diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
index bc2bc1574d2c08..e1efa8d1c1ca09 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
@@ -9,6 +9,7 @@ head:
---
import { Render } from "~/components";
+import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx";
This guide covers how to connect an Amazon Web Services (AWS) virtual machine to Cloudflare using our lightweight connector, `cloudflared`.
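Review bot: The added import directly under `import { Render } from "~/components";` pulls `SubtractIPCalculator` by file path with an explicit `.tsx` extension, while `Render` (and `Markdown` in the partial) come from the `~/components` barrel as named imports. The same path import is repeated in the GCP guide and in `warp-to-tunnel-route-ips.mdx`; exporting the component from `~/components` would give all three files one import style and a single place to update if the file moves.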
@@ -98,7 +99,20 @@ EOF
[Private network routes](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) allow users to connect to your virtual private cloud (VPC) using the WARP client. To add a private network route for your Cloudflare Tunnel:
1. In the **Private Network** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
-2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance -- you can use [this calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/) to determine which IP addresses to re-add.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.
+
+ To determine which IP addresses to re-add, subtract your AWS instance IPs from `172.16.0.0/12`:
+
+
+
+ Add the results back to your Split Tunnel Exclude mode list.
+
3. To test on a user device:
1. [Log in to the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/).
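Review bot: The new paragraph under step 2 tells the reader to subtract "your AWS instance IPs" from `172.16.0.0/12` but does not say which value goes in which calculator field or in what form, and step 1 only gives a bare address (`172.31.19.0`) with no prefix length. The partial changed in this same patch names the fields (**Base CIDR**, **Excluded CIDRs**); reuse that sentence here and state whether the instance address should be entered as a `/32` or as the VPC CIDR. Entering a wider range than step 1 routes leaves more private space going through WARP than the tunnel actually serves.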
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
index ecffc674316182..cc0742d11a8b9e 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
@@ -6,6 +6,7 @@ sidebar:
---
import { Render } from "~/components";
+import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx";
This guide covers how to connect a Google Cloud Project (GCP) virtual machine to Cloudflare using our lightweight connector, `cloudflared`.
@@ -77,7 +78,19 @@ To complete the following procedure, you will need to:
To configure a private network route for your Cloudflare Tunnel:
1. In the **Private Network** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary.
-2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM -- you can use [this calculator](https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/) to determine which IP addresses to re-add.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.
+
+ To determine which IP addresses to re-add, subtract your GCP instance IPs from `10.0.0.0/8`:
+
+
+
+ Add the results back to your Split Tunnel Exclude mode list.
3. To test on a user device:
1. [Log in to the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/).
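Review bot: The added block in step 2 ends at "Add the results back to your Split Tunnel Exclude mode list." with no blank line before `3. To test on a user device:`, whereas the AWS hunk closes the same block with a blank `+` line (the hunk headers agree: `+99,20` there, `+78,19` here). Add the blank line so both guides format the list the same way. The step also switches from "your GCP VM" to "your GCP instance IPs" within two sentences, and step 1 says "GCP VM instance"; pick one term.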
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx
index 1baa9e46953b50..267d3dbeeebdcc 100644
--- a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx
@@ -3,14 +3,28 @@ params:
- one
---
-import { Markdown } from "~/components"
+import { Markdown } from "~/components";
+import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx";
By default, WARP excludes traffic bound for [RFC 1918 space](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your , you must configure [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) so that the IP/CIDR of your routes through WARP.
1. First, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
2. If you are using **Include** mode, add your 's IP/CIDR range to the list. Your list should also include the [domains necessary for Cloudflare Zero Trust functionality](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
3. If you are using **Exclude** mode:
- 1. Delete your 's IP/CIDR range from the list. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
- 2. Re-add IP/CIDR ranges that are not explicitly used by your . For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.
+
+ a. Delete your 's IP/CIDR range from the list. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
+
+ b. Re-add IP/CIDR ranges that are not explicitly used by your . For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.
+
+ You can use the following calculator to determine which IP addresses to re-add:
+
+
+ In **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels. In **Excluded CIDRs**, enter the IP/CIDR range used by your . Re-add the calculator results to your Split Tunnel Exclude mode list.
By tightening the private IP range included in WARP, you reduce the risk of breaking a user's [access to local resources](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-users-to-enable-local-network-exclusion).
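Review bot: The Exclude-mode sub-steps change from `1.` / `2.` to `a.` / `b.`, which Markdown does not parse as ordered-list markers, so they will render as plain paragraphs that begin with a literal "a." and "b." rather than as a nested list. Keep the numeric markers and indent the calculator and its instructions under the second sub-step instead. It would also help to state that the worked AWS example (`172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, `172.30.0.0/16`) is what the calculator returns for Base CIDR `172.16.0.0/12` and Excluded CIDR `172.31.0.0/16`, so readers can check their input against a known result.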