infra access supports public IPs (#18551)

Author: ranbel

src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx

@@ -27,15 +27,15 @@ import { Badge, Details, Tabs, TabItem, Render } from "~/components";
 
 </Details>
 
-Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.
+Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.
 
 :::note
 Access for Infrastructure currently only supports [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/).
 :::
 
 ## Prerequisites
 
-- [Connect your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare using `cloudflared` or WARP Connector.
+- [Connect your infrastructure](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare using `cloudflared` or WARP Connector.
 - [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on user devices in Gateway with WARP mode.
 
 ## 1. Add a target
@@ -54,7 +54,7 @@ Certain protocols require configuring the server to trust connections through Ac
 
 ## 4. Connect as a user
 
-Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
+Users connect to the target's IP address using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
 
 ### Connect to different VNET
 

src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx

@@ -20,23 +20,15 @@ To enable remote access to your private network, follow the guide below.
 To connect your infrastructure with Cloudflare Tunnel:
 
 1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network.
-2. In the **Private Networks** tab for the tunnel, enter the IP/CIDR range of your private network (for example `10.0.0.0/8`). This makes the WARP client aware that any requests to this IP range need to be routed to your new tunnel.
-
-:::note
-Cloudflare Tunnel only supports routes in the [private IP address space](https://www.rfc-editor.org/rfc/rfc1918.html#section-3):
-
-- `10.0.0.0` - `10.255.255.255`
-- `172.16.0.0` - `172.31.255.255`
-- `192.168.0.0` - `192.168.255.255`
-  :::
+2. In the **Private Networks** tab for the tunnel, enter the IP/CIDR range that you wish to route through the tunnel (for example `10.0.0.0/8`).
 
 ## 2. Set up the client
 
 <Render file="tunnel/warp-to-tunnel-client" />
 
 ## 3. Route private network IPs through WARP
 
-<Render file="tunnel/warp-to-tunnel-route-ips" />
+<Render file="tunnel/warp-to-tunnel-route-ips" params={{ one: "private network"}}/>
 
 ## 4. (Recommended) Filter network traffic with Gateway
 

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx

@@ -38,7 +38,7 @@ To establish a secure, outbound-only connection to Cloudflare:
 
 ## 3. Route private network IPs through WARP
 
-<Render file="tunnel/warp-to-tunnel-route-ips" />
+<Render file="tunnel/warp-to-tunnel-route-ips" params={{ one: "private network"}} />
 
 ## 4. (Recommended) Create a Gateway policy
 

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp.mdx

@@ -68,7 +68,7 @@ By default, Internet Explorer will be installed and configured in [Enhanced Secu
 
 ### 3. Route private network IPs through WARP
 
-<Render file="tunnel/warp-to-tunnel-route-ips" />
+<Render file="tunnel/warp-to-tunnel-route-ips" params={{ one: "private network"}} />
 
 ### 4. Connect as a user
 

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx

@@ -36,7 +36,7 @@ While SMB was developed for Microsoft Windows, Samba provides SMB connectivity f
 
 ### 3. Route private network IPs through WARP
 
-<Render file="tunnel/warp-to-tunnel-route-ips" />
+<Render file="tunnel/warp-to-tunnel-route-ips" params={{ one: "private network"}} />
 
 ### 4. Connect as a user
 

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx

@@ -18,7 +18,7 @@ import { Tabs, TabItem, Badge, Render } from "~/components";
 
 1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network.
 
-2. In the **Private Networks** tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP).
+2. In the **Private Networks** tab for the tunnel, enter the IP address of your server (or a range that includes the server IP). Typically this would be a private IP, but public IPs are also allowed.
 
 ## 2. Set up the client
 
@@ -28,9 +28,10 @@ To connect your devices to Cloudflare:
 2. [Enable the Gateway proxy for TCP](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy).
 3. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
 
-## 3. Route private network IPs through WARP
+## 3. Route server IPs through WARP
+
+<Render file="tunnel/warp-to-tunnel-route-ips" params={{ one: "SSH server"}} />
 
-<Render file="tunnel/warp-to-tunnel-route-ips" />
 
 ## 4. Add a target
 

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx

@@ -67,7 +67,7 @@ In order to be able to establish an SSH connection, do not enable [OS Login](htt
 
 ## 5. Route private network IPs through WARP
 
-<Render file="tunnel/warp-to-tunnel-route-ips" />
+<Render file="tunnel/warp-to-tunnel-route-ips" params={{ one: "private network"}} />
 
 ## 6. Connect as a user
 

src/content/docs/learning-paths/replace-vpn/configure-device-agent/split-tunnel-settings.mdx

@@ -12,4 +12,4 @@ import { Render } from "~/components"
 
 ## Configure Split Tunnels for private network access
 
-<Render file="tunnel/warp-to-tunnel-route-ips" product="cloudflare-one" />
+<Render file="tunnel/warp-to-tunnel-route-ips" product="cloudflare-one" params={{ one: "private network"}}/>

src/content/partials/cloudflare-one/access/add-target.mdx

@@ -20,10 +20,9 @@ To create a new target:
 			- Contain only alphanumeric characters, `-`, or `.` (no spaces allowed)
 			- Start and end with an alphanumeric character
 	</Details>
-4. In **IP addresses**, enter the private IPv4 and/or IPv6 address of the target resource. If the IP address overlaps across multiple private networks, select the [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
+4. In **IP addresses**, enter the IPv4 and/or IPv6 address of the target resource. If the IP address overlaps across multiple private networks, select the [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
 :::note[IP address requirements]
-- Public IPs are not currently supported.
-- The IP address must be reachable through Cloudflare Tunnel.
+- The IP address must route through Cloudflare Tunnel. To verify, confirm that the target IP appears in **Networks** > **Routes**.
 - You must input the full IP address. The selector in the UI does not do partial matches.
 :::
 5. Select **Add target**.

src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx

@@ -1,13 +1,16 @@
 ---
-{}
+params:
+	- one
 ---
 
-By default, WARP excludes traffic bound for [RFC 1918 space](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) so that the IP/CIDR of your private network routes through WARP.
+import { Markdown } from "~/components"
+
+By default, WARP excludes traffic bound for [RFC 1918 space](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your <Markdown text={props.one}/>, you must configure [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) so that the IP/CIDR of your <Markdown text={props.one}/> routes through WARP.
 
 1. First, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
-2. If you are using **Include** mode, add your network's IP/CIDR range to the list. Your list should also include the [domains necessary for Cloudflare Zero Trust functionality](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
+2. If you are using **Include** mode, add your <Markdown text={props.one}/>'s IP/CIDR range to the list. Your list should also include the [domains necessary for Cloudflare Zero Trust functionality](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
 3. If you are using **Exclude** mode:
-   1. Delete your network's IP/CIDR range from the list. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
-   2. Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.
+   1. Delete your <Markdown text={props.one}/>'s IP/CIDR range from the list. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
+   2. Re-add IP/CIDR ranges that are not explicitly used by your <Markdown text={props.one}/>. For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.
 
 By tightening the private IP range included in WARP, you reduce the risk of breaking a user's [access to local resources](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-users-to-enable-local-network-exclusion).