From b8d5fe35ed5270de91911739486654064d6619a5 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Thu, 14 Nov 2024 15:34:22 -0600
Subject: [PATCH 1/7] Apply formatting
---
 .../configure-warp/route-traffic/index.mdx | 38 +++++----------
 .../route-traffic/split-tunnels.mdx | 47 +++++++------------
 .../warp/add-split-tunnels-route.mdx | 17 +++---
 .../warp/change-split-tunnels-mode.mdx | 10 +---
 4 files changed, 38 insertions(+), 74 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 4a9aafeb214bb92..e9b0c2d3ad0f60f 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx 
@@ -3,34 +3,22 @@ pcx_content_type: concept
 title: Route traffic
 sidebar:
 order: 6
-
 ---
-When the WARP client is deployed on a device, Cloudflare processes all DNS requests and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS requests or network traffic from WARP.
-
-There are three settings you can configure:
-
-* **Use [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/)** to instruct the WARP client to proxy DNS requests for a specified domain to a resolver that is not Cloudflare Gateway. This is useful when you have private hostnames that would not otherwise resolve on the public Internet.
-
-:::caution
-
-
-DNS requests to domain names entered here will not be encrypted, monitored or subject to DNS policies by Cloudflare Gateway.
-
-
-:::
-
-* **Use the [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Exclude mode** to instruct the WARP client to ignore traffic to a specified set of IP addresses or domains. Any traffic that is destined to an IP address or domain defined in the Split Tunnels Exclude configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you want the majority of your traffic encrypted and processed by Gateway, but need to exclude certain routes due to app compatibility, or if you need WARP to run alongside a VPN.
-
-* **Use the [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Include mode** mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not included by IP address or domains defined in the Split Tunnel Include configuration will be ignored by the WARP client and handled by the local machine. 
Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.
-
-:::caution
-
-
-Traffic excluded from WARP by Split Tunnel configuration will not be encrypted, managed or monitored by Cloudflare Gateway.
+When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver.
+There are four options you can configure to exclude traffic from WARP:
-:::
+- Resolver policies
+- **Use [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/)** to instruct the WARP client to proxy DNS requests for a specified domain to a resolver that is not Cloudflare Gateway. This is useful when you have private hostnames that would not otherwise resolve on the public Internet.
+ :::caution
+ Gateway will not encrypt, monitor, or apply DNS policies to DNS queries to domain names entered in Local Domain Fallback.
+ :::
+- **Use the [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Exclude mode** to instruct the WARP client to ignore traffic to a specified set of IP addresses or domains. Any traffic that is destined to an IP address or domain defined in the Split Tunnels Exclude configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you want the majority of your traffic encrypted and processed by Gateway, but need to exclude certain routes due to app compatibility, or if you need WARP to run alongside a VPN. 
+- **Use the [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Include mode** mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not included by IP address or domains defined in the Split Tunnel Include configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.
+ :::caution
+ Gateway will not encrypt, manage, or monitor traffic excluded from WARP by a Split Tunnel configuration.
+ :::
 ## How the WARP client handles DNS requests
@@ -42,7 +30,7 @@ accTitle: WARP traffic is evaluated and routed through various parts of the Cloudflare network
 A[WARP User requests resource] -- Domain does not match Local Domain Fallback --> C{WARP client resolves query according to Gateway DNS policies}
 A -- Domain matches Local Domain Fallback --> D[WARP client proxies DNS traffic to specified fallback server]
 D -- Resolver IP included in Tunnel per Split Tunnel configuration --> E[Query sent via WARP Tunnel to be resolved]
-D -- Resolver IP not included in Tunnel per Split Tunnel configuration --> F{Query sent to resolver IP outside WARP Tunnel}
+D -- Resolver IP not included in Tunnel per Split Tunnel configuration --> F{Query sent to resolver IP outside WARP Tunnel}
 E -- Matches CF Gateway block policy --> G{Traffic blocked by CF}
 E -- "Passes CF Gateway network policies (allowed or unblocked)" --> H[Evaluated by Cloudflare Tunnel routes]
 H -- Tunnel routes do not include resolver IP --> I{CF Gateway proxies query to resolver IP via normal WARP egress route} 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx
index fe77b1b1a1dfbfe..70b8b266ac837c9 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx
@@ -3,19 +3,14 @@ pcx_content_type: how-to
 title: Split Tunnels
 sidebar:
 order: 3
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 Split Tunnels can be configured to exclude or include IP addresses or domains from going through WARP. This feature is commonly used to run WARP alongside a VPN (in Exclude mode) or to provide access to a specific private network (in Include mode).
 :::caution
-
-
 Split Tunnels only impacts the flow of IP traffic. DNS requests are still resolved by Gateway and subject to DNS policies unless you add the domains to your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration.
-
-
 :::
 Because Split Tunnels controls what Gateway has visibility on at the network level, we recommend testing all changes before rolling out updates to end users. It may take up to 24 hours for changes to propagate to clients, depending on how many devices are connected to your organization. 
@@ -32,45 +27,42 @@ Because Split Tunnels controls what Gateway has visibility on at the network lev
 Use Split Tunnels when you need to bypass Gateway entirely for a site or allow traffic through the [firewall that WARP creates](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#system-firewall). Common scenarios include:
-* Connect to a third-party application which requires the actual IP address of the end-user device (for example, [Microsoft 365](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#directly-route-microsoft-365-traffic)).
-* Optimize voice and video.
-* Connect to a [third-party VPN](/cloudflare-one/connections/connect-devices/warp/deployment/vpn/) endpoint.
+- Connect to a third-party application which requires the actual IP address of the end-user device (for example, [Microsoft 365](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#directly-route-microsoft-365-traffic)).
+- Optimize voice and video.
+- Connect to a [third-party VPN](/cloudflare-one/connections/connect-devices/warp/deployment/vpn/) endpoint.
 ### When not to use Split Tunnels
 Do not exclude a site from Split Tunnels if you want to see the traffic in your Gateway logs. In particular, we do not recommend using Split Tunnels to:
-* Solve connectivity issues with a specific website. For configuration guidance, refer to our [troubleshooting guide](/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues/#cannot-connect-to-a-specific-app-or-website).
-* Solve performance issues with a specific website. Since Cloudflare operates within 50 milliseconds of 95% of the Internet-connected population, it is usually faster to send traffic through us. If you are encountering a performance-related issue, it is best to first explore your Gateway policies or reach out to Support.
+- Solve connectivity issues with a specific website. 
For configuration guidance, refer to our [troubleshooting guide](/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues/#cannot-connect-to-a-specific-app-or-website).
+- Solve performance issues with a specific website. Since Cloudflare operates within 50 milliseconds of 95% of the Internet-connected population, it is usually faster to send traffic through us. If you are encountering a performance-related issue, it is best to first explore your Gateway policies or reach out to Support.
 ## Cloudflare Zero Trust domains
 Many Cloudflare Zero Trust services rely on traffic going through WARP, such as [device posture checks](/cloudflare-one/identity/devices/) and [WARP session durations](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). If you are using Split Tunnels in Include mode, you will need to manually add the following domains in order for these features to function:
-* The IdP used to authenticate to Cloudflare Zero Trust
-* `.cloudflareaccess.com`
-* The application protected by the Access or Gateway policy
-* `edge.browser.run` if using [Browser Isolation](/cloudflare-one/policies/browser-isolation/)
+- The IdP used to authenticate to Cloudflare Zero Trust
+- `.cloudflareaccess.com`
+- The application protected by the Access or Gateway policy
+- `edge.browser.run` if using [Browser Isolation](/cloudflare-one/policies/browser-isolation/)
 ## Domain-based Split Tunnels
 Domain-based split tunneling has a few ramifications you should be aware of before deploying in your organization:.
-* Routes excluded or included from WARP and Gateway visibility may change day to day, and may be different for each user depending on where they are.
-* You may inadvertently exclude or include additional hostnames that happen to share an IP address. This commonly occurs if you add a domain hosted by a CDN or large Internet provider such as Cloudflare, AWS, or Azure. 
For example, if you wanted to exclude a VPN hosted on AWS, do not add `*.amazonaws.com` as that will open up your devices to all traffic on AWS. Instead, add the specific VPN endpoint (`*.cvpn-endpoint-.prod.clientvpn.us-west-2.amazonaws.com`).
-* Most services are a collection of hostnames. Until Split Tunnels mode supports [App Types](/cloudflare-one/policies/gateway/application-app-types/), you will need to manually add all domains used by a particular app or service.
-* WARP must handle the DNS lookup request for the domain. If a DNS result has been previously cached by the operating system or otherwise intercepted (for example, via your browser's secure DNS settings), the IP address will not be dynamically added to your Split Tunnel.
+- Routes excluded or included from WARP and Gateway visibility may change day to day, and may be different for each user depending on where they are.
+- You may inadvertently exclude or include additional hostnames that happen to share an IP address. This commonly occurs if you add a domain hosted by a CDN or large Internet provider such as Cloudflare, AWS, or Azure. For example, if you wanted to exclude a VPN hosted on AWS, do not add `*.amazonaws.com` as that will open up your devices to all traffic on AWS. Instead, add the specific VPN endpoint (`*.cvpn-endpoint-.prod.clientvpn.us-west-2.amazonaws.com`).
+- Most services are a collection of hostnames. Until Split Tunnels mode supports [App Types](/cloudflare-one/policies/gateway/application-app-types/), you will need to manually add all domains used by a particular app or service.
+- WARP must handle the DNS lookup request for the domain. If a DNS result has been previously cached by the operating system or otherwise intercepted (for example, via your browser's secure DNS settings), the IP address will not be dynamically added to your Split Tunnel. 
### Valid domains
-
-
 | Split tunnel domain | Matches | Does not match |
 | --------------------- | ---------------------------------------------------------------- | ------------------------------------------------------------- |
 | `example.com` | exact match of `example.com` | subdomains such as `www.example.com` |
 | `example.example.com` | exact match of `example.example.com` | `example.com` or subdomains such as `www.example.example.com` |
 | `*.example.com` | subdomains such as `www.example.com` and `sub2.sub1.example.com` | `example.com` |
-| | | |
 ### Platform differences 
@@ -84,23 +76,18 @@ Clients on these platforms work by dynamically inserting the IP address of the d
 Due to platform differences, mobile clients can only apply Split Tunnels rules when the tunnel is initially started. This means:
-* Domain-based Split Tunnels rules are created when the tunnel is established based on the IP address for that domain at that time. The route is refreshed each time the tunnel is established.
-
-* Wildcard domain prefixes (for example, `*.example.com`) are supported only if they have valid wildcard DNS records. Other wildcard domains are not supported because the client is unable to match wildcard domains to hostnames when starting up the tunnel. Unsupported wildcard domain prefixes can still exist in your configuration, but they will be ignored on mobile platforms.
+- Domain-based Split Tunnels rules are created when the tunnel is established based on the IP address for that domain at that time. The route is refreshed each time the tunnel is established.
+- Wildcard domain prefixes (for example, `*.example.com`) are supported only if they have valid wildcard DNS records. Other wildcard domains are not supported because the client is unable to match wildcard domains to hostnames when starting up the tunnel. Unsupported wildcard domain prefixes can still exist in your configuration, but they will be ignored on mobile platforms.
 ## Remove a route
 :::caution
-
-Removing default Split Tunnel entries may cause users to lose Internet connectivity or block their access to local resources.
+Removing default Split Tunnel entries may cause users to lose Internet connectivity or block their access to local resources.
 :::
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
-
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**.
-
 3. Under **Split Tunnels**. select **Manage**. 
-
 4. Find the IP address or hostname in the list and select **Delete**. If you need to revert to the default Split Tunnel entries recommended by Cloudflare, select **Restore default entries**.
diff --git a/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx b/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx
index bfe5f9befc2ed53..4d5cd1994aa5ee8 100644
--- a/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx
+++ b/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx 
@@ -1,35 +1,30 @@
 ---
 {}
-
 ---
-import { GlossaryTooltip, TabItem, Tabs } from "~/components"
+import { GlossaryTooltip, TabItem, Tabs } from "~/components";
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
-
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**.
-
 3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**.
-
 4. Select **Manage**.
-
 5. You can exclude or include routes based on either their IP address or domain. When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to [Domain-based Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). - + To add an IP address to Split Tunnels:
-1. Select *IP Address*.
+1. Select _IP Address_.
 2. Enter the IP address or CIDR you want to exclude or include.
 3. Select **Save destination**. Traffic to this IP address is now excluded or included from the WARP tunnel. - + To add a domain to Split Tunnels:
-1. Select *Domain*.
+1. Select _Domain_.
 2. Enter a [valid domain](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#valid-domains) to exclude or include.
 3. Select **Save destination**.
 4. (Optional) If your domain does not have a public DNS record, create a [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) entry to allow a private DNS server to handle domain resolution. 
@@ -38,6 +33,6 @@ When a user goes to the domain, the domain gets resolved according to your Local
-You can add up to 1000 combined Split Tunnel and [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) entries to a given device profile.
+You can add up to 1,000 combined Split Tunnel and [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) entries to a given device profile.
 We recommend keeping the Split Tunnels list short, as each entry takes time for the client to parse. In particular, domains are slower to action than IP addresses because they require on-the-fly IP lookups and routing table / local firewall changes. A shorter list will also make it easier to understand and debug your configuration.
diff --git a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx
index 7346a92f82f6185..7e9e58946d348bb 100644
--- a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx
+++ b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx 
@@ -1,19 +1,13 @@
 ---
 {}
-
 ---
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
-
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**.
-
 3. Scroll down to **Split Tunnels**.
-
 4. (Optional) To view your existing Split Tunnel configuration, select **Manage**. You will see a list of the IPs and domains Cloudflare Zero Trust excludes or includes, depending on the mode you have selected. We recommend making a copy of your Split Tunnel entries, as they will revert to the default upon switching modes.
-
 5. Under **Split Tunnels**, choose a mode:
-
- * **Exclude IPs and domains** — (Default) All traffic will be sent to Cloudflare Gateway except for the IPs and domains you specify.
- * **Include IPs and Domains** — Only traffic destined to the IPs or domains you specify will be sent to Cloudflare Gateway. All other traffic will bypass Gateway and will no longer be filtered by your network or HTTP policies. In order to use certain features, you will need to manually add [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
+ - **Exclude IPs and domains** — (Default) All traffic will be sent to Cloudflare Gateway except for the IPs and domains you specify.
+ - **Include IPs and Domains** — Only traffic destined to the IPs or domains you specify will be sent to Cloudflare Gateway. All other traffic will bypass Gateway and will no longer be filtered by your network or HTTP policies. In order to use certain features, you will need to manually add [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
 All clients with this device profile will now switch to the new mode and its default route configuration. 
Next, [add](#add-a-route) or [remove](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) routes from your Split Tunnel configuration.
From a1ee4ffc9397fbb8076573faf1190e1e7b670ab4 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Thu, 14 Nov 2024 15:47:41 -0600
Subject: [PATCH 2/7] Add resolver policies
---
 .../warp/configure-warp/route-traffic/index.mdx | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index e9b0c2d3ad0f60f..73d05d303ae04f5 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx 
@@ -5,17 +5,17 @@ sidebar:
 order: 6
 ---
-When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver.
+When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of CLoudflare's [public DNS resolver](1.1.1.1/).
 There are four options you can configure to exclude traffic from WARP:
-- Resolver policies
-- **Use [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/)** to instruct the WARP client to proxy DNS requests for a specified domain to a resolver that is not Cloudflare Gateway. This is useful when you have private hostnames that would not otherwise resolve on the public Internet.
+- [Resolver policies](/cloudflare-one/policies/gateway/resolver-policies/): Use Gateway resolver policies to route DNS queries to custom resolvers based on matching traffic. Resolver policies are only available on Enterprise plans.
+- [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/): Use Local Domain Fallback to instruct the WARP client to proxy DNS requests for a specified domain to a resolver that is not Cloudflare Gateway. This is useful when you have private hostnames that would not otherwise resolve on the public Internet.
 :::caution
 Gateway will not encrypt, monitor, or apply DNS policies to DNS queries to domain names entered in Local Domain Fallback. 
:::
-- **Use the [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Exclude mode** to instruct the WARP client to ignore traffic to a specified set of IP addresses or domains. Any traffic that is destined to an IP address or domain defined in the Split Tunnels Exclude configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you want the majority of your traffic encrypted and processed by Gateway, but need to exclude certain routes due to app compatibility, or if you need WARP to run alongside a VPN.
-- **Use the [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Include mode** mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not included by IP address or domains defined in the Split Tunnel Include configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.
+- [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Exclude mode: Use Exclude mode to instruct the WARP client to ignore traffic to a specified set of IP addresses or domains. Any traffic that is destined to an IP address or domain defined in the Split Tunnels Exclude configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you want the majority of your traffic encrypted and processed by Gateway, but need to exclude certain routes due to app compatibility, or if you need WARP to run alongside a VPN. 
+- [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Include mode: Use Include mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not included by IP address or domains defined in the Split Tunnel Include configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.
 :::caution
 Gateway will not encrypt, manage, or monitor traffic excluded from WARP by a Split Tunnel configuration.
 :::
From a67020c0a4fa059d958cb048c01f26efe0139ea9 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Thu, 14 Nov 2024 16:07:21 -0600
Subject: [PATCH 3/7] Revamp diagram
---
 .../configure-warp/route-traffic/index.mdx | 36 +++++++++++++------
 1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 73d05d303ae04f5..f9eb140b67d4ac6 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx 
@@ -22,18 +22,32 @@ There are four options you can configure to exclude traffic from WARP:
 ## How the WARP client handles DNS requests
-When you use the WARP client together with `cloudflared` Tunnels or third-party VPNs, Cloudflare evaluates each request and routes it according to the following traffic flow.
+When you use the WARP client together with `cloudflared` Tunnels or third-party VPNs, Cloudflare evaluates each request and routes it according to the following traffic flow:
 ```mermaid
 flowchart TD
-accTitle: WARP traffic is evaluated and routed through various parts of the Cloudflare network
-A[WARP User requests resource] -- Domain does not match Local Domain Fallback --> C{WARP client resolves query according to Gateway DNS policies}
-A -- Domain matches Local Domain Fallback --> D[WARP client proxies DNS traffic to specified fallback server]
-D -- Resolver IP included in Tunnel per Split Tunnel configuration --> E[Query sent via WARP Tunnel to be resolved]
-D -- Resolver IP not included in Tunnel per Split Tunnel configuration --> F{Query sent to resolver IP outside WARP Tunnel}
-E -- Matches CF Gateway block policy --> G{Traffic blocked by CF}
-E -- "Passes CF Gateway network policies (allowed or unblocked)" --> H[Evaluated by Cloudflare Tunnel routes]
-H -- Tunnel routes do not include resolver IP --> I{CF Gateway proxies query to resolver IP via normal WARP egress route}
-H -- Tunnel routes include resolver IP --> J[Cloudflare Tunnel advertises route that includes Resolver IP]
-J --> L{Private resolver returns IP address to WARP client}
+ D["WARP client proxies DNS traffic to specified fallback server"] -- Resolver IP included in Tunnel per Split Tunnel configuration --> E["Query sent via WARP Tunnel to be resolved"]
+ D -- Resolver IP not included in Tunnel per Split Tunnel configuration --> F["Query sent to resolver IP outside WARP Tunnel"]
+ E -- Blocked by Gateway --> G["Traffic blocked by Cloudflare"]
+ E -- Allowed by Gateway --> H["Evaluated by 
Cloudflare Tunnel routes"]
+ H -- Tunnel routes do not include resolver IP --> I["Gateway proxies query to resolver IP via normal WARP egress route"]
+ H -- Tunnel routes include resolver IP --> J["Cloudflare Tunnel advertises route that includes Resolver IP"]
+ J --> L["Private resolver returns IP address to WARP client"]
+ n1["Local Domain Fallback"] -- Matches domain --> C["WARP client resolves query according to Gateway policies"]
+ n1 -- Does not match domain --> D
+ A["WARP user requests resource"] --> n2["Gateway resolver policies"]
+ n2 -- Does not match traffic --> n1
+ n2 -- Matches traffic --> C
+
+ D@{ shape: rect}
+ E@{ shape: hex}
+ F@{ shape: terminal}
+ G@{ shape: terminal}
+ H@{ shape: hex}
+ I@{ shape: terminal}
+ L@{ shape: terminal}
+ n1@{ shape: proc}
+ C@{ shape: terminal}
+ A@{ shape: in-out}
+ n2@{ shape: proc}
 ```
From ec6afe595a78a6b2cdf8f7f278a977a1683b0adf Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Thu, 14 Nov 2024 17:09:23 -0500
Subject: [PATCH 4/7] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
---
 .../connect-devices/warp/configure-warp/route-traffic/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index f9eb140b67d4ac6..1b7bb14179eda86 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx 
@@ -5,7 +5,7 @@ sidebar:
 order: 6
 ---
-When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of CLoudflare's [public DNS resolver](1.1.1.1/).
+When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's [public DNS resolver](1.1.1.1/).
 There are four options you can configure to exclude traffic from WARP:
From 9e8a15629dd2bfe92b547a0fcbf0fcf70b6d103b Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Thu, 14 Nov 2024 17:26:29 -0500
Subject: [PATCH 5/7] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
---
 .../connect-devices/warp/configure-warp/route-traffic/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 1b7bb14179eda86..20fae05f58ad774 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx 
@@ -5,7 +5,7 @@ sidebar:
 order: 6
 ---
-When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's [public DNS resolver](1.1.1.1/).
+When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's [public DNS resolver](/1.1.1.1).
 There are four options you can configure to exclude traffic from WARP:
From 8dfaa246dac6a36504e564831602175c925e6f1b Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Fri, 15 Nov 2024 11:43:25 -0500
Subject: [PATCH 6/7] Apply suggestions from code review
Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
---
 .../warp/configure-warp/route-traffic/index.mdx | 4 ++--
 .../partials/cloudflare-one/warp/add-split-tunnels-route.mdx | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 20fae05f58ad774..08b6534f69da210 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
@@ -5,7 +5,7 @@ sidebar:
 order: 6
 ---
-When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's [public DNS resolver](/1.1.1.1).
+When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's [public DNS resolver](/1.1.1.1/).
 There are four options you can configure to exclude traffic from WARP:
@@ -15,7 +15,7 @@ There are four options you can configure to exclude traffic from WARP:
 Gateway will not encrypt, monitor, or apply DNS policies to DNS queries to domain names entered in Local Domain Fallback.
 :::
 - [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Exclude mode: Use Exclude mode to instruct the WARP client to ignore traffic to a specified set of IP addresses or domains. Any traffic that is destined to an IP address or domain defined in the Split Tunnels Exclude configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you want the majority of your traffic encrypted and processed by Gateway, but need to exclude certain routes due to app compatibility, or if you need WARP to run alongside a VPN.
-- [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Include mode: Use Include mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not included by IP address or domains defined in the Split Tunnel Include configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.
+- [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) Include mode: Use Include mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not included by an IP address or domain defined in the Split Tunnel Include configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.
:::caution
 Gateway will not encrypt, manage, or monitor traffic excluded from WARP by a Split Tunnel configuration.
 :::
diff --git a/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx b/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx
index 4d5cd1994aa5ee8..8e8053992786423 100644
--- a/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx
+++ b/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx
@@ -10,7 +10,7 @@ import { GlossaryTooltip, TabItem, Tabs } from "~/components";
 4. Select **Manage**.
 5. You can exclude or include routes based on either their IP address or domain. When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to [Domain-based Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels).
-
+
 To add an IP address to Split Tunnels:
From 9f5030cd265df21b7e7ad373fc088c8b13f696db Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Fri, 15 Nov 2024 10:44:36 -0600
Subject: [PATCH 7/7] Change LDF shape
---
 .../connect-devices/warp/configure-warp/route-traffic/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 08b6534f69da210..d0e80283a528edc 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
@@ -46,7 +46,7 @@ flowchart TD
 H@{ shape: hex}
 I@{ shape: terminal}
 L@{ shape: terminal}
- n1@{ shape: proc}
+ n1@{ shape: hex}
 C@{ shape: terminal}
 A@{ shape: in-out}
 n2@{ shape: proc}