[ZT] Tunnel hostname routes (#22587)

* update private DNS

* Private networks overview and IA

* diagrams and concepts

* outline steps

* fix relative links

* update get started  pages

* public hostnames --> published applications

* hostname format restrictions

* connect server

* set up client

* account limits

* create resolver policy, add IPv6

* update private hostname diagram

* update policy guidelines

* update egress diagram

* add placeholders

* update egress description

* add beta pill

* add split tunnel and policy details

* example policies

* fix example hostname

* tweak availability note

* policy partials

* update policies, testing, troubleshooting

* update availability

* fix relative links

* convert prereqs to partials

* update diagram

* refine egress use case

* add Magic WAN onramp

* tweak initial resolved IP

* mobile WARP client versions

* remove punycode requirement

* public hostname Gateway policies

* more details on initial resolved IPs

* move Tunnel prereq into a step

* magic wan is pending SHIP-8236

* add glossary entry

* add ipv6 range

* update mobile WARP versions

* Apply suggestions from code review

* Update rdp-cloudflared-authentication.mdx

* remove steps formatting

* add mwan and warpconn limitation

* fix package.json

* fix package.json files

* update mwan and warpconn prereq

* add link to CF blog

* add local domain fallback

* fix steps component

* refine wording

* update private network tab name

* update published applications tab name

* update public hostname partial file

* add testing details

* Merge branch 'production' into ranbel/tunnel-onoma

* check token IP in split tunnels

* move troubleshooting link

* use latest package.json files

* DNS config for WARP Connector

* clean up prereqs

* clean up feature availability

* fix package.json files

* fix render component

* fix render component

* fix broken link

* DNS via WARP Connector's IP is not supported

* edit prereqs

* Update src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx

* fix tunnel partial

* Update src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx

Co-authored-by: Max Phillips <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx

Co-authored-by: Max Phillips <[email protected]>

* Apply suggestions from code review

* Update src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx

Co-authored-by: Max Phillips <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx

Co-authored-by: Max Phillips <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx

Co-authored-by: Max Phillips <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx

Co-authored-by: Max Phillips <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx

Co-authored-by: Max Phillips <[email protected]>

* Apply suggestions from code review

Co-authored-by: Max Phillips <[email protected]>

---------

Co-authored-by: Max Phillips <[email protected]>

Author: ranbel

src/assets/images/cloudflare-one/connections/private-hostname-route-1.png

@@ -66,7 +66,7 @@ This page lists the default account limits for rules, applications, fields, and
 | ---------------------------------------- | ----- |
 | `cloudflared` tunnels per account        | 1,000 |
 | WARP Connectors per account              | 10    |
-| IP routes per account                    | 1,000 |
+| Routes per tunnel                       | 1,000 |
 | Active `cloudflared` replicas per tunnel | 25    |
 
 ## Digital Experience Monitoring (DEX)

src/assets/images/cloudflare-one/connections/private-hostname-route-2.png

@@ -27,7 +27,7 @@ You can securely publish internal tools and applications by adding Cloudflare Ac
 [Set up a Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) to publish your internal application. Only users who match your Access policies will be granted access.
 
 :::note
-We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, public hostname routes in Tunnel are available to anyone on the Internet.
+We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, the published application will be available to anyone on the Internet.
 :::
 
 If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using [other methods](/fundamentals/security/protect-your-origin-server/).

src/content/docs/cloudflare-one/account-limits.mdx

@@ -24,7 +24,7 @@ Cloudflare Access short-lived certificates can work with any modern SSH server,
 
 To secure your server behind Cloudflare Access:
 
-1. [Connect the server to Cloudflare](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) as a public hostname route.
+1. [Connect the server to Cloudflare](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) as a published application.
 2. Create a [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for the server.
 
 :::note

src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx

@@ -140,11 +140,11 @@ On Windows, Cloudflare Tunnel installs itself as a system service using the Regi
 
 ## Update origin configuration
 
-To configure how `cloudflared` sends requests to your [public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) services:
+To configure how `cloudflared` sends requests to your [published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
 2. Choose a tunnel and select **Configure**.
-3. Select the **Public Hostname** tab.
-4. Choose a route and select **Edit**.
+3. Select the **Published application routes** tab.
+4. Choose an application and select **Edit**.
 5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/).
-6. Select **Save hostname**.
+6. Select **Save**.

src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx

@@ -171,7 +171,7 @@ The timeout after which a TCP keepalive packet is sent on a connection between C
 | ------- | ------------------- |
 | `""`    | Protect with Access |
 
-Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname routes that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
+Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname services that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
 
 To enable this security control in a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#origin-configuration), [get the AUD tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`:
 

src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx

@@ -113,23 +113,23 @@ The following configuration will modify settings in your Cloudflare account.
         	proxied = true
         }
 
-        # Configures tunnel with a public hostname route for clientless access.
-        resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
-        	tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
-        	account_id = var.cloudflare_account_id
-        	config     = {
-        		ingress 	= [
-        			{
-        				hostname = "http_app.${var.cloudflare_zone}"
-        				service  = "http://localhost:80"
-        			},
-        			{
-        				service  = "http_status:404"
-        			}
-        		]
-        	}
-        }
-        ```
+		# Configures tunnel with a published application for clientless access.
+		resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
+			tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
+			account_id = var.cloudflare_account_id
+			config     = {
+				ingress 	= [
+					{
+						hostname = "http_app.${var.cloudflare_zone}"
+						service  = "http://localhost:80"
+					},
+					{
+						service  = "http_status:404"
+					}
+				]
+			}
+		}
+		```
 
 ### Configure GCP resources
 

src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx

@@ -98,8 +98,8 @@ EOF
 
 [Private network routes](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) allow users to connect to your virtual private cloud (VPC) using the WARP client. To add a private network route for your Cloudflare Tunnel:
 
-1.  In the **Private Network** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
-2.  In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.
+1. In the **CIDR** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in **Exclude** mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.
 
         To determine which IP addresses to re-add, subtract your AWS instance IPs from `172.16.0.0/12`:
 

src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx

@@ -76,8 +76,8 @@ To complete the following procedure, you will need to:
 
 To configure a private network route for your Cloudflare Tunnel:
 
-1.  In the **Private Network** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary.
-2.  In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.
+1. In the **CIDR** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in **Exclude** mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.
 
         To determine which IP addresses to re-add, subtract your GCP instance IPs from `10.0.0.0/8`: