cloudflare · ranbel · Feb 13, 2025 · Feb 12, 2025 · Feb 13, 2025 · Feb 13, 2025
@@ -122,3 +122,17 @@ The following [Access policy selectors](/cloudflare-one/policies/access/#selecto
 - Authentication method
 - Device posture
 - Entra group, GitHub organization, Google Workspace group, Okta group
+
+## Modify order of precedence in Gateway
+
+By default, Cloudflare will evaluate Access infrastructure application policies after evaluating all Gateway network policies. To evaluate Access infrastructure applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
+
+| Selector               | Operator | Value | Action |
+| ---------------------- | -------- | ----- | ------ |
+| All Access App Targets | is       | on    | Allow  |
+
+You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
+
+:::note
+Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.
+:::
@@ -6,7 +6,7 @@ sidebar:
   label: Add a self-hosted private application
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 You can configure a self-hosted Access application to manage access to specific IPs or hostnames on your private network.
 
@@ -75,12 +75,11 @@ Users can now connect to your private application after authenticating with Clou
 
 By default, Cloudflare will evaluate a private application's Access policies after evaluating all Gateway network policies. To evaluate Access private applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
 
+| Selector                            | Operator | Value | Action |
+| ----------------------------------- | -------- | ----- | ------ |
+| All Access App Private Destinations | is       | on    | Allow  |
 
-| Selector | Operator | Value        | Action |
-| -------- | -------- | ------------ | ------ |
-| All Access Private Apps | is       | `Enabled` | Allow  |
-
-You can now drag and drop this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
+You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
 
 :::note
 Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.

@@ -397,14 +397,20 @@ Policies created using the URL selector are case-sensitive.
 
 Gateway matches HTTP traffic against the following selectors, or criteria:
 
+### All Access Private App Destinations
+
+<Render file="gateway/selectors/all-access-private-app-destinations" />
+
+### All Access App Targets
+
+<Render file="gateway/selectors/all-access-app-targets" />
+
 ### Application
 
 <Render file="gateway/selectors/application" params={{ one: "HTTP" }} />
 
 :::caution[Multiple API selectors required for Terraform]
-
 When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`.
-
 :::
 
 ### Content Categories

@@ -39,6 +39,7 @@ API value: `allow`
 **Traffic**
 
 - [All Access Private Apps](#all-access-private-apps)
+- [All Access App Targets](#all-access-app-targets)
 - [Application](#application)
 - [Content Categories](#content-categories)
 - [Destination Continent IP Geolocation](#destination-continent)
@@ -231,11 +232,11 @@ Gateway matches network traffic against the following selectors, or criteria.
 
 ### All Access Private App Destinations
 
-All destination IPs and hostnames associated with an [Access self-hosted private application](/cloudflare-one/applications/non-http/self-hosted-private-app/#modify-order-of-precedence-in-gateway).
+<Render file="gateway/selectors/all-access-private-app-destinations" />
 
-| UI name     | API example                |
-| ----------- | -------------------------- |
-| All Access Private App Destinations | `access.private_app` |
+### All Access App Targets
+
+<Render file="gateway/selectors/all-access-app-targets" />
 
 ### Application
 

@@ -0,0 +1,9 @@
+---
+{}
+---
+
+All targets secured by an [Access infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/#modify-order-of-precedence-in-gateway).
+
+| UI name                | API example     |
+| ---------------------- | --------------- |
+| All Access App Targets | `access.target` |
@@ -0,0 +1,9 @@
+---
+{}
+---
+
+All destination IPs and hostnames secured by an [Access self-hosted private application](/cloudflare-one/applications/non-http/self-hosted-private-app/#modify-order-of-precedence-in-gateway).
+
+| UI name                             | API example          |
+| ----------------------------------- | -------------------- |
+| All Access Private App Destinations | `access.private_app` |