From 6cc20bf0830a40be18e080a4a4e60848eba5aec1 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 24 Mar 2025 14:32:31 -0500 Subject: [PATCH 1/2] Re-add section --- .../gateway/http-policies/tls-decryption.mdx | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 99487e5af329065..74b1f3f25b6d5e2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx 
@@ -17,7 +17,7 @@ Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/l When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/). -Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). +Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/), including [FedRAMP compliant data centers](#fedramp-compliance). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3. 
@@ -115,6 +115,29 @@ When FIPS compliance is enabled, Gateway will only choose [FIPS-compliant cipher FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/policies/gateway/http-policies/http3/). To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/policies/gateway/http-policies/http3/#enable-http3-inspection). +## FedRAMP compliance + +When using [Cloudflare Regional Services](/data-localization/regional-services/) with the WARP client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic. + +```mermaid +flowchart LR + subgraph s1["Non-FedRAMP data center"] + n2["WARP TLS encryption terminated"] + end + subgraph s2["FedRAMP data center"] + n3["Gateway TLS encryption (FIPS) terminated"] + end + subgraph s3["Private internal network"] + n5["FedRAMP-compliant cloudflared"] + n6(["Private server"]) + end + n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS --> n2 + n2 --> n3 + n3 --> n4(["HTTPS server"]) & n5 + n5 --> n6 + n5@{ shape: rect} +``` + ## Cipher suites From c2e5bdc2203bb85763975a52dbb51e40abe786e6 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 24 Mar 2025 14:58:16 -0500 Subject: [PATCH 2/2] Add flowchart --- .../gateway/http-policies/tls-decryption.mdx | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 74b1f3f25b6d5e2..b0b023ef999ef77 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -17,7 +17,7 @@ Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/l When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/). -Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/), including [FedRAMP compliant data centers](#fedramp-compliance). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). +Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3. 
@@ -117,10 +117,15 @@ FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/policies/gateway/htt ## FedRAMP compliance -When using [Cloudflare Regional Services](/data-localization/regional-services/) with the WARP client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic. +When you use [Cloudflare Regional Services](/data-localization/regional-services/) in the United States and the WARP client to on-ramp TLS traffic to Gateway, traffic will egress from a Cloudflare data center within Cloudflare's FedRAMP boundary. If a user's closest data center is non-FedRAMP compliant, their traffic will still egress from a FedRAMP compliant data center, maintaining FedRAMP compliance for the traffic. ```mermaid flowchart LR + %% Accessibility + accTitle: How Gateway routes FedRAMP compliant traffic with Regional Services + accDescr: Flowchart describing how WARP with Gateway routes traffic to egress from a FedRAMP compliant data center when used with Regional Services in the United States. + + %% Flowchart subgraph s1["Non-FedRAMP data center"] n2["WARP TLS encryption terminated"] end @@ -128,13 +133,14 @@ flowchart LR n3["Gateway TLS encryption (FIPS) terminated"] end subgraph s3["Private internal network"] - n5["FedRAMP-compliant cloudflared"] + n5["FedRAMP compliant cloudflared"] n6(["Private server"]) end - n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS --> n2 - n2 --> n3 - n3 --> n4(["HTTPS server"]) & n5 + n1(["User near non-FedRAMP compliant data center"]) -- Gateway TLS connection wrapped with WARP TLS (MASQUE) --> n2 + n2 -- Gateway TLS connection --> n3 + n3 <-- FIPS tunnel --> n5 n5 --> n6 + n5@{ shape: rect} ```
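Review bot: In PATCH 1/2, hunk `@@ -115,6 +115,29 @@` (the new `## FedRAMP compliance` section), the paragraph states that traffic "will still egress from a FedRAMP compliant data center" but never says what happens to the traffic at the non-FedRAMP data center the user connects to, which is the point the compliance claim rests on. The flowchart carries the answer (`n2["WARP TLS encryption terminated"]` in `s1["Non-FedRAMP data center"]`, `n3["Gateway TLS encryption (FIPS) terminated"]` in `s2["FedRAMP data center"]`), so spell it out in the prose as well, for example: "The outer WARP tunnel terminates at the user's nearest data center, but the Gateway TLS session inside it is only decrypted and inspected within the FedRAMP boundary." Readers who cannot see the diagram (or screen-reader users, before the accessibility labels were added in PATCH 2/2) otherwise have no way to verify that decryption happens only inside the boundary.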
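Review bot: In PATCH 2/2, hunk `@@ -17,7 +17,7 @@`, dropping `including [FedRAMP compliant data centers](#fedramp-compliance)` leaves the page with no link from the intro to the new `## FedRAMP compliance` section, and the commit message ("Add flowchart") does not explain why the cross-reference added in PATCH 1/2 is being reverted. If the link is being removed because the section now applies only to Regional Services in the United States, consider keeping a narrower pointer (for example after the Regional Services sentence) rather than none, or state the reason for the removal in the commit message.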
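Review bot: In PATCH 2/2, hunk `@@ -128,13 +133,14 @@`, replacing `n3 --> n4(["HTTPS server"]) & n5` with `n3 <-- FIPS tunnel --> n5` removes the public `HTTPS server` destination from the diagram, so the chart now only illustrates the private-network path even though the surrounding prose is about egress in general; keep an `n3 --> n4(["HTTPS server"])` edge alongside the tunnel edge unless the section is meant to cover private traffic only. Two smaller points in the same hunk: `+ n5@{ shape: rect}` is redundant, because `n5["FedRAMP compliant cloudflared"]` already renders as a rectangle, and the `@{ shape: ... }` syntax requires Mermaid 11.3 or later, so confirm the docs site's Mermaid version supports it or drop the line; and the edge label `Gateway TLS connection wrapped with WARP TLS (MASQUE)` introduces MASQUE without the prose mentioning it, so either explain it in the text or leave it out of the label.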