[Rules] Cloud connector (#16088)

* [Rules] Add Cloud Connector docs

* Incorporate received feedback

* More feedback

* Reorder first-level nav items (use dash order)

* Remove R2 for now

* Review supported provider URL formats

* added changes

* corrected text

* refined text

* corrected page weights

---------

Co-authored-by: Pedro Sousa <[email protected]>

Author: marciocloudflare

content/fundamentals/_partials/_zone-permissions-table.md

@@ -22,6 +22,8 @@ inputParameters: editWord
 | Cache Purge                      | Grants access to [purge cache](/cache/how-to/purge-cache/).                                                                                |
 | Cache Rules Read                 | Grants read access to [Cache Rules](/cache/how-to/cache-rules/).                                                                           |
 | Cache Rules $1                 | Grants write access to [Cache Rules](/cache/how-to/cache-rules/).                                                                          |
+| Cloud Connector Read             | Grants read access to [Cloud Connector rules](/rules/cloud-connector/).                                                                  |
+| Cloud Connector $1               | Grants write access to [Cloud Connector rules](/rules/cloud-connector/).                                                                 |
 | Config Rules Read                | Grants read access to [Configuration Rules](/rules/configuration-rules/).                                                                  |
 | Config Rules $1                | Grants write access to [Configuration Rules](/rules/configuration-rules/).                                                                 |
 | Custom Errors Read          | Grants read access to [Custom Errors Phase](/rules/custom-error-responses/create-api/).                                                               |

content/rules/cache-rules.md

@@ -2,7 +2,7 @@
 pcx_content_type: navigation
 title: Cache Rules
 external_link: /cache/how-to/cache-rules/
-weight: 6
+weight: 7
 _build:
   publishResources: false
   render: never

content/rules/cloud-connector/_index.md

@@ -0,0 +1,35 @@
+---
+title: Cloud Connector
+pcx_content_type: concept
+weight: 8
+---
+
+{{<heading-pill style="beta">}}Cloud Connector{{</heading-pill>}}
+
+Cloud Connector allows you to route matching incoming traffic from your website to a public cloud provider that you define such as AWS, Google Cloud, and Azure. With Cloud Connector you can make Cloudflare the control center for your web traffic, including traffic served from public cloud providers, without having to configure additional rules.
+
+{{<Aside type="note">}}
+We are gradually rolling out access to Cloud Connector throughout 2024. Refer to [Availability](#availability) for details. Support for Cloudflare R2 will be added soon.
+{{</Aside>}}
+
+## How it works
+
+First, you configure a Cloud Connector rule that specifies:
+- The cloud provider and a supported cloud service that will accept traffic.
+- The traffic that will be routed to that cloud service.
+
+Then, Cloudflare will create the [necessary configurations](#applied-configurations) so that the content is accessible for requests matching your Cloud Connector rule.
+
+Cloud Connector rules are evaluated last in the request evaluation workflow. When there is a rule match and you have other rules changing the same settings, the Cloud Connector rule will win over other rules.
+
+## Applied configurations
+
+Cloud Connector will perform the following configurations automatically, depending on the cloud provider:
+* Modify the `Host` header.
+* Adjust SSL/TLS for bucket-related traffic (AWS S3 only).
+
+## Availability
+
+Cloud Connector is being rolled out gradually throughout 2024 to all customers. Once you have access, the Cloudflare dashboard will show a new **Cloud Connector** tab under **Rules** at the zone level. The maximum number of rules depends on your Cloudflare plan:
+
+{{<feature-table id="rules.cloud_connector">}}

content/rules/cloud-connector/create-api.md

@@ -0,0 +1,111 @@
+---
+title: Configure via API
+pcx_content_type: how-to
+weight: 3
+meta:
+  title: Configure a Cloud Connector rule via API
+---
+
+# Configure a rule via API
+
+You can configure Cloud Connector rules using the [Cloudflare API](/fundamentals/api/).
+
+## Required permissions
+
+The [API token](/fundamentals/api/get-started/create-token/) used in API requests to manage Cloud Connector rules must have at least the following permission:
+
+- _Zone_ > _Cloud Connector_ > _Write_
+
+{{<Aside type="note" header="Note">}}
+A token with this permission is only valid for the Cloud Connector endpoints described in this page. You cannot use it to interact with the `http_cloud_connector` phase via [Rulesets API](/ruleset-engine/rulesets-api/).
+{{</Aside>}}
+
+## Endpoints
+
+To obtain the complete endpoint, append the Cloud Connector endpoints listed below to the Cloudflare API base URL:
+
+```txt
+https://api.cloudflare.com/client/v4
+```
+
+The `{zone_id}` argument is the [zone ID](/fundamentals/setup/find-account-and-zone-ids/) (a hexadecimal string). You can find this value in the Cloudflare dashboard.
+
+The following table summarizes the available operations.
+
+Operation | Verb + Endpoint
+----------|----------------
+List Cloud Connector rules | `GET zones/{zone_id}/cloud_connector/rules`
+Create/update/delete Cloud Connector rules | `PUT /zones/{zone_id}/cloud_connector/rules`
+
+## Example API calls
+
+### List of Cloud Connector rules
+
+The following example returns a list of existing Cloud Connector rules:
+
+```bash
+curl https://api.cloudflare.com/client/v4/zones/{zone_id}/cloud_connector/rules \
+--header "Authorization: Bearer <API_TOKEN>"
+```
+
+```json
+---
+header: Example response
+---
+{
+  "result": [
+    {
+      "id": "<RULE_1_ID>",
+      "provider": "aws_s3",
+      "expression": "http.request.uri.path wildcard \"/images/*\"",
+      "description": "Connect to S3 bucket containing images",
+      "enabled": true,
+      "parameters": {
+        "host": "examplebucketwithimages.s3.north-eu.amazonaws.com"
+      }
+    },
+    {
+      "id": "<RULE_2_ID>",
+      "provider": "cloudflare_r2",
+      "expression": "http.request.uri.path wildcard \"/videos/*\"",
+      "description": "Connect to R2 bucket containing videos",
+      "enabled": true,
+      "parameters": {
+        "host": "mybucketcustomdomain.example.com"
+      }
+    }
+  ],
+  "success": true,
+  "errors": [],
+  "messages": []
+}
+```
+
+### Create/update/delete Cloud Connector rules
+
+The following example request will replace all existing Cloud Connector rules with a single rule:
+
+```bash
+curl --request PUT \
+"https://api.cloudflare.com/client/v4/zones/{zone_id}/cloud_connector/rules" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--header "Content-Type: application/json" \
+--data '[
+  {
+    "expression": "http.request.uri.path wildcard \"/images/*\"",
+    "provider": "aws_s3",
+    "description": "Connect to S3 bucket containing images",
+    "parameters": {
+      "host": "examplebucketwithimages.s3.north-eu.amazonaws.com"
+    }
+  }
+]'
+```
+
+The required body parameters for each rule are: `expression`, `provider`, and `parameters.host`.
+
+The `provider` value must be one of the following: `aws_s3`, `azure_storage`, `gcp_storage`, and `cloudflare_r2`.
+
+{{<Aside type="warning" header="Warning">}}
+To create a new rule and keep all existing rules, you must include them all in your request body. Omitting an existing rule in the request body will delete the corresponding Cloud Connector rule.
+{{</Aside>}}

content/rules/cloud-connector/create-dashboard.md

@@ -0,0 +1,36 @@
+---
+title: Configure in the dashboard
+pcx_content_type: how-to
+weight: 2
+meta:
+  title: Configure a Cloud Connector rule in the dashboard
+---
+
+# Configure a rule in the dashboard
+
+To configure a Cloud Connector rule in the dashboard:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and domain.
+
+2. Go to **Rules** > **Cloud Connector**.
+
+3. Select your [cloud provider](/rules/cloud-connector/providers/).
+
+4. Enter the bucket URL and select **Next**.
+
+    {{<Aside type="warning">}}
+The bucket URL must follow a [specific format](/rules/cloud-connector/providers/) according to your provider.
+    {{</Aside>}}
+
+5. Enter a descriptive name for the rule in **Cloud Connector name**.
+
+6. Under **If**, select **Custom filter expression** and [enter an expression](/ruleset-engine/rules-language/expressions/edit-expressions/) to define the traffic that will be redirected to the bucket. For example:
+
+    - To route all requests under `https://example.com/images/*` you could enter the following expression:<br/>
+    `http.request.full_uri wildcard "https://example.com/images/*"`
+    - To route all requests under `https://images.example.com/*` you could enter the following expression:<br/>
+    `http.request.full_uri wildcard "https://images.example.com/*"`
+
+    Alternatively, select **All incoming requests** to redirect all incoming traffic for your zone to the storage bucket you selected.
+
+To save and deploy your rule, select **Deploy**. If you are not ready to deploy the rule, select **Save as Draft**.

content/rules/cloud-connector/providers.md

@@ -0,0 +1,76 @@
+---
+title: Supported cloud providers
+pcx_content_type: reference
+weight: 10
+---
+
+# Supported cloud providers
+
+Cloud Connector currently supports the following cloud providers and services:
+
+- Amazon Web Services - S3
+- Google Cloud Platform - Cloud Storage
+- Microsoft Azure - Blob Storage
+
+{{<Aside type="note">}}
+Support for Cloudflare R2 will be added soon.
+{{</Aside>}}
+
+## Amazon Web Services - S3 { #s3 }
+
+The hostname of your S3 bucket URL must have one of the following formats (where `*` is a wildcard character):
+
+- `*s3.amazonaws.com`
+- `*s3-website.<region>.amazonaws.com`
+- `*s3.<region>.amazonaws.com`
+- `*s3-website-<region>.amazonaws.com`
+
+Cloud Connector supports both subdomain and URI path bucket URLs.
+
+### Get the bucket URL
+
+1. Go to the [Amazon S3 console](https://console.aws.amazon.com/s3/) and select **Buckets** in the navigation pane.
+2. Select the bucket name.
+3. Go to the **Properties** tab.
+4. Select the **Static Website Hosting** card. The **Endpoint** field shows your bucket URL.
+
+For more information, refer to the [Amazon S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/EnableWebsiteHosting.html).
+
+## Google Cloud Platform - Cloud Storage { #gcp }
+
+The hostname of your Cloud Storage bucket URL must be the following:
+
+- `*storage.googleapis.com`
+- `*storage.cloud.google.com`
+
+Cloud Connector supports both subdomain and URI path bucket URLs.
+
+### Get the bucket URL
+
+1. Go to the [Google Cloud console](https://console.cloud.google.com/storage/browser) and select **Buckets**.
+2. Select the bucket name.
+3. For one of the files already in the bucket, select the link icon in the **Public** column to copy the file's public URL to the clipboard. The file URL will have the following format:
+
+    `https://storage.googleapis.com/<BUCKET_NAME>/<OBJECT_NAME>`
+
+    To obtain the bucket URL, remove `/<OBJECT_NAME>` from the file URL.
+
+If the files in your bucket are not publicly accessible, you must change the bucket permissions. For details, refer to the [Google Cloud Storage documentation](https://cloud.google.com/storage/docs/access-control/making-data-public#buckets).
+
+## Microsoft Azure - Blob Storage { #azure }
+
+The hostname of your Blob Storage bucket URL must have one of the following formats (where `*` is a wildcard character):
+
+- `*.blob.core.windows.net`
+- `*.web.core.windows.net`
+
+### Get the bucket URL
+
+1. Go to the [Azure portal](https://portal.azure.com/) and select your storage account.
+2. In the menu pane, under **Settings**, select **Endpoints**.
+3. Get your bucket URL from the **Blob service** endpoint or the **Static website** endpoint.
+
+If the blob container is not configured for public access, you must change the container settings. For details, refer to the [Azure Storage documentation](https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal).
+
+
+

content/rules/compression-rules/_index.md

@@ -1,7 +1,7 @@
 ---
 title: Compression Rules
 pcx_content_type: concept
-weight: 8
+weight: 9
 ---
 
 # Compression Rules

content/rules/configuration-rules/_index.md

@@ -1,7 +1,7 @@
 ---
 pcx_content_type: concept
 title: Configuration Rules
-weight: 7
+weight: 2
 meta:
   title: Configuration Rules
 ---

content/rules/normalization/_index.md

@@ -1,7 +1,7 @@
 ---
 pcx_content_type: concept
 title: URL normalization
-weight: 4
+weight: 11
 ---
 
 # URL normalization

content/rules/page-rules/_index.md

@@ -2,7 +2,7 @@
 pcx_content_type: concept
 source: https://support.cloudflare.com/hc/en-us/articles/218411427-What-do-the-custom-caching-options-mean-in-Page-Rules-#summary-of-page-rules-settings
 title: Page Rules
-weight: 19
+weight: 10
 ---
 
 # Page Rules