diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx index ca5112d86e2fe11..3b7da431ffa9796 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx 
@@ -40,9 +40,9 @@ When testing against another origin, you may see either an IPv4 or IPv6 address. ## Bring your own IP address (BYOIP) -Enterprise users can use their own authority-provided IPv4 and IPv6 addresses as dedicated egress IPs. Gateway supports bringing your own IPv4 and IPv6 addresses. +Enterprise users can use their own authority-provided IPv4 and IPv6 addresses as dedicated egress IPs. Gateway supports bringing your own IPv4 and IPv6 addresses. To obtain an IPv6 range, refer to [American Registry for Internet Numbers (ARIN)](https://www.arin.net/resources/guide/ipv6/first_request/) or [Regional Internet Registry for Europe, Middle East and Central Asia (RIPE NCC)](https://www.ripe.net/manage-ips-and-asns/ipv6/request-ipv6/). -After you onboard your IP addresses, the IP addresses will appear when you create a [egress policy](/cloudflare-one/policies/gateway/egress-policies/) and choose **Use dedicated egress IPs (Cloudflare or BYOIP)** as the [egress method](/cloudflare-one/policies/gateway/egress-policies/#egress-methods). BYOIP dedicate egress IPs do not support [IP geolocation](#ip-geolocation). +After you onboard your IP addresses, the IP addresses will appear when you create a [egress policy](/cloudflare-one/policies/gateway/egress-policies/) and choose **Use dedicated egress IPs (Cloudflare or BYOIP)** as the [egress method](/cloudflare-one/policies/gateway/egress-policies/#egress-methods). BYOIP dedicated egress IPs do not support [IP geolocation](#ip-geolocation). For more information, refer to [Cloudflare BYOIP](/byoip/) or contact your account team. diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 41843a06ccb179e..b025370f18cbdfa 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx 
@@ -21,7 +21,7 @@ Cloudflare does not publish WARP egress IP ranges. WARP egress IPs are not docum ## Load balancing -Gateway traffic that does not match an egress policy will egress from the closest Cloudflare data center with a default Gateway egress IP. If there are two data centers of equal distance from the user, Gateway will split the traffic between the two data centers, and the load balancer will retain the same user selection and egress IP regardless of data center. This logic applies to both the default Cloudflare egress IPs and any dedicated egress IPs. +When using either the default Cloudflare egress IPs or any dedicated egress IPs, Gateway traffic that does not match an egress policy will egress from the closest Cloudflare data center with a default Gateway egress IP. If there are two data centers of equal distance from the user, Gateway will split the traffic between the two data centers, and the load balancer will retain the same user selection and egress IP regardless of data center. ## Force IP version @@ -254,7 +254,6 @@ Additionally, to use these selectors to filter traffic onboarded with WARP, you 2. In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode: - 1. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list. 2. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: - `100.64.0.0/12` 
@@ -265,7 +264,6 @@ Additionally, to use these selectors to filter traffic onboarded with WARP, you - `100.96.0.0/11` - 1. Add the required [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list. 2. [Add a route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include the IP address `100.80.0.0/16`. diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx index 87191d52418c492..819ffd8062859a7 100644 --- a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx +++ b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx @@ -24,7 +24,7 @@ flowchart TB http1{{"Do Not Inspect policies"}} http2["Isolate policies
(with Browser Isolation add-on)"] http3["Allow, Block, Do Not Scan, Quarantine, and Redirect policies, DLP, and anti-virus scanning"] - https["HTTP (port 80) or
HTTPS (port 443)?"] + https["HTTP or HTTPS?"] end subgraph Proxy["Proxy"] HTTP @@ -204,12 +204,10 @@ When a user goes to `https://test.example.com`, Gateway performs the following o 1. Evaluate DNS request against DNS policies: 2. Evaluate HTTPS request against HTTP policies: - 1. Policy #2 is evaluated first because Do Not Inspect [always takes precedence](#http-policies) over Allow and Block. Since there is no match, move on to check Policy #1. 2. Policy #1 does not match `test.example.com`. Since there are no matching Block policies, the request passes the HTTP filter and moves on to network policy evaluation. 3. Evaluate HTTPS request against network policies: - 1. Policy #1 does not match because port 80 is used for standard HTTP, not HTTPS. 2. Policy #2 matches, so the request is allowed and proxied to the upstream server. 3. Policy #3 is not evaluated because there has already been an explicit match.
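Review bot: in the `@@ -40,9 +40,9 @@` hunk of dedicated-egress-ips.mdx, the new sentence "To obtain an IPv6 range, refer to [ARIN] or [RIPE NCC]" only covers two of the five Regional Internet Registries, so readers served by APNIC, LACNIC or AFRINIC get no pointer; suggest "refer to your Regional Internet Registry, for example ARIN or RIPE NCC". The RIPE NCC link text also presents "Regional Internet Registry for Europe, Middle East and Central Asia" as the expansion of the acronym, which it is not (RIPE NCC is the Réseaux IP Européens Network Coordination Centre); keep the service-region description as a gloss after the name rather than as its expansion. While the paragraph is being touched, "create a [egress policy]" should read "an egress policy", and the two opening sentences ("Enterprise users can use their own authority-provided IPv4 and IPv6 addresses..." and "Gateway supports bringing your own IPv4 and IPv6 addresses.") say the same thing and can be merged.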
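Review bot: the rewrite in the `@@ -21,7 +21,7 @@` hunk of index.mdx contradicts itself. "When using either the default Cloudflare egress IPs or any dedicated egress IPs, Gateway traffic that does not match an egress policy will egress ... with a default Gateway egress IP" makes dedicated egress IPs a precondition for traffic that, by the same sentence, is unmatched and therefore always leaves with a default egress IP. The sentence removed from the end ("This logic applies to both the default Cloudflare egress IPs and any dedicated egress IPs.") was about the data center selection and the sticky load-balancer choice, not about which address unmatched traffic uses. Suggest keeping the original first sentence and re-adding the scope as a trailing sentence, e.g. "The same data center selection applies to traffic that matches an egress policy using dedicated egress IPs." It would also help to say what "retain the same user selection" means (that a given user stays pinned to one data center and one egress IP), since "user selection" is ambiguous.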
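Review bot: deleting "[Remove the route] to the IP address `100.64.0.0/10` from your Split Tunnel exclude list" in the `@@ -254,7 +254,6 @@` hunk appears to break the exclude-mode procedure. `100.64.0.0/10` covers 100.64.0.0 through 100.127.255.255, which includes `100.80.0.0/16`; as long as that route stays in the exclude list, the narrower excludes added in the following step (`100.64.0.0/12` ... `100.96.0.0/11`) cannot carve `100.80.0.0/16` back into the tunnel, so the selectors this section describes would never see WARP traffic. If the `/10` route is now removed somewhere else, or is no longer in the default exclude list, the change description should say so; otherwise keep the step. Either way the surviving item is still numbered "2." and is now the first item of its list, so renumber it to "1." (the rendered ordered list starts at the first item's number).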
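Review bot: the `@@ -265,7 +264,6 @@` hunk drops "Add the required [Zero Trust domains] or [IP addresses] to your Split Tunnel include list" and leaves "[Add a route] to include the IP address `100.80.0.0/16`" as the only include-mode step. The removed step calls those entries required, so with only `100.80.0.0/16` in the include list the Zero Trust domains and IP addresses would no longer be routed through the tunnel in include mode; if they are now added automatically or covered by another step, state that in the change description, otherwise keep the step. As in the exclude-mode list, the remaining item is numbered "2." but is now first, so renumber it to "1.".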
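Review bot: in the `@@ -204,12 +204,10 @@` hunk of order-of-enforcement.mdx, removing the two "1." sub-steps leaves both sub-lists starting at "2." and takes away the only explanation of why Policy #1 fails to match. The HTTP list now reads "Policy #1 does not match `test.example.com`" with no reason and no mention that Policy #2 (the Do Not Inspect policy, which the removed line says is evaluated first) was checked at all; the network list jumps straight to "Policy #2 matches" and "Policy #3 is not evaluated because there has already been an explicit match" without saying what happened to Policy #1. If the port-80 rationale was dropped to stay consistent with the flowchart's new "HTTP or HTTPS?" label, replace it with the current reason Policy #1 does not match rather than deleting it, and renumber the remaining items from "1.".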