update IA

Author: ranbel

src/assets/images/cloudflare-one/applications/network-diagram.png

@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: Cloudflare dashboard SSO application
 sidebar:
-  order: 3
+  order: 4
 
 ---
 
@@ -40,7 +40,7 @@ Once your SSO domain is approved, a new **SSO App** application will appear unde
 
 :::note
 
-We recommend noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later. 
+We recommend noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later.
 :::
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.

src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx

@@ -6,14 +6,16 @@ sidebar:
 
 ---
 
-Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. Users can only log in to the application if they meet the criteria you want to introduce.
+Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/policies/access/#selectors) to control who can log in to the application.
 
 ![Cloudflare Access verifies a user's identity before granting access to your application.](~/assets/images/cloudflare-one/applications/diagram-saas.jpg)
 
 You can protect the following types of web applications:
 
-- [**SaaS applications**](/cloudflare-one/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday.
+- [**SaaS applications**](/cloudflare-one/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
 
-- [**Self-hosted applications**](/cloudflare-one/applications/configure-apps/self-hosted-apps/) consist of internal applications that you host in your own environment. These can be hosted versions of tools like the Atlassian suite or applications created and hosted by your own team.
+- **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.
+	- [**Public hostname applications**](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
+	- [**Private network applications**](/cloudflare-one/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, remote users must install the WARP client on their device and enroll in your Zero Trust organization.
 
-- [**Cloudflare Dashboard SSO**](/cloudflare-one/applications/configure-apps/dash-sso-apps/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.
+- [**Cloudflare Dashboard SSO**](/cloudflare-one/applications/configure-apps/dash-sso-apps/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.

src/content/docs/cloudflare-one/applications/configure-apps/index.mdx

@@ -2,13 +2,13 @@
 pcx_content_type: how-to
 title: Publish a self-hosted application to the Internet
 sidebar:
-  order: 1
-  label: Public hostname applications
+  order: 2
+  label: Self-hosted public application
 ---
 
 import { Render } from "~/components"
 
-
+You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server.
 
 ## Prerequisites
 

src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-apps/index.mdx

@@ -14,9 +14,9 @@ Non-HTTP applications require [connecting your private network](/cloudflare-one/
 
 ## WARP client
 
-Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.
+Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application. To secure the application, you can [create a self-hosted application](/cloudflare-one/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/policies/access/) that allow or block specific users.
 
-If you would like to define how users access specific infrastructure servers within your network, create an infrastructure application in [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/). Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
+If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
 - Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server.
 - Eliminate SSH keys by using short-lived certificates to authenticate users.
 

src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-apps/public-hostname-app.mdx renamed to src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx

@@ -0,0 +1,53 @@
+---
+pcx_content_type: how-to
+title: Private network applications (legacy)
+sidebar:
+  order: 4
+  label: Private network applications (legacy)
+---
+
+:::note
+Not recommended for new deployments. We recommend using a [self-hosted application](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/) to secure a private IP address.
+:::
+
+You can configure a **Private Network** application to manage access to specific applications on your private network.
+
+To create a private network application:
+
+1. In Zero Trust, go to **Access** > **Applications** > **Add an application**.
+
+2. Select **Private Network**.
+
+3. Name your application.
+
+4. For **Application type**, select _Destination IP_.
+
+5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`).
+   :::note
+   If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/policies/gateway/network-policies/) using the **Destination IP** selector.
+   :::
+
+6. Configure your [App Launcher](/cloudflare-one/applications/app-launcher/) visibility and logo.
+
+7. Select **Next**. You will see two auto-generated Gateway Network policies: one that allows access to the destination IP and another that blocks access.
+
+8. Modify the policies to include additional identity-based conditions. For example:
+
+   - **Policy 1**
+
+     | Selector       | Operator      | Value            | Logic | Action |
+     | -------------- | ------------- | ---------------- | ----- | ------ |
+     | Destination IP | in            | `10.128.0.7`     | And   | Allow  |
+     | User Email     | matches regex | `.*@example.com` |       |        |
+
+   - **Policy 2**
+
+     | Selector       | Operator | Value        | Action |
+     | -------------- | -------- | ------------ | ------ |
+     | Destination IP | in       | `10.128.0.7` | Block  |
+
+   Policies are evaluated in [numerical order](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/policies/gateway/network-policies/).
+
+9. Select **Add application**.
+
+Your application will appear on the **Applications** page.

src/content/docs/cloudflare-one/applications/non-http/index.mdx

@@ -0,0 +1,7 @@
+---
+pcx_content_type: how-to
+title: Secure a private IP or hostname
+sidebar:
+  order: 3
+  label: Add a self-hosted private application
+---

src/content/docs/cloudflare-one/applications/non-http/private-network-app.mdx

@@ -40,45 +40,6 @@ By default, all WARP devices enrolled in your Zero Trust organization can connec
 
 ### Create Zero Trust policies
 
-You can create Zero Trust policies to manage access to specific applications on your network.
-
-1. Go to **Access** > **Applications** > **Add an application**.
-
-2. Select **Private Network**.
-
-3. Name your application.
-
-4. For **Application type**, select _Destination IP_.
-
-5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`).
-   :::note
-   If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/policies/gateway/network-policies/) using the **Destination IP** selector.
-   :::
-
-6. Configure your [App Launcher](/cloudflare-one/applications/app-launcher/) visibility and logo.
-
-7. Select **Next**. You will see two auto-generated Gateway Network policies: one that allows access to the destination IP and another that blocks access.
-
-8. Modify the policies to include additional identity-based conditions. For example:
-
-   - **Policy 1**
-
-     | Selector       | Operator      | Value            | Logic | Action |
-     | -------------- | ------------- | ---------------- | ----- | ------ |
-     | Destination IP | in            | `10.128.0.7`     | And   | Allow  |
-     | User Email     | matches regex | `.*@example.com` |       |        |
-
-   - **Policy 2**
-
-     | Selector       | Operator | Value        | Action |
-     | -------------- | -------- | ------------ | ------ |
-     | Destination IP | in       | `10.128.0.7` | Block  |
-
-   Policies are evaluated in [numerical order](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/policies/gateway/network-policies/).
-
-9. Select **Add application**.
-
-Your application will appear on the **Applications** page.
 
 ## 5. Connect as a user