diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx index 7060160b33bf7ab..2c321a571eef3a1 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx @@ -43,13 +43,16 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti -## 3. Configure the server +## 3. (Recommended) Modify order of precedence in Gateway + + +## 4. Configure the server Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial: - [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#6-configure-ssh-server) -## 4. Connect as a user +## 5. Connect as a user Users connect to the target's IP address using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname. 
@@ -117,17 +120,3 @@ The following [Access policy selectors](/cloudflare-one/policies/access/#selecto - Authentication method - Device posture - Entra group, GitHub organization, Google Workspace group, Okta group - -## Modify order of precedence in Gateway - -By default, Cloudflare will evaluate Access infrastructure application policies after evaluating all Gateway network policies. To evaluate Access infrastructure applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/): - -| Selector | Operator | Value | Action | -| ---------------------------- | -------- | --------- | ------ | -| Access Infrastructure Target | is | _Present_ | Allow | - -You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence). - -:::note -Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes. -::: diff --git a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx index 5adfd3d2e62d867..9f2b354a1a0dd49 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx 
@@ -76,15 +76,4 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece ## Modify order of precedence in Gateway - -By default, Cloudflare will evaluate a private application's Access policies after evaluating all Gateway network policies. To evaluate Access private applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/): - -| Selector | Operator | Value | Action | -| ------------------ | -------- | --------- | ------ | -| Access Private App | is | _Present_ | Allow | - -You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence). - -:::note -Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes. -::: + diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx index 17671f598dc2cad..c4d336d1dfb04c0 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx @@ -97,7 +97,10 @@ If you do not already have a DNS record, [create a new DNS record](/dns/manage-d - **IPv6 address**: `100::` - **Proxy status**: On -## 5. Connect as a user +## 5. (Recommended) Modify order of precedence in Gateway + + +## 6. Connect as a user To connect to a Windows machine over RDP: diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx index 8866148dac251bd..565f821220f2746 100644 
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx @@ -41,7 +41,10 @@ To connect your devices to Cloudflare: -## 6. Configure SSH server +## 6. (Recommended) Modify order of precedence in Gateway + + +## 7. Configure SSH server Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys. @@ -74,7 +77,7 @@ chmod 600 /etc/ssh/ca.pub -## 7. Connect as a user +## 8. Connect as a user Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is [connected to that virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal: diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx index 8281dece8096e08..1ed1bd99e0bccba 100644 --- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx +++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx @@ -135,7 +135,3 @@ The following example requires Cloudflare provider version `>=4.45.0`. The targets in this application are now secured by your infrastructure policies. - -:::note -Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets. -::: 
diff --git a/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx b/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx new file mode 100644 index 000000000000000..3925454a68c5b58 --- /dev/null +++ b/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx @@ -0,0 +1,18 @@ +--- +params: + - selector + +--- + +By default, Cloudflare will evaluate Access application policies after evaluating all Gateway network policies. To evaluate Access applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/): + +| Selector | Operator | Value | Action | +| ---------------------------- | -------- | --------- | ------ | +| {props.selector} | is | _Present_ | Allow | + +You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence). + +:::note +Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes. +::: +
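Review bot: In the infrastructure-apps.mdx hunk at `@@ -43,13 +43,16 @@`, the unchanged context line `- [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#6-configure-ssh-server)` now points at a heading this same patch renumbers: ssh-infrastructure-access.mdx changes `## 6. Configure SSH server` to `## 7. Configure SSH server`, so the anchor becomes `#7-configure-ssh-server` and the link breaks. Update the fragment in the same commit. Separately, the new `## 3. (Recommended) Modify order of precedence in Gateway` heading is followed only by two blank lines in this diff; the section needs to include the new `modify-gateway-policy-precedence` partial with `selector` set to `Access Infrastructure Target` (the value the removed table in this file used), otherwise the page ships an empty step. The same empty-heading pattern appears in the rdp-browser.mdx and ssh-infrastructure-access.mdx hunks.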
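Review bot: In the self-hosted-private-app.mdx hunk, the retained `## Modify order of precedence in Gateway` heading is neither numbered nor marked `(Recommended)`, unlike the equivalent headings this patch introduces in the other three pages; pick one form and use it everywhere. The section body is reduced to a single blank `+` line, so the include of the partial with `selector` set to `Access Private App` (the value from the removed table) must be present for the page to keep its content.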
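Review bot: In the rdp-browser.mdx hunk at `@@ -97,7 +97,10 @@`, the new step 5 does not show which `selector` value the page passes to the partial. The two values used elsewhere in this patch are `Access Infrastructure Target` and `Access Private App`; state which one applies to browser-rendered RDP in the include, because the Allow rule only matches traffic for the application type its selector names, and a wrong choice leaves the default ordering in place while the page tells the reader it has changed.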
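Review bot: In the add-infrastructure-app.mdx hunk, the removed note carried the one concrete consequence readers need: a Gateway Block on port `22` stops SSH to every target regardless of the infrastructure policy. The replacement partial only says Access policies are evaluated after all Gateway network policies, which does not spell out that a matching Block earlier in precedence ends evaluation before the Access policy is ever consulted. Keep the port `22` example in the new partial (or in the step that includes it) so the default ordering is not read as merely cosmetic.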
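Review bot: In the new modify-gateway-policy-precedence.mdx partial, the note `The Gateway Allow policy is strictly for routing and connectivity purposes` understates the effect of the `{props.selector} is Present` Allow rule: once it is moved above a Gateway Block policy, every connection to any Access target of that type is exempted from that Block, and the Access application policy becomes the only control on that traffic. Say so explicitly, and point out that an administrator who wants only some targets exempted should add further conditions to the Allow rule rather than rely on `is Present` alone. Minor: the frontmatter has a stray blank line between `- selector` and the closing `---`.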