diagrams and concepts

Author: ranbel

src/assets/images/cloudflare-one/connections/private-hostname-route-1.png

@@ -7,7 +7,7 @@ sidebar:
 
 import { Render } from "~/components";
 
-This guide covers how to enable secure remote access to private IP addresses using `cloudflared`. You can connect an entire private network, a subnet, or an application defined by a static IP.
+This guide covers how to enable secure remote access to private IP addresses using `cloudflared` and WARP. You can connect an entire private network, a subnet, or an application defined by a static IP.
 
 ## 1. Connect the server to Cloudflare
 

src/assets/images/cloudflare-one/connections/private-hostname-route-2.png

@@ -0,0 +1,49 @@
+---
+pcx_content_type: how-to
+title: Connect a private hostname
+sidebar:
+  order: 2
+---
+
+import { Render } from "~/components";
+
+`cloudflared` can route to non-HTTP applications on your private network using their private hostname (for example, `wiki.internal.local`). Private hostname routes are especially useful when the application has an unknown or ephemeral IP, which often occurs when infrastructure is provisioned by a third-party cloud provider.
+
+:::note[Availability]
+Hostname routes currently require Gateway resolver policies, an Enterprise-only feature. If you are on a Free or Pay-as-you-go plan, you will need to connect the application using its [IP address](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr) and [configure Local Domain Fallback](/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns/) to resolve its private hostname.
+:::
+
+## Limitations
+
+### Supported user traffic
+
+### Supported network on-ramps
+
+## How private hostname routing works
+
+Private hostname routing with Cloudflare Tunnel consists of three main components:
+
+- The WARP client installs on the user device and forwards network and DNS traffic from the device to Cloudflare Gateway.
+- Gateway resolver policies instruct Gateway to resolve the private hostname using your internal DNS resolver instead of the default public resolver.
+- `cloudflared` installs on a host machine in your private network and proxies traffic from Cloudflare to your internal DNS resolver and internal applications.
+
+Figures 1 and 2 illustrate what happens when a user connects to a private hostname (`wiki.internal.local`) from a WARP device.
+
+![Figure 1: DNS resolution for a private hostname](~/assets/images/cloudflare-one/connections/private-hostname-route-1.png "Figure 1: DNS resolution for private hostname")
+
+1. The WARP client sends the DNS query to the Gateway resolver for resolution.
+2. Based on the configured resolver policies, Gateway determines that `wiki.internal.local` should be resolved by a custom DNS resolver. Therefore, Gateway sends the DNS request down Cloudflare Tunnel to the private network where the custom DNS resolver is located.
+3. `cloudflared` does a DNS lookup to figure out what the origin IP is for `wiki.internal.local`.
+4. The Gateway resolver now knows that the origin IP is `10.0.0.5`.
+5. Rather than responding to the DNS query with the actual origin IP, Gateway responds with a random IP address from the CGNAT range `100.80.0.0/16` (for example, `100.80.0.1`). This CGNAT IP is called the initial resolved IP.
+6. Gateway stores the mapping between the private hostname, CGNAT initial resolved IP, and the actual IP.
+7. The WARP client receives the initial resolved IP (`100.80.0.1`) in the DNS response for `wiki.internal.local`.
+
+As shown in Figure 2 below, the WARP client will now send `wiki.internal.local` traffic to the initial resolved IP through Gateway. Because the destination IP falls within the designated CGNAT range, Gateway knows how it maps to the actual origin IP. Traffic that passes your network policies will now route through Cloudflare Tunnel to the private application.
+
+![Figure 2: Network traffic flow for a private hostname route](~/assets/images/cloudflare-one/connections/private-hostname-route-2.png "Figure 1: Network traffic flow for a private hostname route")
+
+To learn more about the initial resolved IP mechanism, refer to the [Cloudflare blog]().
+
+## Configure a private hostname route
+

src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr.mdx

@@ -13,5 +13,5 @@ On the client side, end users connect to Cloudflare's global network using the C
 ![Diagram displaying connections between a device, Cloudflare, and a private network.](~/assets/images/cloudflare-one/connections/private-ips-diagram.png)
 
 To enable remote access to your private network, refer to the following guides:
-- [**Connect a hostname**](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-hostname/): Route network traffic to an internal application using its private or public hostname.
+- [**Connect a private hostname**](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-hostname/): Route network traffic to an internal application using its hostname.
 - [**Connect an IP/CIDR**](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/): Route traffic to an internal IP address or CIDR range.

src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-hostname.mdx

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: how-to
-title: Resolve private DNS
+title: Private DNS
 sidebar:
   order: 4
 ---

src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx

@@ -0,0 +1,31 @@
+---
+pcx_content_type: how-to
+title: Egress through Cloudflare Tunnel
+sidebar:
+  order: 2
+---
+
+import { Details } from "~/components";
+
+Cloudflare Tunnel can be used for source IP anchoring when you want to use existing egress IPs instead of purchasing [Cloudflare dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). Some third-party websites may have an Access Control List (ACL) that only allow connections from certain source IPs. If you already a non-Cloudflare IP on their allowlist (such an egress IP provided by an ISP or a cloud provider like AWS), you can configure `cloudflared` to anchor user traffic to the same IPs that you use today.
+
+For example, assume that your organization's banking service, `app.bank.com`, expects user traffic to come from an AWS IP. You can install `cloudflared` in your AWS envirionment and add a public hostname route pointing to `app.bank.com`. When users connect to `app.bank.com` using the WARP client, Gateway will route their traffic down the corresponding Cloudflare Tunnel to AWS. The traffic can then egress to the public Internet using your AWS egress IP.
+
+```mermaid
+    flowchart LR
+      subgraph aws["AWS VPC"]
+				cloudflared["cloudflared"]--> rules["Egress rules"]
+      end
+			subgraph cloudflare[Cloudflare]
+			  resolver["Gateway
+				  resolver"]
+			end
+      warp["WARP
+			  clients"]--"app.bank.com"-->resolver
+			resolver-->cloudflared
+			rules--AWS egress IP -->I{Internet}
+```
+
+## Prerequisites
+
+## Configure a public hostname route