Update self-hosted-private-app.mdx

kennyj42 · web-flow · commit 9728283a4183 · 2025-10-14T10:09:00.000-05:00
Adding a call out for how someone can route for a private application that is behind a public IP or Hostname.
diff --git a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx
@@ -19,6 +19,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 - Private IPs and hostnames are reachable over Cloudflare WARP, Magic WAN or Browser Isolation. For more details, refer to [Connect a private network](/cloudflare-one/connections/connect-networks/private-net/).
 - Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/).
 - (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications).
+- Public IP/Domains can be used to define a private application, however the IP or domain *must be routed via [Cloudflare Tunnel](/learning-paths/replace-vpn/connect-private-network/connection-methods/), (WARP Connector)[/learning-paths/replace-vpn/connect-private-network/connection-methods/] or [Magic WAN](/load-balancing/private-network/)*. Any public IP or Hostname added to the private IP/Hostname application definition will be ignored.
 
 ## Add your application to Access
 
@@ -83,4 +84,4 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece
 
 ### Private hostname vs private IP
 
-An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to 	`10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)).
+An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to 	`10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)).
