diff --git a/src/assets/images/cloudflare-one/connections/private-hostname-route-1.png b/src/assets/images/cloudflare-one/connections/private-hostname-route-1.png
new file mode 100644
index 000000000000000..473e9b510bc9b72
Binary files /dev/null and b/src/assets/images/cloudflare-one/connections/private-hostname-route-1.png differ
diff --git a/src/assets/images/cloudflare-one/connections/private-hostname-route-2.png b/src/assets/images/cloudflare-one/connections/private-hostname-route-2.png
new file mode 100644
index 000000000000000..1a74dd059426f67
Binary files /dev/null and b/src/assets/images/cloudflare-one/connections/private-hostname-route-2.png differ
diff --git a/src/content/docs/cloudflare-one/account-limits.mdx b/src/content/docs/cloudflare-one/account-limits.mdx
index 94fb0ce63a299e2..36bb0bfdb09062c 100644
--- a/src/content/docs/cloudflare-one/account-limits.mdx
+++ b/src/content/docs/cloudflare-one/account-limits.mdx
@@ -66,7 +66,7 @@ This page lists the default account limits for rules, applications, fields, and
| ---------------------------------------- | ----- |
| `cloudflared` tunnels per account | 1,000 |
| WARP Connectors per account | 10 |
-| IP routes per account | 1,000 |
+| Routes per tunnel | 1,000 |
| Active `cloudflared` replicas per tunnel | 25 |
## Digital Experience Monitoring (DEX)
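Review bot: The replacement row changes the scope of the limit, not just its label: `IP routes per account | 1,000` becomes `Routes per tunnel | 1,000`, which implies up to 1,000 routes on each of the 1,000 `cloudflared` tunnels listed two rows above, a thousand-fold increase in stated capacity. If the enforced quota is still account-wide, please revert the scope and only rename the row; if it really is per tunnel, confirm it with the product team before merge. Since this PR introduces hostname routes alongside CIDR routes, also state whether both kinds count toward the same figure (for example `CIDR and hostname routes per tunnel`).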
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx
index e394f2735499d15..b1ef5cc692fb975 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx
@@ -27,7 +27,7 @@ You can securely publish internal tools and applications by adding Cloudflare Ac
[Set up a Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) to publish your internal application. Only users who match your Access policies will be granted access.
:::note
-We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, public hostname routes in Tunnel are available to anyone on the Internet.
+We recommend [creating an Access application](#1-add-your-application-to-access) before setting up the tunnel route. If you do not have an Access application in place, the published application will be available to anyone on the Internet.
:::
If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using [other methods](/fundamentals/security/protect-your-origin-server/).
diff --git a/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx b/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
index 26d040ba1cc4366..456cb88177a1cfc 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
@@ -24,7 +24,7 @@ Cloudflare Access short-lived certificates can work with any modern SSH server,
To secure your server behind Cloudflare Access:
-1. [Connect the server to Cloudflare](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) as a public hostname route.
+1. [Connect the server to Cloudflare](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) as a published application.
2. Create a [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for the server.
:::note
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx
index 026c1fc2c39a35f..1af13d5fd49f913 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/index.mdx
@@ -140,11 +140,11 @@ On Windows, Cloudflare Tunnel installs itself as a system service using the Regi
## Update origin configuration
-To configure how `cloudflared` sends requests to your [public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) services:
+To configure how `cloudflared` sends requests to your [published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
2. Choose a tunnel and select **Configure**.
-3. Select the **Public Hostname** tab.
-4. Choose a route and select **Edit**.
+3. Select the **Published application routes** tab.
+4. Choose an application and select **Edit**.
5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/).
-6. Select **Save hostname**.
\ No newline at end of file
+6. Select **Save**.
\ No newline at end of file
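Review bot: The `\ No newline at end of file` marker is present on both sides of this hunk; since the final line is being edited anyway, add the trailing newline so later diffs to this file stay clean. The renamed steps otherwise match the new **Published application routes** tab and **Save** button used elsewhere in the PR.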
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx
index 554fa22b40f6d32..f8f6b6071dd4b99 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters.mdx
@@ -171,7 +171,7 @@ The timeout after which a TCP keepalive packet is sent on a connection between C
| ------- | ------------------- |
| `""` | Protect with Access |
-Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname routes that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
+Requires `cloudflared` to validate the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) prior to proxying traffic to your origin. You can enforce this check on public hostname services that are protected by an Access application. For all L7 requests to these hostnames, Access will send the JWT to `cloudflared` as a `Cf-Access-Jwt-Assertion` request header.
To enable this security control in a [configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/#origin-configuration), [get the AUD tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application and add the following rule to `originRequest`:
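Review bot: The wording here diverges from the rest of the PR: every other hunk renames "public hostname route" to "published application", but this line becomes "public hostname services". Suggest "You can enforce this check on published applications that are protected by an Access application" so the `access` origin parameter is described with the same term the dashboard now uses (the **Published application routes** tab in the cloudflared-parameters hunk above). The behavioural statement is unchanged and correct: `cloudflared` validates the `Cf-Access-Jwt-Assertion` header before proxying, so the rename must not be read as loosening the check.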
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx
index 196c4d9473a0204..231f1939f6bd7a4 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/ansible.mdx
@@ -113,23 +113,23 @@ The following configuration will modify settings in your Cloudflare account.
proxied = true
}
- # Configures tunnel with a public hostname route for clientless access.
- resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
- tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
- account_id = var.cloudflare_account_id
- config = {
- ingress = [
- {
- hostname = "http_app.${var.cloudflare_zone}"
- service = "http://localhost:80"
- },
- {
- service = "http_status:404"
- }
- ]
- }
- }
- ```
+ # Configures tunnel with a published application for clientless access.
+ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
+ tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
+ account_id = var.cloudflare_account_id
+ config = {
+ ingress = [
+ {
+ hostname = "http_app.${var.cloudflare_zone}"
+ service = "http://localhost:80"
+ },
+ {
+ service = "http_status:404"
+ }
+ ]
+ }
+ }
+ ```
### Configure GCP resources
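Review bot: This hunk replaces all 17 lines of the Terraform block, including the closing fence, when the only visible content change is the comment on its first line (`public hostname route` to `published application`). That pattern, repeated in both terraform.mdx hunks below, indicates a whitespace-only re-indentation folded into the rename; please split it into its own commit or confirm the indentation change is intended, because the block sits inside an MDX code fence where indentation is rendered verbatim and a shifted fence can break the page.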
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
index bb98c0a8f79a2bb..9bff936eb84c9fb 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx
@@ -98,8 +98,8 @@ EOF
[Private network routes](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) allow users to connect to your virtual private cloud (VPC) using the WARP client. To add a private network route for your Cloudflare Tunnel:
-1. In the **Private Network** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
-2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.
+1. In the **CIDR** tab, enter the **Private IPv4 address** of your AWS instance (for example, `172.31.19.0`). You can expand the IP range later if necessary.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the private IP is routing through WARP. For example, if you are using Split Tunnels in **Exclude** mode, delete `172.16.0.0/12`. We recommend re-adding the IPs that are not explicitly used by your AWS instance.
To determine which IP addresses to re-add, subtract your AWS instance IPs from `172.16.0.0/12`:
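Review bot: With the tab now named **CIDR**, step 1 still asks for a bare address (`172.31.19.0`) and says "You can expand the IP range later", so state how a bare IP is stored (presumably as a `/32`) so readers do not assume the field accepts the instance's whole subnet. The same wording appears in the GCP hunk below with `10.0.0.2`; the create-remote-tunnel hunk in this PR phrases it better ("enter the private IP address or CIDR range ... for example, `10.0.0.1` or `10.0.0.0/8`") and the three pages should agree.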
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
index 9bcfa02d6097203..4d1e6ff16630239 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/google-cloud-platform.mdx
@@ -76,8 +76,8 @@ To complete the following procedure, you will need to:
To configure a private network route for your Cloudflare Tunnel:
-1. In the **Private Network** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary.
-2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in Exclude mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.
+1. In the **CIDR** tab, enter the **Internal IP** of your GCP VM instance (for example, `10.0.0.2`). You can expand the IP range later if necessary.
+2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route), make sure the internal IP is routing through WARP. For example, if you are using Split Tunnels in **Exclude** mode, delete `10.0.0.0/8`. We recommend re-adding the IPs that are not explicitly used by your GCP VM.
To determine which IP addresses to re-add, subtract your GCP instance IPs from `10.0.0.0/8`:
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/terraform.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/terraform.mdx
index 7be5cea41e94dcf..7c8edbe882a37b7 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/terraform.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/terraform.mdx
@@ -157,22 +157,22 @@ The following configuration will modify settings in your Cloudflare account.
proxied = true
}
- # Configures tunnel with a public hostname route for clientless access.
- resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
- tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
- account_id = var.cloudflare_account_id
- config = {
- ingress = [
- {
- hostname = "http_app.${var.cloudflare_zone}"
- service = "http://httpbin:80"
- },
- {
- service = "http_status:404"
- }
- ]
- }
- }
+ # Configures tunnel with a published application for clientless access.
+ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
+ tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
+ account_id = var.cloudflare_account_id
+ config = {
+ ingress = [
+ {
+ hostname = "http_app.${var.cloudflare_zone}"
+ service = "http://httpbin:80"
+ },
+ {
+ service = "http_status:404"
+ }
+ ]
+ }
+ }
# (Optional) Routes internal IP of GCP instance through the tunnel for private network access using WARP.
resource "cloudflare_zero_trust_tunnel_cloudflared_route" "example_tunnel_route" {
@@ -241,20 +241,20 @@ The following configuration will modify settings in your Cloudflare account.
proxied = true
}
- # Configures tunnel with a public hostname route for clientless access.
- resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
- tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
- account_id = var.cloudflare_account_id
- config {
- ingress_rule {
- hostname = "${cloudflare_record.http_app.hostname}"
- service = "http://httpbin:80"
- }
- ingress_rule {
- service = "http_status:404"
- }
- }
- }
+ # Configures tunnel with a published application for clientless access.
+ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" {
+ tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.id
+ account_id = var.cloudflare_account_id
+ config {
+ ingress_rule {
+ hostname = "${cloudflare_record.http_app.hostname}"
+ service = "http://httpbin:80"
+ }
+ ingress_rule {
+ service = "http_status:404"
+ }
+ }
+ }
# (Optional) Route internal IP of GCP instance through the tunnel for private network access using WARP.
resource "cloudflare_zero_trust_tunnel_route" "example_tunnel_route" {
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel-api.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel-api.mdx
index 51a9813ffae32d9..84bee47c8024155 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel-api.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel-api.mdx
@@ -62,16 +62,16 @@ Make a `POST` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subre
Copy the `id` and `token` values shown in the output. You will need these values to configure and run the tunnel.
-The next steps depend on whether you want to [connect an application](#3a-connect-an-application) or [connect a network](#3b-connect-a-network).
+The next steps depend on whether you want to [publish an application to the Internet](#3a-publish-an-application) or [connect a private network](#3b-connect-a-network).
-## 3a. Connect an application
+## 3a. Publish an application
-Before you connect an application through your tunnel, you must:
+Before you publish an application through your tunnel, you must:
- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/).
- [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/).
-Follow these steps to connect an application through your tunnel. If you are looking to connect a network, skip to the [Connect a network section](#3b-connect-a-network).
+Follow these steps to publish an application to the Internet. If you are looking to connect a private resource, skip to the [Connect a network](#3b-connect-a-network) section.
1. Make a [`PUT` request](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/configurations/methods/update/) to route your local service URL to a public hostname. For example,
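Review bot: Step 1 ("route your local service URL to a public hostname") keeps the old vocabulary under the new heading "3a. Publish an application"; align it, for example "to publish your local service at a public hostname". More importantly, the dashboard counterpart of this step (create-remote-tunnel.mdx in this PR) now warns that anyone on the Internet can reach the hostname until an Access application exists, while this API page gives no such caution after the `PUT` request even though the configuration endpoint applies no Access policy. Add the same sentence here.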
@@ -130,7 +130,7 @@ To connect a private network through your tunnel, [add a tunnel route](/api/reso
}}
/>
-To configure Zero Trust policies and connect as a user, refer to [Connect private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
+`cloudflared` can now route traffic to these destination IPs. To configure Zero Trust policies and connect as a user, refer to [Connect private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
## 4. Install and run the tunnel
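Review bot: "`cloudflared` can now route traffic to these destination IPs" reads as if connectivity is complete, but it only records the tunnel-side route: users cannot reach the range until their Split Tunnel configuration sends it through WARP, and once they can, nothing restricts which enrolled device reaches it unless Gateway policies exist (the new connect-cidr page lists Gateway filtering as step 4 and marks it "(Recommended)"). Suggest mirroring the published-application warning: "Any device enrolled in your Zero Trust organization whose Split Tunnel configuration includes this range can now reach these IPs; create Gateway network policies to restrict access before rolling out to users."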
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx
index 6c824025ba8128d..d2f1ae8515e4520 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel.mdx
@@ -13,30 +13,31 @@ Follow this step-by-step guide to create your first [remotely-managed tunnel](/c
-The next steps depend on whether you want to [connect an application](#2a-connect-an-application) or [connect a network](#2b-connect-a-network).
+The next steps depend on whether you want to [publish an application to the Internet](#2a-publish-an-application) or [connect a private network](#2b-connect-a-network).
-## 2a. Connect an application
+## 2a. Publish an application
-Before you connect an application through your tunnel, you must:
+Before you publish an application through your tunnel, you must:
- [Add a website to Cloudflare](/fundamentals/manage-domains/add-site/).
- [Change your domain nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/).
-Follow these steps to connect an application through your tunnel. If you are looking to connect a network, skip to the [Connect a network section](#2b-connect-a-network).
+Follow these steps to publish an application to the Internet. If you are looking to connect a private resource, skip to the [Connect a network](#2b-connect-a-network) section.
-
+
-The application is now publicly available on the Internet. To allow or block specific users, [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+Anyone on the Internet can now access the application at the specified hostname. To allow or block specific users, [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
## 2b. Connect a network
-Follow these steps to connect a private network through your tunnel.
+To connect a private network through your tunnel:
-1. In the **Private Networks** tab, add the IP or CIDR of your service.
+1. Go to the **CIDR** tab.
+2. In **CIDR**, enter the private IP address or CIDR range of your service (for example, `10.0.0.1` or `10.0.0.0/8`).
-2. Select **Save tunnel**.
+`cloudflared` can now route traffic to these destination IPs. To configure Zero Trust policies and connect as a user, refer to [Connect an IP/CIDR](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
-To configure Zero Trust policies and connect as a user, refer to [Connect private networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/).
+If you would like to route to a private application using its hostname instead of its IP, refer to [Connect a private hostname](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname/).
## 3. View your tunnel
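Review bot: The `Select **Save tunnel**` step (old step 2) is removed and nothing replaces it, so section 2b now ends after entering the CIDR with no action that commits the route; the private-hostname page in this PR ends its equivalent list with `Select **Complete setup**`, so add the matching step here. Also, `10.0.0.0/8` as an example "CIDR range of your service" invites readers to route an entire /8 for one service; a narrower example such as `10.0.0.0/24` better matches the least-privilege advice the AWS and GCP guides give in their Split Tunnels steps.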
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr.mdx
new file mode 100644
index 000000000000000..1570f25f62eddaf
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr.mdx
@@ -0,0 +1,68 @@
+---
+pcx_content_type: how-to
+title: Connect an IP/CIDR
+sidebar:
+ order: 3
+---
+
+import { Render } from "~/components";
+
+This guide covers how to enable secure remote access to private IP addresses using `cloudflared` and WARP. You can connect an entire private network, a subnet, or an application defined by a static IP.
+
+## 1. Connect the server to Cloudflare
+
+To connect your infrastructure with Cloudflare Tunnel:
+
+
+
+2. In the **CIDR** tab for the tunnel, enter the IP/CIDR range that you wish to route through the tunnel (for example `10.0.0.0/8`).
+
+## 2. Set up the client
+
+
+
+## 3. Route private network IPs through WARP
+
+
+
+## 4. (Recommended) Filter network traffic with Gateway
+
+
+
+### Enable the Gateway proxy
+
+
+
+### Zero Trust policies
+
+
+
+If you have applications clearly defined by IPs or hostnames, we recommend [creating an Access application](/cloudflare-one/applications/non-http/self-hosted-private-app/) and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway network and DNS policies for IP ranges and domains.
+
+For more information on building Gateway policies, refer to [Secure your first application](/learning-paths/replace-vpn/build-policies/create-policy/) and [Common network policies](/cloudflare-one/policies/gateway/network-policies/common-policies/#restrict-access-to-private-networks).
+
+## 5. Connect as a user
+
+End users can now reach HTTP or TCP-based services on your network by visiting any IP address in the range you have specified.
+
+To allow users to reach the service using its private hostname instead of its IP, refer to [Private DNS](/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns/).
+
+### Troubleshooting
+
+#### Device configuration
+
+To check that their device is properly configured, the user can visit `https://help.teams.cloudflare.com/` to ensure that:
+
+- The page returns **Your network is fully protected**.
+- In **HTTP filtering**, both **WARP** and **Gateway Proxy** are enabled.
+- The **Team name** matches the Zero Trust organization from which you created the tunnel.
+
+#### Router configuration
+
+Check the local IP address of the device and ensure that it does not fall within the IP/CIDR range of your private network. For example, some home routers will make DHCP assignments in the `10.0.0.0/24` range, which overlaps with the `10.0.0.0/8` range used by most corporate private networks. When a user's home network shares the same IP addresses as the routes in your tunnel, their device will be unable to connect to your application.
+
+To resolve the IP conflict, you can either:
+
+- Reconfigure the user's router to use a non-overlapping IP range. Compatible routers typically use `192.168.1.0/24`, `192.168.0.0/24` or `172.16.0.0/24`.
+- Tighten the IP range in your Split Tunnel configuration to exclude the `10.0.0.0/24` range. This will only work if your private network does not have any hosts within `10.0.0.0/24`.
+- Change the IP/CIDR of your private network so that it does not overlap with a range commonly used by home networks.
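Review bot: The second remediation under "Router configuration" ("Tighten the IP range in your Split Tunnel configuration to exclude the `10.0.0.0/24` range") is ambiguous: in Exclude mode the reader must add `10.0.0.0/24` to the exclude list, in Include mode they must replace `10.0.0.0/8` with ranges that omit it; spell out both, and note that the conflicting range then also becomes unreachable for every user of that profile, not just the one with the clashing router. Two smaller points: step 2 of "Connect the server to Cloudflare" ends at entering the CIDR with no save or complete action (the hostname page ends with `Select **Complete setup**`), and "Connect as a user" says users can reach "HTTP or TCP-based services", which silently omits UDP and ICMP; if those are supported over CIDR routes say so, otherwise state the limitation explicitly.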
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx
new file mode 100644
index 000000000000000..323d2b61d410003
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname.mdx
@@ -0,0 +1,264 @@
+---
+pcx_content_type: how-to
+title: Connect a private hostname
+sidebar:
+ order: 2
+ badge:
+ text: Beta
+---
+
+import { Render, Details, GlossaryTooltip, Checkbox } from "~/components";
+
+`cloudflared` can route to HTTP and non-HTTP applications on your private network using their private hostname (for example, `wiki.internal.local`). Private hostname routes are especially useful when the application has an unknown or ephemeral IP, which often occurs when infrastructure is provisioned by a third-party cloud provider.
+
+## How private hostname routing works
+
+Private hostname routing with Cloudflare Tunnel consists of three main components:
+
+- The WARP client installs on the user device and forwards network and DNS traffic from the device to Cloudflare Gateway.
+- Gateway resolves the private hostname using your internal DNS resolver instead of the default public resolver.
+- `cloudflared` installs on a host machine in your private network and proxies traffic from Cloudflare to your internal DNS resolver and internal applications.
+
+Figures 1 and 2 illustrate the flow of DNS and network traffic when a user connects to a private hostname (`wiki.internal.local`):
+
+
+
+1. The WARP client sends the DNS query to the Gateway resolver for resolution.
+2. Gateway determines that `wiki.internal.local` should be resolved by a custom DNS resolver.
+3. Gateway does a DNS lookup for `wiki.internal.local` through Cloudflare Tunnel, and the custom DNS resolver returns the origin IP (`10.0.0.5`).
+4. Rather than responding to the DNS query with the actual origin IP, Gateway responds with a random IP address from the following CGNAT range:
+
+
+ The selected CGNAT IP is called the initial resolved IP.
+5. Gateway's network engine stores the mapping between the private hostname (`wiki.internal.local`), initial resolved IP (`100.80.0.1`), and the actual IP (`10.0.0.5`).
+6. The WARP client receives the initial resolved IP (`100.80.0.1`) in the DNS response. Each WARP device will receive a unique, ephemeral initial resolved IP.
+
+As shown in Figure 2 below, the WARP client will now send `wiki.internal.local` traffic to the initial resolved IP.
+
+
+
+The initial resolved IP mechanism is required because Gateway's network engine operates at L3/L4 and can only see IPs (not hostnames) when processing the connection. Because the packet's destination IP falls within the designated CGNAT range, Gateway knows that it corresponds to a hostname route and can apply hostname-based policies. Traffic that passes your Gateway policies will route through Cloudflare Tunnel to the application's actual origin IP. When the initial resolved IP expires, WARP will send a new DNS request (Figure 1) to refresh the initial resolved IP.
+
+## Supported on-ramps/off-ramps
+
+The table below summarizes the Cloudflare One products that are compatible with private hostname routing. Refer to the table legend for guidance on interpreting the table.
+
+β
Product works with no caveats
+π§ Product can be used with some caveats
+β Product cannot be used
+
+### Device connectivity
+
+End users can connect to private hostnames using the following traffic on-ramps:
+
+
+
+### Private network connectivity
+
+Private hostname routing only works for applications connected with `cloudflared`. Other traffic off-ramps require IP-based routes.
+
+| Connector | Compatibility |
+| ------------------------------------------------------------------------------------------ | ------------- |
+| [cloudflared](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) | β
|
+| [WARP-to-WARP](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/) | β |
+| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | β |
+| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/) | β |
+
+## Connect a private hostname
+
+This section covers how to enable remote access to a private hostname application using `cloudflared`.
+
+### Prerequisites
+
+To connect to private hostnames, your devices must forward the following traffic to Cloudflare:
+
+
+
+
+
+
+
+Configuration steps vary depending on your [device on-ramp](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname/#device-connectivity):
+
+
+1. In [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/), ensure that the IPs listed above route through the WARP tunnel. For example, if you are using the default Split Tunnels Exclude configuration and your application and DNS resolver have private IPs in the range `10.0.0.0/8`, delete `100.64.0.0/10` and `10.0.0.0/8` from the Split Tunnels list. We recommend adding back the IPs that are not explicitly used by your network β refer to our [Split Tunnels calculator](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) for details.
+2. In [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/), delete the top-level domain for your private hostname. This configures WARP to send the DNS query to Cloudflare Gateway for resolution.
+
+
+
+
+
+1. In your [WARP Connector device profile](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/#3-route-traffic-between-warp-connector-and-cloudflare), ensure that the IPs listed above route through the WARP tunnel.
+2. Depending on where you installed WARP Connector, you may also need to route those destination IPs through WARP Connector and point your DNS resolver to Cloudflare Gateway. Refer to [Route traffic from subnet to WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/#4-route-traffic-from-subnet-to-warp-connector).
+
+
+
+
+
+1. Ensure that the IPs listed above [route through Magic WAN](/magic-wan/configuration/manually/how-to/configure-routes/) to Cloudflare.
+2. [Point the DNS resolver](/magic-wan/zero-trust/cloudflare-gateway/#dns-filtering) for your Magic WAN network to Cloudflare Gateway.
+
+
+
+
+### 1. Connect the application to Cloudflare
+
+
+
+9. In the **Hostname routes** tab, enter the fully qualified domain name (FDQN) that represents your application (for example, `wiki.internal.local`).
+
+
+ - Less than 255 characters
+ - Leading wildcards (`*`) and dots (`.`) are allowed but trimmed off. For example, `*.internal.local` becomes `internal.local`.
+ - Ending dots (`.`) are allowed but trimmed off.
+ - No wildcards (`*`) in the middle. For example, `foo*bar.internal.local` is not allowed.
+
+
+10. Select **Complete setup**.
+
+### 2. Connect the DNS server to Cloudflare
+
+To route your internal DNS resolver through Cloudflare Tunnel:
+
+1. Go to **Networks** > **Routes** > **CIDR**.
+
+2. Select **Create CIDR route**.
+
+3. In **CIDR**, enter the private IP address of your internal DNS resolver.
+
+4. For **Tunnel**, select the Cloudflare Tunnel that is being used to connect the private network to Cloudflare.
+
+5. Select **Create route**.
+
+### 3. (Optional) Create a resolver policy
+
+:::note
+Only available on Enterprise plans
+:::
+
+Gateway will automatically resolve DNS queries using your internal DNS server as long as the DNS server is behind the same Cloudflare Tunnel as your application. If your DNS server is behind a different Cloudflare Tunnel (for example, if you separated DNS traffic into its own tunnel for [high availability](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/system-requirements/#private-dns)), then you need to point Gateway to the correct tunnel and DNS server.
+
+1. [Create a Gateway resolver policy](/cloudflare-one/policies/gateway/resolver-policies/#create-a-resolver-policy) that matches the private hostname for which you are establishing the route:
+
+ | Selector | Operator | Value |
+ | -------- | -------- | ---------------------- |
+ | Host | in | `wiki.internal.local` |
+
+2. Under **Configure custom DNS resolvers**, enter the IPv4 and/or IPv6 address of your internal DNS server. The dropdown menu will not populate until you type in the full IP address.
+
+3. From the dropdown menu, select the `- Private` routing option and the [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) where the DNS server is located.
+
+### 4. (Recommended) Filter network traffic with Gateway
+
+
+
+#### Enable the Gateway proxy
+
+
+
+#### Zero Trust policies
+
+
+
+##### HTTPS applications
+
+If your private hostname points to an HTTPS application on port `443`, you can secure it using either Access or Gateway policies:
+
+ - **Option 1 (Recommended)**: Create an [Access self-hosted private app](/cloudflare-one/applications/non-http/self-hosted-private-app/) to manage user access alongside your SaaS and other web apps.
+
+ - **Option 2**: If you prefer to secure the application using a traditional firewall model, build Gateway network policies using the [SNI](/cloudflare-one/policies/gateway/network-policies/#sni) or [SNI Domain](/cloudflare-one/policies/gateway/network-policies/#sni-domain) selector. For an additional layer of protection, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/policies/gateway/dns-policies/#host) or [Domain](/cloudflare-one/policies/gateway/dns-policies/#domain) from resolving.
+
+
+ The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
+
+ 1. Allow company employees
+
+
+
+ 2. Catch-all block policy
+
+
+
+
+
+
+
+
+
+
+##### Non-HTTPS applications
+
+Access policies and Gateway network policies only support hostname-based filtering for applications on port `443`. If your application runs on a non-`443` port, you will need to allow or block network traffic using the [Destination IP](/cloudflare-one/policies/gateway/network-policies/#destination-ip) selector. Then, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/policies/gateway/dns-policies/#host) or [Domain](/cloudflare-one/policies/gateway/dns-policies/#domain) from resolving.
+
+ The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
+
+ 1. Allow company employees
+
+
+
+ 2. Catch-all block policy
+
+
+
+
+
+
+
+
+
+
+### 5. Test the connection
+
+End users can now reach the application by going to its private hostname. For example, to connect to a private web application, open a browser and go to `wiki.internal.local`.
+
+#### Troubleshooting
+
+You can run the following tests to check if private hostname routing is properly configured.
+
+1. From the WARP device, confirm that you can successfully resolve the private hostname using your internal DNS server:
+
+ ```sh
+ nslookup wiki.internal.local 10.0.0.1
+ ```
+
+ ```sh output
+ Server: 10.0.0.1
+ Address: 10.0.0.1#53
+
+ Name: wiki.internal.local
+ Address: 10.0.0.5
+ ```
+
+ If the DNS lookup fails, it means that WARP cannot connect to your internal DNS server through `cloudflared`. Check that you have a [tunnel route](#2-connect-the-dns-server-to-cloudflare) for the internal DNS server IP. Also, confirm that the DNS server IP [routes through the WARP tunnel](#split-tunnels).
+
+ For a general WARP-to-Tunnel troubleshooting procedure, refer to [Troubleshoot private network connectivity](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/private-networks/).
+
+2. Run a standard `nslookup` for the private hostname:
+
+ ```sh
+ nslookup wiki.internal.local
+ ```
+
+ ```sh output
+ Server: 127.0.2.2
+ Address: 127.0.2.2#53
+
+ Non-authoritative answer:
+ Name: wiki.internal.local
+ Address: 100.80.200.48
+ ```
+
+ The query should resolve using [WARP's DNS proxy](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#dns-traffic) and return a Gateway initial resolved IP. If the query fails to resolve or returns a different IP, check your [Local Domain Fallback configuration](#local-domain-fallback) and [Gateway resolver policies](#3-optional-create-a-resolver-policy).
+
+3. When you connect to the application using its private hostname, the device should make a connection to the initial resolved IP:
+ ```sh
+ curl -v4 http://wiki.internal.local
+ ```
+ ```sh output
+ * Trying 100.80.200.48:80...
+ * Connected to wiki.internal.local (100.80.200.48) port 80
+ ...
+ ```
+
+ If the request fails, confirm that the initial resolved IP [routes through the WARP tunnel](#split-tunnels). You can also check your [tunnel logs](/cloudflare-one/connections/connect-networks/monitor-tunnels/logs/) to confirm that requests are routing to the application's private IP.
+
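Review bot: the trimming rule for hostname routes leaves the resulting match scope undocumented. The bullet `Leading wildcards (`*`) and dots (`.`) are allowed but trimmed off. For example, `*.internal.local` becomes `internal.local`.` says what gets stored but not whether the stored `internal.local` route then matches `wiki.internal.local`, only `internal.local` itself, or both; one sentence on the matching behaviour after trimming lets an administrator confirm a route is no broader or narrower than intended. Also in this hunk: `(FDQN)` in step 9 should read `(FQDN)`, and the troubleshooting command `nslookup wiki.internal.local 10.0.0.1` introduces `10.0.0.1` without saying it stands for the internal DNS resolver IP entered in step 2, so name that assumption in the step text.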
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx
index 660290b0146afd4..d1ff3a987cda3c5 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx
@@ -1,72 +1,17 @@
---
-pcx_content_type: how-to
-title: Connect private networks
+pcx_content_type: concept
+title: Connect with cloudflared
+hidden: false
sidebar:
order: 1
---
-import { Render } from "~/components";
+`cloudflared` is a daemon service that can run on nearly any host machine in your private network and proxies local traffic once validated from the Cloudflare network. The Cloudflare Tunnel created by `cloudflared` is outbound-only, meaning that it will only proxy requests initiated from a user to your private network. Requests made by a service or application running behind the tunnel will use the server's default routing table.
-A private network has two primary components: the server and the client. The server's infrastructure (whether that is a single application, multiple applications, or a network segment) is connected to Cloudflare's global network by Cloudflare Tunnel. This is done by running the `cloudflared` daemon on the server.
+On the client side, end users connect to Cloudflare's global network using the Cloudflare WARP client. The WARP client can be rolled out to your entire organization in just a few minutes using your in-house MDM tooling. When users connect to an IP address or hostname made available through Cloudflare Tunnel, WARP sends their connection through Cloudflare's network and down the corresponding tunnel to the internal service. Traffic to services behind the tunnel will carry the local source IP address of the host machine running the `cloudflared` daemon.
-On the client side, end users connect to Cloudflare's global network using the Cloudflare WARP client. The WARP client can be rolled out to your entire organization in just a few minutes using your in-house MDM tooling. When users connect to an IP made available through Cloudflare Tunnel, WARP sends their connection through Cloudflare's network to the corresponding tunnel.
+
-
-
-To enable remote access to your private network, follow the guide below.
-
-## 1. Connect the server to Cloudflare
-
-To connect your infrastructure with Cloudflare Tunnel:
-
-
-
-2. In the **Private Networks** tab for the tunnel, enter the IP/CIDR range that you wish to route through the tunnel (for example `10.0.0.0/8`).
-
-## 2. Set up the client
-
-
-
-## 3. Route private network IPs through WARP
-
-
-
-## 4. (Recommended) Filter network traffic with Gateway
-
-By default, all WARP devices enrolled in your Zero Trust organization can connect to your private network through Cloudflare Tunnel. You can configure Gateway inspect your network traffic and either block or allow access based on user identity and device posture.
-
-### Enable the Gateway proxy
-
-
-
-### Zero Trust policies
-
-Cloudflare Zero Trust allows you to configure security policies using either Access or Gateway. If you have applications clearly defined by IPs or hostnames, we recommend [creating an Access application](/cloudflare-one/applications/non-http/self-hosted-private-app/) and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway [network and DNS policies](/learning-paths/replace-vpn/build-policies/) for IP ranges and domains.
-
-## 5. Connect as a user
-
-End users can now reach HTTP or TCP-based services on your network by visiting any IP address in the range you have specified.
-
-### Troubleshooting
-
-#### Device configuration
-
-To check that their device is properly configured, the user can visit `https://help.teams.cloudflare.com/` to ensure that:
-
-- The page returns **Your network is fully protected**.
-- In **HTTP filtering**, both **WARP** and **Gateway Proxy** are enabled.
-- The **Team name** matches the Zero Trust organization from which you created the tunnel.
-
-#### Router configuration
-
-Check the local IP address of the device and ensure that it does not fall within the IP/CIDR range of your private network. For example, some home routers will make DHCP assignments in the `10.0.0.0/24` range, which overlaps with the `10.0.0.0/8` range used by most corporate private networks. When a user's home network shares the same IP addresses as the routes in your tunnel, their device will be unable to connect to your application.
-
-To resolve the IP conflict, you can either:
-
-- Reconfigure the user's router to use a non-overlapping IP range. Compatible routers typically use `192.168.1.0/24`, `192.168.0.0/24` or `172.16.0.0/24`.
-- Tighten the IP range in your Split Tunnel configuration to exclude the `10.0.0.0/24` range. This will only work if your private network does not have any hosts within `10.0.0.0/24`.
-- Change the IP/CIDR of your private network so that it does not overlap with a range commonly used by home networks.
+To enable remote access to your private network, refer to the following guides:
+- [**Connect a private hostname**](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-private-hostname/): Route network traffic to an internal application using its hostname.
+- [**Connect an IP/CIDR**](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/): Route traffic to an internal IP address or CIDR range.
\ No newline at end of file
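Review bot: deleting `## 4. (Recommended) Filter network traffic with Gateway` from `cloudflared/index.mdx` breaks the anchor `#4-recommended-filter-network-traffic-with-gateway`, which `rdp-warp-to-tunnel.mdx` still links to later in this same patch; that link needs to move to wherever the Gateway filtering steps now live. The removed Troubleshooting material (the `https://help.teams.cloudflare.com/` device checks and the `10.0.0.0/24` home-router overlap guidance) is not re-added anywhere in this diff, so confirm it was moved into the CIDR guide rather than dropped; the overlap guidance is the most common reason private routes fail silently. The new sentence `Traffic to services behind the tunnel will carry the local source IP address of the host machine running the `cloudflared` daemon.` is worth keeping and worth extending by one clause: it means per-user attribution is available only in Gateway logs, not in the origin's own logs. Finally, the file now ends with `\ No newline at end of file`; add the trailing newline.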
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/load-balancing.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/load-balancing.mdx
index 936b304dd35c4eb..d78a6ec8c81771f 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/load-balancing.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/load-balancing.mdx
@@ -2,7 +2,7 @@
pcx_content_type: concept
title: Load balancing
sidebar:
- order: 3
+ order: 6
---
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx
index 7ba2feb7061b386..77f3f864ab9ee5f 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns.mdx
@@ -2,30 +2,37 @@
pcx_content_type: how-to
title: Private DNS
sidebar:
- order: 1
+ order: 4
---
-By default, the WARP client sends DNS requests to [1.1.1.1](/1.1.1.1/), Cloudflare's public DNS resolver, for resolution. With Cloudflare Tunnel, you can connect an internal DNS resolver to Cloudflare and use it to resolve non-publicly routed domains.
+import { Render } from "~/components"
+
+By default, all DNS requests on the user device are resolved by Cloudflare's [public DNS resolver](/1.1.1.1/) except for common top level domains used for local resolution (such as `localhost`). You can connect an internal DNS resolver to Cloudflare and use it to resolve non-publicly routed domains.
## Configure private DNS
+To resolve private DNS queries:
+
1. [Connect your private network](/cloudflare-one/connections/connect-networks/get-started/) with Cloudflare Tunnel.
2. Under **Networks** > **Routes**, verify that the IP address of your internal DNS resolver is included in the tunnel.
-3. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy) for TCP and UDP.
+ :::note
+
+ Ensure that **Split Tunnels** are configured to [include traffic to private IPs and hostnames](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp).
-4. Next, [create a Local Domain Fallback entry](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) that points to the internal DNS resolver. For example, you can instruct the WARP client to resolve all requests for `myorg.privatecorp` through an internal resolver at `10.0.0.25` rather than attempting to resolve this publicly.
+ :::
-:::note
+3. Route specific DNS queries to your internal DNS resolver using one of the following options:
-Ensure that **Split Tunnels** are configured to [include traffic to private IPs and hostnames](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#3-route-private-network-ips-through-warp).
+ - [Create a Local Domain Fallback entry](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) that points to the internal DNS resolver. For example, you can instruct the WARP client to resolve all requests for `myorg.privatecorp` through an internal resolver at `10.0.0.25` rather than attempting to resolve this publicly.
+ - Alternatively, [create a resolver policy](/cloudflare-one/policies/gateway/resolver-policies/#create-a-resolver-policy) that points to the internal DNS resolver.
-:::
+4. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy) for TCP and UDP.
5. Finally, ensure that your tunnel uses QUIC as the default [transport protocol](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#protocol). This will enable `cloudflared` to proxy UDP-based traffic which is required in most cases to resolve DNS queries.
-The WARP client will now resolve requests through the internal DNS server you set up in your private network.
+The WARP client will now send DNS queries to your internal DNS resolver for resolution. To learn more, refer to [How the WARP client handles DNS requests](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests).
## Test the setup
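Review bot: step 3's second option, `Alternatively, [create a resolver policy](/cloudflare-one/policies/gateway/resolver-policies/#create-a-resolver-policy) that points to the internal DNS resolver.`, omits the plan requirement, while the private hostname guide earlier in this patch labels resolver policies `Only available on Enterprise plans`; add the same qualifier here so readers on other plans pick the Local Domain Fallback option. Separately, the `:::note` block inserted under step 2 is indented by a single space and has a blank line after its opening fence; indent it to the list item's content column so it renders as part of step 2 instead of terminating the numbered list before step 3.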
@@ -45,7 +52,7 @@ Both `dig` commands will fail if the WARP client is disabled on your end user's
## Troubleshooting
-Use the following troubleshooting strategies if you are running into issues while configuring your private network with Cloudflare Tunnel.
+Use the following troubleshooting strategies if you are running into issues while configuring private DNS with Cloudflare Tunnel.
- Ensure that `cloudflared` is connected to Cloudflare by visiting **Networks** > **Tunnels** in Zero Trust.
@@ -55,10 +62,10 @@ Use the following troubleshooting strategies if you are running into issues whil
- Ensure that end-user devices are enrolled into WARP by visiting [https://help.teams.cloudflare.com](https://help.teams.cloudflare.com).
-- Double-check the precedence of your application policies in the Gateway Network policies tab. Ensure that a more global Block or Allow policy will not supersede the application policies.
+- Double-check the [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) for your [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/). Ensure that a more global Block or Allow policy will not supersede application-specific policies.
-- Check the Gateway Audit Logs Network tab to see whether your UDP DNS resolutions are being allowed or blocked.
+- Check your [Gateway network logs](/cloudflare-one/insights/logs/gateway-logs/#network-logs) to see whether your UDP DNS resolutions are being allowed or blocked.
-- Ensure that your Private DNS resolver is available over a routable private IP address. You can check that by trying the `dig` commands on your machine running `cloudflared`.
+- Ensure that your internal DNS resolver is available over a routable private IP address. You can check that by trying the `dig` command on your machine running `cloudflared`.
- Check your set up by using `dig ... +tcp` to force the DNS resolution to use TCP instead of UDP.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks.mdx
index d0fd5414cb44bc9..748071559f7a1f2 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks.mdx
@@ -2,7 +2,7 @@
pcx_content_type: how-to
title: Virtual networks
sidebar:
- order: 2
+ order: 5
---
import { Details, Render, Tabs, TabItem } from "~/components";
@@ -60,7 +60,7 @@ The following example demonstrates how to add two overlapping IP routes to Cloud
2. Select **Create a tunnel**.
3. Name your tunnel `Staging tunnel` and select **Save tunnel**.
4. Install the connector within your staging environment.
- 5. In the **Private Network** tab, add `10.128.0.1/32`.
+ 5. In the **CIDR** tab, add `10.128.0.1/32`.
6. Select **Additional settings**. Under **Virtual networks**, select *staging-vnet*.
7. Save the tunnel.
8. Repeat Steps 2a-2g to create another tunnel called `Production tunnel`. Be sure to install the connector within your production environment and assign the route to *production-vnet*.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx
index 554f09cc4b6775e..991bdfe977ced5a 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 7
---
-With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a [connector](#connectors) on the private network, and then [setting up routes](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2b-connect-a-network) which define the IP addresses available in that environment. Unlike [public hostname routes](/cloudflare-one/connections/connect-networks/routing-to-tunnel/), private network routes can expose both HTTP and non-HTTP resources.
+With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a [connector](#connectors) on the private network, and then [setting up routes](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2b-connect-a-network) which define the IP addresses available in that environment. Unlike [published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/), private network routes can expose both HTTP and non-HTTP resources.
To reach private network IPs, end users must connect their device to Cloudflare and enroll in your Zero Trust organization. The most common method is to install the [WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device, or you can onboard their network traffic to Cloudflare using our [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) or [Magic WAN](/magic-wan/zero-trust/cloudflare-tunnel/).
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
index 74ef08215e0c926..bfb98ca433fb08a 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/index.mdx
@@ -48,6 +48,6 @@ To set up WARP Connector, refer to the guide for your use case:
- **[Site-to-Internet](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet/)**: Send requests from your private network to the Internet.
- **[Site-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site/)**: Send requests between two or more private networks.
- **[User-to-site](/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site/)**: Allow WARP client devices to send requests to your private network.
-- **Internet-to-site**: Not supported by WARP Connector. To provide clientless access to applications on your private network, set up a [Cloudflare Tunnel with `cloudflared`](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) and configure a [public hostname route](/cloudflare-one/connections/connect-networks/routing-to-tunnel/).
+- **Internet-to-site**: Not supported by WARP Connector. To provide clientless access to applications on your private network, set up a [Cloudflare Tunnel with `cloudflared`](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/) and configure a [published application](/cloudflare-one/connections/connect-networks/routing-to-tunnel/).
[^1]: WARP Connector is an extension of the [WARP client](/cloudflare-one/connections/connect-devices/warp/).
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx
index e74b763e22d9ba4..0e25e1a180cdc80 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet.mdx
@@ -35,7 +35,7 @@ This guide covers how to connect a private network to the Internet using WARP Co
## 3. Route traffic from subnet to WARP Connector
-Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
+The WARP Connector host will automatically forward DNS and network traffic to Cloudflare. Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
### Option 1: Default gateway
@@ -48,7 +48,7 @@ Depending on where you installed the WARP Connector, you may need to configure o
product="cloudflare-one"
/>
-#### Add route to router
+#### Add IP route to router
For example, for all traffic from the subnet to egress through WARP Connector, add a rule on the router that routes `0.0.0.0` to the WARP Connector host machine (`10.0.0.100`).
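Review bot: the example under the retitled `#### Add IP route to router` heading reads `add a rule on the router that routes `0.0.0.0` to the WARP Connector host machine (`10.0.0.100`)`; a default route is `0.0.0.0/0` (or `0.0.0.0` with mask `0.0.0.0`), and `0.0.0.0` on its own reads as a single host, so write the prefix length explicitly. The line is unchanged context, but since the heading above it is being renamed to stress that this is an IP route, this is the moment to fix it.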
@@ -57,6 +57,13 @@ For example, for all traffic from the subnet to egress through WARP Connector, a
product="cloudflare-one"
/>
+#### Configure DNS resolver on router
+
+
+
### Option 3: Intermediate gateway
-#### Add route to devices
+#### Add IP route to devices
-#### Verify routes
-
+#### Configure DNS resolver on devices
+
+
+
## 4. Test the WARP Connector
You can now test if traffic from your subnet routes through Cloudflare. For example,
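Review bot: `#### Verify routes` is deleted from Option 3 and replaced by `#### Configure DNS resolver on devices` with no equivalent check elsewhere in the hunk; unless the verification moved into `## 4. Test the WARP Connector`, readers lose the only instruction that confirms the per-device route took effect before they test end to end. Either keep a short verification step under Option 3 or state there that the test in section 4 covers it.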
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx
index e6d157eb4fe4b09..ddd861388bcf66b 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-site.mdx
@@ -38,7 +38,7 @@ In this example, we will create a WARP Connector for subnet `10.0.0.0/24` and in
-## 3. Route traffic from WARP Connector to subnet
+## 3. Route traffic between WARP Connector and Cloudflare
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Networks** > **Routes**.
2. Select **Create route**.
@@ -65,9 +65,18 @@ The WARP Connector will now forward inbound requests to devices on the subnet.
```
+### DNS filtering
+
+If you would like to filter private DNS queries using Cloudflare Gateway, check [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) and ensure that the following IPs route through WARP Connector:
+ - Internal DNS resolver IP
+ - Initial resolved IP CGNAT range:
+
+
+When you resolve DNS queries from WARP Connector through Gateway, Gateway will log the queries with the private source IP. You can use the private source IP to create [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) for queries intended for [internal DNS records](/cloudflare-one/policies/gateway/resolver-policies/#internal-dns).
+
## 4. Route traffic from subnet to WARP Connector
-Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
+The WARP Connector host will automatically forward DNS and network traffic to Cloudflare. Depending on where you installed the WARP Connector, you may need to configure other devices on the subnet to route outbound requests through WARP Connector.
```mermaid
flowchart LR
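Review bot: in the new `### DNS filtering` section the list item `Initial resolved IP CGNAT range:` ends in a colon and relies on a following component to supply the range, so the rendered page must be checked to confirm the range actually appears; the two list items are also indented one space under a paragraph rather than flush, which some Markdown renderers will not treat as a list. The sentence that Gateway logs queries `with the private source IP` is the security-relevant detail here: resolver policies keyed on that source IP are only as trustworthy as the subnet's address assignment, which deserves one sentence so that readers do not treat source-IP matching as user identity.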
@@ -94,7 +103,7 @@ Depending on where you installed the WARP Connector, you may need to configure o
product="cloudflare-one"
/>
-#### Add route to router
+#### Add IP route to router
For example, for devices on subnet `10.0.0.0/24` to reach applications behind subnet `192.168.1.0/24`, add a rule on the router that routes `192.168.1.0/24` to the WARP Connector host machine (`10.0.0.100`).
@@ -103,6 +112,13 @@ For example, for devices on subnet `10.0.0.0/24` to reach applications behind su
product="cloudflare-one"
/>
+#### Configure DNS resolver on router
+
+
+
### Option 3: Intermediate gateway
-#### Add route to devices
+#### Add IP route to devices
mask 255.255.255.255
-#### Verify routes
-
+#### Configure DNS resolver on devices
+
+
+
## 5. Install another WARP Connector
Repeat steps 1, 3, and 4 above to install an additional WARP Connector on subnet `192.168.1.0/24`. The device profile created in Step 2 will apply to all WARP Connectors.
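Review bot: the context line `mask 255.255.255.255` immediately above the removed `#### Verify routes` heading shows the Option 3 device route using a host mask, yet the example in this file routes devices to applications behind subnet `192.168.1.0/24`, whose mask is `255.255.255.0`; a /32 mask reaches a single address only. Since this hunk also drops the verification step that would have exposed the mismatch, fix the mask in the same change or keep the verification.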
@@ -183,10 +204,11 @@ You can now test the connection between the two subnets. For example, on the `10
```
:::note
-
If you are testing with curl using private hostnames, add the `--ipv4` flag to your curl commands.
:::
+Your [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/) will show traffic associated with the email `warp_connector@.cloudflareaccess.com`.
+
[^1]:
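Review bot: `warp_connector@.cloudflareaccess.com` in the new sentence about Gateway activity logs has nothing between `@` and `.cloudflareaccess.com`, which looks like a dropped team-name placeholder; write it as `warp_connector@<team-name>.cloudflareaccess.com` (or the docs' standard placeholder) so readers can match the identity in their logs, and say that this identity is what to filter on when separating connector traffic from user traffic.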
-#### Add route to router
+#### Add IP route to router
`100.96.0.0/12` is the default CIDR for all user devices running the [WARP client](/cloudflare-one/connections/connect-devices/warp/). On your router, add a rule that routes the destination IP `100.96.0.0/12` to the WARP Connector host machine (`10.0.0.100`).
@@ -75,7 +75,7 @@ Depending on where you installed the WARP Connector, you may need to configure o
product="cloudflare-one"
/>
-#### Add route to devices
+#### Add IP route to devices
To route all CGNAT IP traffic through WARP Connector:
@@ -101,8 +101,6 @@ route /p add 100.96.0.0/12 mask 255.255.255.255
-#### Verify routes
-
## 5. Test the WARP Connector
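Review bot: the hunk header context `route /p add 100.96.0.0/12 mask 255.255.255.255` pairs a `/12` prefix with a host mask; the mask for `100.96.0.0/12` is `255.240.0.0`, and Windows `route` takes the prefix from the `mask` argument, so as written this adds a single-host route for `100.96.0.0` and CGNAT traffic will not be routed through the connector. That command is outside the changed lines, but this hunk removes the `#### Verify routes` step that would have caught it, so correct the mask or keep the verification step.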
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx
index de60cce95152736..78a264f11899f94 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/index.mdx
@@ -1,6 +1,6 @@
---
pcx_content_type: concept
-title: Public hostnames
+title: Published applications
sidebar:
order: 8
---
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx
index f93922040d72ad4..b454960edb71388 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx
@@ -34,7 +34,7 @@ To establish a secure, outbound-only connection to Cloudflare:
-2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server.
+2. In the **CIDR** tab for the tunnel, enter the private IP or CIDR address of your server.
## 3. Route private network IPs through WARP
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx
index 586c6147dd6535a..747a17c3989a508 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx
@@ -16,15 +16,15 @@ Client-side `cloudflared` can be used in conjunction with [routing over WARP](/c
1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).
-2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `rdp.example.com`).
+2. In the **Published application routes** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `rdp.example.com`).
3. For **Service**, select _RDP_ and enter the [RDP listening port](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port) of your server (for example, `localhost:3389`). It will likely be port `3389`.
-4. Select **Save hostname**.
+4. Select **Save**.
## 2. (Recommended) Create an Access application
-By default, anyone on the Internet can connect to the server using its public hostname. To allow or block specific users, create a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access.
+By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access.
## 3. Connect as a user
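Review bot: the reworded sentence `By default, anyone on the Internet can connect to the server using the hostname of the published application.` is the key risk statement of this guide, yet the step is still titled `## 2. (Recommended) Create an Access application`; for a published RDP endpoint the Access policy is the only control between the Internet and the RDP service, so consider dropping `(Recommended)` or stating plainly that a published RDP route without an Access application is reachable by anyone who resolves the hostname.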
@@ -49,4 +49,4 @@ If the client machine is running Windows, port `3389` may already be consumed lo
4. Double-click the newly added PC.
5. When asked if you want to continue, select **Continue**.
-When the client launches, a browser window will open and prompt the user to authenticate with Cloudflare Access.
\ No newline at end of file
+When the client launches, a browser window will open and prompt the user to authenticate with Cloudflare Access.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel.mdx
index 4610ce4f3f1814b..34e756356c7e53e 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel.mdx
@@ -52,7 +52,7 @@ By default, Internet Explorer will be installed and configured in [Enhanced Secu
-2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the **Internal IP** of the VM instance.
+2. In the **CIDR** tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the **Internal IP** of the VM instance.
3. (Optional) [Set up Zero Trust policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx
index b159cdd9b6a0511..5ee984039e3391e 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx
@@ -26,7 +26,7 @@ You can use Cloudflare Tunnel to create a secure, outbound-only connection from
-2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server.
+2. In the **CIDR** tab for the tunnel, enter the private IP or CIDR address of your server.
3. (Optional) [Set up Zero Trust policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server.
### 2. Set up the client
@@ -71,15 +71,17 @@ The public hostname method can be implemented in conjunction with routing over W
1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).
-2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `smb.example.com`).
+2. In the **Published application routes** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `smb.example.com`).
3. For **Service**, select _TCP_ and enter the SMB listening port (for example, `localhost:445`). SMB drives listen on port `139` or `445` by default.
-4. Select **Save hostname**.
+4. Select **Save**.
-5. (Recommended) Add a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server.
+## 2. (Recommended) Create an Access application
-### 2. Connect as a user
+By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access.
+
+### 3. Connect as a user
1. [Install `cloudflared`](/cloudflare-one/connections/connect-networks/downloads/) on the client machine.
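Review bot: the new heading `## 2. (Recommended) Create an Access application` is one level too high for this file: the sibling sections here are H3 (`### 2. Set up the client` above, and the new `### 3. Connect as a user` two lines later), so an H2 here opens a new top-level section in the middle of the public hostname method instead of nesting under it. Suggest `### 2. (Recommended) Create an Access application`, matching the H3 used for step 3 of the same procedure.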
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx
index 2aeb48e4d30fee5..aa784ea6056c99d 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx
@@ -61,7 +61,7 @@ In order to be able to establish an SSH connection, do not enable [OS Login](htt
-2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the **Internal IP** of the VM instance.
+2. In the **CIDR** tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the **Internal IP** of the VM instance.
3. (Optional) [Set up Zero Trust policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared.mdx
new file mode 100644
index 000000000000000..eea4d1c71dffdac
--- /dev/null
+++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared.mdx
@@ -0,0 +1,108 @@
+---
+pcx_content_type: how-to
+title: Egress through Cloudflare Tunnel
+sidebar:
+ order: 2
+ badge:
+ text: Beta
+---
+
+import { Render, Details, GlossaryTooltip } from "~/components";
+
+
+
+Cloudflare Tunnel can be used for source IP anchoring when you want to use existing egress IPs instead of purchasing [Cloudflare dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). Some third-party websites may have an Access Control List (ACL) that only allow connections from certain source IPs. If you already a non-Cloudflare IP on their allowlist (such an egress IP provided by an ISP or a cloud provider like AWS), you can configure `cloudflared` to anchor user traffic to the same IPs that you use today.
+
+For example, assume that your organization's banking service, `app.bank.com`, expects user traffic to come from an AWS IP. You can install `cloudflared` in your AWS environment and add a public hostname route pointing to `app.bank.com`. When users connect to `app.bank.com` using the WARP client, Gateway will apply your network policies and route the filtered traffic down the corresponding Cloudflare Tunnel to AWS. The traffic can then egress to the public Internet using your AWS egress IP.
+
+```mermaid
+ flowchart LR
+ subgraph aws["AWS VPC"]
+ cloudflared["cloudflared"]
+ end
+ subgraph cloudflare[Cloudflare]
+ gateway["Gateway"]
+ end
+ subgraph internet[Internet]
+ resolver[1.1.1.1]
+ app[Application]
+ end
+ warp["WARP
+ clients"]--"app.bank.com"-->gateway--"Network traffic"-->cloudflared
+ gateway<-.DNS lookup.->resolver
+ aws--AWS egress IP -->app
+```
+
+To learn more about how Gateway applies hostname-based egress policies, refer to the [Cloudflare blog](https://blog.cloudflare.com/egress-policies-by-hostname/).
+
+## Prerequisites
+
+User traffic is on-ramped to Gateway using one of the following methods:
+
+
+
+## 1. Connect your private network
+
+[Connect your private network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/) to Cloudflare using `cloudflared`. For example, if you want traffic to egress from AWS, connect the private CIDR block of your AWS VPC.
+
+## 2. Add a public hostname route
+
+To route a public hostname through Cloudflare Tunnel:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Networks** > **Routes** > **Hostname routes**.
+
+2. Select **Create hostname route**.
+
+3. In **Hostname**, enter the public hostname that represents the application (for example, `app.bank.com`). The hostname should be accessible from the public Internet.
+
+4. For **Tunnel**, select the Cloudflare Tunnel that is being used to connect the private network to Cloudflare.
+
+5. Select **Create route**.
+
+## 3. Route network traffic through WARP
+
+In your WARP [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration, route the following IP addresses through the WARP tunnel to Gateway.
+
+### Initial resolved IPs
+
+When users connect to a public hostname route, Gateway will assign an initial resolved IP to the DNS query from the following range:
+
+The initial resolved IP is required because Gateway's network engine operates at L3/L4 and can only see IPs (not hostnames) when processing the connection. If a packet's destination IP falls within the initial resolved IP CGNAT range, Gateway knows that the IP maps to a public hostname route and sends the traffic down the corresponding Cloudflare Tunnel.
+
+To route initial resolved IPs through WARP:
+
+
+
+### Private network IPs
+
+Your private network's CIDR block should also route through the WARP tunnel. For a detailed configuration example, refer to [Connect a private network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp).
+
+## 4. (Optional) Configure network policies
+
+You can build [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) to filter HTTPS traffic to your public hostname on port `443`. For example, suppose that you want to block all WARP users from accessing `app.bank.com` except for a specific set of users or groups. Additionally, those authorized users should only access `app.bank.com` using your AWS egress IP. You can accomplish this using two policies: the first allows specific users to reach `app.bank.com`, and the second blocks all other port `443` traffic to `app.bank.com`.
+
+1. Allow company employees:
+
+
+2. Block everyone else on port `443`:
+
+ | Selector | Operator | Value | Action |
+ | -------------- | -------- | ------------ | ------ |
+ | SNI | in | `app.bank.com` | Block |
+
+Gateway does not currently support hostname-based filtering for traffic on non-`443` ports. To block traffic to `app.bank.com` on all ports, you will need to use the [Destination IP](/cloudflare-one/policies/gateway/network-policies/#destination-ip) selector and specify the public IP space of `app.bank.com`.
+
+## 5. Test the connection
+
+From a WARP device, open a browser and go to `app.bank.com`.
+
+You can search for `app.bank.com` in your [Gateway DNS logs](/cloudflare-one/insights/logs/gateway-logs/); the **DNS response details** section should show the public resolved IPs as well as an initial resolved IP. You can also check your [Cloudflare Tunnel logs](/cloudflare-one/connections/connect-networks/monitor-tunnels/logs/) to confirm that requests are routing through the tunnel to the public resolved IPs.
\ No newline at end of file
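Review bot: the intro sentence is missing words: `If you already a non-Cloudflare IP on their allowlist (such an egress IP provided by an ISP...` should read `If you already have a non-Cloudflare IP on their allowlist (such as an egress IP provided by an ISP or a cloud provider like AWS)`, and `an Access Control List (ACL) that only allow connections` needs `allows`. Three further points in this file. Under `### Initial resolved IPs`, `Gateway will assign an initial resolved IP to the DNS query from the following range:` ends at the colon with no range visible in this diff, while the same patch deletes the literal `100.80.0.0/16` from egress-policies/index.mdx; confirm whatever renders there states the range, otherwise the reader has nothing to enter in the Split Tunnel configuration in step 3. In `## 4. (Optional) Configure network policies`, the allow policy under `1. Allow company employees:` is not visible here, but the block policy keys on `SNI in app.bank.com`; make sure the allow policy also matches on the `app.bank.com` SNI rather than a destination CIDR, since the text promises it `allows specific users to reach app.bank.com`, and for a single hostname `is` is the natural operator (`in` takes a list). Finally, the step is titled `Block everyone else on port 443` and the prose says `blocks all other port 443 traffic`, but the table has no port condition; either add a Destination Port `443` row or drop the port qualifier from the title.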
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx
index c75408404131d4d..e86733c2bbdd20d 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx
@@ -11,6 +11,7 @@ import {
Tabs,
TabItem,
Details,
+ GlossaryTooltip,
APIRequest,
} from "~/components";
@@ -219,34 +220,11 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl
### Selector prerequisites
-
-
-| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
-| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
-| Gateway with WARP | Enterprise |
-
-| System | Availability | Minimum WARP version |
-| -------- | ------------ | -------------------- |
-| Windows | β
| 2025.4.929.0 |
-| macOS | β
| 2025.4.929.0 |
-| Linux | β
| 2025.4.929.0 |
-| iOS | β | |
-| Android | β | |
-| ChromeOS | β | |
-
-
-
The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic on-ramped to Gateway with the following methods:
-| On-ramp method | Compatibility |
-| ------------------------------------------------------------------------------------------ | ------------- |
-| [WARP](/cloudflare-one/connections/connect-devices/warp/) | β
|
-| [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/) | β
|
-| [Browser Isolation](/cloudflare-one/policies/browser-isolation/) | β
|
-| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | β |
-| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/) | β |
+
-When you use these selectors in an egress policy for traffic from a supported on-ramp, Gateway will assign initial resolved IPs in the `100.80.0.0/16` range to the DNS queries, then apply the correct egress IP according to the egress policy. Unsupported traffic will be resolved with your default Gateway settings. Gateway will only overwrite the DNS response when the query matches a condition in the egress policy. If you use [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) to send a DNS query to Gateway with IPv4, IPv6, DoT, or DoH, Gateway will not return the initial resolved IP for supported traffic nor resolve unsupported traffic.
+When you use these selectors in an egress policy for traffic from a supported on-ramp, Gateway will assign initial resolved IPs to the DNS queries, then apply the correct egress IP according to the egress policy. Unsupported traffic will be resolved with your default Gateway settings. Gateway will only overwrite the DNS response when the query matches a condition in the egress policy. If you use [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) to send a DNS query to Gateway with IPv4, IPv6, DoT, or DoH, Gateway will not return the initial resolved IP for supported traffic nor resolve unsupported traffic.
Gateway will overwrite the DNS response for all supported traffic, even if you use identity or device posture selectors to limit which users or devices are affected by the policy. In these cases, while the DNS response is overwritten, Gateway will still apply the correct egress policy.
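Review bot: the change to `Gateway will assign initial resolved IPs to the DNS queries` drops the literal `100.80.0.0/16`, and the deleted tables were the only visible statement of the minimum WARP version (`2025.4.929.0`), the unsupported client platforms, and the on-ramps that do not support these selectors (WARP Connector, Magic WAN). Nothing replaces them in the diff as shown, so confirm the shared component inserted above preserves the exact CIDR and the compatibility matrix; the Split Tunnel steps in this patch depend on the reader knowing that range.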
@@ -288,26 +266,6 @@ Additionally, to use these selectors to filter traffic onboarded with WARP, you
```
-{/* prettier-ignore-start */}
-
-2. In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
-
-
- 1. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.
- 2. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses:
- - `100.64.0.0/12`
- - `100.81.0.0/16`
- - `100.82.0.0/15`
- - `100.84.0.0/14`
- - `100.88.0.0/13`
- - `100.96.0.0/11`
-
-
- 1. Add the required [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/connections/connect-devices/warp/ configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
- 2. [Add a route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include the IP address `100.80.0.0/16`.
-
-
+2.
The WARP client must be set to _Gateway with WARP_ mode for traffic affected by these selectors to route correctly.
-
-{/* prettier-ignore-end */}
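Review bot: step `2.` at the end of this hunk has no text in the diff as shown, and the removed block was the only place that spelled out the Split Tunnel exclude list (`100.64.0.0/12`, `100.81.0.0/16`, `100.82.0.0/15`, `100.84.0.0/14`, `100.88.0.0/13`, `100.96.0.0/11`, which together are `100.64.0.0/10` minus `100.80.0.0/16`) and the include-mode route `100.80.0.0/16`. Confirm the component that now fills step 2 reproduces both mode variants exactly: an incomplete exclude list sends the rest of the CGNAT range through WARP, and a missing include route means the initial resolved IPs never reach Gateway.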
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
index fa70179aa2e9bda..e3b23d64c6bd0f2 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
@@ -197,11 +197,7 @@ The following example consists of two policies: the first allows specific users
-| Selector | Operator | Value | Logic | Action |
-| -------------- | ------------- | ---------------- | ----- | ------ |
-| Destination IP | in | `10.0.0.0/8` | And | Allow |
-| User Email | matches regex | `.*@example.com` | | |
-
+
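Review bot: the allow policy being moved into a shared component uses `User Email matches regex .*@example.com`; if the component keeps that pattern, anchor it and escape the dot (`^.*@example\.com$`), because an unanchored match also accepts addresses such as `user@example.com.attacker.net`. Worth fixing once in the partial now that it is reused by the new egress page as well.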
@@ -228,9 +224,7 @@ The following example consists of two policies: the first allows specific users
-| Selector | Operator | Value | Action |
-| -------------- | -------- | ------------ | ------ |
-| Destination IP | in | `10.0.0.0/8` | Block |
+
diff --git a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx
index 32671b0e8b5b622..44ebfda849204a0 100644
--- a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx
@@ -25,7 +25,8 @@ First, install `cloudflared` on a server in your private network:
## Add private network routes
-1. In the **Private Networks** tab, add the following IP addresses:
+1. In the **CIDR** tab, add the following IP addresses:
+
- Private IP/CIDR of your application server (for example, `10.128.0.175/32`)
- Private IP/CIDR of your DNS server
diff --git a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx
index a47f62dbd042bd3..2996dabd67781c6 100644
--- a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx
@@ -26,7 +26,7 @@ Install `cloudflared` on a server in your private network. This server should ha
## Add private network routes
-1. In the **Private Networks** tab, add the following IP addresses:
+1. In the **CIDR** tab, add the following IP addresses:
- Private IP/CIDR of your MySQL server (for example, `10.128.0.175/32`)
- (Optional) Private IP/CIDR of your internal DNS server
diff --git a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
index c82f79fe941eddd..97c7c72026f7bba 100644
--- a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
@@ -92,11 +92,11 @@ Your bucket policy will allow your VPC to access your S3 bucket.
A bucket website endpoint will be available at `http://.s3-website..amazonaws.com`. Because of the bucket policy, this website endpoint will only be accessible from the VPC with the VPC endpoint configured.
-### 4. Add a new public hostname to the Cloudflare Tunnel
+### 4. Add a published application to the Cloudflare Tunnel
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**
2. Select your Tunnel, then select **Configure**.
-3. Go to **Public Hostname**, then select **Add a public hostname**.
+3. Go to **Published applications**, then select **Add a public hostname**.
4. Enter a subdomain your organization will use to access the S3 bucket. For example, `s3-bucket..com`.
5. Under **Service**, choose _HTTP_ for **Type**. In **URL**, enter `.s3-website..amazonaws.com`.
6. In **Additional application settings** > **HTTP Settings**, input the **HTTP Host Header** as `.s3-website..amazonaws.com`.
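Review bot: the tab and button names in step 3 are inconsistent with the rest of this patch: `Go to **Published applications**, then select **Add a public hostname**` uses `Published applications` where rdp-cloudflared-authentication.mdx, smb.mdx and the Hyperdrive page use `Published application routes`, and it keeps the `Add a public hostname` label that this patch is retiring, right under a heading that now says `Add a published application`. Align the tab name with `Published application routes` and update the button label to the current dashboard text. Step 1 is also missing its terminating period.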
diff --git a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx
index 2f4536549d64da9..2c6a3dc9aff0423 100644
--- a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx
@@ -72,7 +72,7 @@ After creating your virtual networks, route your private network CIDRs over each
1. Go to **Networks** > **Tunnels**.
2. Select your tunnel routing `10.0.0.0/8`, then select **Configure**.
-3. Go to **Private Network**. Select the `10.0.0.0/8` route.
+3. Go to **Private Networks**. Select the `10.0.0.0/8` route.
4. In **Additional settings**, choose your first virtual network. For example, `vnet-AMER`.
5. Select **Save private network**.
6. To route `10.0.0.0/8` over another virtual network, select **Add a private network**.
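Review bot: this hunk renames the tab to `Private Networks` while every other file in the patch renames the same tab to `CIDR` (rdp-warp-to-tunnel.mdx, smb.mdx, ssh-warp-to-tunnel.mdx, clientless-access-private-dns.mdx, mysql-network-policy.mdx, replace-vpn/cloudflared.mdx, load-balancing/tunnels-setup.mdx), and steps 5 and 6 keep `Save private network` and `Add a private network`, which tunnels-setup.mdx in this same patch changes to `Save` and `Add a CIDR route`. Suggest `3. Go to the **CIDR** tab. Select the 10.0.0.0/8 route.` and updating steps 5 and 6 to match.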
diff --git a/src/content/docs/data-localization/compatibility.mdx b/src/content/docs/data-localization/compatibility.mdx
index 4089505cb748cb5..83fe4db69aa9107 100644
--- a/src/content/docs/data-localization/compatibility.mdx
+++ b/src/content/docs/data-localization/compatibility.mdx
@@ -145,9 +145,7 @@ The table below provides a summary of the Data Localization Suite product's beha
[^16]: Customer Metadata Boundary can be used to limit data transfer outside region, but Access User Logs will not be available outside US region. EU customers must use Logpush to retain logs.
[^17]: Currently may only be used with US FedRAMP region.
-
-[^18]: When Cloudflare Tunnel connects to Cloudflare, the connectivity options available are the Global Region (default) and [US FedRAMP Moderate Domestic region](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region). For incoming requests to the Cloudflare Edge, Regional Services only applies when using [Public Hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/). In this case, the region associated with the DNS record will apply.
-
+[^18]: When Cloudflare Tunnel connects to Cloudflare, the connectivity options available are the Global Region (default) and [US FedRAMP Moderate Domestic region](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region). For incoming requests to the Cloudflare Edge, Regional Services only applies when using [published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/). In this case, the region associated with the DNS record will apply.
[^19]: Uses Gateway HTTP and CASB.
[^20]: You can [bring your own certificate](https://blog.cloudflare.com/bring-your-certificates-cloudflare-gateway/) to Gateway but these cannot yet be restricted to a specific region.
diff --git a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
index f468561b7b48199..6c9337109f8a1be 100644
--- a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
+++ b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
@@ -46,15 +46,13 @@ First, create a [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks
### 1.2. Connect your database using a public hostname
-Your tunnel must be configured to use a public hostname so that Hyperdrive can route requests to it. If you don't have a hostname on Cloudflare yet, you will need to [register a new hostname](/registrar/get-started/register-domain/) or [add a zone](/dns/zone-setups/) to Cloudflare to proceed.
+Your tunnel must be configured to use a public hostname on Cloudflare so that Hyperdrive can route requests to it. If you don't have a hostname on Cloudflare yet, you will need to [register a new hostname](/registrar/get-started/register-domain/) or [add a zone](/dns/zone-setups/) to Cloudflare to proceed.
-
-1. In the **Public Hostnames** tab, choose a **Domain** and specify any subdomain or path information. This will be used in your Hyperdrive configuration to route to this tunnel.
+1. In the **Published application routes** tab, choose a **Domain** and specify any subdomain or path information. This will be used in your Hyperdrive configuration to route to this tunnel.
2. In the **Service** section, specify **Type** `TCP` and the URL and configured port of your database, such as `localhost:5432` or `my-database-host.database-provider.com:5432`. This address will be used by the tunnel to route requests to your database.
3. Select **Save tunnel**.
-
:::note
If you are setting up the tunnel through the CLI instead ([locally-managed tunnel](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/)), you will have to complete these steps manually. Follow the Cloudflare Zero Trust documentation to [add a public hostname to your tunnel](/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns/) and [configure the public hostname to route to the address of your database](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/configuration-file/).
diff --git a/src/content/docs/learning-paths/clientless-access/alternative-onramps/index.mdx b/src/content/docs/learning-paths/clientless-access/alternative-onramps/index.mdx
index a059f15734c6db9..f33c92ddf8b5ecc 100644
--- a/src/content/docs/learning-paths/clientless-access/alternative-onramps/index.mdx
+++ b/src/content/docs/learning-paths/clientless-access/alternative-onramps/index.mdx
@@ -6,7 +6,7 @@ sidebar:
---
-As discussed in the previous modules, almost everything you do with the Cloudflare reverse proxy requires [adding a site](/learning-paths/clientless-access/initial-setup/add-site/) to Cloudflare. That public DNS record (or its subdomains) becomes the domain on which your users access your private applications. This method is exceptionally secure and transparent; each domain and subdomain has access to the Cloudflare web security portfolio, are inherently DDoS protected, and receive an obfuscated origin IP. For these reasons, [public hostname routing](/learning-paths/clientless-access/connect-private-applications/) is the recommended method to onboard applications for clientless user access. However, there may be times in which a public DNS record cannot be created, or other situations that prevent administrators from using this method.
+As discussed in the previous modules, almost everything you do with the Cloudflare reverse proxy requires [adding a site](/learning-paths/clientless-access/initial-setup/add-site/) to Cloudflare. That public DNS record (or its subdomains) becomes the domain on which your users access your private applications. This method is exceptionally secure and transparent; each domain and subdomain has access to the Cloudflare web security portfolio, are inherently DDoS protected, and receive an obfuscated origin IP. For these reasons, using a [public hostname on Cloudflare](/learning-paths/clientless-access/connect-private-applications/) is the recommended method to onboard applications for clientless user access. However, there may be times in which a public DNS record cannot be created, or other situations that prevent administrators from using this method.
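Review bot: the rewritten sentence keeps a subject-verb mismatch from the original: `each domain and subdomain has access to the Cloudflare web security portfolio, are inherently DDoS protected, and receive an obfuscated origin IP`. Suggest `is inherently DDoS protected, and receives an obfuscated origin IP` so all three verbs agree with `each domain and subdomain`.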
## Objectives
diff --git a/src/content/docs/learning-paths/clientless-access/connect-private-applications/create-tunnel.mdx b/src/content/docs/learning-paths/clientless-access/connect-private-applications/create-tunnel.mdx
index 7fe37db7dd75a42..56ae96e185dd179 100644
--- a/src/content/docs/learning-paths/clientless-access/connect-private-applications/create-tunnel.mdx
+++ b/src/content/docs/learning-paths/clientless-access/connect-private-applications/create-tunnel.mdx
@@ -8,7 +8,7 @@ sidebar:
import { Render } from "~/components"
-To enable clientless access to your applications, you will need to create a Cloudflare Tunnel that contains public hostname routes. A public hostname route creates a public DNS record that routes traffic to a specific address, protocol, and port associated with a private application. For example, you can define a public hostname (`mywebapp.example.com`) to provide access to a web server running on `https://localhost:8080`. When a user goes to `mywebapp.example.com` in their browser, their request will first route to a Cloudflare data center where it is inspected against your configured security policies. Cloudflare will then forward validated requests down your tunnel to the web server.
+To enable clientless access to your applications, you will need to create a Cloudflare Tunnel that publishes applications to a domain on Cloudflare. A published application creates a public DNS record that routes traffic to a specific address, protocol, and port associated with a private application. For example, you can define a public hostname (`mywebapp.example.com`) to provide access to a web server running on `https://localhost:8080`. When a user goes to `mywebapp.example.com` in their browser, their request will first route to a Cloudflare data center where it is inspected against your configured security policies. Cloudflare will then forward validated requests down your tunnel to the web server.

@@ -18,11 +18,11 @@ To create a Cloudflare Tunnel:
-## Connect an application
+## Publish an application
-To add a public hostname route to the tunnel:
+To route an application to a public hostname:
-
+
All users on the Internet can now connect to this application via its public hostname. In [Module 4: Secure your applications](/learning-paths/clientless-access/access-application/), we will discuss how to restrict access to authorized users.
diff --git a/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx b/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx
index 60d0bcf31f48457..449633a6b4ad3a4 100644
--- a/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx
+++ b/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx
@@ -7,7 +7,7 @@ sidebar:
import { Details, Render } from "~/components";
-This guide covers how to use the [Cloudflare Terraform provider](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) to quickly publish and secure a private application. In the following example, we will add a new public hostname route to an existing Cloudflare Tunnel, configure how `cloudflared` proxies traffic to the application, and secure the application with Cloudflare Access.
+This guide covers how to use the [Cloudflare Terraform provider](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) to quickly publish and secure a private application. In the following example, we will add a new published application to an existing Cloudflare Tunnel, configure how `cloudflared` proxies traffic to the application, and secure the application with Cloudflare Access.
## Prerequisites
@@ -73,7 +73,7 @@ To prevent accidentally exposing your Cloudflare credentials, do not save this f
Add the following resources to your Terraform configuration.
-### Add public hostname route to Cloudflare Tunnel
+### Add published application to Cloudflare Tunnel
Using the [`cloudflare_tunnel_config`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/tunnel_config) resource, create an ingress rule that maps your application to a public DNS record. This example makes `localhost:8080` available on `app.mycompany.com`, sets the [Connect Timeout](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#connecttimeout), and enables [Access JWT validation](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#access).
@@ -105,7 +105,7 @@ resource "cloudflare_tunnel_config" "example_config" {
:::note
-Public hostname configurations must include a catch-all ingress rule at the bottom of the file.
+Published application configurations must include a catch-all ingress rule at the bottom of the file.
:::
### Create an Access application
diff --git a/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx b/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx
index 948b6e68733db2b..1cb7f55f722866f 100644
--- a/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx
+++ b/src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx
@@ -20,7 +20,7 @@ To connect your private network:
-9. In the **Private Networks** tab, enter the CIDR of your private network (for example, `10.0.0.0/8`).
+9. In the **CIDR** tab, enter the CIDR of your private network (for example, `10.0.0.0/8`).
10. Select **Save tunnel**.
diff --git a/src/content/docs/load-balancing/additional-options/cloudflare-tunnel.mdx b/src/content/docs/load-balancing/additional-options/cloudflare-tunnel.mdx
index 3cc8dff4d7d4a09..bfd06ddd84588b5 100644
--- a/src/content/docs/load-balancing/additional-options/cloudflare-tunnel.mdx
+++ b/src/content/docs/load-balancing/additional-options/cloudflare-tunnel.mdx
@@ -1,6 +1,6 @@
---
pcx_content_type: navigation
-title: Cloudflare Tunnel (public hostnames)
+title: Cloudflare Tunnel (published applications)
sidebar:
order: 2
head:
diff --git a/src/content/docs/load-balancing/private-network/tunnels-setup.mdx b/src/content/docs/load-balancing/private-network/tunnels-setup.mdx
index a99bcd9f55d21a3..f2d9cb34a807761 100644
--- a/src/content/docs/load-balancing/private-network/tunnels-setup.mdx
+++ b/src/content/docs/load-balancing/private-network/tunnels-setup.mdx
@@ -28,9 +28,9 @@ To assign the virtual network to the tunnel:
1. Go to **Networks** > **Tunnels**.
2. Select the tunnel you created in the previous steps and select **Configure**.
-3. Under **Private Network**, select **Add a private network**.
-4. Specify an IP range under **CIDR** and select the virtual network under **Additional settings**.
-5. Select **Save private network**.
+3. Go to the **CIDR** tab and select **Add a CIDR route**.
+4. Enter an IP range and select the virtual network under **Additional settings**.
+5. Select **Save**.
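Review bot: step 3 tells the reader to "select **Add a CIDR route**", while the other partials in this diff that touch the same tab (`connect-private-network/cloudflared.mdx` and `connect-private-network-infra-access.mdx`) only say "In the **CIDR** tab, enter the CIDR"; if the button exists, those partials should mention it too, and if the form opens directly, drop it here. Step 5 "Select **Save**" matches the ssh and cloud-public-hostname partials but not the **Complete setup** label used in `add-published-application.mdx`; worth a check against the current UI.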
diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
index 3bd4da303dc5b4a..1e1e0869a6e4909 100644
--- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
+++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
@@ -264,7 +264,7 @@ We recommend using our Cloudflare Access product for remote access to your inter
In a lot of cases, you may even use both products for application access. For example, if you're self-hosting [Sentry](https://sentry.io/) β which is not currently available on the public Internet β follow these steps:
1. Set up a public hostname with Cloudflare Access (which your users would navigate to Sentry on).
-2. Install a Cloudflare Tunnel with an associated Public Hostname route to point to your local Sentry service.
+2. Install a Cloudflare Tunnel with an associated **Published application** to point to your local Sentry service.
3. Integrate Sentry with Access for SaaS as the SSO provider.
Now, users reaching the application from outside your network will already carry the Cloudflare JWT, and will be seamlessly authenticated into your application.
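Review bot: step 2 bolds **Published application** as if it were a UI label, but every other hunk in this change names the tab **Published application routes** (ssh partial, cloud-public-hostname partial); use the same label here so readers can find it. Step 1 still reads "Set up a public hostname with Cloudflare Access", which is fine because it refers to the Access application hostname rather than the tunnel route, but confirm that is the intent since the term was retired elsewhere in this diff.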
diff --git a/src/content/glossary/cloudflare-one.yaml b/src/content/glossary/cloudflare-one.yaml
index 6d6218f5e508156..1f5b92535c5c1d0 100644
--- a/src/content/glossary/cloudflare-one.yaml
+++ b/src/content/glossary/cloudflare-one.yaml
@@ -107,6 +107,10 @@ entries:
general_definition: |-
an identity provider (IdP) stores and manages users' digital identities, enabling single sign-on and authentication for multiple applications.
+ - term: initial resolved IP
+ general_definition: |-
+ a unique, ephemeral IP address that Gateway assigns to DNS queries when filtering network traffic by hostname. The IP is randomly selected from the `100.80.0.0/16` (IPv4) or `2606:4700:0cf1:4000::/64` (IPv6) range.
+
- term: JSON web token
general_definition: |-
a compact way to securely transmit information between parties as a JSON object, often used for authentication.
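Review bot: the new glossary entry hard-codes `100.80.0.0/16` and `2606:4700:0cf1:4000::/64`, the same two values that the new `egress-selector-cgnat-ips.mdx` partial carries, and a YAML glossary cannot `<Render>` that partial, so leave a comment in both places pointing at the other to keep them from drifting. Wording: "assigns to DNS queries" reads oddly for an address that is handed back in a DNS answer; "returns in the DNS response for the hostname" (or whatever the exact product behaviour is) would be clearer.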
diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx
index 6b5dbe4623478eb..b804626c4c5be28 100644
--- a/src/content/partials/cloudflare-one/access/add-target.mdx
+++ b/src/content/partials/cloudflare-one/access/add-target.mdx
@@ -19,7 +19,7 @@ To create a new target:
) :
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Targets**.
2. Select **Add a target**.
3. In **Target hostname**, enter a user-friendly name for the target. We recommend using the server hostname, for example `production-server`. The target hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the targets secured by an Access application; they are not used for DNS address resolution.
-
+
- Case insensitive
- Contain no more than 253 characters
- Contain only alphanumeric characters, `-`, or `.` (no spaces allowed)
diff --git a/src/content/partials/cloudflare-one/gateway/egress-selector-cgnat-ips.mdx b/src/content/partials/cloudflare-one/gateway/egress-selector-cgnat-ips.mdx
new file mode 100644
index 000000000000000..ea9c95d04ff8dfe
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/egress-selector-cgnat-ips.mdx
@@ -0,0 +1,7 @@
+---
+{}
+
+---
+
+- **IPv4**: `100.80.0.0/16`
+- **IPv6**: `2606:4700:0cf1:4000::/64`
\ No newline at end of file
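Review bot: the front matter here is `---`, `{}`, blank line, `---`, whereas the other new partials in this change (`egress-selector-split-tunnels.mdx`, `egress-selector-warp-version.mdx`) omit the blank line; pick one form. The file is also written without a trailing newline (`\ No newline at end of file`), as are several other files in this diff; editors and linters will keep rewriting that last line, so end the file with a newline.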
diff --git a/src/content/partials/cloudflare-one/gateway/egress-selector-onramps.mdx b/src/content/partials/cloudflare-one/gateway/egress-selector-onramps.mdx
new file mode 100644
index 000000000000000..0745f646f7d503d
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/egress-selector-onramps.mdx
@@ -0,0 +1,21 @@
+---
+{}
+
+---
+
+import { Render, Details, GlossaryTooltip } from "~/components"
+
+| On-ramp method | Compatibility |
+| ------------------------------------------------------------------------------------------ | ------------- |
+| [WARP](/cloudflare-one/connections/connect-devices/warp/) | β
|
+| [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/) | β
|
+| [Browser Isolation](/cloudflare-one/policies/browser-isolation/) | β
|
+| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | β
|
+| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/) | π§[^1] |
+
+[^1]: Not compatible with [ECMP routing](/magic-wan/reference/traffic-steering/#equal-cost-multi-path-routing). For hostname-based routing to work, DNS queries and the resulting network traffic must reach Cloudflare over the same Magic WAN tunnel.
+
+
\ No newline at end of file
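Review bot: `Render`, `Details` and `GlossaryTooltip` are imported but none of them is referenced in the visible lines of this partial; if the table and footnote are the whole file, drop the import line, and if a `<Details>` wrapper exists outside what this diff shows, ignore this. The two trailing blank lines plus the missing final newline at the end of the file are also worth tidying.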
diff --git a/src/content/partials/cloudflare-one/gateway/egress-selector-split-tunnels.mdx b/src/content/partials/cloudflare-one/gateway/egress-selector-split-tunnels.mdx
new file mode 100644
index 000000000000000..dd94f62232b2967
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/egress-selector-split-tunnels.mdx
@@ -0,0 +1,25 @@
+---
+{}
+---
+
+import { Tabs, TabItem, Render } from "~/components"
+
+In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
+
+
+
+ 1. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.
+ 2. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses:
+ - `100.64.0.0/12`
+ - `100.81.0.0/16`
+ - `100.82.0.0/15`
+ - `100.84.0.0/14`
+ - `100.88.0.0/13`
+ - `100.96.0.0/11`
+
+
+
+ 1. Add the required [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
+ 2. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include the following IP addresses:
+
+
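Review bot: the Exclude-mode arithmetic checks out: removing `100.64.0.0/10` and re-adding `100.64.0.0/12`, `100.81.0.0/16`, `100.82.0.0/15`, `100.84.0.0/14`, `100.88.0.0/13` and `100.96.0.0/11` leaves exactly `100.80.0.0/16` routed through WARP, which matches the IPv4 range in `egress-selector-cgnat-ips.mdx`. Two gaps: step 1 calls `100.64.0.0/10` "the IP address" when it is a CIDR range; and the Include-mode step 2 ends with "include the following IP addresses:" with no list following in this diff, so confirm the `<Render>` of the CGNAT partial is present there. Neither mode mentions the IPv6 range `2606:4700:0cf1:4000::/64`; if no Split Tunnel change is needed for it, say so explicitly, otherwise add the step.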
diff --git a/src/content/partials/cloudflare-one/gateway/egress-selector-warp-version.mdx b/src/content/partials/cloudflare-one/gateway/egress-selector-warp-version.mdx
new file mode 100644
index 000000000000000..78b05755c32e9ea
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/egress-selector-warp-version.mdx
@@ -0,0 +1,22 @@
+---
+{}
+---
+
+import { Details } from "~/components"
+
+
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) |
+| ----------------------------------------------------------------------------------------- |
+| Gateway with WARP |
+
+| System | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows | β
| 2025.4.929.0 |
+| macOS | β
| 2025.4.929.0 |
+| Linux | β
| 2025.4.929.0 |
+| iOS | β
| 1.11 |
+| Android | β
| 2.4.2 |
+| ChromeOS | β
| 2.4.2 |
+
+
diff --git a/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-allow.mdx b/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-allow.mdx
new file mode 100644
index 000000000000000..4e453523e39abb5
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-allow.mdx
@@ -0,0 +1,8 @@
+---
+inputParameters: selector;;value
+---
+
+| Selector | Operator | Value | Logic | Action |
+| -------------- | ------------- | ---------------- | ----- | ------ |
+| {props.selector} | in | {props.value} | And | Allow |
+| User Email | matches regex | `.*@example.com` | | |
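Review bot: the User Email value `.*@example.com` is an unanchored pattern with an unescaped dot, so unless Gateway anchors the expression implicitly it also matches `alice@example.community` or `alice@examplexcom`; for an Allow policy that grants private-network access, the table readers will copy verbatim should show an anchored, escaped form such as `^.*@example\.com$`. The same value appears in `restrict-access-to-private-networks-dns.mdx` below.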
diff --git a/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-block.mdx b/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-block.mdx
new file mode 100644
index 000000000000000..3b9f11e6ef1ca2b
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-block.mdx
@@ -0,0 +1,7 @@
+---
+{}
+---
+
+| Selector | Operator | Value | Action |
+| -------------- | -------- | ------------ | ------ |
+| Destination IP | in | `10.0.0.0/8` | Block |
\ No newline at end of file
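Review bot: this catch-all Block covers only `10.0.0.0/8`, while the `catch-all-policy.mdx` partial added in the same change tells readers to block "your private IP space"; a reader whose tunnel routes `172.16.0.0/12` or `192.168.0.0/16` (the AWS default `172.31.0.0/16` used as the example elsewhere in this diff is one of them) will copy this table and leave those ranges open. Either list all three RFC 1918 ranges in the Value cell (the `in` operator takes a list) or state in the surrounding text that the example assumes a `10.0.0.0/8` network. The file also lacks a trailing newline.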
diff --git a/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-dns.mdx b/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-dns.mdx
new file mode 100644
index 000000000000000..293b0d23be0ff03
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/policies/restrict-access-to-private-networks-dns.mdx
@@ -0,0 +1,8 @@
+---
+{}
+---
+
+| Selector | Operator | Value | Logic | Action |
+| -------------- | ------------- | ---------------- | ----- | ------ |
+| Host | in | `wiki.internal.local` | And | Allow |
+| User Email | matches regex | `.*@example.com` | | |
diff --git a/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx b/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx
new file mode 100644
index 000000000000000..18e26f0da22632d
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx
@@ -0,0 +1,6 @@
+---
+{}
+
+---
+
+[Resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) provide similar functionality to Local Domain Fallback but occur in Cloudflare Gateway rather than on the local device. This option is recommended if you want more granular control over private DNS resolution. For example, you can ensure that all users in a specific geography use the private DNS server closest to them, ensure that specific conditions are met before resolving private DNS traffic, and apply [Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/) to private DNS traffic.
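Review bot: this partial drops the word "Custom" from the paragraph it replaces in `private-dns.mdx` (`[Custom resolver policies]` becomes `[Resolver policies]`), but the troubleshooting partial later in this diff still says "custom resolver policies" in its unchanged context line; settle on one term. The front matter also has the stray blank line between `{}` and the closing `---` noted on `egress-selector-cgnat-ips.mdx`.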
diff --git a/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx
index ac1790edaa43f53..e0c09517e822112 100644
--- a/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx
+++ b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx
@@ -4,10 +4,10 @@
1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).
-2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `ssh.example.com`).
+2. In the **Published application routes** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `ssh.example.com`).
3. For **Service**, select _SSH_ and enter `localhost:22`. If the SSH server is on a different machine from where you installed the tunnel, enter `:22`.
-4. Select **Save hostname**.
+4. Select **Save**.
5. (Recommended) Add a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server.
diff --git a/src/content/partials/cloudflare-one/tunnel/add-public-hostname.mdx b/src/content/partials/cloudflare-one/tunnel/add-published-application.mdx
similarity index 86%
rename from src/content/partials/cloudflare-one/tunnel/add-public-hostname.mdx
rename to src/content/partials/cloudflare-one/tunnel/add-published-application.mdx
index b609f6b251b3eda..f11775736d94343 100644
--- a/src/content/partials/cloudflare-one/tunnel/add-public-hostname.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/add-published-application.mdx
@@ -3,7 +3,7 @@
---
-1. In the **Public Hostnames** tab, select **Add a public hostname**.
+1. Go to the **Published application routes** tab.
2. Enter a subdomain and select a **Domain** from the dropdown menu. Specify any subdomain or path information.
:::note
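Review bot: step 1 lost its action: the old line told the reader to select **Add a public hostname**, the new one only says "Go to the **Published application routes** tab", and step 2 immediately asks for a subdomain and domain. If the new UI shows the form as soon as the tab opens, say so; otherwise name the button to select.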
@@ -14,4 +14,4 @@
4. Under **Additional application settings**, specify any [parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/) you would like to add to your tunnel configuration.
-5. Select **Save hostname**.
\ No newline at end of file
+5. Select **Complete setup**.
\ No newline at end of file
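Review bot: this partial ends the flow with **Complete setup**, while `ssh/tunnel-public-hostname.mdx` and `cloud-public-hostname.mdx` in the same diff end the same flow with **Save**; if the label really differs by entry point that is fine, otherwise one of them is stale. The file is also renamed to `add-published-application.mdx`, so every `<Render file="add-public-hostname" ...>` caller needs the new name; none is updated in this diff, so confirm the site build passes.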
diff --git a/src/content/partials/cloudflare-one/tunnel/catch-all-policy.mdx b/src/content/partials/cloudflare-one/tunnel/catch-all-policy.mdx
new file mode 100644
index 000000000000000..798067db655e6b0
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/catch-all-policy.mdx
@@ -0,0 +1,6 @@
+---
+{}
+---
+
+To prevent WARP users from accessing your entire private network, we recommend creating a [catch-all block policy](/learning-paths/replace-vpn/build-policies/create-policy/#catch-all-policy) for your private IP space. You can then layer on higher priority Allow policies which grant users access to specific applications or IPs.
+
diff --git a/src/content/partials/cloudflare-one/tunnel/cloud-create-tunnel.mdx b/src/content/partials/cloudflare-one/tunnel/cloud-create-tunnel.mdx
index 473e2e17196246c..68ebb4ec9c8c204 100644
--- a/src/content/partials/cloudflare-one/tunnel/cloud-create-tunnel.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/cloud-create-tunnel.mdx
@@ -5,7 +5,7 @@ inputParameters: param1;;param2
import { Markdown } from "~/components"
-Next, we will create a Cloudflare Tunnel in Zero Trust and run the tunnel on the {props.one}.
+Create a Cloudflare Tunnel in Zero Trust and run the tunnel on the {props.one}.
1. Log in to [Zero Trust](https://one.dash.cloudflare.com) and go to **Networks** > **Tunnels**.
diff --git a/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx b/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx
index e80fa2c455286fd..6040178579476ec 100644
--- a/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx
@@ -3,11 +3,11 @@
---
-[Public hostname routes](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) allow anyone on the Internet to connect to HTTP resources hosted on your virtual private cloud (VPC). To add a public hostname route for your Cloudflare Tunnel:
+[Published applications](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) allow anyone on the Internet to connect to HTTP resources hosted on your virtual private cloud (VPC). To add a published application for your Cloudflare Tunnel:
-1. In the **Public Hostname** tab, enter a hostname for the application (for example, `hellocloudflare..com`).
+1. In the **Published application routes** tab, enter a hostname for the application (for example, `hellocloudflare..com`).
2. Under **Service**, enter `http://localhost:80`.
-3. Select **Save hostname**.
+3. Select **Save**.
4. To test, open a browser and go to `http://hellocloudflare..com`. You should see the **Hello Cloudflare!** test page.
You can optionally [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to control who can access the service.
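Review bot: the example hostname `hellocloudflare..com` on the edited step 1 line contains two consecutive dots, which reads as if a placeholder between them was dropped; check the rendered output (the same string appears in the unchanged step 4). Since `add-public-hostname.mdx` was renamed in this change, consider renaming `cloud-public-hostname.mdx` as well for consistency, unless keeping the churn down is the priority.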
diff --git a/src/content/partials/cloudflare-one/tunnel/connect-private-network-infra-access.mdx b/src/content/partials/cloudflare-one/tunnel/connect-private-network-infra-access.mdx
index 5b5bc56a5f07b77..6b12ed7d60909da 100644
--- a/src/content/partials/cloudflare-one/tunnel/connect-private-network-infra-access.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/connect-private-network-infra-access.mdx
@@ -2,4 +2,4 @@
{}
---
-2. In the **Private Networks** tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.
+2. In the **CIDR** tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.
diff --git a/src/content/partials/cloudflare-one/tunnel/connect-private-network.mdx b/src/content/partials/cloudflare-one/tunnel/connect-private-network.mdx
index 1883b68dbb47e6b..9266f9e09c4980b 100644
--- a/src/content/partials/cloudflare-one/tunnel/connect-private-network.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/connect-private-network.mdx
@@ -2,4 +2,4 @@
{}
---
-1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the [connect an application step](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-connect-an-application) and go straight to connecting a network.
+1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the [publish an application step](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-publish-an-application) and go straight to connecting a network.
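Review bot: the link target changes to `#2a-publish-an-application`, but the matching heading change in `create-remote-tunnel.mdx` is not part of the visible diff; verify that page's heading now generates that anchor, and grep other pages for the old `#2a-connect-an-application` anchor so they are updated in the same change.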
diff --git a/src/content/partials/cloudflare-one/tunnel/create-tunnel.mdx b/src/content/partials/cloudflare-one/tunnel/create-tunnel.mdx
index 4877be7689af99e..6fefdf6135e88d5 100644
--- a/src/content/partials/cloudflare-one/tunnel/create-tunnel.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/create-tunnel.mdx
@@ -3,9 +3,6 @@
---
-import { Steps } from "~/components";
-
-
1. Log in to [Zero Trust](https://one.dash.cloudflare.com) and go to **Networks** > **Tunnels**.
2. Select **Create a tunnel**.
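Review bot: the `import { Steps } from "~/components";` line is removed without any visible removal of a `<Steps>` JSX wrapper; if the file still uses the component the build will fail, so confirm the wrapper was removed in lines outside this hunk (the second hunk in this file only touches whitespace at the end).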
@@ -22,5 +19,4 @@ import { Steps } from "~/components";

-8. Select **Next**.
-
+8. Select **Next**.
\ No newline at end of file
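Review bot: this hunk only removes the final newline after step 8 (the `\ No newline at end of file` marker appears on the rewritten line); that is a regression for most linters and diff tooling, so keep the trailing newline here and in the other files in this diff that now end without one.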
diff --git a/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx b/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx
index 6360c18268cb3fd..4baad17154aee96 100644
--- a/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx
@@ -4,6 +4,8 @@
import { Tabs, TabItem } from "~/components";
+To start logging and filtering network traffic, turn on the Gateway proxy:
+
1. Go to **Settings** > **Network**.
diff --git a/src/content/partials/cloudflare-one/tunnel/filter-network-traffic.mdx b/src/content/partials/cloudflare-one/tunnel/filter-network-traffic.mdx
new file mode 100644
index 000000000000000..33b8915c0eb4f46
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/filter-network-traffic.mdx
@@ -0,0 +1,5 @@
+---
+{}
+---
+
+By default, all WARP devices enrolled in your Zero Trust organization can connect to your private network through Cloudflare Tunnel. You can configure Gateway to inspect your network traffic and either block or allow access based on user identity and device posture. To learn more about policy design, refer to [Secure your first application](/learning-paths/replace-vpn/build-policies/create-policy/).
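Review bot: the second sentence ("You can configure Gateway to inspect your network traffic...") only holds once the Gateway proxy is turned on, which is exactly what the `enable-gateway-proxy.mdx` change in this same diff describes; state that prerequisite here (or link to it), otherwise a reader who writes the Allow/Block policies from the new partials will see them have no effect. The first sentence is the important security statement in this partial and should stay prominent: by default every enrolled WARP device can reach the whole routed private network.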
diff --git a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
index 5b075621fcec0b0..014b9dcaa7c3e0e 100644
--- a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
@@ -20,7 +20,7 @@ If WARP is stuck in the `Disconnected` state or frequently changes between `Conn
## 2. Is the WARP client connecting to your private DNS server?
-This step is only needed if users access your application via a private hostname (for example, `wiki.internal.com`).
+This step is only needed if users access your application via a private hostname (for example, `wiki.internal.local`).
- If you are using [custom resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) to handle private DNS, go to your Gateway DNS logs (**Logs** > **Gateway** > **DNS**) and search for DNS queries to the hostname.
@@ -124,4 +124,4 @@ To troubleshoot TLS inspection:
- **Option 1:** Create a permanent [`Do Not Inspect` HTTP policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this application.
- **Option 2:** Customers who use their [own certificate infrastructure](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) for inspection can opt to create an [Allow _Pass Through_ policy](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) which enables our proxy to accept the TLS negotiation from your application. This will allow requests to flow correctly without the need for a `Do Not Inspect` policy.
- - **Option 3:** If your application uses `HTTPS` or other common protocols, you can add a [public hostname route](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) to your Cloudflare Tunnel and set [noTLSVerify](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) to `true`. This will allow `cloudflared` to trust your self-signed certificate.
+ - **Option 3:** If your application uses `HTTPS` or other common protocols, you can add a [published application](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) to your Cloudflare Tunnel and set [noTLSVerify](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) to `true`. This will allow `cloudflared` to trust your self-signed certificate.
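Review bot: "This will allow `cloudflared` to trust your self-signed certificate" undersells what `noTLSVerify: true` does: it turns off certificate verification between `cloudflared` and the origin entirely, not just for one self-signed certificate, so the sentence should say that plainly. If the goal is to keep verification, the `caPool` origin parameter (path to the CA that issued the origin certificate) is the option to mention alongside it.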
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway-dns.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway-dns.mdx
new file mode 100644
index 000000000000000..74bdd1dcb55c7df
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-alternate-gateway-dns.mdx
@@ -0,0 +1,10 @@
+---
+{}
+---
+
+To forward DNS traffic from the subnet to Cloudflare Gateway, your router should point DNS queries to the shared IP addresses for the Gateway DNS resolver:
+
+- `172.64.36.1`
+- `172.64.36.2`
+
+You will also need to [add an IP route](#add-ip-route-to-router) which routes these Gateway resolver IPs to the WARP Connector host machine.
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-connector-intermediate-gateway-dns.mdx b/src/content/partials/cloudflare-one/tunnel/warp-connector-intermediate-gateway-dns.mdx
new file mode 100644
index 000000000000000..118d44a71c3b6da
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/warp-connector-intermediate-gateway-dns.mdx
@@ -0,0 +1,10 @@
+---
+{}
+---
+
+To filter DNS traffic with Cloudflare Gateway, the DNS resolver on your device should point to the shared IP addresses for the Gateway DNS resolver IPs:
+
+- `172.64.36.1`
+- `172.64.36.2`
+
+You will also need to [add an IP route](#add-ip-route-to-devices) which routes these Gateway resolver IPs to the WARP Connector host machine.
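Review bot: this partial and `warp-connector-alternate-gateway-dns.mdx` directly above are identical apart from the first sentence and the anchor (`#add-ip-route-to-devices` versus `#add-ip-route-to-router`); the repo already supports parameterised partials (`inputParameters:` and `params:` both appear in this diff), so one partial with two parameters would keep the resolver IPs `172.64.36.1` and `172.64.36.2` in a single place. Wording nit on the first line: "the shared IP addresses for the Gateway DNS resolver IPs" repeats "IPs"; drop the trailing word.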
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx
index 267d3dbeeebdcc3..5db7ae2e6cecfef 100644
--- a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-route-ips.mdx
@@ -3,18 +3,20 @@ params:
- one
---
-import { Markdown } from "~/components";
+import { Markdown, Details, Tabs, TabItem} from "~/components";
import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx";
By default, WARP excludes traffic bound for [RFC 1918 space](https://datatracker.ietf.org/doc/html/rfc1918), which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your , you must configure [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) so that the IP/CIDR of your routes through WARP.
1. First, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include** mode.
-2. If you are using **Include** mode, add your 's IP/CIDR range to the list. Your list should also include the [domains necessary for Cloudflare Zero Trust functionality](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
-3. If you are using **Exclude** mode:
+2. Edit your Split Tunnel routes depending on the mode:
+
- a. Delete your 's IP/CIDR range from the list. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
+ If you are using **Exclude** mode:
- b. Re-add IP/CIDR ranges that are not explicitly used by your . For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.
+ a. [Delete the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) containing your 's IP/CIDR range. For example, if your network uses the default AWS range of `172.31.0.0/16`, delete `172.16.0.0/12`.
+
+ b. [Re-add IP/CIDR ranges](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) that are not explicitly used by your . For the AWS example above, you would add new entries for `172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15`, and `172.30.0.0/16`. This ensures that only traffic to `172.31.0.0/16` routes through WARP.
You can use the following calculator to determine which IP addresses to re-add:
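Review bot: the restructured Exclude-mode steps keep the `a.` / `b.` lettering while the new Include-mode block further down uses `1.` / `2.`; use the same list style in both tabs. The arithmetic in step b is correct (`172.16.0.0/13`, `172.24.0.0/14`, `172.28.0.0/15` and `172.30.0.0/16` cover `172.16.0.0/12` minus `172.31.0.0/16`). The added `Details, Tabs, TabItem` import implies `<Tabs>`/`<TabItem>` wrappers that are not visible in this hunk, so make sure each mode's content is actually wrapped.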
@@ -25,6 +27,18 @@ By default, WARP excludes traffic bound for [RFC 1918 space](https://datatracker
exclude: ["172.31.0.0/16", `172.28.0.0/15`]
}}
/>
- In **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels. In **Excluded CIDRs**, enter the IP/CIDR range used by your . Re-add the calculator results to your Split Tunnel Exclude mode list.
+
+ 1. In **Base CIDR**, enter the RFC 1918 range that you deleted from Split Tunnels.
+ 2. In **Excluded CIDRs**, enter the IP/CIDR range used by your .
+ 3. Re-add the calculator results to your Split Tunnel Exclude mode list.
+
+
+ By tightening the private IP range included in WARP, you reduce the risk of breaking a user's [access to local resources](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-users-to-enable-local-network-exclusion).
+
+
+
+ If you are using **Include** mode:
+ 1. Add the required [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
+ 2. [Add a route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include your 's IP/CIDR range.
-By tightening the private IP range included in WARP, you reduce the risk of breaking a user's [access to local resources](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-users-to-enable-local-network-exclusion).
+
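Review bot: moving the "By tightening the private IP range included in WARP..." sentence inside the Exclude-mode block and deleting the copy after it is the right placement, since in Include mode only the listed ranges go through WARP; but the numbered calculator steps 1-3 are indented one level deeper than the `a.`/`b.` steps and may render as a nested list under step b rather than as instructions for the calculator, so check the rendered page. Nit on the unchanged context line: the calculator prop `exclude: ["172.31.0.0/16", \`172.28.0.0/15\`]` mixes double quotes and backticks.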
diff --git a/src/content/partials/learning-paths/zero-trust/private-dns.mdx b/src/content/partials/learning-paths/zero-trust/private-dns.mdx
index 2fdfdae53782880..ba44a4839fa386c 100644
--- a/src/content/partials/learning-paths/zero-trust/private-dns.mdx
+++ b/src/content/partials/learning-paths/zero-trust/private-dns.mdx
@@ -11,7 +11,7 @@ By default, all DNS requests on the user device are resolved by Cloudflare's [pu
## Local Domain Fallback
-Local Domain Fallback tells the WARP client to send specific DNS requests to your private DNS resolver instead of to Cloudflareβs public DNS resolver. This method was the primary delivery mechanism for private DNS for a long time, and is the simplest option, but it has two shortcomings: you cannot deterministically route private DNS queries to different resolvers based on specific attributes, and you cannot apply Gateway DNS policies to this traffic because Cloudflare is not resolving it.
+Local Domain Fallback tells the WARP client to send specific DNS requests to your private DNS resolver instead of to Cloudflare's public DNS resolver. This method was the primary delivery mechanism for private DNS for a long time, and is the simplest option, but it has two shortcomings: you cannot deterministically route private DNS queries to different resolvers based on specific attributes, and you cannot apply Gateway DNS policies to this traffic because Cloudflare is not resolving it.
To learn more about how Local Domain Fallback works, refer to [How the WARP client handles DNS requests](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests).
@@ -25,7 +25,7 @@ To learn more about how Local Domain Fallback works, refer to [How the WARP clie
Only available on Enterprise plans.
:::
-[Custom resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) provide similar functionality to Local Domain Fallback but occur in Cloudflare Gateway rather than on the local device. This option is recommended if you want more granular control over private DNS resolution. For example, you can ensure that all users in a specific geography use the private DNS server closest to them, ensure that specific conditions are met before resolving private DNS traffic, and apply [Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/) to private DNS traffic.
+
### Create a resolver policy
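Review bot: the replacement for the deleted `[Custom resolver policies]...` paragraph is an empty `+` line; if a `<Render file="resolver-policies-intro" />` was added here it is not visible in this diff, and if it was not, the section now goes from the Enterprise-only note straight into "### Create a resolver policy" with no introduction. Confirm the rendered page shows the intro text from the new partial.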