[ZT] New WARP Connector flow

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx

@@ -0,0 +1,49 @@
+---
+pcx_content_type: concept
+title: WARP Connector
+sidebar:
+  label: Overview
+  order: 5
+  badge:
+    text: Beta
+tableOfContents: false
+---
+
+import { Render, Details} from "~/components";
+
+<Details header="Feature availability">
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| Gateway with WARP                                                                         | All plans                                                     |
+
+| System   | Availability |
+| -------- | ------------ |
+| Windows  | ❌           |
+| macOS    | ❌           |
+| Linux    | ✅           |
+| iOS      | ❌           |
+| Android  | ❌           |
+| ChromeOS | ❌           |
+
+</Details>
+
+Cloudflare WARP Connector is a piece of software [^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 connection between a private network and Cloudflare, allowing you to:
+
+- Connect two or more private networks to each other.
+- Connect IoT devices that cannot run external software, such as printers and IP phones.
+- Filter and log server-initiated traffic, such as VoIP and SIP traffic.
+- Apply Zero Trust security policies based on the source IP of the request.
+
+![Two subnets connected with WARP Connector](~/assets/images/cloudflare-one/connections/connect-apps/warp-connector/overview.png)
+
+As shown in the diagram, WARP Connector acts as a router for a subnet within the private network to on-ramp and off-ramp traffic through Cloudflare. All devices on the subnet can access any services connected to Cloudflare, and all devices connected to Cloudflare can access any services on the subnet. Each subnet runs a WARP Connector on a designated Linux machine (typically the default gateway router), but other devices on the network do not need to install software.
+
+To set up WARP Connector, refer to the guide for your use case:
+
+- **[Site-to-Internet](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet/)**: Send requests from your private network to the Internet.
+- **[Site-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/)**: Send requests between two or more private networks.
+- **[User-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site/)**: Allow WARP client devices to send requests to your private network.
+- **Internet-to-site**: Not supported by WARP Connector. To provide clientless access to applications on your private network, set up a [Cloudflare Tunnel with `cloudflared`](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) and configure a [public hostname route](/cloudflare-one/connections/connect-networks/routing-to-tunnel/).
+
+[^1]: WARP Connector is an extension of the [WARP client](/cloudflare-one/connections/connect-devices/warp/).

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx

@@ -0,0 +1,22 @@
+---
+pcx_content_type: how-to
+title: Connect private network to Internet
+sidebar:
+  label: Site-to-Internet
+  order: 3
+---
+
+import { Render, Details, GlossaryTooltip, TabItem, Tabs } from "~/components";
+
+Forward requests from the private network to the Internet.
+
+```mermaid
+    flowchart LR
+      subgraph subnet1[Subnet 10.0.0.0/24]
+      router1["WARP Connector
+        10.0.0.1"]
+      end
+      router1-->C((Cloudflare))-->I{Internet}
+```
+
+The `10.0.0.0/24` WARP Connector is now routing traffic from the host machine to Cloudflare.

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx

@@ -0,0 +1,221 @@
+---
+pcx_content_type: how-to
+title: Connect two or more private networks
+sidebar:
+  label: Site-to-site
+  order: 3
+---
+
+import { Render, Details, GlossaryTooltip, TabItem, Tabs } from "~/components";
+
+This guide will cover how to connect two independent subnets with WARP Connector. Each subnet must run its own WARP Connector on a Linux host. Installing on your router is the simplest setup, but if you do not have access to the router, you may choose any other machine on the subnet.
+
+```mermaid
+    flowchart LR
+      subgraph subnet1[Subnet 10.0.0.0/24]
+      router1["WARP Connector #1
+        10.0.0.1"]
+      end
+      subgraph subnet2[Subnet 192.168.1.0/24]
+        router2["WARP Connector #2
+        192.168.1.97"]
+      end
+      router1<-->C((Cloudflare))<-->router2
+```
+
+In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and install it on `10.0.0.1`. We will then create a second WARP Connector for subnet `192.168.1.0/24` and install it on `192.168.1.97`.
+
+## Prerequisites
+
+- A Linux host [^1] on each subnet
+- Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
+
+## 1. Install a WARP Connector
+
+<Render file="tunnel/install-warp-connector" />
+
+## 2. (Recommended) Create a device profile
+
+A dedicated [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) allows you to manage the WARP Connector host machine separately from WARP client user devices.
+
+WARP Connector hosts are registered to your Zero Trust organization with the email address `warp_connector@<your-team-name>.cloudflareaccess.com`. To set up a device profile for WARP Connector, [create a new profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/#create-a-new-profile) that matches on the following expression:
+
+| Selector | Operator | Value |
+| -------- | -------- | ----- |
+| User email | is | `warp_connector@<your-team-name>.cloudflareaccess.com` |
+
+## 3. Route traffic from WARP Connector to subnet
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Networks** > **Routes**.
+2. Select **Create route**.
+3. In **CIDR**, enter the private IPv4 address range that you wish to route through this WARP Connector (for example, `10.0.0.0/24`). WARP Connector does not currently support IPv6 routes.
+    :::note
+    If you do not already have a private network range, you can choose a subnet from one of these [pre-defined CIDRs](https://datatracker.ietf.org/doc/html/rfc1918#section-3).
+    :::
+4. For **Tunnel**, select the name of your WARP Connector (_Subnet-10.0.0.0/24_).
+5. Select **Create**.
+6. In your WARP Connector device profile, [configure Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) so that traffic to your private network CIDR (`10.0.0.0/24`) routes through the WARP tunnel. For example, if you are using **Exclude** mode, delete `10.0.0.0/8` from Split Tunnels and re-add the following IPs: `10.0.1.0/24`, `10.0.2.0/23`, `10.0.4.0/22`, `10.0.8.0/21`, `10.0.16.0/20`, `10.0.32.0/19`, `10.0.64.0/18`, `10.0.128.0/17`, `10.1.0.0/16`, `10.2.0.0/15`, `10.4.0.0/14`, `10.8.0.0/13`, `10.16.0.0/12`, `10.32.0.0/11`, `10.64.0.0/10`, `10.128.0.0/9`
+
+The WARP Connector will now forward inbound requests to devices on the subnet.
+
+```mermaid
+    flowchart LR
+      subgraph subnet1[Subnet 10.0.0.0/24]
+      router1["WARP Connector #1
+        10.0.0.1"]
+			device["Device
+        10.0.0.2"]
+      end
+
+      C((Cloudflare))--Requests to 10.0.0.2--> router1 --> device
+
+```
+
+## 4. Route traffic from subnet to WARP Connector
+
+Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
+
+```mermaid
+    flowchart LR
+      subgraph subnet1[Subnet 10.0.0.0/24]
+      router1["WARP Connector #1
+        10.0.0.1"]
+			device["Device
+        10.0.0.2"]
+      end
+
+      device --Requests to
+			192.168.1.0/24 --> router1 --> C((Cloudflare))
+
+```
+
+### Option 1: Default gateway
+
+If you installed WARP Connector on your router, no additional configuration is necessary. All traffic will use the router as the default gateway.
+
+![Default gateway routing configuration](~/assets/images/cloudflare-one/connections/connect-apps/warp-connector/default-gateway.png)
+
+### Option 2: Alternate gateway
+
+If you have access to the router but installed WARP Connector on another machine, you can configure the router to forward traffic to the WARP Connector. This typically involves adding a static route for the destination IPs that you want to connect to through Cloudflare. Refer to your router's documentation for specific instructions on how to add an IP route.
+
+![Alternate gateway routing configuration](~/assets/images/cloudflare-one/connections/connect-apps/warp-connector/alternate-gateway.png)
+
+#### Route from subnet to subnet
+
+For example, if you are on subnet `10.0.0.0/24` and want to reach applications behind subnet `192.168.1.0/24`, add a rule that routes `192.168.1.0/24` to the WARP Connector host machine (`10.0.0.100` in the diagram above). When a device sends a request to `192.168.1.0/24`, the router will first redirect the traffic to the WARP Connector host. WARP Connector encrypts the traffic, changes its destination IP to the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip), and sends it back to the router. The router will now forward this encrypted traffic to Cloudflare.
+
+:::note
+
+Ensure that your routing rules do not forward the [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) back to the WARP Connector.
+:::
+
+### Option 3: Intermediate gateway
+
+If you do not have access to the router, you will need to configure each device on the subnet to egress through the WARP Connector machine instead of the default gateway.
+
+![Intermediate gateway routing configuration](~/assets/images/cloudflare-one/connections/connect-apps/warp-connector/intermediate-gateway.png)
+
+#### Route all traffic
+
+You can configure all traffic on a device to egress through WARP Connector with its local source IP. All traffic will be filtered by your Gateway network policies.
+
+<Tabs> <TabItem label="Linux">
+
+```sh
+sudo ip route add default via <WARP-CONNECTOR-IP> dev eth0 metric 101
+```
+
+Ensure that the `metric` value is lower than other default gateways. To verify that WARP Connector is now the preferred default gateway, run `ip route get <DESTINATION-IP>`.
+
+</TabItem> <TabItem label="macOS">
+
+```sh
+sudo route -n change default <WARP-CONNECTOR-IP> -interface en0
+```
+
+</TabItem>
+
+<TabItem label="Windows">
+
+```bash
+route /p add 0.0.0.0 mask 0.0.0.0 <WARP-CONNECTOR-IP> metric 101
+```
+
+</TabItem> </Tabs>
+
+#### Route specific IPs
+
+You can configure only certain routes to egress through WARP Connector. For example, you may only want to filter traffic destined to internal applications and devices, but allow public Internet traffic to bypass Cloudflare.
+
+<Tabs> <TabItem label="Linux">
+
+```sh
+sudo ip route add <DESTINATION-IP> via <WARP-CONNECTOR-IP> dev eth0
+```
+
+</TabItem> <TabItem label="macOS">
+
+```sh
+sudo route -n add -net <DESTINATION-IP> <WARP-CONNECTOR-IP>
+```
+
+</TabItem>
+
+<TabItem label="Windows">
+
+```bash
+route /p add <DESTINATION-IP> mask 255.255.255.255 <WARP-CONNECTOR-IP>
+```
+
+</TabItem> </Tabs>
+
+
+#### Verify routes
+
+To validate subnet routing, [check your routing table](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#routing-table) and ensure that traffic is routing through the `CloudflareWARP` [virtual interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#virtual-interface).
+
+
+## 5. Install another WARP Connector
+
+Repeat steps 1, 3, and 4 above to install an additional WARP Connector on subnet `192.168.1.0/24`. The device profile created in Step 2 will apply to all WARP Connectors.
+
+```mermaid
+    flowchart LR
+      subgraph subnet1[Subnet 10.0.0.0/24]
+      router1["WARP Connector #1
+        10.0.0.1"]
+      end
+      subgraph subnet2[Subnet 192.168.1.0/24]
+        router2["WARP Connector #2
+        192.168.1.97"]
+      end
+      router1<-->C((Cloudflare))<-->router2
+```
+
+## 6. Test the WARP Connector
+
+You can now test the connection between the two subnets. For example, on the `10.0.0.2` device run `ping 192.168.1.100`.
+
+```mermaid
+    flowchart LR
+      subgraph subnet1[Subnet 10.0.0.0/24]
+        device1["Device
+        10.0.0.2"]--"ping
+        192.168.1.100"-->router1["WARP Connector #1
+        10.0.0.1"]
+      end
+      subgraph subnet2[Subnet 192.168.1.0/24]
+        router2["WARP Connector #2
+        192.168.1.97"]-->device2["Device
+        192.168.1.100"]
+      end
+      router1-->C((Cloudflare))-->router2
+```
+
+:::note
+
+If you are testing with curl using private hostnames, add the `--ipv4` flag to your curl commands.
+:::
+
+[^1]: Check the [system requirements](/cloudflare-one/connections/connect-devices/warp/download-warp/#linux). Package dependencies are the following: `curl`, `gpg`, `iptables`, `iptables-persistent`, `lsb-core`, and `sudo`.

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx

@@ -0,0 +1,24 @@
+---
+pcx_content_type: how-to
+title: Connect WARP clients to private network
+sidebar:
+  label: User-to-site
+  order: 3
+---
+
+import { Render, Details, GlossaryTooltip, TabItem, Tabs } from "~/components";
+
+```mermaid
+    flowchart LR
+      subgraph subnet1[Subnet 10.0.0.0/24]
+      router1["WARP Connector
+        10.0.0.1"]
+      end
+      router1<-->C((Cloudflare))<-->W[WARP client]
+```
+
+#### Route from subnet to WARP clients
+
+`100.96.0.0/12` is the default CIDR for all user devices running the [WARP client](/cloudflare-one/connections/connect-devices/warp/). To connect from the subnet to user devices:
+- On your router, add a rule that routes the destination IP `100.96.0.0/12` to the WARP Connector host machine (`10.0.0.100` in the diagram above).
+- Ensure that CGNAT IP traffic routes through WARP on both the WARP Connector host and WARP client devices. In other words, delete `100.96.0.0/12` from the [Split Tunnel Exclude list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in both device profiles.

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/vpc-deployments.mdx

@@ -0,0 +1,23 @@
+---
+pcx_content_type: reference
+title: Tips for VPC deployments
+sidebar:
+  label: VPC deployments
+  order: 3
+---
+
+When setting up WARP Connector on a virtual private cloud (VPC), you may need to configure additional settings in the cloud service provider.
+
+## GCP
+
+For Google Cloud Project (GCP) deployments, [enable IP forwarding](https://cloud.google.com/vpc/docs/using-routes#canipforward) on the VM instance where you installed WARP Connector.
+
+## AWS
+
+For Amazon Web Services (AWS) deployments:
+- Stop [source/destination checking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) on the EC2 instance where you installed WARP Connector.
+- In your [subnet route table](https://docs.aws.amazon.com/vpc/latest/userguide/subnet-route-tables.html), route all IPv4 traffic to the EC2 instance where you installed WARP Connector. For example,
+
+		| Destination | Target |
+		| ----------- | ------ |
+		| `0.0.0.0/0` | `eni-11223344556677889` |

src/content/glossary/cloudflare-one.yaml

@@ -23,7 +23,7 @@ entries:
 
   - term: CGNAT IP
     general_definition: |-
-      a unique, virtual IP address assigned to each WARP device from the `100.96.0.0/12` range. You can view the CGNAT IP for a device on its **My Team** > **Devices** page.
+      a unique, virtual IP address assigned to each WARP device from the `100.96.0.0/12` range. You can view the CGNAT IP for a device in **My Team** > **Devices** > **Virtual IPv4/IPv6**.
 
   - term: cloudflared
     general_definition: |-
@@ -239,6 +239,10 @@ entries:
     general_definition: |-
       a software abstraction that allows you to logically segregate resources on a private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes.
 
+  - term: Virtual Private Cloud (VPC)
+    general_definition: |-
+      a secure, isolated private network hosted on public cloud infrastructure. Examples of public cloud providers include Google Cloud, AWS, and Microsoft Azure.
+
   - term: Virtual Private Network (VPN)
     general_definition: |-
       a tool that allows users to send and receive data across shared or public networks as if their devices were directly connected to the private network. For example, employees working from home can use a VPN to access files on the corporate network.