
 
@@ -77,7 +78,19 @@ To complete the following procedure, you will need to:
 To configure a private network route for your Cloudflare Tunnel:
 
 1. In the **Private Network** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary.
-2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM -- you can use [this calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/) to determine which IP addresses to re-add.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.
+
+		To determine which IP addresses to re-add, subtract your GCP instance IPs from `10.0.0.0/8`:
+
+		<SubtractIPCalculator
+			client:load
+			defaults={{
+				base: "10.0.0.0/8",
+				exclude: ["10.0.0.2", "10.0.16.0/24"]
+			}}
+		/>
+
+		Add the results back to your Split Tunnel Exclude mode list.
 3. To test on a user device:
 
    1. [Log in to the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/).
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx
@@ -3,14 +3,28 @@ params:
   - one
 ---
 
-import { Markdown } from "~/components"
+import { Markdown } from "~/components";
+import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx";
 
 By default, WARP excludes traffic bound for [RFC 1918 space](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your <Markdown text={props.one}/>, you must configure [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) so that the IP/CIDR of your <Markdown text={props.one}/> routes through WARP.
 
 1. First, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
 2. If you are using **Include** mode, add your <Markdown text={props.one}/>'s IP/CIDR range to the list. Your list should also include the [domains necessary for Cloudflare Zero Trust functionality](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
 3. If you are using **Exclude** mode:
-   1. Delete your <Markdown text={props.one}/>'s IP/CIDR range from the list. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
-   2. Re-add IP/CIDR ranges that are not explicitly used by your <Markdown text={props.one}/>. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.
+
+		a. Delete your <Markdown text={props.one}/>'s IP/CIDR range from the list. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
+
+		b. Re-add IP/CIDR ranges that are not explicitly used by your <Markdown text={props.one}/>. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.
+
+		You can use the following calculator to determine which IP addresses to re-add:
+
+			<SubtractIPCalculator
+				client:load
+				defaults={{
+					base: "172.16.0.0/12",
+					exclude: ["172.31.0.0/16", `172.28.0.0/15`]
+				}}
+			/>
+		In **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels. In **Excluded CIDRs**, enter the IP/CIDR range used by your <Markdown text={props.one}/>. Re-add the calculator results to your Split Tunnel Exclude mode list.
 
 By tightening the private IP range included in WARP, you reduce the risk of breaking a user's [access to local resources](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-users-to-enable-local-network-exclusion).
