cloudflare · ranbel · May 15, 2025 · May 15, 2025 · May 15, 2025 · May 15, 2025
@@ -43,13 +43,16 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
 
 <Render file="access/add-infrastructure-app" />
 
-## 3. Configure the server
+## 3. (Recommended) Modify order of precedence in Gateway
+<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" />
+
+## 4. Configure the server
 
 Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:
 
 - [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#6-configure-ssh-server)
 
-## 4. Connect as a user
+## 5. Connect as a user
 
 Users connect to the target's IP address using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
 
@@ -117,17 +120,3 @@ The following [Access policy selectors](/cloudflare-one/policies/access/#selecto
 - Authentication method
 - Device posture
 - Entra group, GitHub organization, Google Workspace group, Okta group
-
-## Modify order of precedence in Gateway
-
-By default, Cloudflare will evaluate Access infrastructure application policies after evaluating all Gateway network policies. To evaluate Access infrastructure applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
-
-| Selector                     | Operator | Value     | Action |
-| ---------------------------- | -------- | --------- | ------ |
-| Access Infrastructure Target | is       | _Present_ | Allow  |
-
-You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
-
-:::note
-Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.
-:::
@@ -76,15 +76,4 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece
 <Render file="gateway/client-notifications-os" product="cloudflare-one" />
 
 ## Modify order of precedence in Gateway
-
-By default, Cloudflare will evaluate a private application's Access policies after evaluating all Gateway network policies. To evaluate Access private applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
-
-| Selector           | Operator | Value     | Action |
-| ------------------ | -------- | --------- | ------ |
-| Access Private App | is       | _Present_ | Allow  |
-
-You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
-
-:::note
-Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.
-:::
+<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" />
@@ -97,7 +97,10 @@ If you do not already have a DNS record, [create a new DNS record](/dns/manage-d
 - **IPv6 address**: `100::`
 - **Proxy status**: On
 
-## 5. Connect as a user
+## 5. (Recommended) Modify order of precedence in Gateway
+<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" />
+
+## 6. Connect as a user
 
 To connect to a Windows machine over RDP:
 

@@ -41,7 +41,10 @@ To connect your devices to Cloudflare:
 
 <Render file="access/add-infrastructure-app" />
 
-## 6. Configure SSH server
+## 6. (Recommended) Modify order of precedence in Gateway
+<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" />
+
+## 7. Configure SSH server
 
 Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.
 
@@ -74,7 +77,7 @@ chmod 600 /etc/ssh/ca.pub
 
 <Render file="ssh/restart-server" />
 
-## 7. Connect as a user
+## 8. Connect as a user
 
 Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is [connected to that virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:
 

@@ -135,7 +135,3 @@ The following example requires Cloudflare provider version `>=4.45.0`.
 </Tabs>
 
 The targets in this application are now secured by your infrastructure policies.
-
-:::note
-Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets.
-:::
@@ -0,0 +1,18 @@
+---
+{}
+
+---
+
+By default, Cloudflare will evaluate Access application policies after evaluating all Gateway network policies. To evaluate Access applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
+
+| Selector                     | Operator | Value     | Logic  | Action |
+| ---------------------------- | -------- | --------- | ------ | ------ |
+| Access Infrastructure Target | is       | _Present_ | Or     | Allow  |
+| Access Private App           | is       | _Present_ |        |        |
+
+You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
+
+:::note
+Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.
+:::
+
-Original file line number
+Diff line change
@@ Expand Up @@
     </Tabs>
     The targets in this application are now secured by your infrastructure policies.
-    :::note
-    Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets.
-    :::