Add flowchart

Author: maxvp

src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx

@@ -17,7 +17,7 @@ Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/l
 
 When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/).
 
-Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/), including [FedRAMP compliant data centers](#fedramp-compliance). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/).
+Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/).
 
 Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3.
 
@@ -117,24 +117,30 @@ FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/policies/gateway/htt
 
 ## FedRAMP compliance
 
-When using [Cloudflare Regional Services](/data-localization/regional-services/) with the WARP client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic.
+When you use [Cloudflare Regional Services](/data-localization/regional-services/) in the United States and the WARP client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic.
 
 ```mermaid
 flowchart LR
+ %% Accessibility
+ accTitle: How Gateway routes FedRAMP compliant traffic with Regional Services
+ accDescr: Flowchart describing how WARP with Gateway routes traffic to egress from a FedRAMP compliant data center when used with Regional Services in the United States.
+
+ %% Flowchart
  subgraph s1["Non-FedRAMP data center"]
         n2["WARP TLS encryption terminated"]
   end
  subgraph s2["FedRAMP data center"]
         n3["Gateway TLS encryption (FIPS) terminated"]
   end
  subgraph s3["Private internal network"]
-        n5["FedRAMP-compliant cloudflared"]
+        n5["FedRAMP compliant cloudflared"]
         n6(["Private server"])
   end
-    n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS --> n2
-    n2 --> n3
-    n3 --> n4(["HTTPS server"]) & n5
+    n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS (MASQUE) --> n2
+    n2 -- Gateway TLS connection --> n3
+    n3 <-- FIPS tunnel --> n5
     n5 --> n6
+
     n5@{ shape: rect}
 ```