cloudflare · ranbel · Jan 17, 2025 · Jan 9, 2025 · Jan 9, 2025 · Jan 10, 2025
@@ -79,7 +79,7 @@
 /access/service-auth/mtls/ /cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/ 301
 /access/service-auth/service-token/ /cloudflare-one/identity/service-tokens/ 301
 /access/setting-up-access/ /cloudflare-one/identity/ 301
-/access/setting-up-access/access-groups/ /cloudflare-one/identity/users/groups/ 301
+/access/setting-up-access/access-groups/ /cloudflare-one/policies/access/groups/ 301
 /access/setting-up-access/audit-logs/ /cloudflare-one/insights/ 301
 /access/setting-up-access/configuring-access-policies/ /cloudflare-one/policies/access/policy-management/ 301
 /access/setting-up-access/validate-jwt-tokens/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301
@@ -1634,6 +1634,7 @@
 /cloudflare-one/api-terraform/gateway-api-examples/dns-policy/ /cloudflare-one/policies/gateway/dns-policies/common-policies/ 301
 /cloudflare-one/api-terraform/gateway-api-examples/network-policy/ /cloudflare-one/policies/gateway/network-policies/common-policies/ 301
 /cloudflare-one/api-terraform/gateway-api-examples/http-policy/ /cloudflare-one/policies/gateway/http-policies/common-policies/ 301
+/cloudflare-one/applications/configure-apps/self-hosted-apps/ /cloudflare-one/applications/configure-apps/self-hosted-public-app/ 301
 /cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
 /cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301
 /cloudflare-one/connections/connect-apps/install-and-setup/setup/ /cloudflare-one/connections/connect-networks/get-started/ 301
@@ -1726,6 +1727,7 @@
 /cloudflare-one/insights/logs/logpush/rdata/ /cloudflare-one/insights/logs/logpush/#parse-logpush-logs 301
 /cloudflare-one/applications/custom-pages/ /cloudflare-one/applications/ 301
 /cloudflare-one/identity/service-auth/service-tokens/ /cloudflare-one/identity/service-tokens/ 301
+/cloudflare-one/identity/users/groups/ /cloudflare-one/policies/access/groups/ 301
 /cloudflare-one/identity/users/short-lived-certificates/ /cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ 301
 /cloudflare-one/identity/users/validating-json/ /cloudflare-one/identity/authorization-cookie/validating-json/ 301
 /cloudflare-one/policies/gateway/configuring-block-page/ /cloudflare-one/policies/gateway/block-page/ 301
@@ -1764,9 +1766,9 @@
 /cloudflare-one/tutorials/block-tld/ /cloudflare-one/policies/gateway/dns-policies/common-policies/#block-sites-by-top-level-domain 301
 /cloudflare-one/tutorials/block-uploads/ /cloudflare-one/policies/gateway/http-policies/common-policies/#block-google-drive-uploads 301
 /cloudflare-one/tutorials/corp-device-tag/ /cloudflare-one/identity/devices/ 301
-/cloudflare-one/tutorials/country-rules/ /cloudflare-one/identity/users/groups/ 301
+/cloudflare-one/tutorials/country-rules/ /cloudflare-one/policies/access/groups/ 301
 /cloudflare-one/tutorials/credentials-only/ /cloudflare-one/connections/connect-networks/get-started/ 301
-/cloudflare-one/tutorials/default-groups/ /cloudflare-one/identity/users/groups/ 301
+/cloudflare-one/tutorials/default-groups/ /cloudflare-one/policies/access/groups/ 301
 /cloudflare-one/tutorials/do-not-decrypt/ /cloudflare-one/policies/gateway/http-policies/common-policies/#skip-inspection-for-groups-of-applications 301
 /cloudflare-one/tutorials/gateway-list/ /cloudflare-one/policies/gateway/lists/ 301
 /cloudflare-one/tutorials/identity-dns/ /cloudflare-one/policies/gateway/dns-policies/common-policies/#restrict-access-to-specific-groups 301

@@ -23,8 +23,7 @@ Cloudflare Access provides visibility and control over who has access to your [c
 2. Go to **Access** > **Applications**.
 3. Select **Add an application** and, for type of application, select **Self-hosted**.
 4. Enter a name for your Access application and, in **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire.
-5. In the **Domain** field, insert the custom hostname (for example, `mycustomhostname.com`) and press enter. The custom hostname will not appear in the dropdown and must be manually entered.
-    :::caution[Domain field validation]
-    Since the custom hostname zone must be managed externally to Cloudflare or in a separate Cloudflare account, it is expected that you find a validation warning `Zone is not associated with the current account`. You can proceed with the configuration despite this message.
-    :::
-6. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-apps/) to publish the application.
+5. Select **Add public hostname**.
+6. For **Input method**, select _Custom_.
+7. In **Hostname**, enter your custom hostname (for example, `mycustomhostname.com`).
+8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
@@ -1,13 +1,13 @@
 ---
 type: example
-summary: Use a pre-existing Access group.
+summary: Use a pre-existing rule group.
 tags:
-  - Access group
-title: Access group
+  - Rule group
+title: Rule group
 pcx_content_type: example
 sidebar:
   order: 4
-description: Use a pre-existing Access group.
+description: Use a pre-existing rule group.
 
 ---
 

@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: Cloudflare dashboard SSO application
 sidebar:
-  order: 3
+  order: 4
 
 ---
 
@@ -40,7 +40,7 @@ Once your SSO domain is approved, a new **SSO App** application will appear unde
 
 :::note
 
-We recommend noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later. 
+We recommend noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later.
 :::
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.

@@ -6,16 +6,16 @@ sidebar:
 
 ---
 
-Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. Users can only log in to the application if they meet the criteria you want to introduce.
+Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/policies/access/#selectors) to control who can log in to the application.
 
 ![Cloudflare Access verifies a user's identity before granting access to your application.](~/assets/images/cloudflare-one/applications/diagram-saas.jpg)
 
-You can protect two types of web applications: SaaS and self-hosted.
+You can protect the following types of web applications:
 
-* [**SaaS applications**](/cloudflare-one/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
+- [**SaaS applications**](/cloudflare-one/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
 
-* [**Self-hosted applications**](/cloudflare-one/applications/configure-apps/self-hosted-apps/) consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. To secure self-hosted applications, you must use Cloudflare's DNS ([full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/)) and [connect the application](/cloudflare-one/connections/connect-networks/) to Cloudflare.
+- **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.
+	- [**Public hostname applications**](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
+	- [**Private network applications**](/cloudflare-one/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/).
 
-* [**Cloudflare Dashboard SSO**](/cloudflare-one/applications/configure-apps/dash-sso-apps/) are a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.
-
-* [**Private network applications**](/cloudflare-one/connections/connect-networks/private-net/) are self-hosted applications that do not have public DNS records, meaning they are not reachable from the public Internet. To allow remote users to access these applications, you must [connect the private network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) to Cloudflare.
+- [**Cloudflare Dashboard SSO**](/cloudflare-one/applications/configure-apps/dash-sso-apps/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.
@@ -0,0 +1,48 @@
+---
+pcx_content_type: how-to
+title: Publish a self-hosted application to the Internet
+sidebar:
+  order: 2
+  label: Self-hosted public application
+---
+
+import { Render } from "~/components"
+
+You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server.
+
+## Prerequisites
+
+- An [active domain on Cloudflare](/fundamentals/setup/manage-domains/add-site/)
+- Domain uses either a [full setup](/dns/zone-setups/full-setup/) or a [partial (`CNAME`) setup](/dns/zone-setups/partial-setup/)
+
+## 1. Add your application to Access
+
+<Render file="access/self-hosted-app" />
+
+## 2. Connect your origin to Cloudflare
+
+[Set up a Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) to publish your internal application. Only users who match your Access policies will be granted access.
+
+:::note
+We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, public hostname routes in Tunnel are available to anyone on the Internet.
+:::
+
+If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using [other methods](/fundamentals/basic-tasks/protect-your-origin-server/).
+
+## 3. Validate the Access token
+
+<Render file="access/secure-tunnel-with-access" />
+
+Users can now connect to your self-hosted application after authenticating with Cloudflare Access.
+
+## Product compatibility
+
+When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.
+
+However, the following products are not supported:
+
+* [Automatic Signed Exchanges](/speed/optimization/other/signed-exchanges/)
+* [Automatic Platform Optimization](/automatic-platform-optimization)
+* [Zaraz](/zaraz)
+
+You can disable Automatic Signed Exchanges and Zaraz for a specific application - instead of across your entire zone - using a [Configuration Rule](/rules/configuration-rules/) scoped to the application domain.
@@ -14,9 +14,9 @@ Non-HTTP applications require [connecting your private network](/cloudflare-one/
 
 ## WARP client
 
-Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access the application unless you build policies to allow or block specific users.
+Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route unless they are protected by an Access policy or Gateway firewall rule. To secure the application, you can [create a self-hosted application](/cloudflare-one/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/policies/access/) that allow or block specific users.
 
-If you would like to define how users access specific infrastructure servers within your network, create an infrastructure application in [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/). Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
+If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
 - Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server.
 - Eliminate SSH keys by using short-lived certificates to authenticate users.
 
@@ -42,4 +42,4 @@ To connect to an application over a specific protocol, refer to these tutorials:
 
 * [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/)
 * [SMB](/cloudflare-one/connections/connect-networks/use-cases/smb/)
-* [RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/)
+* [RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/)
@@ -0,0 +1,53 @@
+---
+pcx_content_type: how-to
+title: Private network applications (legacy)
+sidebar:
+  order: 4
+  label: Private network applications (legacy)
+---
+
+:::note
+Not recommended for new deployments. We recommend using a [self-hosted application](/cloudflare-one/applications/non-http/self-hosted-private-app/) to secure a private IP address.
+:::
+
+You can configure a **Private Network** application to manage access to specific applications on your private network.
+
+To create a private network application:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications** > **Add an application**.
+
+2. Select **Private Network**.
+
+3. Name your application.
+
+4. For **Application type**, select _Destination IP_.
+
+5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`).
+   :::note
+   If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/policies/gateway/network-policies/) using the **Destination IP** selector.
+   :::
+
+6. Configure your [App Launcher](/cloudflare-one/applications/app-launcher/) visibility and logo.
+
+7. Select **Next**. You will see two auto-generated Gateway Network policies: one that allows access to the destination IP and another that blocks access.
+
+8. Modify the policies to include additional identity-based conditions. For example:
+
+   - **Policy 1**
+
+     | Selector       | Operator      | Value            | Logic | Action |
+     | -------------- | ------------- | ---------------- | ----- | ------ |
+     | Destination IP | in            | `10.128.0.7`     | And   | Allow  |
+     | User Email     | matches regex | `.*@example.com` |       |        |
+
+   - **Policy 2**
+
+     | Selector       | Operator | Value        | Action |
+     | -------------- | -------- | ------------ | ------ |
+     | Destination IP | in       | `10.128.0.7` | Block  |
+
+   Policies are evaluated in [numerical order](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/policies/gateway/network-policies/).
+
+9. Select **Add application**.
+
+Your application will appear on the **Applications** page.