From aba4cd032f2455584021f05b1080d757fd3c6904 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Oct 2024 14:44:27 -0500 Subject: [PATCH 1/8] Reorder sections --- .../secure-internet-traffic/connect-devices/index.mdx | 9 +++------ .../secure-internet-traffic/initial-setup/index.mdx | 5 ++--- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx index ebb6ed296d51125..be804357af6d138 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx @@ -2,20 +2,17 @@ title: Connect user devices pcx_content_type: overview sidebar: - order: 4 - + order: 2 --- -import { Render } from "~/components" +import { Render } from "~/components"; After setting up your Cloudflare account and Zero Trust organization, you can begin connecting user devices to Cloudflare. :::note - The following steps are identical to [Connect user devices](/learning-paths/replace-vpn/connect-devices/) in the Replace your VPN implementation guide. If you have already completed Replace your VPN, you can skip ahead to [Connect networks to Cloudflare](/learning-paths/secure-internet-traffic/connect-networks/). - ::: ## Objectives @@ -24,4 +21,4 @@ By the end of this module, you will be able to: -* Determine when and how to use PAC files. +- Determine when and how to use PAC files. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/initial-setup/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/initial-setup/index.mdx index 839b0c1f974f64e..ecf44bc6d5b9011 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/initial-setup/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/initial-setup/index.mdx 
@@ -2,11 +2,10 @@ title: Get started with Zero Trust pcx_content_type: overview sidebar: - order: 2 - + order: 1 --- -import { Render } from "~/components" +import { Render } from "~/components"; Start securing your users and networks with Cloudflare Zero Trust. From d5c3c9c26a0b136603b665da0468ca8d370ba36f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Oct 2024 14:51:48 -0500 Subject: [PATCH 2/8] Add combined on-ramp page --- .../connect-devices/choose-on-ramp.mdx | 69 +++++++++++++++++++ .../connect-devices/index.mdx | 4 +- .../connect-devices/install-agent.mdx | 12 ++-- .../connect-devices/mdm.mdx | 5 +- .../validate-traffic-in-gateway.mdx | 5 +- 5 files changed, 83 insertions(+), 12 deletions(-) create mode 100644 src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx new file mode 100644 index 000000000000000..fb5483f33e78d0d --- /dev/null +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx 
@@ -0,0 +1,69 @@ +--- +title: Choose an on-ramp +pcx_content_type: learning-unit +sidebar: + order: 1 +--- + +import { GlossaryDefinition, GlossaryTooltip, Badge } from "~/components"; + +Similar to the network onboarding practices in the [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. This guide will quickly explore all of the options to 'on-ramp' traffic to Cloudflare Gateway to inspect, apply policy, and filter. + +## Device on-ramps + +The most common way to protect and filter your end-user traffic is by using a device client. The standard Cloudflare device client supports a number of operating systems and deployment methodologies, but there can still be scenarios in which an alternative path makes sense. + +### Zero Trust Client + +Cloudflare WARP is the most common onramp to send user traffic to Gateway. It is a lightweight device client, which builds proxy tunnels using either Wireguard or MASQUE, and builds a DNS proxy using DNS-over-HTTPS. It supports all major operating systems, supports all common forms of endpoint management tooling, and has a robust series of management parameters and profiles to accurately scope the needs of a diverse user base. It has flexible operating modes and can control device traffic as a proxy, control device DNS traffic as a DNS proxy, or both. It is the most common method to send traffic from user devices to be filtered and decrypted by Cloudflare Gateway. + +### PAC files (Enterprise only) + +Cloudflare supports filtering HTTP/S traffic sent via a PAC file on a user device. PAC files configured to send traffic to Cloudflare target a domain specific to your account tenant, and receive and process all URL traffic for that device that fits the proxy profile. 
PAC files are most commonly used in scenarios in which the device client is not appropriate or cannot be installed -- specifically Windows pre-2008 and Windows Server 2012, and devices which cannot install client software at all. + +### Clientless Browser Isolation + +Cloudflare Browser Isolation runs a headless, Chromium-based browser for your users to accomplish their secure browsing needs. It can be activated via an Access application, a Gateway policy, or by using link-based isolation (reverse proxy). In this model, your users can connect from any device to a proxy website to browse the Internet while applying your all your Gateway HTTP policies and inspection requirements. + +| | WARP | PAC Files | Clientless Browser Isolation | +| --------------------------------- | ------------------------------------ | -------------- | ------------------------------------- | +| Supported OS | MacOS, Windows, Linux, iOS, Android | All desktop OS | All OS (with HTML5 compliant browser) | +| Configurable via MDM | Yes | Yes | N/A | +| Gateway policy types supported | DNS, Network, HTTP, Resolver, Egress | HTTP | HTTP, Resolver, Egress | +| Identity-based policies supported | Yes | No | Yes | + +## Network on-ramps + +The primary ways to source multi-device or network traffic to Cloudflare Gateway are via Magic WAN using GRE or IPSec tunnels, the [WARP Connector](#warp-connector-) as a software-defined all-ports traffic proxy, or via upstream DNS for a whole network using [DNS filtering locations](#dns-filtering-locations). + +### Magic WAN + +:::note +Only available on Enterprise plans. +::: + +[Magic WAN](/magic-wan/) is Cloudflare's offering most analogous to a traditional SD-WAN. Magic WAN is typically deployed via an IPsec or GRE tunnel terminating on customer devices (such as firewalls or routers), or via our Magic WAN Connector hardware device. 
You can also be deploy Magic WAN using [Cloudflare Network Interconnect](/network-interconnect/) (CNI) at private peering locations or some public cloud instances (where compatible). + +Magic WAN on-ramps traffic via your connections and can send all network and HTTP traffic through Cloudflare Gateway for inspection. + +For more information on how Magic WAN integrates with Zero Trust, refer to [Zero Trust integration](/magic-wan/zero-trust/). + +### WARP Connector + +[WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), a software agent similar to our device client, functions as a virtual device to establish a connection between your network and the Cloudflare global network. You can install WARP Connector on a dedicated Linux server or virtual machine. + +WARP Connector supports egressing traffic from your private network to the Internet as a gateway. This means it can allow traffic initiated from a network to be on-ramped to Cloudflare for either public or private destinations. You can use WARP Connector to establish a secure egress path for servers or users on a network which may not each be able to run the WARP client and still apply Gateway network and HTTP inspection policies. This connection is most analogous to proxy server connectivity or site-to-site VPN. + +For more information on setting up Cloudflare Tunnel via WARP Connector, refer to [Set up WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/). + +### DNS filtering locations + + + +The fastest way to start filtering DNS queries from a location is by changing the DNS resolvers at the router or updating the upstream resolution to Cloudflare DNS resolution endpoints. This can also be accomplished from individual devices, or an network or subnet which sets resolver IPs for clients via DHCP. 
+ +For more information on setting up DNS locations, refer to [Add locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/). + +| | Magic WAN | WARP Connector | DNS Locations | +| ------------------------------ | --------------------- | --------------------- | ------------- | +| Gateway policy types supported | Network, HTTP, Egress | Network, HTTP, Egress | DNS, Resolver | diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx index be804357af6d138..9f94795dc99ea57 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx @@ -1,5 +1,5 @@ --- -title: Connect user devices +title: Connect devices and networks to Cloudflare pcx_content_type: overview sidebar: order: 2 @@ -7,7 +7,7 @@ sidebar: import { Render } from "~/components"; -After setting up your Cloudflare account and Zero Trust organization, you can begin connecting user devices to Cloudflare. +After setting up your Cloudflare account and Zero Trust organization, you can begin connecting your users' devices and networks to Cloudflare. :::note diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx index 86485203f58495d..c95da6d78c43926 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx @@ -2,10 +2,14 @@ title: Download and install WARP pcx_content_type: learning-unit sidebar: - order: 1 - + order: 2 --- -import { Render } from "~/components" +import { Render } from "~/components"; - + 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx index f70336e68ba0a89..7e8c724a572ac0a 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx @@ -2,10 +2,9 @@ title: MDM deployment pcx_content_type: learning-unit sidebar: - order: 2 - + order: 3 --- -import { Render } from "~/components" +import { Render } from "~/components"; diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx index 90cb1bc86d6c980..36ed083e6416d48 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx @@ -2,11 +2,10 @@ title: Verify device connectivity pcx_content_type: learning-unit sidebar: - order: 3 - + order: 4 --- -import { Render } from "~/components" +import { Render } from "~/components"; From 128482e7a34abc7d4a3d2c4f2315ccfd5d5ab81e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Oct 2024 15:19:37 -0500 Subject: [PATCH 3/8] Remove connect network --- public/_redirects | 5 +++ .../connect-devices/choose-on-ramp.mdx | 2 +- .../connect-networks/choose-on-ramp.mdx | 42 ------------------- .../connect-networks/index.mdx | 16 ------- 4 files changed, 6 insertions(+), 59 deletions(-) delete mode 100644 src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx delete mode 100644 src/content/docs/learning-paths/secure-internet-traffic/connect-networks/index.mdx diff --git a/public/_redirects b/public/_redirects index 81e69ff47b819f8..be0a79d76c28632 100644 
--- a/public/_redirects +++ b/public/_redirects @@ -648,6 +648,8 @@ /learning-paths/workers/test/intro-to-observability/ /learning-paths/workers/get-started/ 301 /learning-paths/cybersafe/area1-onboarding/area1-api/ /learning-paths/cybersafe/area1-onboarding/ 301 /learning-paths/cybersafe/area1-onboarding/area1-connection-methods/ /learning-paths/cybersafe/area1-onboarding/area1-inline/ 301 +/learning-paths/secure-internet-traffic/connect-networks/ /learning-paths/secure-internet-traffic/connect-devices-networks/ +/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp/ /learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp/ ## dns-filtering / secure-internet-traffic /learning-paths/dns-filtering/ /learning-paths/secure-internet-traffic/ 301 @@ -1803,6 +1805,9 @@ ## DNS filtering --> Secure your Internet traffic and SaaS apps /learning-paths/dns-filtering/account/* /learning-paths/secure-internet-traffic/initial-setup/:splat 301 /learning-paths/dns-filtering/create-policy/* /learning-paths/secure-internet-traffic/build-dns-policies/:splat 301 +## Secure your Internet Traffic +/learning-paths/secure-internet-traffic/connect-devices/* /learning-paths/secure-internet-traffic/connect-devices-networks/:splat 301 + # Old WAF changelog entries /waf/change-log/2019-* /waf/change-log/historical-2019/ 301 diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx index fb5483f33e78d0d..87a73e84f5d0a43 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx 
@@ -7,7 +7,7 @@ sidebar: import { GlossaryDefinition, GlossaryTooltip, Badge } from "~/components"; -Similar to the network onboarding practices in the [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. This guide will quickly explore all of the options to 'on-ramp' traffic to Cloudflare Gateway to inspect, apply policy, and filter. +Similar to the network onboarding practices in the [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. This guide will quickly explore all of the options to on-ramp traffic to Cloudflare Gateway to inspect, apply policies, and filter. ## Device on-ramps diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx deleted file mode 100644 index a88d79f549d7452..000000000000000 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: Choose an on-ramp -pcx_content_type: learning-unit -sidebar: - order: 2 ---- - -import { GlossaryDefinition, GlossaryTooltip, Badge } from "~/components"; - -Similar to the network onboarding practices in the [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. In our recommended approach to security, you will source traffic from devices that would otherwise go to the Internet through a default route. Relevant targets for this may be branch offices, network subnets that need a secure path to the Internet, or anywhere that you control the Internet paths for groups of devices. - -## Available on-ramps - -The primary ways to source multi-device or network traffic to the Cloudflare network are via the [WARP Connector](#warp-connector-) as an all-ports traffic proxy, or via upstream DNS for a whole network using [DNS filtering locations](#dns-filtering-locations). Alternatively, Enterprise users can add [Magic WAN](#magic-wan) to their plan and configure Magic WAN Connector or a dedicated third-party device. - -### WARP Connector - -[WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), a software agent similar to our device client, functions as a virtual device to establish a connection between your network and the Cloudflare global network. You can install WARP Connector on a dedicated Linux server or virtual machine. - -WARP Connector supports both ingressing and egressing traffic to and from your private network. This means it can proxy traffic initiated from a user running WARP into a private network (like `cloudflared`), or allow traffic initiated from a network to be on-ramped to Cloudflare for either public or private destinations. 
You can use WARP Connector to establish a secure egress path for servers or users on a network which may not each be able to run the WARP client and still apply Gateway network and HTTP inspection policies. This connection is most analogous to site-to-site VPN or proxy server connectivity. - -For more information on setting up Cloudflare Tunnel via WARP Connector, refer to [Set up WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/). - -### DNS filtering locations - - - -The fastest way to start filtering DNS queries from a location is by changing the DNS resolvers at the router. Alternatively, you can on-ramp devices or specific applications via [DNS over HTTPS](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/) or [DNS over TLS](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-tls/). - -For more information on setting up DNS locations, refer to [Add locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/). - -### Magic WAN - -:::note -Only available on Enterprise plans. -::: - -[Magic WAN](/magic-wan/) is Cloudflare's offering most analogous to a traditional SD-WAN. Magic WAN is typically deployed via an IPsec or GRE tunnel terminating on customer devices (such as firewalls or routers), or via our Magic WAN Connector hardware device. You can also be deploy Magic WAN using [Cloudflare Network Interconnect](/network-interconnect/) (CNI) at private peering locations or some public cloud instances (where compatible). - -Magic WAN on-ramps and off-ramps traffic via your connections after transiting the Cloudflare global network. Gateway can also apply network and HTTP policies to this traffic for secure egress. - -For more information on how Magic WAN integrates with Zero Trust, refer to [Zero Trust integration](/magic-wan/zero-trust/). 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/index.mdx deleted file mode 100644 index 63132d13b903596..000000000000000 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Connect networks to Cloudflare -pcx_content_type: overview -sidebar: - order: 5 - ---- - -After connecting your devices to Cloudflare, you can route their traffic through your DNS, network, and HTTP policies. However, not every device can run a Zero Trust client. This module offers detail on connecting your networks to the Cloudflare global network to apply your policies. - -## Objectives - -By the end of this module, you will be able to: - -* Understand the various methods for routing network traffic to Cloudflare. -* Decide which network on-ramp to use for your organization. From eb5659993fcefe4a0c120fc46b5af44956ffb592 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Mon, 28 Oct 2024 15:20:11 -0500 Subject: [PATCH 4/8] Rename Connect devices --- .../choose-on-ramp.mdx | 0 .../{connect-devices => connect-devices-networks}/index.mdx | 0 .../install-agent.mdx | 0 .../{connect-devices => connect-devices-networks}/mdm.mdx | 0 .../validate-traffic-in-gateway.mdx | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename src/content/docs/learning-paths/secure-internet-traffic/{connect-devices => connect-devices-networks}/choose-on-ramp.mdx (100%) rename src/content/docs/learning-paths/secure-internet-traffic/{connect-devices => connect-devices-networks}/index.mdx (100%) rename src/content/docs/learning-paths/secure-internet-traffic/{connect-devices => connect-devices-networks}/install-agent.mdx (100%) rename src/content/docs/learning-paths/secure-internet-traffic/{connect-devices => connect-devices-networks}/mdm.mdx (100%) rename src/content/docs/learning-paths/secure-internet-traffic/{connect-devices => connect-devices-networks}/validate-traffic-in-gateway.mdx (100%) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx similarity index 100% rename from src/content/docs/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp.mdx rename to src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx similarity index 100% rename from src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx rename to src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent.mdx similarity index 100% rename from src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx rename to src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent.mdx diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/mdm.mdx similarity index 100% rename from src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx rename to src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/mdm.mdx diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/validate-traffic-in-gateway.mdx similarity index 100% rename from src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx rename to src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/validate-traffic-in-gateway.mdx From fd760f697139c49abe769fec7e1ed1df51a8b8c8 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Oct 2024 16:23:47 -0400 Subject: [PATCH 5/8] Apply suggestions from code review Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- .../connect-devices-networks/choose-on-ramp.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx index 87a73e84f5d0a43..ffb69d85c6c497f 100644 
--- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx @@ -27,14 +27,14 @@ Cloudflare Browser Isolation runs a headless, Chromium-based browser for your us | | WARP | PAC Files | Clientless Browser Isolation | | --------------------------------- | ------------------------------------ | -------------- | ------------------------------------- | -| Supported OS | MacOS, Windows, Linux, iOS, Android | All desktop OS | All OS (with HTML5 compliant browser) | +| Supported OS | macOS, Windows, Linux, iOS, Android | All desktop OS | All OS (with HTML5 compliant browser) | | Configurable via MDM | Yes | Yes | N/A | | Gateway policy types supported | DNS, Network, HTTP, Resolver, Egress | HTTP | HTTP, Resolver, Egress | | Identity-based policies supported | Yes | No | Yes | ## Network on-ramps -The primary ways to source multi-device or network traffic to Cloudflare Gateway are via Magic WAN using GRE or IPSec tunnels, the [WARP Connector](#warp-connector-) as a software-defined all-ports traffic proxy, or via upstream DNS for a whole network using [DNS filtering locations](#dns-filtering-locations). +The primary ways to source multi-device or network traffic to Cloudflare Gateway are via Magic WAN using GRE or IPsec tunnels, the [WARP Connector](#warp-connector-) as a software-defined all-ports traffic proxy, or via upstream DNS for a whole network using [DNS filtering locations](#dns-filtering-locations). ### Magic WAN From 2df01e031a299a97ef92d4e1dd6b73d81623ecde Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Oct 2024 15:48:39 -0500 Subject: [PATCH 6/8] Move note --- .../connect-devices-networks/choose-on-ramp.mdx | 4 ++++ .../connect-devices-networks/index.mdx | 6 ------ 2 files changed, 4 insertions(+), 6 deletions(-) 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx index ffb69d85c6c497f..e03746a9a896597 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx @@ -9,6 +9,10 @@ import { GlossaryDefinition, GlossaryTooltip, Badge } from "~/components"; Similar to the network onboarding practices in the [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. This guide will quickly explore all of the options to on-ramp traffic to Cloudflare Gateway to inspect, apply policies, and filter. +:::note +The following steps are identical to [Connect user devices](/learning-paths/replace-vpn/connect-devices/) in the Replace your VPN implementation guide. If you have already completed Replace your VPN, you can skip ahead to [Network on-ramps](#network-on-ramps). +::: + ## Device on-ramps The most common way to protect and filter your end-user traffic is by using a device client. The standard Cloudflare device client supports a number of operating systems and deployment methodologies, but there can still be scenarios in which an alternative path makes sense. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx index 9f94795dc99ea57..f6061b3d4303671 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx 
@@ -9,12 +9,6 @@ import { Render } from "~/components"; After setting up your Cloudflare account and Zero Trust organization, you can begin connecting your users' devices and networks to Cloudflare. -:::note - -The following steps are identical to [Connect user devices](/learning-paths/replace-vpn/connect-devices/) in the Replace your VPN implementation guide. If you have already completed Replace your VPN, you can skip ahead to [Connect networks to Cloudflare](/learning-paths/secure-internet-traffic/connect-networks/). - -::: - ## Objectives By the end of this module, you will be able to: From 72afa40d9ccb9b795f58c0a527f9caadc54e82df Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Oct 2024 15:50:18 -0500 Subject: [PATCH 7/8] Fix broken links --- .../learning-paths/replace-vpn/connect-devices/index.mdx | 9 ++------- .../build-dns-policies/create-policy.mdx | 2 +- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/content/docs/learning-paths/replace-vpn/connect-devices/index.mdx b/src/content/docs/learning-paths/replace-vpn/connect-devices/index.mdx index cffacf9a8b7f6bd..61bac3bf3441f77 100644 --- a/src/content/docs/learning-paths/replace-vpn/connect-devices/index.mdx +++ b/src/content/docs/learning-paths/replace-vpn/connect-devices/index.mdx 
@@ -3,19 +3,14 @@ title: Connect user devices pcx_content_type: overview sidebar: order: 5 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Now that your device enrollment policies and WARP profiles are configured, you can begin deploying the WARP client to user devices for testing. :::note - - -The following steps are identical to [Connect user devices](/learning-paths/secure-internet-traffic/connect-devices/) in the Secure your Internet traffic and SaaS apps implementation guide. If you have already completed Secure your Internet traffic and SaaS apps, you can skip ahead to [Build secure access policies](/learning-paths/replace-vpn/build-policies/). - - +The following steps are identical to [Device on-ramps](/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp/#device-on-ramps) in the Secure your Internet traffic and SaaS apps implementation guide. If you have already completed Secure your Internet traffic and SaaS apps, you can skip ahead to [Build secure access policies](/learning-paths/replace-vpn/build-policies/). ::: ## Objectives diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index af26c540b484a90..93d8565fead5904 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
@@ -9,7 +9,7 @@ import { Render } from "~/components"; DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP. -You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices/install-agent/). +You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/). To create a new DNS policy: From 5339bd871f6b14f5eefae927be40d016263f5db2 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 29 Oct 2024 12:23:33 -0400 Subject: [PATCH 8/8] Apply suggestions from code review Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- public/_redirects | 4 ++-- .../connect-devices-networks/choose-on-ramp.mdx | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/public/_redirects b/public/_redirects index be0a79d76c28632..01d86e22161f4e7 100644 --- a/public/_redirects +++ b/public/_redirects 
@@ -648,8 +648,8 @@ /learning-paths/workers/test/intro-to-observability/ /learning-paths/workers/get-started/ 301 /learning-paths/cybersafe/area1-onboarding/area1-api/ /learning-paths/cybersafe/area1-onboarding/ 301 /learning-paths/cybersafe/area1-onboarding/area1-connection-methods/ /learning-paths/cybersafe/area1-onboarding/area1-inline/ 301 -/learning-paths/secure-internet-traffic/connect-networks/ /learning-paths/secure-internet-traffic/connect-devices-networks/ -/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp/ /learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp/ +/learning-paths/secure-internet-traffic/connect-networks/ /learning-paths/secure-internet-traffic/connect-devices-networks/ 301 +/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp/ /learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp/ 301 ## dns-filtering / secure-internet-traffic /learning-paths/dns-filtering/ /learning-paths/secure-internet-traffic/ 301 diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx index e03746a9a896597..aeac6f870782eb2 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx 
@@ -27,7 +27,7 @@ Cloudflare supports filtering HTTP/S traffic sent via a PAC file on a user devic ### Clientless Browser Isolation -Cloudflare Browser Isolation runs a headless, Chromium-based browser for your users to accomplish their secure browsing needs. It can be activated via an Access application, a Gateway policy, or by using link-based isolation (reverse proxy). In this model, your users can connect from any device to a proxy website to browse the Internet while applying your all your Gateway HTTP policies and inspection requirements. +Cloudflare Browser Isolation runs a headless, Chromium-based browser for your users to accomplish their secure browsing needs. It can be activated via an Access application, a Gateway policy, or by using link-based isolation (reverse proxy). In this model, your users can connect from any device to a proxy website to browse the Internet while applying all your Gateway HTTP policies and inspection requirements. | | WARP | PAC Files | Clientless Browser Isolation | | --------------------------------- | ------------------------------------ | -------------- | ------------------------------------- |
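Review bot: In PATCH 2/8, the new `choose-on-ramp.mdx` carries copy errors that no later patch in this series touches: "You can also be deploy Magic WAN" under Magic WAN, "an network or subnet" under DNS filtering locations, and "Wireguard" (the protocol name is WireGuard) under Zero Trust Client. Suggest "You can also deploy Magic WAN", "a network or subnet" and "WireGuard". In the PAC files paragraph, "Windows pre-2008 and Windows Server 2012" is ambiguous about which Windows versions are meant and should be reworded to name them. The `#warp-connector-` link in Network on-ramps has a trailing hyphen while the heading shown is "### WARP Connector"; confirm the anchor resolves.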
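Review bot: In PATCH 3/8, deleting `connect-networks/index.mdx` drops its two objectives ("Understand the various methods for routing network traffic to Cloudflare" and "Decide which network on-ramp to use for your organization"), and none of the hunks shown for the merged module's `index.mdx` adds them. Since PATCH 2/8 retitles that module "Connect devices and networks to Cloudflare", carry the network objectives into its Objectives list so the overview matches the new scope.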
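Review bot: In PATCH 6/8, the note lands in the page introduction of `choose-on-ramp.mdx`, above `## Device on-ramps`, although it concerns only the device section (it tells readers to skip ahead to Network on-ramps). Placed there, "The following steps" reads as covering the whole page, and the sections that follow describe options rather than steps. Suggest moving the note directly under the `## Device on-ramps` heading and rewording "The following steps" to refer to that section.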
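Review bot: In PATCH 7/8, the rewritten note in `replace-vpn/connect-devices/index.mdx` calls the module's steps identical to `choose-on-ramp/#device-on-ramps`, but that section (added in PATCH 2/8) compares WARP, PAC files and Clientless Browser Isolation, while this module's intro is about deploying the WARP client to user devices. Point the link at the module overview `/learning-paths/secure-internet-traffic/connect-devices-networks/`, whose units (Download and install WARP, MDM deployment, Verify device connectivity) match that scope, or soften "identical".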
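Review bot: In PATCH 8/8, the second changed line in `public/_redirects` gains its `301` but still targets `/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp/`, a path that PATCH 4/8 renames away and that the `/connect-devices/*` rule added in PATCH 3/8 redirects again. The old `connect-networks/choose-on-ramp/` URL therefore takes two hops. Point the target straight at `/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp/`.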