From 7c996560d26f2ae995822fd59e9a6d4619b06cd5 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Mon, 7 Apr 2025 17:14:58 +0100 Subject: [PATCH 1/2] [CF1] amazon vpc details --- .../connect-networks/deployment-guides/aws.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx index e1efa8d1c1ca096..d6b87177e943018 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx 
@@ -127,6 +127,16 @@ EOF You can optionally [create Gateway network policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the instance via its private IP. +:::caution + +Avoid configuring your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/policies/gateway/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver. + +Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution. This can break AWS Console features for users on WARP. + +Only route specific Route 53 zones, or VPC Endpoints (such as `vpce.amazonaws.com`), through the internal VPC resolver. + +::: + ## Firewall configuration To secure your AWS instance, you can configure your [Security Group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules. From a49063a1b6dbbc93dcd88bd86cd9cccb5d066cb9 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Thu, 10 Apr 2025 11:56:11 +0100 Subject: [PATCH 2/2] final edit --- .../configure-warp/route-traffic/local-domains.mdx | 4 ++++ .../connect-networks/deployment-guides/aws.mdx | 6 +----- src/content/partials/cloudflare-one/aws-resolver.mdx | 10 ++++++++++ 3 files changed, 15 insertions(+), 5 deletions(-) create mode 100644 src/content/partials/cloudflare-one/aws-resolver.mdx 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx index 7c16b0be58e345c..e9b2d399f35c408 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx @@ -17,6 +17,10 @@ Local Domain Fallback only applies to devices running the WARP client. Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first. +### AWS + + + ## Manage local domains ### View domains diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx index d6b87177e943018..0d3ee64de4a84e4 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx 
@@ -129,11 +129,7 @@ You can optionally [create Gateway network policies](/cloudflare-one/connections :::caution -Avoid configuring your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/policies/gateway/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver. - -Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution. This can break AWS Console features for users on WARP. - -Only route specific Route 53 zones, or VPC Endpoints (such as `vpce.amazonaws.com`), through the internal VPC resolver. + ::: diff --git a/src/content/partials/cloudflare-one/aws-resolver.mdx b/src/content/partials/cloudflare-one/aws-resolver.mdx new file mode 100644 index 000000000000000..0b236a221675eef --- /dev/null +++ b/src/content/partials/cloudflare-one/aws-resolver.mdx @@ -0,0 +1,10 @@ +--- +{} + +--- + +Avoid configuring your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/policies/gateway/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver. + +Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution. This can break AWS Console features for users on WARP. + +Only route specific Route 53 zones, or VPC Endpoints (such as `vpce.amazonaws.com`), through the internal VPC resolver. \ No newline at end of file
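Review bot: The caution block added to aws.mdx in [PATCH 1/2] is moved verbatim into the new `aws-resolver.mdx` partial by [PATCH 2/2], so the two commits should be squashed before merge; the wording then only needs reviewing once, on the partial, rather than here and again in the partial.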
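Review bot: In the local-domains.mdx hunk the new `### AWS` heading has only blank lines under it before `## Manage local domains`, so as shown the section renders empty. If the intent is to pull in the new `aws-resolver.mdx` partial, the include is missing from this hunk (and the file will need the matching component import if it does not already have one); otherwise drop the heading.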
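Review bot: In the aws.mdx hunk of [PATCH 2/2] the three paragraphs are removed but the `:::caution` / `:::` wrapper stays, leaving a callout that contains only a blank line. Same fix as local-domains.mdx: the include of the partial belongs between `:::caution` and `:::`, or the callout should go too.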
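Review bot: Two wording points on the new `aws-resolver.mdx` partial. "Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution" states a failure without its cause, so a reader cannot tell which `*.amazonaws.com` names are affected; either state the condition under which the lookup fails for WARP users or soften it to "may not resolve as expected". Second, `vpce.amazonaws.com` reads as a DNS suffix rather than a hostname (interface endpoint names take the form `vpce-<id>-<hash>.<service>.<region>.vpce.amazonaws.com`), so the example should be written as a wildcard such as `*.vpce.amazonaws.com` or as a full endpoint name, matching how Local Domain Fallback and resolver policy entries are actually configured. Also add the missing trailing newline flagged by `\ No newline at end of file`.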