public hostnames --> published applications

ranbel · ranbel · commit 6269d44ef3b9 · 2025-05-22T15:21:47.000-04:00
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx
@@ -24,7 +24,7 @@ You can securely publish internal tools and applications by adding Cloudflare Ac
 [Set up a Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) to publish your internal application. Only users who match your Access policies will be granted access.
 
 :::note
-We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, public hostname routes in Tunnel are available to anyone on the Internet.
+We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, the published application will be available to anyone on the Internet.
 :::
 
 If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using [other methods](/fundamentals/security/protect-your-origin-server/).
diff --git a/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx b/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
@@ -23,7 +23,7 @@ Cloudflare Access short-lived certificates can work with any modern SSH server,
 
 To secure your server behind Cloudflare Access:
 
-1. [Connect the server to Cloudflare](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) as a public hostname route.
+1. [Connect the server to Cloudflare](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) as a published application.
 2. Create a [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for the server.
 
 :::note
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx
@@ -140,11 +140,11 @@ On Windows, Cloudflare Tunnel installs itself as a system service using the Regi
 
 ## Update origin configuration
 
-To configure how `cloudflared` sends requests to your [public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) services:
+To configure how `cloudflared` sends requests to your [published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
 2. Choose a tunnel and select **Configure**.
-3. Select the **Public Hostname** tab.
-4. Choose a route and select **Edit**.
+3. Select the **Published applications** tab.
+4. Choose an application and select **Edit**.
 5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/).
 6. Select **Save hostname**.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx
@@ -171,7 +171,7 @@ The timeout after which a TCP keepalive packet is sent on a connection between C
 | ------- | ------------------- |
 | `""`    | Protect with Access |
 
-Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname routes that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
+Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname services that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
 
 To enable this security control in a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#origin-configuration), [get the AUD tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`:
 
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx
@@ -113,7 +113,7 @@ The following configuration will modify settings in your Cloudflare account.
 			proxied = true
 		}
 
-		# Configures tunnel with a public hostname route for clientless access.
+		# Configures tunnel with a published application for clientless access.
 		resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
 			tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
 			account_id = var.cloudflare_account_id
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/terraform.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/terraform.mdx
@@ -156,7 +156,7 @@ The following configuration will modify settings in your Cloudflare account.
 			proxied = true
 		}
 
-		# Configures tunnel with a public hostname route for clientless access.
+		# Configures tunnel with a published application for clientless access.
 		resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
 			tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
 			account_id = var.cloudflare_account_id
@@ -240,7 +240,7 @@ The following configuration will modify settings in your Cloudflare account.
 			proxied = true
 		}
 
-		# Configures tunnel with a public hostname route for clientless access.
+		# Configures tunnel with a published application for clientless access.
 			resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
 				tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
 				account_id = var.cloudflare_account_id
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 7
 ---
 
-With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a [connector](#connectors) on the private network, and then [setting up routes](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2b-connect-a-network) which define the IP addresses available in that environment. Unlike [public hostname routes](/cloudflare-one/connections/connect-networks/routing-to-tunnel/), private network routes can expose both HTTP and non-HTTP resources.
+With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a [connector](#connectors) on the private network, and then [setting up routes](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2b-connect-a-network) which define the IP addresses available in that environment. Unlike [published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/), private network routes can expose both HTTP and non-HTTP resources.
 
 To reach private network IPs, end users must connect their device to Cloudflare and enroll in your Zero Trust organization. The most common method is to install the [WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device, or you can onboard their network traffic to Cloudflare using our [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) or [Magic WAN](/magic-wan/zero-trust/cloudflare-tunnel/).
 
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
@@ -48,6 +48,6 @@ To set up WARP Connector, refer to the guide for your use case:
 - **[Site-to-Internet](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet/)**: Send requests from your private network to the Internet.
 - **[Site-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/)**: Send requests between two or more private networks.
 - **[User-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site/)**: Allow WARP client devices to send requests to your private network.
-- **Internet-to-site**: Not supported by WARP Connector. To provide clientless access to applications on your private network, set up a [Cloudflare Tunnel with `cloudflared`](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) and configure a [public hostname route](/cloudflare-one/connections/connect-networks/routing-to-tunnel/).
+- **Internet-to-site**: Not supported by WARP Connector. To provide clientless access to applications on your private network, set up a [Cloudflare Tunnel with `cloudflared`](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) and configure a [published application](/cloudflare-one/connections/connect-networks/routing-to-tunnel/).
 
 [^1]: WARP Connector is an extension of the [WARP client](/cloudflare-one/connections/connect-devices/warp/).
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx
@@ -1,6 +1,6 @@
 ---
 pcx_content_type: concept
-title: Public hostnames
+title: Published applications
 sidebar:
   order: 8
 
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx
@@ -16,11 +16,11 @@ Client-side `cloudflared` can be used in conjunction with [routing over WARP](/c
 
 1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).
 
-2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `rdp.example.com`).
+2. In the **Published applications** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `rdp.example.com`).
 
 3. For **Service**, select _RDP_ and enter the [RDP listening port](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port) of your server (for example, `localhost:3389`). It will likely be port `3389`.
 
-4. Select **Save hostname**.
+4. Save the configuration.
 
 ## 2. (Recommended) Create an Access application
 
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx
@@ -67,15 +67,17 @@ The public hostname method can be implemented in conjunction with routing over W
 
 1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).
 
-2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `smb.example.com`).
+2. In the **Published applications** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `smb.example.com`).
 
 3. For **Service**, select _TCP_ and enter the SMB listening port (for example, `localhost:445`). SMB drives listen on port `139` or `445` by default.
 
-4. Select **Save hostname**.
+4. Save the configuration.
 
-5. (Recommended) Add a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server.
+## 2. (Recommended) Create an Access application
 
-### 2. Connect as a user
+By default, anyone on the Internet can connect to the server using its public hostname. To allow or block specific users, create a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access.
+
+### 3. Connect as a user
 
 1. [Install `cloudflared`](/cloudflare-one/connections/connect-networks/downloads/) on the client machine.
 
diff --git a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
@@ -92,11 +92,11 @@ Your bucket policy will allow your VPC to access your S3 bucket.
 
 A bucket website endpoint will be available at `http://<your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com`. Because of the bucket policy, this website endpoint will only be accessible from the VPC with the VPC endpoint configured.
 
-### 4. Add a new public hostname to the Cloudflare Tunnel
+### 4. Add a published application to the Cloudflare Tunnel
 
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Tunnels**
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**
 2. Select your Tunnel, then select **Configure**.
-3. Go to **Public Hostname**, then select **Add a public hostname**.
+3. Go to **Published applications**, then select **Add a public hostname**.
 4. Enter a subdomain your organization will use to access the S3 bucket. For example, `s3-bucket.<your-domain>.com`.
 5. Under **Service**, choose _HTTP_ for **Type**. In **URL**, enter `<your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com`.
 6. In **Additional application settings** > **HTTP Settings**, input the **HTTP Host Header** as `<your-S3-bucket01>.s3-website.<aws-region>.amazonaws.com`.
diff --git a/src/content/docs/data-localization/compatibility.mdx b/src/content/docs/data-localization/compatibility.mdx
@@ -131,7 +131,7 @@ The table below provides a summary of the Data Localization Suite product's beha
 [^15]: Can be localized to US FedRAMP Moderate Domestic region only.
 [^16]: Customer Metadata Boundary can be used to limit data transfer outside region, but Access User Logs will not be available outside US region.
 [^17]: Currently may only be used with US FedRAMP region.
-[^18]: The only connectivity option is [US FedRAMP Moderate Domestic region](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region). Regional Services only applies when using [Public Hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) set to a region.
+[^18]: The only connectivity option is [US FedRAMP Moderate Domestic region](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region). Regional Services only applies when using [Published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) set to a region.
 [^19]: Uses Gateway HTTP and CASB.
 [^20]: You can [bring your own certificate](https://blog.cloudflare.com/bring-your-certificates-cloudflare-gateway/) to Gateway but these cannot yet be restricted to a specific region.
 [^21]: Gateway HTTP supports Regional Services. Gateway DNS does not yet support regionalization. <br/> ICMP proxy and WARP-to-WARP proxy are not available to Regional Services users.
diff --git a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
@@ -46,9 +46,9 @@ First, create a [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks
 
 ### 1.2. Connect your database using a public hostname
 
-Your tunnel must be configured to use a public hostname so that Hyperdrive can route requests to it. If you don't have a hostname on Cloudflare yet, you will need to [register a new hostname](/registrar/get-started/register-domain/) or [add a zone](/dns/zone-setups/) to Cloudflare to proceed.
+Your tunnel must be configured to use a public hostname on Cloudflare so that Hyperdrive can route requests to it. If you don't have a hostname on Cloudflare yet, you will need to [register a new hostname](/registrar/get-started/register-domain/) or [add a zone](/dns/zone-setups/) to Cloudflare to proceed.
 
-1. In the **Public Hostnames** tab, choose a **Domain** and specify any subdomain or path information. This will be used in your Hyperdrive configuration to route to this tunnel.
+1. In the **Published applications** tab, choose a **Domain** and specify any subdomain or path information. This will be used in your Hyperdrive configuration to route to this tunnel.
 
 2. In the **Service** section, specify **Type** `TCP` and the URL and configured port of your database, such as `localhost:5432` or `my-database-host.database-provider.com:5432`. This address will be used by the tunnel to route requests to your database.
 
diff --git a/src/content/docs/learning-paths/clientless-access/alternative-onramps/index.mdx b/src/content/docs/learning-paths/clientless-access/alternative-onramps/index.mdx
@@ -6,7 +6,7 @@ sidebar:
 
 ---
 
-As discussed in the previous modules, almost everything you do with the Cloudflare reverse proxy requires [adding a site](/learning-paths/clientless-access/initial-setup/add-site/) to Cloudflare. That public DNS record (or its subdomains) becomes the domain on which your users access your private applications. This method is exceptionally secure and transparent; each domain and subdomain has access to the Cloudflare web security portfolio, are inherently DDoS protected, and receive an obfuscated origin IP. For these reasons, [public hostname routing](/learning-paths/clientless-access/connect-private-applications/) is the recommended method to onboard applications for clientless user access.  However, there may be times in which a public DNS record cannot be created, or other situations that prevent administrators from using this method.
+As discussed in the previous modules, almost everything you do with the Cloudflare reverse proxy requires [adding a site](/learning-paths/clientless-access/initial-setup/add-site/) to Cloudflare. That public DNS record (or its subdomains) becomes the domain on which your users access your private applications. This method is exceptionally secure and transparent; each domain and subdomain has access to the Cloudflare web security portfolio, are inherently DDoS protected, and receive an obfuscated origin IP. For these reasons, using a [public hostname on Cloudflare](/learning-paths/clientless-access/connect-private-applications/) is the recommended method to onboard applications for clientless user access.  However, there may be times in which a public DNS record cannot be created, or other situations that prevent administrators from using this method.
 
 ## Objectives
 
diff --git a/src/content/docs/learning-paths/clientless-access/connect-private-applications/create-tunnel.mdx b/src/content/docs/learning-paths/clientless-access/connect-private-applications/create-tunnel.mdx
@@ -8,7 +8,7 @@ sidebar:
 
 import { Render } from "~/components"
 
-To enable clientless access to your applications, you will need to create a Cloudflare Tunnel that contains public hostname routes. A public hostname route creates a public DNS record that routes traffic to a specific address, protocol, and port associated with a private application. For example, you can define a public hostname (`mywebapp.example.com`) to provide access to a web server running on `https://localhost:8080`. When a user goes to `mywebapp.example.com` in their browser, their request will first route to a Cloudflare data center where it is inspected against your configured security policies. Cloudflare will then forward validated requests down your tunnel to the web server.
+To enable clientless access to your applications, you will need to create a Cloudflare Tunnel that publishes applications to a domain on Cloudflare. A published application creates a public DNS record that routes traffic to a specific address, protocol, and port associated with a private application. For example, you can define a public hostname (`mywebapp.example.com`) to provide access to a web server running on `https://localhost:8080`. When a user goes to `mywebapp.example.com` in their browser, their request will first route to a Cloudflare data center where it is inspected against your configured security policies. Cloudflare will then forward validated requests down your tunnel to the web server.
 
 ![How an HTTP request reaches a private application connected with Cloudflare Tunnel](~/assets/images/cloudflare-one/connections/connect-apps/handshake.jpg)
 
@@ -20,7 +20,7 @@ To create a Cloudflare Tunnel:
 
 ## Connect an application
 
-To add a public hostname route to the tunnel:
+To add a published application to the tunnel:
 
 <Render file="tunnel/add-public-hostname" product="cloudflare-one" />
 
diff --git a/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx b/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx
diff --git a/src/content/docs/load-balancing/additional-options/cloudflare-tunnel.mdx b/src/content/docs/load-balancing/additional-options/cloudflare-tunnel.mdx
diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
diff --git a/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx
diff --git a/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx b/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx
diff --git a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx

Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ The following configuration will modify settings in your Cloudflare account.`
`113`	`113`	`proxied = true`
`114`	`114`	`}`
`115`	`115`
`116`		`- # Configures tunnel with a public hostname route for clientless access.`
	`116`	`+ # Configures tunnel with a published application for clientless access.`
`117`	`117`	`resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {`
`118`	`118`	`tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id`
`119`	`119`	`account_id = var.cloudflare_account_id`