Commit c2e5bdc

committed
Add flowchart
1 parent 6cc20bf commit c2e5bdc

1 file changed

+12
-6
lines changed


src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx

Lines changed: 12 additions & 6 deletions
@@ -17,7 +17,7 @@ Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/l
1717

1818
When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/).
1919

20-
Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/), including [FedRAMP compliant data centers](#fedramp-compliance). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/).
20+
Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/).
2121

2222
Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3.
2323
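Review bot: Removing the `[FedRAMP compliant data centers](#fedramp-compliance)` link from the Regional Services sentence leaves the introduction with no pointer to the FedRAMP behaviour, even though the `## FedRAMP compliance` section still exists later in this same file (it is context in the second hunk). If the intent is only to stop implying that DLS itself selects FedRAMP data centers, keep a cross-reference rather than dropping it, for example end the sentence with "For FedRAMP boundary egress, see [FedRAMP compliance](#fedramp-compliance)." so readers who need the compliance guarantee still find it from the section that explains decryption location.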

@@ -117,24 +117,30 @@ FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/policies/gateway/htt
117117

118118
## FedRAMP compliance
119119

120-
When using [Cloudflare Regional Services](/data-localization/regional-services/) with the WARP client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic.
120+
When you use [Cloudflare Regional Services](/data-localization/regional-services/) in the United States and the WARP client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic.
121121

122122
```mermaid
123123
flowchart LR
124+
%% Accessibility
125+
accTitle: How Gateway routes FedRAMP compliant traffic with Regional Services
126+
accDescr: Flowchart describing how WARP with Gateway routes traffic to egress from a FedRAMP compliant data center when used with Regional Services in the United States.
127+
128+
%% Flowchart
124129
subgraph s1["Non-FedRAMP data center"]
125130
n2["WARP TLS encryption terminated"]
126131
end
127132
subgraph s2["FedRAMP data center"]
128133
n3["Gateway TLS encryption (FIPS) terminated"]
129134
end
130135
subgraph s3["Private internal network"]
131-
n5["FedRAMP-compliant cloudflared"]
136+
n5["FedRAMP compliant cloudflared"]
132137
n6(["Private server"])
133138
end
134-
n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS --> n2
135-
n2 --> n3
136-
n3 --> n4(["HTTPS server"]) & n5
139+
n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS (MASQUE) --> n2
140+
n2 -- Gateway TLS connection --> n3
141+
n3 <-- FIPS tunnel --> n5
137142
n5 --> n6
143+
138144
n5@{ shape: rect}
139145
```
140146
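Review bot: The rewritten flowchart drops the `n4(["HTTPS server"])` node and its edge from `n3`, so the diagram now shows only the `FIPS tunnel` path into the private network, while the paragraph above it is about traffic that "will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary" to the wider internet. Consider restoring a public-egress edge alongside the tunnel, for example `n3 -- HTTPS --> n4(["HTTPS server"])`, so the figure still illustrates the egress case the prose describes; the `accDescr` text also talks about egress, so it currently describes something the diagram no longer draws. Two smaller points: the new `n3 <-- FIPS tunnel --> n5` edge is the only bidirectional arrow in the chart (every other edge is one-way), which reads as if the tunnel semantics differ from the WARP and Gateway TLS hops, so either make it one-way or add a short note on why it is two-way; and the trailing `n5@{ shape: rect}` line is now redundant because `n5["..."]` already renders as a rectangle, so it can be removed along with the stray blank line added at 143.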
