diff --git a/src/content/docs/magic-cloud-networking/reference.mdx b/src/content/docs/magic-cloud-networking/reference.mdx index 978f362aaa24e87..8ef1c1ccdc508ce 100644 --- a/src/content/docs/magic-cloud-networking/reference.mdx +++ b/src/content/docs/magic-cloud-networking/reference.mdx @@ -41,7 +41,7 @@ When using Magic Cloud Networking to automatically create on-ramps to your Googl - Cloudflare will reserve a public Internet routable IP address from GCP. - Cloudflare will create a VPN Gateway and two VPN Tunnels in the region you specify. - Cloudflare will create routes for each prefix in your [Magic WAN Address Space](/magic-cloud-networking/cloud-on-ramps/#magic-wan-address-space) within your VPC pointing to the VPN Tunnels. -- Cloudflare will add routes in Magic WAN for all subnet CIDR prefixes in your VPC. This includes all regions within the VPC. Traffic bound for a region other than the VPN Gateway’s region will be subject to GCP’s [Inter-region Pricing](https://cloud.google.com/vpc/network-pricing#inter-region-data-transfer). +- Cloudflare will add routes in Magic WAN for all subnet CIDR prefixes in your VPC. This includes all regions within the VPC. Traffic bound for a region other than the VPN Gateway's region will be subject to GCP's [Inter-region Pricing](https://cloud.google.com/vpc/network-pricing#inter-region-data-transfer). - Traffic sent to and from your VM instances through the VPN Tunnels is still subject to VPC firewall rules, and may [require further configuration](https://cloud.google.com/network-connectivity/docs/vpn/how-to/configuring-firewall-rules#firewall_rules). ## Supported resources diff --git a/src/content/docs/magic-network-monitoring/get-started.mdx b/src/content/docs/magic-network-monitoring/get-started.mdx index be9ea7653dc5414..f746a1acae3f5cb 100644 --- a/src/content/docs/magic-network-monitoring/get-started.mdx +++ b/src/content/docs/magic-network-monitoring/get-started.mdx 
@@ -13,7 +13,7 @@ If you are an Enterprise customer, Cloudflare can significantly accelerate the o ## 1. Verify NetFlow or sFlow capabilities -Verify your routers are capable of exporting NetFlow or sFlow to an IP address on Cloudflare’s network. Magic Network Monitoring supports NetFlow v5, NetFlow v9, IPFIX, and sFlow. +Verify your routers are capable of exporting NetFlow or sFlow to an IP address on Cloudflare's network. Magic Network Monitoring supports NetFlow v5, NetFlow v9, IPFIX, and sFlow. Refer to [Supported routers](/magic-network-monitoring/routers/supported-routers) to view a list of supported routers. The list is not exhaustive. diff --git a/src/content/docs/magic-network-monitoring/index.mdx b/src/content/docs/magic-network-monitoring/index.mdx index 22e178f90e801c7..255bc6691e14c2a 100644 --- a/src/content/docs/magic-network-monitoring/index.mdx +++ b/src/content/docs/magic-network-monitoring/index.mdx @@ -26,7 +26,7 @@ Improve your network visibility and detect DDoS attacks based on traffic flows. -Magic Network Monitoring provides visibility into your network traffic by analyzing network flow data sent from a customer’s routers. Magic Network Monitoring supports NetFlow v5, NetFlow v9, IPFIX, and sFlow. +Magic Network Monitoring provides visibility into your network traffic by analyzing network flow data sent from a customer's routers. Magic Network Monitoring supports NetFlow v5, NetFlow v9, IPFIX, and sFlow. Magic Network Monitoring is generally available to everyone with a Cloudflare account by default. You can log in to your Cloudflare dashboard, select your account, then go to **Analytics & Logs** > **Magic Monitoring** to get started. diff --git a/src/content/docs/magic-network-monitoring/routers/netflow-ipfix-config.mdx b/src/content/docs/magic-network-monitoring/routers/netflow-ipfix-config.mdx index 25d375c05351206..7064faf8d139a5e 100644 --- a/src/content/docs/magic-network-monitoring/routers/netflow-ipfix-config.mdx 
+++ b/src/content/docs/magic-network-monitoring/routers/netflow-ipfix-config.mdx @@ -5,7 +5,7 @@ sidebar: order: 3 head: [] description: A step-by-step configuration guide for exporting NetFlow or IPFIX - data to Cloudflare’s network. + data to Cloudflare's network. --- diff --git a/src/content/docs/magic-network-monitoring/routers/recommended-sampling-rate.mdx b/src/content/docs/magic-network-monitoring/routers/recommended-sampling-rate.mdx index 53dcb0127770e29..2bc232a836a2c12 100644 --- a/src/content/docs/magic-network-monitoring/routers/recommended-sampling-rate.mdx +++ b/src/content/docs/magic-network-monitoring/routers/recommended-sampling-rate.mdx @@ -4,7 +4,7 @@ pcx_content_type: reference sidebar: order: 2 head: [] -description: The best sampling rate recommendations for your network’s traffic volume. +description: The best sampling rate recommendations for your network's traffic volume. --- diff --git a/src/content/docs/magic-network-monitoring/routers/sflow-config.mdx b/src/content/docs/magic-network-monitoring/routers/sflow-config.mdx index 7b3ec26cdc0de12..34caa25627dd24e 100644 --- a/src/content/docs/magic-network-monitoring/routers/sflow-config.mdx +++ b/src/content/docs/magic-network-monitoring/routers/sflow-config.mdx @@ -5,7 +5,7 @@ sidebar: order: 4 head: [] description: A step-by-step configuration guide for exporting sFlow data to - Cloudflare’s network. + Cloudflare's network. --- diff --git a/src/content/docs/magic-network-monitoring/routers/supported-routers.mdx b/src/content/docs/magic-network-monitoring/routers/supported-routers.mdx index 96636af2b49cfa2..a3c4a0a7c6268de 100644 --- a/src/content/docs/magic-network-monitoring/routers/supported-routers.mdx +++ b/src/content/docs/magic-network-monitoring/routers/supported-routers.mdx 
@@ -15,7 +15,7 @@ The majority of enterprise-grade routers are capable of exporting packets destined for your network, processes them, and then outputs them to your origin infrastructure. -The Cloudflare network uses [Border Gateway Protocol (BGP)](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/) to announce your company’s IP address space, extending your network presence globally, and anycast to ingest your traffic. Today, Cloudflare’s anycast global network spans [hundreds of cities worldwide](https://www.cloudflare.com/network/). +The Cloudflare network uses [Border Gateway Protocol (BGP)](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/) to announce your company's IP address space, extending your network presence globally, and anycast to ingest your traffic. Today, Cloudflare's anycast global network spans [hundreds of cities worldwide](https://www.cloudflare.com/network/). -Once packets hit Cloudflare’s network, traffic is inspected for attacks, filtered, steered, accelerated, and sent onward to your origin. Magic Transit connects to your origin infrastructure using anycast Generic Routing Encapsulation (GRE) tunnels over the Internet or, with [Cloudflare Network Interconnect (CNI)](/network-interconnect/), via physical or virtual interconnect. +Once packets hit Cloudflare's network, traffic is inspected for attacks, filtered, steered, accelerated, and sent onward to your origin. Magic Transit connects to your origin infrastructure using anycast Generic Routing Encapsulation (GRE) tunnels over the Internet or, with [Cloudflare Network Interconnect (CNI)](/network-interconnect/), via physical or virtual interconnect. Magic Transit users have two options for their implementation: ingress traffic or ingress and [egress traffic](/magic-transit/reference/egress/). Users with an egress implementation will need to set up policy-based routing (PBR) or ensure default routing on their end forwards traffic to Cloudflare via tunnels. 
diff --git a/src/content/docs/magic-transit/analytics/network-analytics.mdx b/src/content/docs/magic-transit/analytics/network-analytics.mdx index 19029b0e3a5b969..be0a4d42d9ceee4 100644 --- a/src/content/docs/magic-transit/analytics/network-analytics.mdx +++ b/src/content/docs/magic-transit/analytics/network-analytics.mdx @@ -11,13 +11,13 @@ head: import { GlossaryTooltip, Render } from "~/components" -[Network Analytics](/analytics/network-analytics/) gives you real-time visibility into Magic Transit traffic entering and leaving Cloudflare’s network through GRE or IPsec tunnels. Start by inspecting information from the source and destination tunnel panels in Network Analytics to learn more about your data. +[Network Analytics](/analytics/network-analytics/) gives you real-time visibility into Magic Transit traffic entering and leaving Cloudflare's network through GRE or IPsec tunnels. Start by inspecting information from the source and destination tunnel panels in Network Analytics to learn more about your data. Source/destination tunnel data in Network Analytics includes: - A list of your top tunnels by traffic volume. - Source and destination IP addresses, ports, and protocols of tunnel traffic. -- Samples of all GRE or IPsec tunnel traffic entering or leaving Cloudflare’s network. +- Samples of all GRE or IPsec tunnel traffic entering or leaving Cloudflare's network. - Mitigations applied (such as DDoS and Magic Firewall) to traffic entering Cloudflare. ## Access Magic Tunnel analytics diff --git a/src/content/docs/magic-transit/get-started.mdx b/src/content/docs/magic-transit/get-started.mdx index 3c6b3f72b7adc93..926eb56ddcd5ecd 100644 --- a/src/content/docs/magic-transit/get-started.mdx +++ b/src/content/docs/magic-transit/get-started.mdx 
@@ -21,7 +21,7 @@ Before you can begin using Magic Transit, verify that you meet Cloudflare's onbo ### Verify router compatibility -Magic Transit relies on anycast tunnels to transmit packets from Cloudflare’s global network to your origin network. +Magic Transit relies on anycast tunnels to transmit packets from Cloudflare's global network to your origin network. The routers at your tunnel endpoints must meet the following requirements to ensure compatibility with Magic Transit. @@ -94,7 +94,7 @@ Refer to [Maximum transmission unit and maximum segment size](/magic-transit/ref ## 4. Configure static routes -Configure [static routes](/magic-transit/how-to/configure-static-routes/) to route traffic from Cloudflare’s global network to your locations. +Configure [static routes](/magic-transit/how-to/configure-static-routes/) to route traffic from Cloudflare's global network to your locations. ## 5. Run pre-flight checks diff --git a/src/content/docs/magic-transit/how-to/configure-static-routes.mdx b/src/content/docs/magic-transit/how-to/configure-static-routes.mdx index e7bdb7162516496..5272b09e50e6800 100644 --- a/src/content/docs/magic-transit/how-to/configure-static-routes.mdx +++ b/src/content/docs/magic-transit/how-to/configure-static-routes.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 head: [] description: Magic Transit uses a static configuration to route your traffic - through anycast tunnels from Cloudflare’s global network to your locations. + through anycast tunnels from Cloudflare's global network to your locations. Learn how to configure static routes. --- diff --git a/src/content/docs/magic-transit/network-interconnect.mdx b/src/content/docs/magic-transit/network-interconnect.mdx index ef3a0838d974939..2292745a66708c1 100644 --- a/src/content/docs/magic-transit/network-interconnect.mdx +++ b/src/content/docs/magic-transit/network-interconnect.mdx 
@@ -10,7 +10,7 @@ head: import { GlossaryTooltip } from "~/components"; -Cloudflare Network Interconnect (CNI) allows you to connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience. With CNI, you can bring Cloudflare’s full suite of network functions to your physical network edge. +Cloudflare Network Interconnect (CNI) allows you to connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience. With CNI, you can bring Cloudflare's full suite of network functions to your physical network edge. Use Cloudflare Network Interconnect with Magic Transit to improve throughput and harden infrastructure to attack. diff --git a/src/content/docs/magic-transit/partners/kentik.mdx b/src/content/docs/magic-transit/partners/kentik.mdx index 7217a72eb8c079a..8fec40d7c7ba343 100644 --- a/src/content/docs/magic-transit/partners/kentik.mdx +++ b/src/content/docs/magic-transit/partners/kentik.mdx @@ -26,7 +26,7 @@ You will need the email address associated with your Cloudflare account, Cloudfl 5. Select **Edit** next to the Cloudflare branded mitigation to edit and review the information. - In the example below under section two, the Cloudflare email address, Account ID, and API token are used to send the API call to Cloudflare to begin advertising routes and turn on Magic Transit for the customer’s network. + In the example below under section two, the Cloudflare email address, Account ID, and API token are used to send the API call to Cloudflare to begin advertising routes and turn on Magic Transit for the customer's network. ![Kentik mitigation setup](~/assets/images/magic-transit/kentik-setup.png) diff --git a/src/content/docs/magic-transit/reference/traffic-steering.mdx b/src/content/docs/magic-transit/reference/traffic-steering.mdx index 78a8e5a745afc5f..39d6541043d13bd 100644 
--- a/src/content/docs/magic-transit/reference/traffic-steering.mdx +++ b/src/content/docs/magic-transit/reference/traffic-steering.mdx @@ -4,7 +4,7 @@ title: Traffic steering head: [] description: Magic Transit uses a static configuration to route traffic through anycast tunnels using the Generic Routing Encapsulation (GRE) and Internet - Protocol Security (IPsec) protocols from Cloudflare’s global network to your + Protocol Security (IPsec) protocols from Cloudflare's global network to your network. --- diff --git a/src/content/docs/magic-transit/reference/tunnels.mdx b/src/content/docs/magic-transit/reference/tunnels.mdx index d294fcc459879a3..964691a3c86106d 100644 --- a/src/content/docs/magic-transit/reference/tunnels.mdx +++ b/src/content/docs/magic-transit/reference/tunnels.mdx @@ -3,7 +3,7 @@ pcx_content_type: concept title: GRE and IPsec tunnels head: [] description: Magic Transit uses Generic Routing Encapsulation (GRE) and IPsec - tunnels to transmit packets from Cloudflare’s global network to your origin + tunnels to transmit packets from Cloudflare's global network to your origin network. --- diff --git a/src/content/docs/magic-wan/analytics/index.mdx b/src/content/docs/magic-wan/analytics/index.mdx index c82021119b15633..f0e247391a98a66 100644 --- a/src/content/docs/magic-wan/analytics/index.mdx +++ b/src/content/docs/magic-wan/analytics/index.mdx 
@@ -31,13 +31,13 @@ Refer to [Magic WAN Network Analytics](/magic-wan/analytics/network-analytics/) ## Traceroutes -Traceroutes provide a hop by hop breakdown of the Internet path network traffic follows as it traverses from Cloudflare’s network to a customer’s network. +Traceroutes provide a hop by hop breakdown of the Internet path network traffic follows as it traverses from Cloudflare's network to a customer's network. Refer to [Traceroutes](/magic-wan/analytics/traceroutes/) to learn more. ## Packet captures -Packet captures allow customers to analyze the raw packet data that a customer is sending and receiving from Cloudflare’s network. +Packet captures allow customers to analyze the raw packet data that a customer is sending and receiving from Cloudflare's network. Refer to [packet captures](/magic-firewall/packet-captures/) to learn more. diff --git a/src/content/docs/magic-wan/configuration/connector/device-metrics.mdx b/src/content/docs/magic-wan/configuration/connector/device-metrics.mdx index f63f2be76a2a44a..66554873c9e5072 100644 --- a/src/content/docs/magic-wan/configuration/connector/device-metrics.mdx +++ b/src/content/docs/magic-wan/configuration/connector/device-metrics.mdx @@ -22,7 +22,7 @@ To check for Connector metrics: ### Query metrics with GraphQL -Customers can query Cloudflare’s GraphQL API to fetch their Magic WAN Connector device metrics. The Cloudflare dashboard displays Magic WAN Connector device metrics over the past one hour. Via the GraphQL API, customers can query for up to 30 days of historical Magic WAN Connector device metrics. +Customers can query Cloudflare's GraphQL API to fetch their Magic WAN Connector device metrics. The Cloudflare dashboard displays Magic WAN Connector device metrics over the past one hour. Via the GraphQL API, customers can query for up to 30 days of historical Magic WAN Connector device metrics. For example: 
diff --git a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx index 7cb02067a4ebd6f..634e7af0fa76ba5 100644 --- a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx +++ b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx @@ -3,12 +3,12 @@ pcx_content_type: how-to title: Breakout traffic head: [] description: Breakout traffic allows you to define which applications should - bypass Cloudflare’s security filtering. + bypass Cloudflare's security filtering. --- import { Render, TabItem, Tabs } from "~/components"; -Breakout traffic allows you to define which applications should bypass Cloudflare’s security filtering, and go directly to the Internet. It works via DNS requests inspection. This means that if your network is caching DNS requests, Breakout traffic will only take effect after you cache entries expire and your client issues a new DNS request that the Magic WAN Connector can detect. This can take several minutes. +Breakout traffic allows you to define which applications should bypass Cloudflare's security filtering, and go directly to the Internet. It works via DNS requests inspection. This means that if your network is caching DNS requests, Breakout traffic will only take effect after you cache entries expire and your client issues a new DNS request that the Magic WAN Connector can detect. This can take several minutes. :::caution Breakout traffic will not work for applications that use DNS-over-HTTPs. 
@@ -30,7 +30,7 @@ accTitle: In this example, the applications go directly to the Internet, skippin _In the graph above, Applications 1 and 2 are configured to bypass Cloudflare's security filtering, and go straight to the Internet_ :::note[A note on security] -We recommend routing all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare’s security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard. +We recommend routing all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare's security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard. Refer to [Traffic steering](/magic-wan/reference/traffic-steering/) to learn how Cloudflare routes traffic. ::: diff --git a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/index.mdx b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/index.mdx index 054944d79bc6203..286452043578844 100644 --- a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/index.mdx +++ b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/index.mdx 
@@ -8,11 +8,11 @@ import { DirectoryListing } from "~/components" In addition to traffic policies based on network-layer attributes like IP and port ranges, the Magic WAN Connector supports the ability to classify traffic based on well-known applications. Application-aware policies provide easier management and more granularity over traffic flows. -Cloudflare’s implementation of application awareness leverages the intelligence of our global network, using the same categorization/classification already shared across security tools like our [Secure Web Gateway](/cloudflare-one/policies/gateway/), so IT and security teams can expect consistent behavior across routing and inspection decisions. +Cloudflare's implementation of application awareness leverages the intelligence of our global network, using the same categorization/classification already shared across security tools like our [Secure Web Gateway](/cloudflare-one/policies/gateway/), so IT and security teams can expect consistent behavior across routing and inspection decisions. For more information, refer to [Applications and app types](/cloudflare-one/policies/gateway/application-app-types/). -Magic WAN Connector's ability to classify traffic allows you to define which applications should bypass Cloudflare’s security filtering, and go directly to the Internet. You can also give some applications a higher priority, and Connector will process them first. This is useful when your network is at capacity, for example. +Magic WAN Connector's ability to classify traffic allows you to define which applications should bypass Cloudflare's security filtering, and go directly to the Internet. You can also give some applications a higher priority, and Connector will process them first. This is useful when your network is at capacity, for example. Refer to the following pages for more information. 
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/configure-static-routes.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/configure-static-routes.mdx index 084abe492e0b934..3b7d09cdc7758f9 100644 --- a/src/content/docs/magic-wan/configuration/manually/how-to/configure-static-routes.mdx +++ b/src/content/docs/magic-wan/configuration/manually/how-to/configure-static-routes.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 head: [] description: Magic WAN uses a static configuration to route your traffic through - anycast tunnels from Cloudflare’s global network to your locations. + anycast tunnels from Cloudflare's global network to your locations. --- diff --git a/src/content/docs/magic-wan/get-started.mdx b/src/content/docs/magic-wan/get-started.mdx index 89615a1228a2839..076b319c528e8c9 100644 --- a/src/content/docs/magic-wan/get-started.mdx +++ b/src/content/docs/magic-wan/get-started.mdx @@ -38,7 +38,7 @@ The list of prerequisites below is only for customers planning to connect manual ### Use compatible tunnel endpoint routers -Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare’s global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must: +Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare's global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must: - Allow configuration of at least one tunnel per Internet service provider (ISP). - Support maximum segment size (MSS) clamping. diff --git a/src/content/docs/magic-wan/index.mdx b/src/content/docs/magic-wan/index.mdx index 15429e25c4df8d8..7a482c929e87fd6 100644 --- a/src/content/docs/magic-wan/index.mdx +++ b/src/content/docs/magic-wan/index.mdx 
@@ -27,7 +27,7 @@ import { Magic WAN provides secure, performant connectivity and routing for your entire corporate networking, reducing cost and operation complexity. [Magic Firewall](/magic-firewall/) integrates smoothly with Magic WAN, enabling you to enforce network firewall policies at Cloudflare's global network, across traffic from any entity within your network. -With Magic WAN, you can securely connect any traffic source — data centers, offices, devices, cloud properties — to Cloudflare’s network and configure routing policies to get the bits where they need to go, all within one SaaS solution. +With Magic WAN, you can securely connect any traffic source — data centers, offices, devices, cloud properties — to Cloudflare's network and configure routing policies to get the bits where they need to go, all within one SaaS solution. Magic WAN supports a variety of on-ramps including any device that supports anycast GRE or IPsec tunnels. To make it easier to onboard your cloud properties, you can use [Magic Cloud Networking](/magic-wan/configuration/magic-cloud-networking/), which automates the process of creating on-ramps from your cloud networks. diff --git a/src/content/docs/magic-wan/network-interconnect.mdx b/src/content/docs/magic-wan/network-interconnect.mdx index 99198c7a32c8536..14e01493858a43f 100644 --- a/src/content/docs/magic-wan/network-interconnect.mdx +++ b/src/content/docs/magic-wan/network-interconnect.mdx 
@@ -10,7 +10,7 @@ head: import { Render } from "~/components"; -Cloudflare Network Interconnect (CNI) allows you to connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience. With CNI, you can bring Cloudflare’s full suite of network functions to your physical network edge. +Cloudflare Network Interconnect (CNI) allows you to connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience. With CNI, you can bring Cloudflare's full suite of network functions to your physical network edge. When working with Magic WAN and Cloudflare Network Interconnect (CNI), there are a few guidelines you should follow. diff --git a/src/content/docs/magic-wan/on-ramps.mdx b/src/content/docs/magic-wan/on-ramps.mdx index 98d4c249c98bed2..4f2fff552eb5dc1 100644 --- a/src/content/docs/magic-wan/on-ramps.mdx +++ b/src/content/docs/magic-wan/on-ramps.mdx 
@@ -13,6 +13,6 @@ Additional compatible on-ramps include: - [Cloudflare Network Interconnect (CNI)](/magic-wan/network-interconnect/): Connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience. - [Cloudflare Tunnel](/magic-wan/zero-trust/cloudflare-tunnel/): Magic WAN can be used together with Cloudflare Tunnel for easy access between your networks and applications. -- [WARP](/cloudflare-one/connections/connect-devices/warp/): Protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s global network, where Cloudflare Gateway can apply advanced web filtering. +- [WARP](/cloudflare-one/connections/connect-devices/warp/): Protect corporate devices by securely and privately sending traffic from those devices to Cloudflare's global network, where Cloudflare Gateway can apply advanced web filtering. - [Magic Cloud Networking](/magic-wan/configuration/magic-cloud-networking/): Automatically create on-ramps from your cloud networks to Magic WAN. - [Network on-ramp partnerships](https://www.cloudflare.com/network-onramp-partners/): Refer to our [third-party integration tutorials](/magic-wan/configuration/manually/third-party/) for guidance on configuring the most asked for third-party products. diff --git a/src/content/docs/magic-wan/reference/bandwidth-measurement.mdx b/src/content/docs/magic-wan/reference/bandwidth-measurement.mdx index 74326d92345f597..39700a7ded5fc1e 100644 --- a/src/content/docs/magic-wan/reference/bandwidth-measurement.mdx +++ b/src/content/docs/magic-wan/reference/bandwidth-measurement.mdx 
@@ -6,6 +6,6 @@ title: Bandwidth measurement Cloudflare measures Magic WAN usage based on the 95th percentile of bandwidth utilized by the customer's configured network. -Configured Magic WAN network's bandwidth refers to the sum of traffic routed in and out of Magic WAN network namespace by measuring and summing each active customer’s configured [GRE](https://www.cloudflare.com/learning/network-layer/what-is-gre-tunneling/), [IPSEC](https://www.cloudflare.com/learning/network-layer/what-is-ipsec/), [Cloudflare Tunnel](/magic-wan/zero-trust/cloudflare-tunnel/) and [Cloudflare Network Interconnect](/network-interconnect/) tunnel's highest P95th percentile (ingress or egress traffic). The usage measurement excludes [WARP](/network-interconnect/) traffic. +Configured Magic WAN network's bandwidth refers to the sum of traffic routed in and out of Magic WAN network namespace by measuring and summing each active customer's configured [GRE](https://www.cloudflare.com/learning/network-layer/what-is-gre-tunneling/), [IPSEC](https://www.cloudflare.com/learning/network-layer/what-is-ipsec/), [Cloudflare Tunnel](/magic-wan/zero-trust/cloudflare-tunnel/) and [Cloudflare Network Interconnect](/network-interconnect/) tunnel's highest P95th percentile (ingress or egress traffic). The usage measurement excludes [WARP](/network-interconnect/) traffic. To measure 95th percentile bandwidth at each tunnel, Cloudflare records bandwidth incoming and leaving our global network at five minute intervals, sorts these measurements in descending order, and discards the top 5% of recorded measurements. The highest remaining value constitutes the 95th percentile bandwidth measurement for that time period. diff --git a/src/content/docs/magic-wan/reference/traffic-steering.mdx b/src/content/docs/magic-wan/reference/traffic-steering.mdx index ab6173ba652d2da..b8cbdf2d46dd8f7 100644 --- a/src/content/docs/magic-wan/reference/traffic-steering.mdx 
+++ b/src/content/docs/magic-wan/reference/traffic-steering.mdx @@ -4,7 +4,7 @@ title: Traffic steering head: [] description: Magic WAN uses a static configuration to route traffic through anycast tunnels using the Generic Routing Encapsulation (GRE) and Internet - Protocol Security (IPsec) protocols from Cloudflare’s global network to your + Protocol Security (IPsec) protocols from Cloudflare's global network to your network. --- diff --git a/src/content/docs/magic-wan/reference/tunnels.mdx b/src/content/docs/magic-wan/reference/tunnels.mdx index 585faac2ba2ed02..675262e005742f0 100644 --- a/src/content/docs/magic-wan/reference/tunnels.mdx +++ b/src/content/docs/magic-wan/reference/tunnels.mdx @@ -3,7 +3,7 @@ pcx_content_type: concept title: GRE and IPsec tunnels head: [] description: Magic WAN uses Generic Routing Encapsulation (GRE) and IPsec - tunnels to transmit packets from Cloudflare’s global network to your origin + tunnels to transmit packets from Cloudflare's global network to your origin network. --- diff --git a/src/content/docs/magic-wan/security.mdx b/src/content/docs/magic-wan/security.mdx index e25096609d92957..47698ecbff010b4 100644 --- a/src/content/docs/magic-wan/security.mdx +++ b/src/content/docs/magic-wan/security.mdx 
@@ -9,7 +9,7 @@ head: --- -Magic WAN customers have [automatic access to Magic Firewall](/magic-firewall/plans/). Magic Firewall is Cloudflare’s firewall-as-a-service solution that allows you to protect your infrastructure. Magic Firewall supports layers three and four of the [OSI model](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/), and enables you to allow or block traffic on a variety of packet characteristics. +Magic WAN customers have [automatic access to Magic Firewall](/magic-firewall/plans/). Magic Firewall is Cloudflare's firewall-as-a-service solution that allows you to protect your infrastructure. Magic Firewall supports layers three and four of the [OSI model](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/), and enables you to allow or block traffic on a variety of packet characteristics. Refer to [Magic Firewall](/magic-firewall/) for more information about this product. diff --git a/src/content/docs/magic-wan/zero-trust/warp.mdx b/src/content/docs/magic-wan/zero-trust/warp.mdx index 16de397e0d386b6..1a7ff03ea9e60dc 100644 --- a/src/content/docs/magic-wan/zero-trust/warp.mdx +++ b/src/content/docs/magic-wan/zero-trust/warp.mdx 
@@ -8,7 +8,7 @@ head: import { GlossaryTooltip, Render } from "~/components"; -Use [WARP](/cloudflare-one/connections/connect-devices/warp/) as an on-ramp to Magic WAN and route traffic from user devices with WARP installed to any network connected with Cloudflare Tunnel or Magic IP-layer tunnels (anycast GRE, IPsec, or [CNI](/network-interconnect/)). Take advantage of the integration between Magic WAN and [Magic Firewall](/magic-firewall/) and enforce policies at Cloudflare’s global network. +Use [WARP](/cloudflare-one/connections/connect-devices/warp/) as an on-ramp to Magic WAN and route traffic from user devices with WARP installed to any network connected with Cloudflare Tunnel or Magic IP-layer tunnels (anycast GRE, IPsec, or [CNI](/network-interconnect/)). Take advantage of the integration between Magic WAN and [Magic Firewall](/magic-firewall/) and enforce policies at Cloudflare's global network. ## Prerequisites @@ -36,7 +36,7 @@ ip route add 100.96.0.0/12 dev gre1 :::note[Note] -After set up, **HTTP** and **Network logs** in Gateway will show the virtual IP address of your WARP device as the **Source IP**. DNS logs will continue to show the original WARP device IP because DNS traffic is sent over the public Internet to Cloudflare’s public-facing resolver. +After set up, **HTTP** and **Network logs** in Gateway will show the virtual IP address of your WARP device as the **Source IP**. DNS logs will continue to show the original WARP device IP because DNS traffic is sent over the public Internet to Cloudflare's public-facing resolver. ::: ### 2. Configure Split Tunnels diff --git a/src/content/docs/network-interconnect/index.mdx b/src/content/docs/network-interconnect/index.mdx index 5370547db434e97..723f1568224bcfa 100644 --- a/src/content/docs/network-interconnect/index.mdx +++ b/src/content/docs/network-interconnect/index.mdx 
@@ -12,21 +12,21 @@ head: import { Description, Plan, RelatedProduct } from "~/components" -Connect your network infrastructure directly to Cloudflare +Connect your network infrastructure directly to Cloudflare -Cloudflare Network Interconnect (CNI) allows you to connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience. With CNI, you can bring Cloudflare’s full suite of network functions to your physical network edge. +Cloudflare Network Interconnect (CNI) allows you to connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience. With CNI, you can bring Cloudflare's full suite of network functions to your physical network edge. *** ## Related products -Magic Transit is a network security and performance solution that offers DDoS protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks. +Magic Transit is a network security and performance solution that offers DDoS protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks. -Improve security and performance for your entire corporate network, reducing cost and operation complexity. +Improve security and performance for your entire corporate network, reducing cost and operation complexity. diff --git a/src/content/docs/network-interconnect/pni-and-peering.mdx b/src/content/docs/network-interconnect/pni-and-peering.mdx index 29b7c21f5194c4c..d098e58fbab6e1d 100644 --- a/src/content/docs/network-interconnect/pni-and-peering.mdx +++ b/src/content/docs/network-interconnect/pni-and-peering.mdx 
@@ -9,7 +9,7 @@ sidebar: Cloudflare has an [open peering policy](https://www.cloudflare.com/peering-policy/). There is no requirement to be a Cloudflare customer for public peering, or a Private Network Interconnect (PNI). -You can use BGP to peer with Cloudflare at any of the Public Internet Exchanges listed on [Cloudflare’s PeeringDB page](https://www.peeringdb.com/net/4224). If you have many users accessing websites protected and proxied by Cloudflare, then peering with Cloudflare may help you remove bandwidth from your Internet transit links, and increase performance by reducing latency to Cloudflare. +You can use BGP to peer with Cloudflare at any of the Public Internet Exchanges listed on [Cloudflare's PeeringDB page](https://www.peeringdb.com/net/4224). If you have many users accessing websites protected and proxied by Cloudflare, then peering with Cloudflare may help you remove bandwidth from your Internet transit links, and increase performance by reducing latency to Cloudflare. You may also optionally sign up for the [Cloudflare Peering Portal](https://www.cloudflare.com/partners/peering-portal/), which allows operators of public BGP Autonomous System Number (ASN) listed on PeeringDB to view where their network exchanges traffic with Cloudflare. Finally, if our networks exchange more than 1 Gbps of traffic in a single location, we can move your peering from the Internet Exchange to a Private Network Interconnect (PNI). diff --git a/src/content/partials/magic-transit/static-routes/static-routes1.mdx b/src/content/partials/magic-transit/static-routes/static-routes1.mdx index 37a0cac264c5153..85e59f3aece5fcb 100644 --- a/src/content/partials/magic-transit/static-routes/static-routes1.mdx +++ b/src/content/partials/magic-transit/static-routes/static-routes1.mdx 
@@ -8,7 +8,7 @@ params: import { GlossaryTooltip, Markdown } from "~/components"; -{props.productName} uses a static configuration to route your traffic through anycast tunnels from Cloudflare’s global network to your locations. +{props.productName} uses a static configuration to route your traffic through anycast tunnels from Cloudflare's global network to your locations. You must assign a route priority to each tunnel–subnet pair in your configuration, as follows: diff --git a/src/content/partials/magic-transit/traffic-steering.mdx b/src/content/partials/magic-transit/traffic-steering.mdx index f71c006f014cb32..c5c44f126ef4a07 100644 --- a/src/content/partials/magic-transit/traffic-steering.mdx +++ b/src/content/partials/magic-transit/traffic-steering.mdx @@ -51,7 +51,7 @@ Using ECMP has a number of consequences: As a result, ECMP provides load balancing across tunnels with the same prefix and priority. :::note[Note:] -Packets in the same flow use the same tunnel unless the tunnel priority changes. Packets for different flows can use different tunnels depending on which tunnel the flow’s 4-tuple – source and destination IP and source and destination port – hash to. +Packets in the same flow use the same tunnel unless the tunnel priority changes. Packets for different flows can use different tunnels depending on which tunnel the flow's 4-tuple – source and destination IP and source and destination port – hash to. ::: ### Examples diff --git a/src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx b/src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx index afeabbe3847b98b..02b2ed45cdfc981 100644 --- a/src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx +++ b/src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx 
@@ -24,8 +24,8 @@ import { Details, Markdown, Render, TabItem, Tabs } from "~/components"; 5. In **Name**, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over `i` in the dashboard for more information. 6. Give your tunnel a description in **Description**. You do not have character restrictions here. -7. In **Interface address**, enter the internal IP address for your tunnel along with the interface’s prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space. -8. In **Customer GRE endpoint**, enter your router’s public IP address. This value is not needed if you intend to use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare will provide it. +7. In **Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space. +8. In **Customer GRE endpoint**, enter your router's public IP address. This value is not needed if you intend to use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare will provide it. 9. In **Cloudflare GRE endpoint**, enter the anycast address you received from your account team. 10. Leave the default values for **TTL** and **MTU**. 11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. 
You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information. 
@@ -43,8 +43,8 @@ import { Details, Markdown, Render, TabItem, Tabs } from "~/components"; 5. In **Name**, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over `i` in the dashboard for more information. 6. Give your tunnel a description in **Description**. You do not have character restrictions here. -7. In **Interface address**, enter the internal IP address for your tunnel along with the interface’s prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space. -8. In **Customer endpoint**, enter your router’s public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`. +7. In **Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space. +8. In **Customer endpoint**, enter your router's public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`. 9. In **Cloudflare endpoint**, enter the anycast address you received from your account team. 10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks,, your tunnels will appear 100% down in your tunnel health dashboard even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to Tunnel health checks for more information. 11. 
_(Optional)_ If you keep **Tunnel health checks** enabled, choose the **Health check rate** for your tunnel. Available options are _Low_, _Medium_ and _High_. @@ -190,7 +190,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/ipsec_tunnels/{ } ``` -3. Use the above `psk` value to configure the IPsec tunnel on your equipment. You do not need to take further action to use the PSK on Cloudflare’s side, as this value is automatically set. +3. Use the above `psk` value to configure the IPsec tunnel on your equipment. You do not need to take further action to use the PSK on Cloudflare's side, as this value is automatically set. diff --git a/src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx b/src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx index 92596538f732f04..90e8907d808dc2f 100644 --- a/src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx +++ b/src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx @@ -6,6 +6,6 @@ params: import { GlossaryTooltip, Markdown } from "~/components"; -If you use {props.productName} and anycast IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare’s side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway. +If you use {props.productName} and anycast IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare's side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway. Refer to Anti-replay protection for more information on this topic, or [Add IPsec tunnels](#add-tunnels) below to learn how to enable this feature. 
diff --git a/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-mt-network-analytics.mdx b/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-mt-network-analytics.mdx index 1159fdd8332fdde..285bca1b1bf892f 100644 --- a/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-mt-network-analytics.mdx +++ b/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-mt-network-analytics.mdx @@ -5,6 +5,6 @@ ## Network Analytics -Cloudflare’s Network Analytics provides near real-time visibility into network and transport layer traffic patterns and DDoS attacks which can help troubleshoot IP traffic issues. You can also use Network Analytics to view information about the traffic that leaves Cloudflare’s global network by reviewing ingress and egress tunnel traffic over a specific amount of time. +Cloudflare's Network Analytics provides near real-time visibility into network and transport layer traffic patterns and DDoS attacks which can help troubleshoot IP traffic issues. You can also use Network Analytics to view information about the traffic that leaves Cloudflare's global network by reviewing ingress and egress tunnel traffic over a specific amount of time. For more information, refer to [Analytics](/magic-transit/analytics/). diff --git a/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx b/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx index d7d5068999b6270..a0ad5c498111d69 100644 --- a/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx +++ b/src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx 
@@ -210,8 +210,8 @@ The Child SA. Sometimes referred to as Phase 2 as per IKEv1 language. Additionally, the IKE ID type of `ID_IPV4_ADDR` is supported if the following two conditions are met: -1. The IPsec tunnel’s `customer_endpoint` value is set. -2. The combination of `cloudflare_endpoint` and `customer_endpoint` is unique among the customer’s IPsec tunnels. +1. The IPsec tunnel's `customer_endpoint` value is set. +2. The combination of `cloudflare_endpoint` and `customer_endpoint` is unique among the customer's IPsec tunnels. :::caution Make sure each IPsec tunnel has a unique combination of a Cloudflare endpoint and customer endpoint. If this combination is not unique among your IPsec tunnels, you should use one of the custom IKE formats (`ID_RFC822_ADDR`, `ID_FQDN`, or `ID_KEY_ID`) to specify the tunnel ID and account ID. This helps Cloudflare link the IKE packet to the right IPsec tunnel for tasks like authentication. diff --git a/src/content/partials/magic-wan/anti-replay-protection.mdx b/src/content/partials/magic-wan/anti-replay-protection.mdx index 3e412c8ed05a4aa..48dcde84c95cae0 100644 --- a/src/content/partials/magic-wan/anti-replay-protection.mdx +++ b/src/content/partials/magic-wan/anti-replay-protection.mdx 
@@ -6,7 +6,7 @@ params: import { GlossaryTooltip, Markdown } from "~/components"; -If you use {props.productName} and anycast IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare’s side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway. +If you use {props.productName} and anycast IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare's side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway. Refer to Add tunnels to learn how to set up replay protection. Review the information below to learn about replay attacks, why we recommend disabling IPsec anti-replay, and related considerations. 
@@ -16,9 +16,9 @@ Replay attacks occur when a malicious actor intercepts and records a packet, and ### Example -For example, consider a poorly designed IOT garage door opener. The device has a simple protocol for operation: A UDP packet contains the garage door password and either `open` or `shut` in its data segment. The data segment is then encrypted with the garage door’s key and sent from the owner’s phone to either open or close the garage door. +For example, consider a poorly designed IOT garage door opener. The device has a simple protocol for operation: A UDP packet contains the garage door password and either `open` or `shut` in its data segment. The data segment is then encrypted with the garage door's key and sent from the owner's phone to either open or close the garage door. -An attacker likely cannot open or close the garage door by guessing the encryption key and password. While the attacker cannot see the recorded packet’s encrypted content, if the garage is in their line-of-sight, they could potentially correlate and guess which packets are responsible for opening the garage door. When the attacker wants to open the door, they send the recorded `open` packet, and because the recorded packet would contain the password and already be encrypted with the right key, this door would open. +An attacker likely cannot open or close the garage door by guessing the encryption key and password. While the attacker cannot see the recorded packet's encrypted content, if the garage is in their line-of-sight, they could potentially correlate and guess which packets are responsible for opening the garage door. When the attacker wants to open the door, they send the recorded `open` packet, and because the recorded packet would contain the password and already be encrypted with the right key, this door would open. To prevent this replay attack, a user could add a packet number to each command sent to the garage door. 
The first could be `packet 1`, the second `packet 2` and so on, and the garage door would only accept packets containing the next number in the sequence each time. For example, after the garage door receives `packet 1`, it would only accept packet 2, and if an attacker tries to replay `packet 1`, the request is ignored. 
@@ -28,9 +28,9 @@ IPsec anti-replay protection works similarly to the prevention example in the sc ## {props.productName} and anti-replay protection -Cloudflare’s global anycast network consists of thousands of servers in hundreds of data centers around the world. Similar to Cloudflare’s anycast GRE tunnel implementation, Cloudflare’s IPsec implementation is also anycast, which enables users to enjoy all the benefits of Cloudflare’s anycast network architecture. These benefits include unparalleled performance and low latency, greatly simplified configuration and management, and native network resiliency with automatic failover. By default, any packet for {props.productName} may go through any one of these servers where it will be encrypted and encapsulated with IPsec and sent to our user’s router. +Cloudflare's global anycast network consists of thousands of servers in hundreds of data centers around the world. Similar to Cloudflare's anycast GRE tunnel implementation, Cloudflare's IPsec implementation is also anycast, which enables users to enjoy all the benefits of Cloudflare's anycast network architecture. These benefits include unparalleled performance and low latency, greatly simplified configuration and management, and native network resiliency with automatic failover. By default, any packet for {props.productName} may go through any one of these servers where it will be encrypted and encapsulated with IPsec and sent to our user's router. -IPsec anti-replay protection was not designed for such a distributed scenario — the protection scheme is designed for a single sender and single receiver. For a single sender, keeping track of the sequence number is trivial, and the sequence number is stored in memory and incremented for every packet sent. If replay protection is enabled for {props.productName} IPsec tunnels, packets for a single tunnel are routed to one server that keeps track of the sequence number. 
This means the replay protection mechanism will work correctly, but users lose the benefits of automatically distributing traffic across Cloudflare’s global servers. It also will only be actioned in one direction (Cloudflare to customer network) — packets from the customer network to Cloudflare will not be routed to a single server, and will not have replay protection applied. +IPsec anti-replay protection was not designed for such a distributed scenario — the protection scheme is designed for a single sender and single receiver. For a single sender, keeping track of the sequence number is trivial, and the sequence number is stored in memory and incremented for every packet sent. If replay protection is enabled for {props.productName} IPsec tunnels, packets for a single tunnel are routed to one server that keeps track of the sequence number. This means the replay protection mechanism will work correctly, but users lose the benefits of automatically distributing traffic across Cloudflare's global servers. It also will only be actioned in one direction (Cloudflare to customer network) — packets from the customer network to Cloudflare will not be routed to a single server, and will not have replay protection applied. ## ​​Additional considerations 
@@ -42,4 +42,4 @@ There are several reasons that make replay attacks difficult with tunnel mode: - Replay attacks are only viable when the same encryption keys are used. After rekeying, old replayed packets will result in dropped packets at the router. - Most protocols are not susceptible to replay at the packet level. The Internet can duplicate packets, which means TCP and many protocols built on UDP already include sequence numbers or similar to handle duplicate packets coming off the wire. For those, the replay traffic just looks like a duplicate packet and is handled by the end host correctly. - Anti-replay protection is available in a higher OSI layer. Many modern day applications use secure communication protocols such as SSL/TLS, SSH, or SFTP to transport application data. These secure communication protocols (at a higher OSI layer than network layer) natively support anti-replay protection. -- The attack surface is reduced which lowers the probability for packet interception. IPsec tunnels are site-to-site VPN tunnels between a user’s site router and Cloudflare’s global network, via dedicated ISP network connections, which are typically very secure. Additionally, the anycast nature of Cloudflare’s IPsec implementation terminates the IPsec tunnel to one of the more than 300 Cloudflare data centers closest to the customer’s edge router, which minimizes the physical distance and footprint the encrypted packets have to traverse. +- The attack surface is reduced which lowers the probability for packet interception. IPsec tunnels are site-to-site VPN tunnels between a user's site router and Cloudflare's global network, via dedicated ISP network connections, which are typically very secure. 
Additionally, the anycast nature of Cloudflare's IPsec implementation terminates the IPsec tunnel to one of the more than 300 Cloudflare data centers closest to the customer's edge router, which minimizes the physical distance and footprint the encrypted packets have to traverse.
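Review bot: In the `:::note` block of `magic-wan/zero-trust/warp.mdx`, the line being rewritten still opens with "After set up, **HTTP** and **Network logs** in Gateway will show..."; since this line is already touched, change "After set up" to "After setup" (noun form) so the apostrophe fix does not leave a known wording slip behind on the same line.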
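Review bot: Three lines in the `network-interconnect/index.mdx` hunk ("Connect your network infrastructure directly to Cloudflare", "Magic Transit is a network security and performance solution..." and "Improve security and performance for your entire corporate network...") appear as removed and re-added with no visible character difference. If the actual change is trailing whitespace, a non-printing character or MDX markup that the rendered diff does not show, say so in the PR description; a reviewer cannot otherwise tell what moved on those lines.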
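Review bot: The normalisation is inconsistent about which typographic characters it targets. The rewritten lines in `network-interconnect/index.mdx` ("– rather than using the public Internet –"), `partials/magic-transit/traffic-steering.mdx` ("– source and destination IP and source and destination port –") and `partials/magic-wan/anti-replay-protection.mdx` (two "—" em-dashes in the "IPsec anti-replay protection was not designed for such a distributed scenario" paragraph) keep en- and em-dashes while only the curly apostrophe is replaced, and the adjacent context line "tunnel–subnet pair" in `static-routes1.mdx` keeps an en-dash too. Either convert those in the same pass or state in the PR description that only apostrophes are in scope, so the next contributor does not reopen the question.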
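Review bot: In the second `add-tunnels.mdx` hunk (the IPsec tab, `@@ -43,8 +43,8 @@`), the unchanged context line for step 10 contains a double comma: "If you disable Tunnel health checks,, your tunnels will appear 100% down". The same sentence in the GRE tab just above has a single comma; since this file is being edited anyway, fix it here rather than leaving a known typo one line away from the change.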
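Review bot: Two small things on lines this `partials/magic-wan/anti-replay-protection.mdx` hunk touches or sits next to. First, the rewritten example line keeps "IOT garage door opener"; the conventional spelling is "IoT". Second, the trailing context heading `## ​​Additional considerations` appears to carry invisible zero-width characters between `##` and `Additional` (the rendered heading shows a gap that is not a normal space); those characters end up in the generated anchor id and break `#additional-considerations` links, so they are worth stripping in the same clean-up since the commit is already removing non-ASCII punctuation from this file.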