Merged
Expand Up @@ -17,6 +17,10 @@ Local Domain Fallback only applies to devices running the WARP client.

Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first.

### AWS

<Render file="aws-resolver" product="cloudflare-one" />

## Manage local domains

### View domains
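Review bot: The new `### AWS` heading presents the `aws-resolver` partial as an ordinary subsection of the Local Domain Fallback page, while the same partial is wrapped in `:::caution` in the cloudflared AWS tutorial hunk of this change; use the same `:::caution` wrapper here (or a more specific heading such as `### AWS Route 53`) so the text reads as a warning rather than as general AWS guidance, especially since the paragraph just above states that client-side Local Domain Fallback rules are applied before resolver policies, which is exactly the situation the partial cautions about.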
Expand Up @@ -127,6 +127,12 @@ EOF

You can optionally [create Gateway network policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the instance via its private IP.

:::caution

<Render file="aws-resolver" product="cloudflare-one" />

:::

## Firewall configuration

To secure your AWS instance, you can configure your [Security Group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules.
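Review bot: The `:::caution` block lands between the Gateway network policies sentence and `## Firewall configuration` with no lead-in, so a reader following the private-IP access steps has no cue why a DNS resolution warning appears at this point; add a one-line introduction (for example, that users who also configure Local Domain Fallback or resolver policies for this instance should read the following note) or place the partial under a DNS-related subheading, and confirm the `file="aws-resolver"` reference matches the `src/content/partials/cloudflare-one/aws-resolver.mdx` partial added in this PR.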
10 changes: 10 additions & 0 deletions src/content/partials/cloudflare-one/aws-resolver.mdx
@@ -0,0 +1,10 @@
---
{}

---

Avoid configuring your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/policies/gateway/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver.

Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution. This can break AWS Console features for users on WARP.

Only route specific Route 53 zones, or VPC Endpoints (such as `vpce.amazonaws.com`), through the internal VPC resolver.
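Review bot: The closing sentence's example `vpce.amazonaws.com` is written as a bare domain while the thing to avoid is given in wildcard form (`*.amazonaws.com`), so it is unclear whether readers should add a suffix match (`*.vpce.amazonaws.com`) or a specific endpoint hostname; state the intended form explicitly, since a too-broad entry recreates the problem the first sentence warns about. Also, `Resolver Policy` should be lowercased to `resolver policy` to match `resolver policies` as used in the Local Domain Fallback page that renders this partial, and the `ssm.us-east-1.amazonaws.com` sentence would be clearer if it named the consequence directly (queries sent to the VPC resolver return no answer, so the AWS Console feature that depends on that endpoint fails for WARP users).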