[Gateway] VNet routing for resolver policies (#16377)

maxvp · web-flow · commit 91c674a22a54 · 2024-08-23T15:44:49.000-04:00
diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
@@ -8,17 +8,36 @@ sidebar:
 head:
   - tag: title
     content: Resolver policies
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 :::note
-Only available on Enterprise plans. 
+Only available on Enterprise plans.
 :::
 
 By default, Gateway sends DNS requests to [1.1.1.1](/1.1.1.1/), Cloudflare's public DNS resolver, for resolution. Enterprise users can instead create Gateway policies to route DNS queries to custom resolvers.
 
+```mermaid
+flowchart TD
+    %% Accessibility
+    accTitle: How Gateway routes DNS queries
+    accDescr: Flowchart describing the order Cloudflare Gateway routes a DNS query from an endpoint through DNS and resolver policies back to the user.
+
+    %% Flowchart
+    user(["User"])-->endpoint[/"Gateway DNS endpoint"/]
+
+    endpoint-->query["DNS policy (query)"]
+
+    query-->resolver["Resolver policy"]
+
+    resolver--"Routes to </br>custom resolver"-->response["DNS policy (response)"]
+
+    response--"Returns response"-->user
+```
+
+Gateway will route user traffic to your configured DNS resolver based on the matching policy, even if your resolvers' IP addresses overlap.
+
 ## Use cases
 
 You may use resolver policies if you require access to non-publicly routed domains, such as private network services or internal resources. You may also use resolver policies if you need to access a protected DNS service or want to simplify DNS management for multiple locations.
@@ -45,12 +64,12 @@ To enable connections to a private resolver connected to Cloudflare via [Magic W
 
 Resolver policies can route queries for resolution from the following DNS endpoints:
 
-* IPv4
-* IPv6
-* [DNS over HTTPS (DoH)](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/)
-* [DNS over TLS (DoT)](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-tls/)
-* DNS queries generated by Cloudflare [Browser Isolation](/cloudflare-one/policies/browser-isolation/) and [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/)
-* DNS queries generated by [proxy endpoints](/cloudflare-one/connections/connect-devices/agentless/pac-files/)
+- IPv4
+- IPv6
+- [DNS over HTTPS (DoH)](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/)
+- [DNS over TLS (DoT)](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-tls/)
+- DNS queries generated by Cloudflare [Browser Isolation](/cloudflare-one/policies/browser-isolation/) and [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/)
+- DNS queries generated by [proxy endpoints](/cloudflare-one/connections/connect-devices/agentless/pac-files/)
 
 Gateway will filter, resolve, and log your queries regardless of endpoint.
 
diff --git a/src/content/partials/cloudflare-one/gateway/create-resolver-policy.mdx b/src/content/partials/cloudflare-one/gateway/create-resolver-policy.mdx
@@ -1,12 +1,9 @@
 ---
 {}
-
 ---
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Resolver policies**.
-
 2. Select **Add a policy**.
-
 3. Create an expression for your desired traffic. For example, you can resolve a hostname for an internal service:
 
    | Selector | Operator | Value                  |
@@ -15,22 +12,21 @@
 
    Make sure your destination is not subject to [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/#manage-local-domains).
 
-4. In **Select DNS resolver**, choose *Configure custom DNS resolvers*.
-
+4. In **Select DNS resolver**, choose _Configure custom DNS resolvers_.
 5. Enter the IP addresses of your custom DNS resolver.
-
+   :::tip[Search virtual networks]
+   As you enter an IP address, Gateway will search through your [virtual networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) configured in Zero Trust.
+   :::
 6. In **Network**, choose whether to route queries publicly (to the Internet) or privately (to a private network service).
-
 7. (Optional) Enter a custom port for each IP address.
-
 8. Select **Create policy**.
 
 Custom resolvers are saved to your account for future use. You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.
 
 When a user's query matches a resolver policy, Gateway will send the query to your listed resolvers in the following order:
 
 1. Public resolvers
-2. Private resolvers behind the default [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) for your account
+2. Private resolvers behind the default virtual network for your account
 3. Private resolvers behind a custom virtual network
 
 Gateway will cache the fastest resolver for use in subsequent queries. Resolver priority is cached on a per user basis for each data center.
