clean up prereqs

ranbel · ranbel · commit eda090482170 · 2025-09-12T16:18:10.000-04:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx
@@ -7,7 +7,7 @@ sidebar:
     text: Beta
 ---
 
-import { Render, Details, GlossaryTooltip } from "~/components";
+import { Render, Details, GlossaryTooltip, Checkbox } from "~/components";
 
 :::note[Availability]
 Hostname routes are currently available in closed beta to Enterprise customers. To request access, contact your account team.
@@ -31,7 +31,7 @@ Figures 1 and 2 illustrate the flow of DNS and network traffic when a user conne
 2. Gateway determines that `wiki.internal.local` should be resolved by a custom DNS resolver.
 3. Gateway does a DNS lookup for `wiki.internal.local` through Cloudflare Tunnel, and the custom DNS resolver returns the origin IP (`10.0.0.5`).
 4. Rather than responding to the DNS query with the actual origin IP, Gateway responds with a random IP address from the following CGNAT range:
-	<Render file="gateway/egress-selector-cgnat-ips" />
+	<Render file="gateway/egress-selector-cgnat-ips" product="cloudflare-one"/>
 
 	The selected CGNAT IP is called the initial resolved IP.
 5. Gateway's network engine stores the mapping between the private hostname (`wiki.internal.local`), initial resolved IP (`100.80.0.1`), and the actual IP (`10.0.0.5`).
@@ -43,13 +43,71 @@ As shown in Figure 2 below, the WARP client will now send `wiki.internal.local`
 
 The initial resolved IP mechanism is required because Gateway's network engine operates at L3/L4 and can only see IPs (not hostnames) when processing the connection. Because the packet's destination IP falls within the designated CGNAT range, Gateway knows that it corresponds to a hostname route and can apply hostname-based policies. Traffic that passes your Gateway policies will route through Cloudflare Tunnel to the application's actual origin IP. When the initial resolved IP expires, WARP will send a new DNS request (Figure 1) to refresh the initial resolved IP.
 
-## Connect to a private hostname
+## Supported on-ramps/off-ramps
+
+The table below summarizes the Cloudflare One products that are compatible with private hostname routing. Refer to the table legend for guidance on interpreting the table.
+
+✅ Product works with no caveats <br/>
+🚧 Product can be used with some caveats <br/>
+❌ Product cannot be used <br/>
+
+### Device connectivity
+
+End users can connect to private hostnames using the following traffic on-ramps:
+
+<Render file="gateway/egress-selector-onramps" product="cloudflare-one" />
+
+### Private network connectivity
+
+Private hostname routing only works for applications connected with `cloudflared`. Other traffic off-ramps require IP-based routes.
+
+| Connector                                                                             | Compatibility |
+| ------------------------------------------------------------------------------------------ | ------------- |
+| [cloudflared](/cloudflare-one/connections/connect-networks/private-net/cloudflared/)                       | ✅           |
+| [WARP-to-WARP](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/)             | ❌            |
+| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | ❌            |
+| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)                                     | ❌            |
+
+## Connect a private hostname
+
+This section covers how to enable remote access to a private hostname application using `cloudflared`.
+
+### Prerequisites
+
+To connect to private hostnames, your devices must forward the following traffic to Cloudflare:
+
+<Checkbox label="Initial resolved IPs" />
+	<Render file="gateway/egress-selector-cgnat-ips" product="cloudflare-one"/>
+<Checkbox label="Private network CIDR where the application is located" />
+<Checkbox label="Internal DNS resolver IP" />
+<Checkbox label="DNS queries for your private hostname" />
+
+Configuration steps vary depending on your [device on-ramp](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname/#device-connectivity):
+
+<Details header = "WARP clients">
+1. In [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/), ensure that the IPs listed above route through the WARP tunnel. For example, if you are using the default Split Tunnels Exclude configuration and your application and DNS resolver have private IPs in the range `10.0.0.0/8`, delete `100.64.0.0/10` and `10.0.0.0/8` from the Split Tunnels list. We recommend adding back the IPs that are not explicitly used by your network — refer to our [Split Tunnels calculator](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) for details.
+2. In [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/), delete the top-level domain for your private hostname.
+3. In [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/#create-a-resolver-policy), delete any existing entries that match your private hostname.
+</Details>
+
+<Details header="WARP Connector">
+
+1. In your [WARP Connector device profile](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/#3-route-traffic-between-warp-connector-and-cloudflare), ensure that the IPs listed above route through the WARP tunnel.
+2. Depending on where you installed WARP Connector, you may also need to route those destination IPs through WARP Connector and point your DNS resolver to Cloudflare Gateway. Refer to [Route traffic from subnet to WARP Connector](/astro.config.tscloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/#4-route-traffic-from-subnet-to-warp-connector).
+
+</Details>
+
+<Details header="Magic WAN">
+
+1. Ensure that the IPs listed above route through Magic WAN to Cloudflare.
+2. [Point the DNS resolver](/magic-wan/zero-trust/cloudflare-gateway/) for your Magic WAN network to Cloudflare Gateway.
+
+</Details>
 
-This section covers how to enable remote access to a private hostname application using `cloudflared` and WARP.
 
 ### 1. Connect the application to Cloudflare
 
-<Render file="tunnel/create-tunnel"/>
+<Render file="tunnel/create-tunnel" product="cloudflare-one"/>
 
 9. In the **Hostname routes** tab, enter the fully qualified domain name (FDQN) that represents your application (for example, `wiki.internal.local`).
 
@@ -94,42 +152,17 @@ Gateway will automatically resolve DNS queries using your internal DNS server as
 
 3. From the dropdown menu, select the `- Private` routing option and the [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) where the DNS server is located.
 
-### 4. Set up the client
-
-<Render file="gateway/egress-selector-warp-version" />
+### 4. (Recommended) Filter network traffic with Gateway
 
-<Render file="tunnel/warp-to-tunnel-client" />
-
-### 5. Route traffic through WARP
-
-This section details routing requirements for WARP client deployments. For information about WARP Connector and other connectivity methods, refer to [Supported on-ramps](#device-connectivity).
-
-#### Split Tunnels
-
-In your WARP [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) so that the following IPs route through the WARP tunnel:
-
-- <GlossaryTooltip term="initial resolved IP">Initial resolved IP</GlossaryTooltip> CGNAT range:
-	<Render file="gateway/egress-selector-cgnat-ips" />
-- Private network CIDR where the application is located
-- Internal DNS resolver IP
-
-For example, if you are using the default Split Tunnels Exclude configuration and your application and DNS resolver have private IPs in the range `10.0.0.0/8`, delete `100.64.0.0/10` and `10.0.0.0/8` from the Split Tunnels list. We recommend adding back the IPs that are not explicitly used by your network — refer to our [Split Tunnels calculator](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) for details.
-
-#### Local Domain Fallback
-
-By default, the WARP client uses the local DNS resolver on the device to resolve common local domains (such as `.internal` and `local`). These top-level domains are on your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) list and bypass the Gateway resolver. To resolve a private hostname with Gateway, [delete its domain](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/#delete-a-domain) from Local Domain Fallback.
-
-### 6. (Recommended) Filter network traffic with Gateway
-
-<Render file="tunnel/filter-network-traffic" />
+<Render file="tunnel/filter-network-traffic" product="cloudflare-one"/>
 
 #### Enable the Gateway proxy
 
-<Render file="tunnel/enable-gateway-proxy" />
+<Render file="tunnel/enable-gateway-proxy" product="cloudflare-one"/>
 
 #### Zero Trust policies
 
-<Render file="tunnel/catch-all-policy" />
+<Render file="tunnel/catch-all-policy" product="cloudflare-one"/>
 
 ##### HTTPS applications
 
@@ -178,9 +211,9 @@ Access policies and Gateway network policies only support hostname-based filteri
 			<Render file="gateway/policies/restrict-access-to-private-networks-dns" product="cloudflare-one" />
 		</Details>
 
-### 7. Test the connection
+### 5. Test the connection
 
-WARP users can now reach the application by going to its private hostname. For example, to connect to a private web application, open a browser and go to `wiki.internal.local`.
+End users can now reach the application by going to its private hostname. For example, to connect to a private web application, open a browser and go to `wiki.internal.local`.
 
 #### Troubleshooting
 
@@ -233,42 +266,3 @@ You can run the following tests to check if private hostname routing is properly
 
 		If the request fails, confirm that the initial resolved IP [routes through the WARP tunnel](#split-tunnels). You can also check your [tunnel logs](/cloudflare-one/connections/connect-networks/monitor-tunnels/logs/) to confirm that requests are routing to the application's private IP.
 
-## Supported on-ramps/off-ramps
-
-The table below summarizes the Cloudflare One products that are compatible with private hostname routing. Refer to the table legend for guidance on interpreting the table.
-
-✅ Product works with no caveats <br/>
-🚧 Product can be used with some caveats <br/>
-❌ Product cannot be used <br/>
-
-### Device connectivity
-
-End users can connect to private hostnames using the following traffic on-ramps:
-
-<Render file="gateway/egress-selector-onramps" />
-
-#### WARP Connector and Magic WAN routes
-
-If devices are behind WARP Connector or Magic WAN, you may need to update the routing table on your device or router to send traffic to Gateway. Ensure that traffic to the following destination IPs route through WARP Connector / Magic WAN:
-
-	- <GlossaryTooltip term="initial resolved IP">Initial resolved IP</GlossaryTooltip> CGNAT range:
-		<Render file="gateway/egress-selector-cgnat-ips" />
-	- Private network CIDR where the application is located (for example, `10.0.0.0/8`)
-	- Internal DNS resolver IP
-	- Gateway DNS resolver IPs:
-		- `172.64.36.1`
-		- `172.64.36.2`
-		:::note
-		Magic WAN customers will also need to configure their DNS resolver to point to these Gateway resolver IPs.
-		:::
-
-### Private network connectivity
-
-Private hostname routing only works for applications connected with `cloudflared`. Other traffic off-ramps require IP-based routes.
-
-| Connector                                                                             | Compatibility |
-| ------------------------------------------------------------------------------------------ | ------------- |
-| [cloudflared](/cloudflare-one/connections/connect-networks/private-net/cloudflared/)                       | ✅           |
-| [WARP-to-WARP](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/)             | ❌            |
-| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | ❌            |
-| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)                                     | ❌            |
