apply review feedback

Author: ranbel

src/content/docs/cloudflare-one/applications/configure-apps/index.mdx

@@ -16,6 +16,6 @@ You can protect the following types of web applications:
 
 - **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.
 	- [**Public hostname applications**](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
-	- [**Private network applications**](/cloudflare-one/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, remote users must install the WARP client on their device and enroll in your Zero Trust organization.
+	- [**Private network applications**](/cloudflare-one/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/).
 
 - [**Cloudflare Dashboard SSO**](/cloudflare-one/applications/configure-apps/dash-sso-apps/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.

src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx

@@ -21,7 +21,11 @@ You can securely publish internal tools and applications by adding Cloudflare Ac
 
 ## 2. Connect your origin to Cloudflare
 
-[Set up a Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) to make your internal application available over the Internet.
+[Set up a Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) to publish your internal application. Only users who match your Access policies will be granted access.
+
+:::note
+We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, public hostname routes in Tunnel are available to anyone on the Internet.
+ :::
 
 If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using [other methods](/fundamentals/basic-tasks/protect-your-origin-server/).
 

src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

@@ -34,7 +34,7 @@ This feature is available in early access and replaces the legacy [private netwo
 
    Cloudflare checks every HTTPS request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/identity/users/session-management/). If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the WARP client per application.
 
-6. Add the private IP and/or private hostname that represents the application.
+6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.
 
 	:::note
 	Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI).

src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx

@@ -29,6 +29,8 @@ Follow these steps to connect an application through your tunnel. If you are loo
 
 <Render file="tunnel/add-public-hostname" product="cloudflare-one" />
 
+The application is now publicly available on the Internet. To allow or block specific users, [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app).
+
 ## 3. Connect a network
 
 Follow these steps to connect a private network through your tunnel.
@@ -37,8 +39,11 @@ Follow these steps to connect a private network through your tunnel.
 
 2. Select **Save tunnel**.
 
+To configure Zero Trust policies and connect as a user, refer to [Connect private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
+
 ## 4. View your tunnel
 
 After saving the tunnel, you will be redirected to the **Tunnels** page. Look for your new tunnel to be listed along with its active connector.
 
 ![Tunnel appearing in the Tunnels table](~/assets/images/cloudflare-one/connections/connect-apps/tunnel-table.png)
+

src/content/docs/cloudflare-one/policies/access/app-paths.mdx

@@ -6,7 +6,7 @@ sidebar:
 
 ---
 
-Application paths define the URLs protected by an Access policy. When adding a [self-hosted web application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to Access, you can choose to protect the entire website by entering its apex domain, or alternatively, protect specific subdomains and paths.
+Application paths define the URLs protected by an Access policy. When adding a self-hosted application to Access, you can choose to protect the entire website by entering its apex domain, or alternatively, protect specific subdomains and paths.
 
 ## Policy inheritance