outline steps

ranbel · ranbel · commit 41961ee9e24b · 2025-05-21T16:58:34.000-04:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx
@@ -5,20 +5,14 @@ sidebar:
   order: 2
 ---
 
-import { Render } from "~/components";
+import { Render, Details } from "~/components";
 
 `cloudflared` can route to non-HTTP applications on your private network using their private hostname (for example, `wiki.internal.local`). Private hostname routes are especially useful when the application has an unknown or ephemeral IP, which often occurs when infrastructure is provisioned by a third-party cloud provider.
 
 :::note[Availability]
 Hostname routes currently require Gateway resolver policies, an Enterprise-only feature. If you are on a Free or Pay-as-you-go plan, you will need to connect the application using its [IP address](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr) and [configure Local Domain Fallback](/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns/) to resolve its private hostname.
 :::
 
-## Limitations
-
-### Supported user traffic
-
-### Supported network on-ramps
-
 ## How private hostname routing works
 
 Private hostname routing with Cloudflare Tunnel consists of three main components:
@@ -27,7 +21,7 @@ Private hostname routing with Cloudflare Tunnel consists of three main component
 - Gateway resolver policies instruct Gateway to resolve the private hostname using your internal DNS resolver instead of the default public resolver.
 - `cloudflared` installs on a host machine in your private network and proxies traffic from Cloudflare to your internal DNS resolver and internal applications.
 
-Figures 1 and 2 illustrate what happens when a user connects to a private hostname (`wiki.internal.local`) from a WARP device.
+Figures 1 and 2 illustrate the flow of DNS and network traffic when a user connects to a private hostname (`wiki.internal.local`):
 
 ![Figure 1: DNS resolution for a private hostname](~/assets/images/cloudflare-one/connections/private-hostname-route-1.png "Figure 1: DNS resolution for private hostname")
 
@@ -36,14 +30,88 @@ Figures 1 and 2 illustrate what happens when a user connects to a private hostna
 3. `cloudflared` does a DNS lookup to figure out what the origin IP is for `wiki.internal.local`.
 4. The Gateway resolver now knows that the origin IP is `10.0.0.5`.
 5. Rather than responding to the DNS query with the actual origin IP, Gateway responds with a random IP address from the CGNAT range `100.80.0.0/16` (for example, `100.80.0.1`). This CGNAT IP is called the initial resolved IP.
-6. Gateway stores the mapping between the private hostname, CGNAT initial resolved IP, and the actual IP.
+6. Gateway's network engine stores the mapping between the private hostname, initial resolved IP, and the actual IP.
 7. The WARP client receives the initial resolved IP (`100.80.0.1`) in the DNS response for `wiki.internal.local`.
 
-As shown in Figure 2 below, the WARP client will now send `wiki.internal.local` traffic to the initial resolved IP through Gateway. Because the destination IP falls within the designated CGNAT range, Gateway knows how it maps to the actual origin IP. Traffic that passes your network policies will now route through Cloudflare Tunnel to the private application.
+As shown in Figure 2 below, the WARP client will now send `wiki.internal.local` traffic to the initial resolved IP. The initial resolved IP mechanism is required because Gateway's network engine operates at L3/L4 and can only see IPs (not hostnames) when processing the connection. Because the packet's destination IP falls within the designated CGNAT range, Gateway knows that it corresponds to a hostname route and can apply hostname-based policies. Traffic that passes your Gateway policies will route through Cloudflare Tunnel to the application's actual origin IP.
 
 ![Figure 2: Network traffic flow for a private hostname route](~/assets/images/cloudflare-one/connections/private-hostname-route-2.png "Figure 1: Network traffic flow for a private hostname route")
 
-To learn more about the initial resolved IP mechanism, refer to the [Cloudflare blog]().
+To learn more about hostname routing, refer to the [Cloudflare blog]().
+
+## Connect to a private hostname
+
+This section covers how to enable remote access to a private hostname application using `cloudflared` and WARP.
+
+### 1. Connect the server to Cloudflare
+
+### 2. Set up the client
+
+<Details header="Feature availability">
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| Gateway with WARP                                                                         | Enterprise                                                    |
+
+| System   | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows  | ✅           | 2025.4.929.0         |
+| macOS    | ✅           | 2025.4.929.0         |
+| Linux    | ✅           | 2025.4.929.0         |
+| iOS      | ❌           |                      |
+| Android  | ❌           |                      |
+| ChromeOS | ❌           |                      |
+
+</Details>
+
+
+### 3. Route private network IPs through WARP
+
+- Initial resolved IP CGNAT range: `100.80.0.0/16`
+- Private network CIDR where the application is located, e.g. `10.0.0.0/8`. (Still need to know the IP range of the network. Do not need to know the specific IP of the application)
+- Internal DNS resolver IP
+
+### 4. Create a resolver policy
+
+### 5. (Recommended) Filter network traffic with Gateway
+
+#### Enable Gateway proxy for TCP and UDP
+#### Zero Trust policies
+
+If you're running a private app on port 443:
+
+Option 1: create an Access self-hosted private app https://developers.cloudflare.com/cloudflare-one/applications/non-http/self-hosted-private-app/
+
+Option 2: create a Gateway network policy using the SNI selector https://developers.cloudflare.com/cloudflare-one/policies/gateway/network-policies/#sni
+
+Self-hosted private apps and Gateway network policies are not currently supported for services on non-443 ports. You can only create a Gateway DNS policy.
+
+
+### 6. Connect as a user
+
+
+
+## Supported on-ramps/off-ramps
+
+### Device connectivity
+
+End users can connect to private hostnames from the following device on-ramps:
+
+| On-ramp method                                                                             | Compatibility |
+| ------------------------------------------------------------------------------------------ | ------------- |
+| [WARP client](/cloudflare-one/connections/connect-devices/warp/)                                  | ✅          |
+| [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/)              | ✅            |
+| [Browser Isolation](/cloudflare-one/policies/browser-isolation/)                           | ✅            |
+| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | ❌            |
+| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)                                     | ❌            |
+
+### Private network connectivity
 
-## Configure a private hostname route
+To route to private applications using hostnames instead of IPs, connect your infrastructure to Cloudflare using a supported traffic off-ramp:
 
+| Connector                                                                             | Compatibility |
+| ------------------------------------------------------------------------------------------ | ------------- |
+| [cloudflared](/cloudflare-one/connections/connect-networks/private-net/cloudflared/)                       | ✅           |
+| [WARP-to-WARP](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/)             | ❌            |
+| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | ❌            |
+| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)                                     | ❌            |
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared.mdx
@@ -28,4 +28,16 @@ For example, assume that your organization's banking service, `app.bank.com`, ex
 
 ## Prerequisites
 
-## Configure a public hostname route
+## 1. Connect private network to Cloudflare
+
+## 2. Add a public hostname route
+
+## 3. Route private network IPs through WARP
+
+## 4. (Optional) Filter network traffic with Gateway
+
+## 5. Create an egress policy
+
+Create an egress policy that points traffic to Cloudflare Tunnel.
+
+## 6. Test the connection
