diff --git a/public/__redirects b/public/__redirects
index 50c81f147c08cc8..40c933e8be6dddc 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -2391,6 +2391,8 @@
/cloudflare-one/identity/one-time-pin/ /cloudflare-one/integrations/identity-providers/one-time-pin/ 301
/cloudflare-one/identity/idp-integration/* /cloudflare-one/integrations/identity-providers/:splat 301
/cloudflare-one/identity/devices/service-providers/* /cloudflare-one/integrations/service-providers/:splat 301
+/cloudflare-one/applications/configure-apps/* /cloudflare-one/access-controls/applications/configure-apps/:splat 301
+/cloudflare-one/applications/non-http/* /cloudflare-one/access-controls/applications/non-http/:splat 301
# Learning paths
diff --git a/src/content/changelog/access/2024-10-01-ssh-with-access-for-infrastructure.mdx b/src/content/changelog/access/2024-10-01-ssh-with-access-for-infrastructure.mdx
index 0c668cbc1b535dc..b4200fbe9b16d9a 100644
--- a/src/content/changelog/access/2024-10-01-ssh-with-access-for-infrastructure.mdx
+++ b/src/content/changelog/access/2024-10-01-ssh-with-access-for-infrastructure.mdx
@@ -8,7 +8,7 @@ products:
Organizations can now eliminate long-lived credentials from their SSH setup and enable strong multi-factor authentication for SSH access, similar to other Access applications, all while generating access and command logs.
-SSH with [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/) uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-warp-to-tunnel/).
+SSH with [Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-warp-to-tunnel/).
SSH with Access for Infrastructure enables you to:
diff --git a/src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx b/src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx
index f053b1e2dc166c2..dfc6ba3cca6a23f 100644
--- a/src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx
+++ b/src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx
@@ -6,7 +6,7 @@ products:
- access
---
-[Access for SaaS applications](/cloudflare-one/applications/configure-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.
+[Access for SaaS applications](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.
**SAML and OIDC Field Additions**
diff --git a/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx b/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx
index a10bc34bfaa1014..ac854ff0b5c970b 100644
--- a/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx
+++ b/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx
@@ -8,6 +8,6 @@ products:
You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/access-controls/policies/).
-[Self-hosted applications](/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
+[Self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog.
diff --git a/src/content/changelog/access/2025-08-26-mcp-server-portals.mdx b/src/content/changelog/access/2025-08-26-mcp-server-portals.mdx
index 0e284e5ac74f18e..8e86f8a344fbd24 100644
--- a/src/content/changelog/access/2025-08-26-mcp-server-portals.mdx
+++ b/src/content/changelog/access/2025-08-26-mcp-server-portals.mdx
@@ -8,7 +8,7 @@ products:
-An [MCP server portal](/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
+An [MCP server portal](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
- **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
- **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
diff --git a/src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx b/src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx
index b378e17784e52a8..207c7dc04d549f2 100644
--- a/src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx
+++ b/src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx
@@ -12,17 +12,17 @@ import { Aside } from '@astrojs/starlight/components';
Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.
### What's New
-- **[Access Applications](https://developers.cloudflare.com/cloudflare-one/applications/)**: Grant admin permissions to specific Access Applications.
-- **[Identity Providers](https://developers.cloudflare.com/cloudflare-one/identity/)**: Grant admin permissions to individual Identity Providers.
-- **[Targets](https://developers.cloudflare.com/cloudflare-one/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets
+- **[Access Applications](https://developers.cloudflare.com/cloudflare-one/applications/)**: Grant admin permissions to specific Access Applications.
+- **[Identity Providers](https://developers.cloudflare.com/cloudflare-one/identity/)**: Grant admin permissions to individual Identity Providers.
+- **[Targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets
-
+
diff --git a/src/content/docs/agents/model-context-protocol/authorization.mdx b/src/content/docs/agents/model-context-protocol/authorization.mdx
index e5c479409ad0738..642f75182f95c4e 100644
--- a/src/content/docs/agents/model-context-protocol/authorization.mdx
+++ b/src/content/docs/agents/model-context-protocol/authorization.mdx
@@ -81,7 +81,7 @@ Remember — [authentication is different from authorization](https://www.cloud
You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/integrations/identity-providers/) or a [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/access-controls/policies/).
-To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
+To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).
### (3) Third-party OAuth Provider
diff --git a/src/content/docs/agents/model-context-protocol/mcp-portal.mdx b/src/content/docs/agents/model-context-protocol/mcp-portal.mdx
index 01566056e607eff..5459fdc6089f3cd 100644
--- a/src/content/docs/agents/model-context-protocol/mcp-portal.mdx
+++ b/src/content/docs/agents/model-context-protocol/mcp-portal.mdx
@@ -5,7 +5,7 @@ tags:
- MCP
sidebar:
order: 101
-external_link: /cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/
+external_link: /cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/
description: Centralize multiple MCP servers onto a single endpoint and customize the tools, prompts, and resources available to users.
---
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx
index 16ffdc6ce4c72a7..ec1d926bd0a9790 100644
--- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx
@@ -25,4 +25,4 @@ Cloudflare Access provides visibility and control over who has access to your [c
5. Select **Add public hostname**.
6. For **Input method**, select _Custom_.
7. In **Hostname**, enter your custom hostname (for example, `mycustomhostname.com`).
-8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
+8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application.
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/index.mdx
new file mode 100644
index 000000000000000..0b530ad5e94822c
--- /dev/null
+++ b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/index.mdx
@@ -0,0 +1,24 @@
+---
+pcx_content_type: concept
+title: Add web applications
+sidebar:
+ order: 1
+---
+
+import { Render } from "~/components";
+
+Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/access-controls/policies/#selectors) to control who can log in to the application.
+
+
+
+You can protect the following types of web applications:
+
+- [**SaaS applications**](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
+
+- **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.
+ - [**Public hostname applications**](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
+ - [**Private network applications**](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).
+
+- [**Model Context Protocol (MCP) servers**](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.
+
+- [**Cloudflare Dashboard SSO**](/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/index.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/index.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/index.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps.mdx
similarity index 88%
rename from src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps.mdx
index 147fe8901a86d85..78ca51f016ae532 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps.mdx
@@ -10,7 +10,7 @@ sidebar:
import { Render, GlossaryTooltip, APIRequest } from "~/components";
-Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
+Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](/cloudflare-one/access-controls/policies/#selectors) to ensure that only authorized users can access those applications, either directly or by using an MCP client.
@@ -40,11 +40,11 @@ This guide covers how to use the Cloudflare API to link a self-hosted applicatio
## Prerequisites
-- A [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/)
+- A [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/)
## 1. Secure the MCP server with Access for SaaS
-The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
+The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).
## 2. Get the SaaS application ID
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals.mdx
similarity index 98%
rename from src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals.mdx
index ea5aba242c3aa31..f4e341466e7a4b4 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals.mdx
@@ -41,7 +41,7 @@ To add an MCP server:
7. Add [Access policies](/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals.
:::caution
- Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
+ Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).
:::
8. Select **Save and connect server**.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp.mdx
similarity index 95%
rename from src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp.mdx
index 08e24d79683eace..b91086885d1bb6a 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp.mdx
@@ -103,7 +103,7 @@ https://mcp-server-cf-access..workers.dev/callback
- **Authorization endpoint**
- **Key endpoint**
-8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider.
+8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider.
9. Configure [Access policies](/cloudflare-one/access-controls/policies/) to define the users who can access the MCP server.
10. Save the application.
@@ -134,7 +134,7 @@ https://mcp-server-cf-access..workers.dev/callback
/>
2. Copy the `client_id` and `client_secret` returned in the response.
-3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access).
+3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access).
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/adobe-sign-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/adobe-sign-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/area-1.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/area-1.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/asana-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/asana-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/atlassian-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/atlassian-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/aws-sso-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/aws-sso-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/braintree-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/braintree-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/coupa-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/coupa-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/digicert-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/digicert-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/docusign-access.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/docusign-access.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/dropbox-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/dropbox-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-saml-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-saml-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/github-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/github-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/google-cloud-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/google-cloud-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/google-workspace-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/google-workspace-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/greenhouse-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/greenhouse-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/hubspot-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/hubspot-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/index.mdx
similarity index 73%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/index.mdx
index 33ec70d537cd3fd..4933b0de0a3143a 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/index.mdx
@@ -10,6 +10,6 @@ import { DirectoryListing } from "~/components"
Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and are only granted access if they pass your Access policies.
-Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas/) or [generic OIDC](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation.
+Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-saml-saas/) or [generic OIDC](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/ironclad-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/ironclad-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/jamf-pro-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/jamf-pro-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/miro-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/miro-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/pingboard-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/pingboard-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/slack-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/slack-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/smartsheet-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/smartsheet-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/sparkpost-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/sparkpost-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/tableau-saml-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/tableau-saml-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/workday-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/workday-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/zoom-saas.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/zoom-saas.mdx
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app.mdx
similarity index 96%
rename from src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app.mdx
index e8e3bc211e1e4c3..f468aa82fa19441 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app.mdx
@@ -10,7 +10,7 @@ import { Render } from "~/components";
You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server.
-This guide covers how to make a web application accessible to anyone on the Internet via a public hostname. If you would like to make the application available over a private IP or hostname, refer to [Add a self-hosted private application](/cloudflare-one/applications/non-http/self-hosted-private-app/).
+This guide covers how to make a web application accessible to anyone on the Internet via a public hostname. If you would like to make the application available over a private IP or hostname, refer to [Add a self-hosted private application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).
## Prerequisites
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/index.mdx
new file mode 100644
index 000000000000000..0fc3e457f92f9cb
--- /dev/null
+++ b/src/content/docs/cloudflare-one/access-controls/applications/index.mdx
@@ -0,0 +1,13 @@
+---
+pcx_content_type: navigation
+title: Applications
+sidebar:
+ order: 1
+ group:
+ hideIndex: true
+---
+
+import { DirectoryListing } from "~/components";
+
+
+
diff --git a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/browser-rendering.mdx
similarity index 94%
rename from src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/browser-rendering.mdx
index 080198fed90f580..5bdcbc6d2bdcd34 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/browser-rendering.mdx
@@ -11,7 +11,7 @@ Cloudflare can render SSH, VNC, and RDP applications in a browser without the ne
## Limitations
-- Browser rendering is only supported for [self-hosted public applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), not private IPs or hostnames.
+- Browser rendering is only supported for [self-hosted public applications](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/), not private IPs or hostnames.
- You can only render a browser-rendered terminal on domains and subdomains, not on specific paths.
-
- Cloudflare uses TLS to secure the egress RDP connection to your Windows server. We do not currently validate the chain of trust.
diff --git a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx
diff --git a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx
diff --git a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/index.mdx
similarity index 92%
rename from src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/index.mdx
index 4c1b853015c6bbc..6c26f7c8f4efc76 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/index.mdx
@@ -12,7 +12,7 @@ Users log in to the application by running a `cloudflared access` command in the
:::note
-Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/access-controls/policies/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances.
+Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/access-controls/policies/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/access-controls/applications/non-http/) in these instances.
:::
For examples of how to connect to Access applications with client-side `cloudflared`, refer to these tutorials:
@@ -22,4 +22,4 @@ For examples of how to connect to Access applications with client-side `cloudfla
- [Connect over SSH with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/) (legacy) -- SSH connections are now managed through [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).
- [Connect over RDP with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/#connect-to-rdp-server-with-cloudflared-access)
- [Connect over SMB with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/)
-- [Connect over arbitrary TCP with cloudflared](/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/)
+- [Connect over arbitrary TCP with cloudflared](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/)
diff --git a/src/content/docs/cloudflare-one/applications/non-http/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/index.mdx
similarity index 71%
rename from src/content/docs/cloudflare-one/applications/non-http/index.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/index.mdx
index d548c27f9c08268..b4bbb11e474bb16 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/index.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/index.mdx
@@ -21,9 +21,9 @@ Non-HTTP applications require [connecting your private network](/cloudflare-one/
## WARP client
-Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route unless they are protected by an Access policy or Gateway firewall rule. To secure the application, you can [create a self-hosted application](/cloudflare-one/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/access-controls/policies/) that allow or block specific users.
+Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route unless they are protected by an Access policy or Gateway firewall rule. To secure the application, you can [create a self-hosted application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/access-controls/policies/) that allow or block specific users.
-If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
+If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
- Define fine-grained policies to govern who has access to specific servers and exactly how a user may access that server.
- Eliminate SSH keys by using short-lived certificates to authenticate users.
@@ -35,7 +35,7 @@ Clientless access methods are suited for organizations that cannot deploy the WA
### Browser-rendered terminal
-Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH, RDP, and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. For RDP connections, users must authenticate to the Windows server using their Windows username and password in addition to being authenticated by Cloudflare Access.
+Cloudflare's [browser-based terminal](/cloudflare-one/access-controls/applications/non-http/browser-rendering/) allows users to connect over SSH, RDP, and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. For RDP connections, users must authenticate to the Windows server using their Windows username and password in addition to being authenticated by Cloudflare Access.
### Client-side cloudflared (legacy)
@@ -43,7 +43,7 @@ Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/brow
Not recommended for new deployments.
:::
-Users can log in to the application by installing `cloudflared` on their device and running a hostname-specific command in their terminal. For more information, refer to [cloudflared authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/).
+Users can log in to the application by installing `cloudflared` on their device and running a hostname-specific command in their terminal. For more information, refer to [cloudflared authentication](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/).
## Related resources
diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx
similarity index 95%
rename from src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx
index 66fd1ac1b25bde3..2e344d9cbda5f83 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx
@@ -27,7 +27,7 @@ import { Badge, Details, Tabs, TabItem, Render } from "~/components";
Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.
:::note
-Access for Infrastructure currently only supports [SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). To connect using other protocols, [add a self-hosted private application](/cloudflare-one/applications/non-http/self-hosted-private-app/). For browser-based SSH, RDP, or VNC, refer to [browser-rendered terminal](/cloudflare-one/applications/non-http/browser-rendering/).
+Access for Infrastructure currently only supports [SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). To connect using other protocols, [add a self-hosted private application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). For browser-based SSH, RDP, or VNC, refer to [browser-rendered terminal](/cloudflare-one/access-controls/applications/non-http/browser-rendering/).
:::
## Prerequisites
diff --git a/src/content/docs/cloudflare-one/applications/non-http/legacy-private-network-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx
similarity index 94%
rename from src/content/docs/cloudflare-one/applications/non-http/legacy-private-network-app.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx
index b7a4fa86d234957..a13ee739bd3f50f 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/legacy-private-network-app.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx
@@ -7,7 +7,7 @@ sidebar:
---
:::note
-Not recommended for new deployments. We recommend using a [self-hosted application](/cloudflare-one/applications/non-http/self-hosted-private-app/) to secure a private IP address.
+Not recommended for new deployments. We recommend using a [self-hosted application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) to secure a private IP address.
:::
You can configure a **Private Network** application to manage access to specific applications on your private network.
diff --git a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx
similarity index 96%
rename from src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx
index e87bd18bf82b41d..7026dc374600857 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx
@@ -11,7 +11,7 @@ import { Render } from "~/components";
You can configure a self-hosted Access application to manage access to specific IPs or hostnames on your private network.
:::note
-This feature replaces the legacy [private network app type](/cloudflare-one/applications/non-http/legacy-private-network-app/).
+This feature replaces the legacy [private network app type](/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/).
:::
## Prerequisites
@@ -66,7 +66,7 @@ Users can now connect to your private application after authenticating with Clou
### HTTPS applications
-If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/).
If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned off, session management is [handled in the WARP client](#non-https-applications) instead of in the browser.
diff --git a/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx
similarity index 94%
rename from src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
rename to src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx
index 6a5867334db4d94..34ecb33ebe0a46f 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx
@@ -25,7 +25,7 @@ Cloudflare Access short-lived certificates can work with any modern SSH server,
To secure your server behind Cloudflare Access:
1. [Connect the server to Cloudflare](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) as a published application.
-2. Create a [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for the server.
+2. Create a [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for the server.
:::note
If you do not wish to use Access, refer instead to our [SSH proxy instructions](/cloudflare-one/traffic-policies/network-policies/ssh-logging/).
@@ -86,7 +86,7 @@ Match host vm.example.com exec "/usr/local/bin/cloudflared access ssh-gen --host
### Connect through a browser-based terminal
-End users can connect to the SSH session without any configuration by using Cloudflare's browser-based terminal. To enable, refer to [Browser-rendered terminal](/cloudflare-one/applications/non-http/browser-rendering/).
+End users can connect to the SSH session without any configuration by using Cloudflare's browser-based terminal. To enable, refer to [Browser-rendered terminal](/cloudflare-one/access-controls/applications/non-http/browser-rendering/).
By default, the browser-based terminal prompts the user for a username/password login. If you would like to use certificate based authentication, make sure you have [created a short-lived certificate](#3-generate-a-short-lived-certificate-public-key) for the specific Access application configured for browser-rendered SSH.
diff --git a/src/content/docs/cloudflare-one/access-controls/index.mdx b/src/content/docs/cloudflare-one/access-controls/index.mdx
index 091be4c3f1fd27b..b018228c2e6e971 100644
--- a/src/content/docs/cloudflare-one/access-controls/index.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/index.mdx
@@ -3,10 +3,12 @@ pcx_content_type: navigation
title: Access controls
sidebar:
order: 7
- group:
- hideIndex: true
---
import { DirectoryListing } from "~/components";
+Learn how to secure your self-hosted and SaaS applications with Zero Trust policies.
+
+
+Refer to our [reference architecture](/reference-architecture/architectures/sase/) for an understanding on how to architect a Zero Trust and SASE solution.
diff --git a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx
index a3f52c392385d03..7461895e482ee19 100644
--- a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx
@@ -131,7 +131,7 @@ To require only one country and one email ending:
## Selectors
-When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/applications/non-http/) applications.
+When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/access-controls/applications/non-http/) applications.
Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
diff --git a/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx
index ff8a12b73024f50..af0b19c30575f61 100644
--- a/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx
@@ -39,4 +39,4 @@ For example, if your application is hosted on `internal.site.com`, the following
## Product compatibility
-For a list of products that are incompatible with the **Isolate application** feature, refer to [Product Compatibility](/cloudflare-one/applications/configure-apps/self-hosted-public-app/#product-compatibility) .
+For a list of products that are incompatible with the **Isolate application** feature, refer to [Product Compatibility](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/#product-compatibility) .
diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx
index 8d3861a83620856..41efdabadc17224 100644
--- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx
@@ -20,7 +20,7 @@ To enforce an MFA requirement to an application:
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
-2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/applications/configure-apps/).
+2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/access-controls/applications/configure-apps/).
3. Go to **Policies**.
diff --git a/src/content/docs/cloudflare-one/applications/app-library.mdx b/src/content/docs/cloudflare-one/applications/app-library.mdx
index 5e07de6a6fcddcf..37f87bb43e8a3d6 100644
--- a/src/content/docs/cloudflare-one/applications/app-library.mdx
+++ b/src/content/docs/cloudflare-one/applications/app-library.mdx
@@ -34,7 +34,7 @@ The **Findings** tab shows any connected [CASB integrations](/cloudflare-one/app
### Policies
-The **Policies** tab shows any [Gateway](/cloudflare-one/traffic-policies/) and [Access for SaaS](/cloudflare-one/applications/configure-apps/saas-apps/) policies related to the selected application.
+The **Policies** tab shows any [Gateway](/cloudflare-one/traffic-policies/) and [Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) policies related to the selected application.
### Usage
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx
deleted file mode 100644
index 124b7da3c972028..000000000000000
--- a/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx
+++ /dev/null
@@ -1,24 +0,0 @@
----
-pcx_content_type: concept
-title: Add web applications
-sidebar:
- order: 1
----
-
-import { Render } from "~/components";
-
-Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/access-controls/policies/#selectors) to control who can log in to the application.
-
-
-
-You can protect the following types of web applications:
-
-- [**SaaS applications**](/cloudflare-one/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
-
-- **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.
- - [**Public hostname applications**](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
- - [**Private network applications**](/cloudflare-one/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).
-
-- [**Model Context Protocol (MCP) servers**](/cloudflare-one/applications/configure-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.
-
-- [**Cloudflare Dashboard SSO**](/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.
diff --git a/src/content/docs/cloudflare-one/changelog/access.mdx b/src/content/docs/cloudflare-one/changelog/access.mdx
index d955ee7807d30e8..4cf509e0e424f9e 100644
--- a/src/content/docs/cloudflare-one/changelog/access.mdx
+++ b/src/content/docs/cloudflare-one/changelog/access.mdx
@@ -23,13 +23,13 @@ You can now filter Access policies by their action, selectors, rule groups, and
**Private self-hosted applications and reusable policies GA**
-[Private self-hosted applications](/cloudflare-one/applications/non-http/self-hosted-private-app/) and [reusable Access policies](/cloudflare-one/access-controls/policies/policy-management/) are now generally available (GA) for all customers.
+[Private self-hosted applications](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) and [reusable Access policies](/cloudflare-one/access-controls/policies/policy-management/) are now generally available (GA) for all customers.
## 2025-01-21
**Access Applications support private hostnames/IPs and reusable Access policies.**
-Cloudflare Access self-hosted applications can now be defined by [private IPs](/cloudflare-one/applications/non-http/self-hosted-private-app/), [private hostnames](/cloudflare-one/applications/non-http/self-hosted-private-app/) (on port 443) and [public hostnames](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). Additionally, we made Access policies into their own object which can be reused across multiple applications. These updates involved significant updates to the overall Access dashboard experience. The updates will be slowly rolled out to different customer cohorts. If you are an Enterprise customer and would like early access, reach out to your account team.
+Cloudflare Access self-hosted applications can now be defined by [private IPs](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/), [private hostnames](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) (on port 443) and [public hostnames](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). Additionally, we made Access policies into their own object which can be reused across multiple applications. These updates involved significant updates to the overall Access dashboard experience. The updates will be slowly rolled out to different customer cohorts. If you are an Enterprise customer and would like early access, reach out to your account team.
## 2025-01-15
diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx
index eaee4ce88e15445..5e7424b665f1019 100644
--- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx
+++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx
@@ -87,7 +87,7 @@ This error occurs when the identity provider has not included the signing public
## I see `Error 0: Bad Request. Please create a ca for application.` when attempting to connect to SSH with a short-lived certificate.
-This error will appear if a certificate has not been generated for the Access application users are attempting to connect to. For more information on how to generate a certificate for the application on the Access Service Auth SSH page, refer to [these instructions](/cloudflare-one/applications/non-http/short-lived-certificates-legacy/).
+This error will appear if a certificate has not been generated for the Access application users are attempting to connect to. For more information on how to generate a certificate for the application on the Access Service Auth SSH page, refer to [these instructions](/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/).
## Mobile applications warn of an invalid certificate, even though I installed a Cloudflare certificate on my system.
diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx
index 02c4c441f374041..abfd9ec2dd8e2bc 100644
--- a/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx
+++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx
@@ -122,7 +122,7 @@ To avoid having to log in twice, you can create a Cloudflare Worker that automat
- [Workers account](/workers/get-started/guide/)
- `wrangler` installation
-- `example.com` and `api.mysite.com` domains [protected by Access](/cloudflare-one/applications/configure-apps/)
+- `example.com` and `api.mysite.com` domains [protected by Access](/cloudflare-one/access-controls/applications/configure-apps/)
### 1. Generate a service token
diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx
index 908a265fbf34628..c60eb43beadaea2 100644
--- a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx
+++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx
@@ -22,7 +22,7 @@ Access generates two separate `CF_Authorization` tokens depending on the domain:
### Multi-domain applications
-Cloudflare Access allows you to protect and manage multiple domains in a single [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). After a user has successfully authenticated to one domain, Access will automatically issue a `CF_Authorization` cookie when they go to another domain in the same Access application. This means that users only need to authenticate once to a multi-domain application.
+Cloudflare Access allows you to protect and manage multiple domains in a single [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). After a user has successfully authenticated to one domain, Access will automatically issue a `CF_Authorization` cookie when they go to another domain in the same Access application. This means that users only need to authenticate once to a multi-domain application.
For Access applications with five or less domains, Access will preemptively set the cookie for all domains through a series of redirects. This allows single-page applications (SPAs) to retrieve data from other subdomains, even if the user has not explicitly visited those subdomains. Note that we cannot set cookies up-front for a wildcarded subdomain, because we do not know which concrete subdomain to redirect to (wildcarded paths are allowed).
@@ -133,7 +133,7 @@ Binding cookies protect users' `CF_Authorization` cookies from possible maliciou
Do not enable Binding Cookie if:
- You are using the Access application for non-browser based tools (such as SSH or RDP).
-- You have enabled [incompatible Cloudflare products](/cloudflare-one/applications/configure-apps/self-hosted-public-app/#product-compatibility) on the application domain.
+- You have enabled [incompatible Cloudflare products](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/#product-compatibility) on the application domain.
- You have turned on [WARP authentication identity](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/) for the application.
### Cookie Path Attribute
diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx
index ba1e81d362d2208..719f681b7ec8536 100644
--- a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx
@@ -27,7 +27,7 @@ The mTLS certificate is used only to verify the client certificate. It does not
### Prerequisites
-- An [Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for the hostname that you would like to secure with mTLS.
+- An [Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for the hostname that you would like to secure with mTLS.
- A CA that issues client certificates for your devices.
diff --git a/src/content/docs/cloudflare-one/insights/dex/index.mdx b/src/content/docs/cloudflare-one/insights/dex/index.mdx
index 255b8b2e164ad30..8efca16730fe07b 100644
--- a/src/content/docs/cloudflare-one/insights/dex/index.mdx
+++ b/src/content/docs/cloudflare-one/insights/dex/index.mdx
@@ -13,7 +13,7 @@ With DEX, you can monitor the state of your [WARP client](/cloudflare-one/team-a
Use DEX to troubleshoot other Zero Trust features:
-- Test connectivity to a [SaaS application secured with Access](/cloudflare-one/applications/configure-apps/saas-apps/).
+- Test connectivity to a [SaaS application secured with Access](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/).
- Verify that a website routed through [Gateway](/cloudflare-one/traffic-policies/) is reachable from user devices.
- Confirm that users can successfully reach internal resources after configuring a [Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
diff --git a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx
index 32da9d1c097d749..56f39f4e33ca142 100644
--- a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx
+++ b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx
@@ -101,7 +101,7 @@ Identity-based authentication logs contain the following fields:
##### Infrastructure applications
-Cloudflare Access logs the following information when the user authenticates to an [infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/):
+Cloudflare Access logs the following information when the user authenticates to an [infrastructure application](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/):
| Field | Description |
| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
diff --git a/src/content/docs/cloudflare-one/integrations/service-providers/custom.mdx b/src/content/docs/cloudflare-one/integrations/service-providers/custom.mdx
index 4b12ca833c42fcf..f904b68fc6a0562 100644
--- a/src/content/docs/cloudflare-one/integrations/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/integrations/service-providers/custom.mdx
@@ -105,7 +105,7 @@ WARP uses an Access Client ID and Access Client Secret to securely authenticate
Next, secure the external API behind Cloudflare Access so that WARP can authenticate with the service token. To add the API endpoint to Access:
-1. [Create a self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for your API endpoint.
+1. [Create a self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for your API endpoint.
2. Add the following Access policy to the application. Make sure that **Action** is set to _Service Auth_ (not _Allow_).
| Action | Rule type | Selector | Value |
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx
index c557ffb3f855bfb..55129f0a3001705 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx
@@ -178,7 +178,7 @@ Alternatively, you may use operating system (OS)-level firewall rules to block a
Run your tunnel and check that all configured services are still accessible to the outside world via the tunnel, but not via the external IP address of the server.
-You can also [secure your application with Cloudflare Access](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+You can also [secure your application with Cloudflare Access](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/).
## Test connectivity
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes.mdx
index 0bc85c42fb3b666..7d2df986513ab95 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes.mdx
@@ -330,4 +330,4 @@ Now that the tunnel is up and running, we can use the Zero Trust dashboard to ro
To test, open a new browser tab and go to `httpbin..com`. You should see the httpbin homepage.
-You can optionally [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to control who can access the service.
+You can optionally [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to control who can access the service.
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx
index 1ba734093837697..296c525beb9b5d8 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx
@@ -114,7 +114,7 @@ Follow these steps to publish an application to the Internet. If you are looking
This DNS record allows Cloudflare to proxy `app.example.com` traffic to your Cloudflare Tunnel (`.cfargotunnel.com`).
-This application will be publicly available on the Internet once you [run the tunnel](#4-install-and-run-the-tunnel). To allow or block specific users, [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+This application will be publicly available on the Internet once you [run the tunnel](#4-install-and-run-the-tunnel). To allow or block specific users, [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/).
## 3b. Connect a network
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel.mdx
index 9c96b7352a0403c..09e528740c14c51 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel.mdx
@@ -26,7 +26,7 @@ Follow these steps to publish an application to the Internet. If you are looking
-Anyone on the Internet can now access the application at the specified hostname. To allow or block specific users, [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+Anyone on the Internet can now access the application at the specified hostname. To allow or block specific users, [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/).
## 2b. Connect a network
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx
index 9aba6f9b9a3040d..f81c67f3d68ef68 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx
@@ -43,7 +43,7 @@ To connect your infrastructure with Cloudflare Tunnel:
-If you have applications clearly defined by IPs or hostnames, we recommend [creating an Access application](/cloudflare-one/applications/non-http/self-hosted-private-app/) and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway network and DNS policies for IP ranges and domains.
+If you have applications clearly defined by IPs or hostnames, we recommend [creating an Access application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway network and DNS policies for IP ranges and domains.
For more information on building Gateway policies, refer to [Secure your first application](/learning-paths/replace-vpn/build-policies/create-policy/) and [Common network policies](/cloudflare-one/traffic-policies/network-policies/common-policies/#restrict-access-to-private-networks).
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx
index 8d158da638aa0ca..9e8fb745d2cacb0 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx
@@ -164,7 +164,7 @@ Gateway will automatically resolve DNS queries using your internal DNS server as
If your private hostname points to an HTTPS application on port `443`, you can secure it using either Access or Gateway policies:
- - **Option 1 (Recommended)**: Create an [Access self-hosted private app](/cloudflare-one/applications/non-http/self-hosted-private-app/) to manage user access alongside your SaaS and other web apps.
+ - **Option 1 (Recommended)**: Create an [Access self-hosted private app](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) to manage user access alongside your SaaS and other web apps.
- **Option 2**: If you prefer to secure the application using a traditional firewall model, build Gateway network policies using the [SNI](/cloudflare-one/traffic-policies/network-policies/#sni) or [SNI Domain](/cloudflare-one/traffic-policies/network-policies/#sni-domain) selector. For an additional layer of protection, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/traffic-policies/dns-policies/#host) or [Domain](/cloudflare-one/traffic-policies/dns-policies/#domain) from resolving.
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/index.mdx
index 810a9e91da35935..9e396d555d25609 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/index.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/index.mdx
@@ -11,6 +11,6 @@ Cloudflare can route traffic down your Cloudflare Tunnel using a [DNS record](/c
:::note
-You do not need a paid Cloudflare Access plan to publish an application via Cloudflare Tunnel. [Access seats](/cloudflare-one/identity/users/seat-management/) are only required if you want to [secure the application using Access policies](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), such as requiring users to log in via an identity provider.
+You do not need a paid Cloudflare Access plan to publish an application via Cloudflare Tunnel. [Access seats](/cloudflare-one/identity/users/seat-management/) are only required if you want to [secure the application using Access policies](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/), such as requiring users to log in via an identity provider.
:::
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols.mdx
index c57019d7a309249..3b05315f497600c 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols.mdx
@@ -8,14 +8,14 @@ tableOfContents: false
---
-When you [add a published application route](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind `cloudflared`. The table below lists the service types that can route to a public hostname. Non-HTTP services will require [installing `cloudflared` on the client](/cloudflare-one/applications/non-http/cloudflared-authentication/) for end users to connect.
+When you [add a published application route](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-publish-an-application) to a Cloudflare Tunnel, you are instructing Cloudflare to proxy requests for your public hostname to a service running privately behind `cloudflared`. The table below lists the service types that can route to a public hostname. Non-HTTP services will require [installing `cloudflared` on the client](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/) for end users to connect.
| Service type | Description | Example `service` value |
| ------------ | ----------- | ---------- |
| HTTP | Incoming requests to Cloudflare over HTTPS are proxied to the local web service via HTTP. | `http://localhost:8000` |
| HTTPS | Incoming requests to Cloudflare over HTTPS are proxied directly to the local web service. You can [disable TLS verification](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) if your origin uses self-signed certificates. | `https://localhost:8000` |
| UNIX | Just like HTTP, but using a Unix socket instead. | `unix:/home/production/echo.sock` |
-| TCP | Enables TCP streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using TCP. To [connect to the public hostname over arbitrary TCP](/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/), the user needs to run `cloudflared access tcp`, and there are no guarantees on how long the TCP tunnel will live. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead.| `tcp://localhost:2222` |
+| TCP | Enables TCP streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using TCP. To [connect to the public hostname over arbitrary TCP](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/arbitrary-tcp/), the user needs to run `cloudflared access tcp`, and there are no guarantees on how long the TCP tunnel will live. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/) instead.| `tcp://localhost:2222` |
| SSH | Enables SSH streams over a Websocket connection. `cloudflared` will take the packets received from the Websocket and reach out to the origin using SSH. To [connect to the public hostname over SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/), the client needs to run `cloudflared access ssh`, and there are no guarantees on how long the SSH connection will last. For long-lived connections, we recommend using [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) instead. | `ssh://localhost:22` |
| RDP | Similar to TCP but for RDP streams only. For more information, refer to [Connect to RDP with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication/). | `rdp://localhost:3389` |
| UNIX + TLS | Just like HTTPS, but using a Unix socket instead. | `unix+tls:/home/production/echo.sock` |
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication.mdx
index c56b5586242cde9..82d494fcfbbf601 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication.mdx
@@ -24,7 +24,7 @@ Client-side `cloudflared` can be used in conjunction with [routing over WARP](/c
## 2. (Recommended) Create an Access application
-By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access.
+By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access.
## 3. Connect as a user
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb.mdx
index baa7350d0313e08..d296a489d624279 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb.mdx
@@ -79,7 +79,7 @@ The public hostname method can be implemented in conjunction with routing over W
### 2. (Recommended) Create an Access application
-By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access.
+By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access.
### 3. Connect as a user
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/index.mdx
index 65905d20787cf31..83590f25d6f2d6a 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/index.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/index.mdx
@@ -16,4 +16,4 @@ Cloudflare offers four ways to secure SSH:
- [Browser-rendered SSH terminal](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-browser-rendering/)
- [SSH with client-side cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/) (legacy)
-For an overview of these connection options, refer to [non-HTTP applications](/cloudflare-one/applications/non-http/).
\ No newline at end of file
+For an overview of these connection options, refer to [non-HTTP applications](/cloudflare-one/access-controls/applications/non-http/).
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-browser-rendering.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-browser-rendering.mdx
index 9e3bc614592929b..71ce066e23b6f26 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-browser-rendering.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-browser-rendering.mdx
@@ -20,6 +20,6 @@ The browser-based terminal can be used in conjunction with [routing over WARP](/
## 2. Connect as a user
-To enable browser-rendering for SSH, refer to [Browser-rendered terminal](/cloudflare-one/applications/non-http/browser-rendering/).
+To enable browser-rendering for SSH, refer to [Browser-rendered terminal](/cloudflare-one/access-controls/applications/non-http/browser-rendering/).
When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser.
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx
index 6c1ad52186acb1f..a2b6b0b6f7418ee 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -8,7 +8,7 @@ sidebar:
import { Tabs, TabItem, Badge, Render, APIRequest } from "~/components";
-[Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/) provides granular control over how users can connect to your SSH servers. This feature uses the same deployment model as [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-warp-to-tunnel/) but unlocks more policy options and command logging functionality.
+[Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) provides granular control over how users can connect to your SSH servers. This feature uses the same deployment model as [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-warp-to-tunnel/) but unlocks more policy options and command logging functionality.
@
Access for Infrastructure also supports `scp`, `sftp`, and `rsync` commands. Refer to [Known limitations](#known-limitations) for a list of unsupported SSH commands and features.
-To learn more about user connections, refer to the [Access for Infrastructure documentation](/cloudflare-one/applications/non-http/infrastructure-apps/#4-connect-as-a-user).
+To learn more about user connections, refer to the [Access for Infrastructure documentation](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#4-connect-as-a-user).
## SSH command logs
@@ -214,7 +214,7 @@ You were guided to create an Access policy for your target in [substep 9 of step
#### End users
-As an end user, run [`warp-cli target list`](/cloudflare-one/applications/non-http/infrastructure-apps/#display-available-targets) to verify that you have access to the target.
+As an end user, run [`warp-cli target list`](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#display-available-targets) to verify that you have access to the target.
diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx
index 0df76131ae845e3..c2494293c6adbb2 100644
--- a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx
@@ -76,6 +76,6 @@ You no longer need to isolate both the Identity Provider (IdP) and Service Provi
## Browser Isolation is not compatible with private IPs on non-`443` ports
-Browser Isolation is not compatible with [self-hosted private applications](/cloudflare-one/applications/non-http/self-hosted-private-app/) that use private IP addresses on ports other than `443`. Trying to access self-hosted applications defined by private IPs on ports other than `443` will result in a Gateway block page.
+Browser Isolation is not compatible with [self-hosted private applications](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) that use private IP addresses on ports other than `443`. Trying to access self-hosted applications defined by private IPs on ports other than `443` will result in a Gateway block page.
-To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](/cloudflare-one/applications/non-http/legacy-private-network-app/) instead.
+To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app/) instead.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx
index 14d6c1e14b47228..a030b9058843a18 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx
@@ -9,7 +9,7 @@ If you are unable to install the WARP client on your devices (for example, Windo
- **[Gateway DNS policies](/cloudflare-one/team-and-resources/devices/agentless/dns/)**
- **[Gateway HTTP policies](/cloudflare-one/team-and-resources/devices/agentless/pac-files/)** without user identity and device posture
-- **[Access policies](/cloudflare-one/access-controls/policies/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and for [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections
+- **[Access policies](/cloudflare-one/access-controls/policies/)** without device posture for [web applications](/cloudflare-one/access-controls/applications/configure-apps/) and for [browser-rendered](/cloudflare-one/access-controls/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections
- **[Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/)** via an [Access policy](/cloudflare-one/access-controls/policies/isolate-application/), [prefixed URLs](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/remote-browser-isolation/setup/non-identity/)
- **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/)**
- **[Data Loss Prevention (DLP)](/cloudflare-one/applications/casb/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx
index 99816e32fa5403d..393b08eb95a8390 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx
@@ -7,7 +7,7 @@ sidebar:
import { Tabs, TabItem, APIRequest } from "~/components";
-Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/remote-browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
+Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/remote-browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
Zero Trust [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/).
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx
index 2e9d0af9101160b..dcb3af1f1d308e6 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx
@@ -20,7 +20,7 @@ import { TabItem, Tabs, Details, Width, APIRequest } from "~/components";
-Device Information Only mode allows you to enforce device posture rules when a user connects to your [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). This mode relies on a client certificate generated from your account to establish trust between the Access application and the device.
+Device Information Only mode allows you to enforce device posture rules when a user connects to your [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). This mode relies on a client certificate generated from your account to establish trust between the Access application and the device.
## 1. Turn on account settings
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx
index d0edd1b762d0eee..aa03a29bf477999 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx
@@ -40,7 +40,7 @@ To configure WARP sessions for Access applications:
This timeout value does not apply to [WARP session checks in Gateway policies](#configure-warp-sessions-in-gateway).
:::
-5. (Optional) To enable WARP authentication by default for all existing and new applications, select **Apply to all Access applications**. You can override this default setting on a per-application basis when you [create](/cloudflare-one/applications/configure-apps/) or modify an Access application.
+5. (Optional) To enable WARP authentication by default for all existing and new applications, select **Apply to all Access applications**. You can override this default setting on a per-application basis when you [create](/cloudflare-one/access-controls/applications/configure-apps/) or modify an Access application.
6. Select **Save**.
Users can now authenticate once with WARP and have access to your Access applications for the configured period of time. The session timer resets when the user re-authenticates with the IdP used to enroll in WARP.
diff --git a/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx
index e6851dae411dca7..f8346bf191c55b4 100644
--- a/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx
@@ -61,7 +61,7 @@ Gateway enforces global DNS and resolver policies before any other policies. Thi
| Allow Gateway Proxy PAC | `00000001-776e-438d-9856-987d7053762b` | Hostname | `*.cloudflare-gateway.com` and `*.fed.cloudflare-gateway.com` | allow | Allows Gateway proxy with [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/). |
| Allow Zero Trust Services | `00000001-e1e8-421b-a0fe-895397489f28` | Hostname | `dash.teams.cloudflare.com`, `help.teams.cloudflare.com`, `blocked.teams.cloudflare.com`, `blocked.teams.fed.cloudflare.com`, `api.cloudflare.com`, `api.fed.cloudflare.com`, `cloudflarestatus.com`, `www.cloudflarestatus.com`, `one.dash.cloudflare.com`, `one.dash.fed.cloudflare.com`, `help.one.cloudflare.com`, `dash.cloudflare.com`, `dash.fed.cloudflare.com`, and `developers.cloudflare.com` | allow | Allows Cloudflare Zero Trust services. |
| Allow Access Apps L4 | `00000001-daa2-41e2-8a88-698af4066951` | Hostname | `*.cloudflareaccess.com` and `*.fed.cloudflareaccess.com` | allow | Allows [Cloudflare Access](/cloudflare-one/access-controls/policies/) applications. |
-| Allow HTTP requests to browser-rendered Access Apps | `00000001-1f93-4476-8f92-9aa4407d1c5f` | Hostname | `*.zero-trust-apps.cfdata.org`, `*.zero-trust-apps-staging.cfdata.org`, `*.zero-trust-apps.fed.cfdata.org`, or `*.zero-trust-apps-staging.fed.cfdata.org` | allow | Allows Cloudflare Access terminal applications [rendered in a browser](/cloudflare-one/applications/non-http/browser-rendering/#ssh-and-vnc). |
+| Allow HTTP requests to browser-rendered Access Apps | `00000001-1f93-4476-8f92-9aa4407d1c5f` | Hostname | `*.zero-trust-apps.cfdata.org`, `*.zero-trust-apps-staging.cfdata.org`, `*.zero-trust-apps.fed.cfdata.org`, or `*.zero-trust-apps-staging.fed.cfdata.org` | allow | Allows Cloudflare Access terminal applications [rendered in a browser](/cloudflare-one/access-controls/applications/non-http/browser-rendering/#ssh-and-vnc). |
## HTTP inspection policies
diff --git a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx
index 2996468cc778435..a6fdfb28f5b5cc0 100644
--- a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx
@@ -411,7 +411,7 @@ To secure the AI agent wrapper to ensure that only trusted users can access it:
4. Enter a name for your AI agent wrapper application.
5. In **Session Duration**, choose when the user's application token should expire.
6. Select **Add public hostname** and enter the custom domain you set for your Worker.
-7. [Configure your Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for your Worker.
+7. [Configure your Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for your Worker.
8. Add [Access policies](/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application.
Now your AI wrapper can only be accessed by your users that successfully match your Access policies.
diff --git a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
index ec24f9862cec894..c3d950cf6bf65cc 100644
--- a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
@@ -87,6 +87,6 @@ To enforce your Conditional Access policies on a Cloudflare Access application:
8. For **Identity providers**, select your Microsoft Entra ID integration.
-9. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
+9. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application.
Users will only be allowed access if they pass the Microsoft Entra ID Conditional Access policies associated with this authentication context.
diff --git a/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx b/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx
index 5743a9bb6522fc2..719c47ec8e473d7 100644
--- a/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx
@@ -41,7 +41,7 @@ This approach allows you to:
## Before you begin
-- Add a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access.
+- Add a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access.
- Enable the [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/) and [Firewall](/cloudflare-one/identity/devices/warp-client-checks/firewall/) device posture checks.
- Install [Wrangler](/workers/wrangler/install-and-update/) on your local machine.
diff --git a/src/content/docs/cloudflare-one/tutorials/fastapi.mdx b/src/content/docs/cloudflare-one/tutorials/fastapi.mdx
index 372829bf56b477c..d32391ee87f1b97 100644
--- a/src/content/docs/cloudflare-one/tutorials/fastapi.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/fastapi.mdx
@@ -15,7 +15,7 @@ This tutorial covers how to validate that the [Access JWT](/cloudflare-one/ident
## Prerequisites
-* A [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for your FastAPI app
+* A [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for your FastAPI app
* The [AUD tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application
## 1. Create a validation function
diff --git a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
index 14d8a8ba4c4c9f9..03e9dca7c27daaa 100644
--- a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
@@ -35,7 +35,7 @@ You can connect to machines over `kubectl` using Cloudflare's Zero Trust platfor
4. Enter a name for your Access application.
5. Select **Add public hostname** and input a subdomain. This will be the hostname where your application will be available to users.
6. [Create a new policy](/cloudflare-one/access-controls/policies/policy-management/) to control who can reach the application, or select existing policies.
-7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
+7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application.
## Install `cloudflared`
diff --git a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
index 2613b280c4f7ea2..009efae0dd52b19 100644
--- a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
@@ -43,7 +43,7 @@ You can build a rule in Cloudflare Access to control who can connect to your Mon
6. Add [Access policies](/cloudflare-one/access-controls/policies/) to control who can reach the deployment. You can build a policy that allows anyone in your organization to connect or you can build more granular policies based on signals like identity provider groups, [multifactor method](/cloudflare-one/tutorials/okta-u2f/), or [country](/cloudflare-one/access-controls/policies/groups/).
-7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
+7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application.
## Configure the Kubernetes deployment
diff --git a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
index 7faf6ec5b62cf27..8c783ee1e8554ac 100644
--- a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
@@ -114,7 +114,7 @@ Your Cloudflare Tunnel will terminate at the AWS VPC using your public hostname.
4. Enter a name for the application.
5. Select **Add public hostname** and enter the public hostname used by your Tunnel. For example, `s3-bucket..com`.
6. Add [Access policies](/cloudflare-one/access-controls/policies/) to determine which users and applications may access your bucket. You can optionally create a [service token](/cloudflare-one/identity/service-tokens/) policy to automatically authenticate access to your S3 bucket.
-7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
+7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application.
Users and applications that successfully authenticate via Cloudflare Access can access your S3 bucket at `https://s3-bucket..com`.
diff --git a/src/content/docs/email-security/account-setup/sso/access.mdx b/src/content/docs/email-security/account-setup/sso/access.mdx
index c6ea3bbcab22198..337864b6526030b 100644
--- a/src/content/docs/email-security/account-setup/sso/access.mdx
+++ b/src/content/docs/email-security/account-setup/sso/access.mdx
@@ -1,7 +1,7 @@
---
pcx_content_type: navigation
title: Cloudflare Access for SaaS
-external_link: /cloudflare-one/applications/configure-apps/saas-apps/area-1/
+external_link: /cloudflare-one/access-controls/applications/configure-apps/saas-apps/area-1/
sidebar:
order: 4
diff --git a/src/content/docs/fundamentals/performance/maintenance-mode.mdx b/src/content/docs/fundamentals/performance/maintenance-mode.mdx
index 28480099e3bf5ee..848396adf0876ad 100644
--- a/src/content/docs/fundamentals/performance/maintenance-mode.mdx
+++ b/src/content/docs/fundamentals/performance/maintenance-mode.mdx
@@ -23,7 +23,7 @@ Certain customization and queue options depend on your [plan](/waiting-room/plan
### All plans
-Users on all plans can [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). Make sure to limit your [Access policy](/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) to only include yourself and any collaborators.
+Users on all plans can [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). Make sure to limit your [Access policy](/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) to only include yourself and any collaborators.
If needed, you can also further [customize the login page](/cloudflare-one/applications/login-page).
diff --git a/src/content/docs/learning-paths/clientless-access/migrate-applications/integrated-sso.mdx b/src/content/docs/learning-paths/clientless-access/migrate-applications/integrated-sso.mdx
index 01a06c2cda71707..b8fbd8e103c6137 100644
--- a/src/content/docs/learning-paths/clientless-access/migrate-applications/integrated-sso.mdx
+++ b/src/content/docs/learning-paths/clientless-access/migrate-applications/integrated-sso.mdx
@@ -32,7 +32,7 @@ If your applications use integrated SSO, there are a number of different paths y
| [Present applications exclusively on Cloudflare domains](#recommended-solution) | Change SSO ACS URL to the Cloudflare Tunnel public hostname |
Increased security posture
No changes to application code
No changes to internal DNS design
| Hard cutover event when ACS URL changes from internal to external domain |
| Present applications on existing internal domains with identical external domains delegated to Cloudflare | Add domains to Cloudflare that match internal domains |
No changes to SSO ACS URL
No change for end users
|
Requires careful management of internal and external domains
Requires changing internal DNS design
|
| [Consume the Cloudflare JWT in internal applications](/learning-paths/clientless-access/migrate-applications/consume-jwt/) |
Remove integrated SSO
Update application to accept the Cloudflare JWT for user authorization
|
Reduced authentication burden for end users
No changes to internal DNS design
Instantly secure applications without direct SSO integration
|
Requires changing application code
Hard cutover event when application updates
|
-| Use Cloudflare as the direct SSO integration, which then calls your IdP of choice (Okta, OneLogin, etc.) | Swap existing SSO provider for [Access for SaaS](/cloudflare-one/applications/configure-apps/saas-apps/) |
Increased flexibility for changing IdPs
Ability to use multiple IdPs simultaneously
|
Hard cutover event for IdP changes
No SCIM provisioning for application
|
+| Use Cloudflare as the direct SSO integration, which then calls your IdP of choice (Okta, OneLogin, etc.) | Swap existing SSO provider for [Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) |
Increased flexibility for changing IdPs
Ability to use multiple IdPs simultaneously
|
Hard cutover event for IdP changes
No SCIM provisioning for application
|
## Recommended solution
diff --git a/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx b/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx
index 0ff0cca0479a842..88366afd590eb67 100644
--- a/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx
+++ b/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx
@@ -42,7 +42,7 @@ This section will discuss the process of consolidating and securing access to yo
The Model Context Protocol supports [OAuth 2.1 for authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization). You can configure your MCP server to use Cloudflare Access as its OAuth provider. This allows you to secure the MCP server with Access policies, using signals from your existing identity providers (IdPs), device posture providers, and other rules to control who can log in to the server. Once the user is authenticated through Access, Access passes an OAuth ID token to the MCP server. You can then implement server-side access controls based on the user identity attributes included in the token. For example, you may wish to limit access to specific tools based on user emails.
-To set up the Cloudflare Access OAuth integration, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
+To set up the Cloudflare Access OAuth integration, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).
### Consolidate MCP servers into a portal
@@ -50,4 +50,4 @@ MCP server portals allow you to centralize management of your MCP servers and to
To define user access to your systems, you can configure Access policies for a portal as a whole while maintaining granular access control for the MCP servers that a user sees in their portals. Additionally, you can turn on or off the individual tools available through the portal and only expose the tools relevant for your specific use case. Prompts and responses made using the portal are logged in Cloudflare Access, providing you with visibility into how users are interacting with your MCP servers.
-To get started with MCP server portals, refer to [MCP server portals](/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/).
+To get started with MCP server portals, refer to [MCP server portals](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/).
diff --git a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
index 99a0e50c38b07f7..f3f0534d47cb7ec 100644
--- a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
@@ -114,7 +114,7 @@ Additionally, authenticated requests also send the `Cf-Access-Jwt-Assertion\` JW
## 4. Create the self-hosted applications
-Finally, the hostname you want to protect with mTLS needs to be added as a [self-hosted app](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access, defining an [Access Policy](/cloudflare-one/access-controls/policies/) which uses the action [Service Auth](/cloudflare-one/access-controls/policies/#service-auth) and the Selector _"Valid Certificate"_, or simply requiring an [IdP](/cloudflare-one/integrations/identity-providers/) authentication. You can also take advantage of extra requirements, such as the "Common Name" (CN), which expects the indicated hostname, and more [Selectors](/cloudflare-one/access-controls/policies/#selectors). Alternatively, one can also [extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/).
+Finally, the hostname you want to protect with mTLS needs to be added as a [self-hosted app](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access, defining an [Access Policy](/cloudflare-one/access-controls/policies/) which uses the action [Service Auth](/cloudflare-one/access-controls/policies/#service-auth) and the Selector _"Valid Certificate"_, or simply requiring an [IdP](/cloudflare-one/integrations/identity-providers/) authentication. You can also take advantage of extra requirements, such as the "Common Name" (CN), which expects the indicated hostname, and more [Selectors](/cloudflare-one/access-controls/policies/#selectors). Alternatively, one can also [extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/).
## Demo
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx
index a566f5f45838c5f..91478741c03bf61 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx
@@ -8,7 +8,7 @@ sidebar:
---
-[Access for SaaS](/cloudflare-one/applications/configure-apps/saas-apps/) functions as an identity proxy to add an additional authentication layer to your SaaS apps.
+[Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) functions as an identity proxy to add an additional authentication layer to your SaaS apps.
Access for SaaS integrates directly with your SaaS app using standard protocols (such as SAML) to become the primary enforcement point for user access. Access calls your identity provider (IdP) of choice and uses additional security signals about your users and devices to make policy decisions. Benefits of Access for SaaS include:
diff --git a/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx b/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx
index 49da8c4e01a92ca..f3e45bdd66d30c0 100644
--- a/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx
+++ b/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx
@@ -59,4 +59,4 @@ In this example, the randomly-generated URL `https://seasonal-deck-organisms-sf.
Cloudflare Tunnel can be configured in a variety of ways and can be used beyond providing access to your in-development applications. For example, you can provide `cloudflared` with a [configuration file](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) to add more complex routing and tunnel setups that go beyond a simple `--url` flag. You can also [attach a Cloudflare DNS record](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) to a domain or subdomain for an easily accessible, long-lived tunnel to your local machine.
-Finally, by incorporating Cloudflare Access, you can provide [secure access to your tunnels](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) without exposing your entire server, or compromising on security. Refer to the [Cloudflare for Teams documentation](/cloudflare-one/) to learn more about what you can do with Cloudflare's entire suite of Zero Trust tools.
+Finally, by incorporating Cloudflare Access, you can provide [secure access to your tunnels](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) without exposing your entire server, or compromising on security. Refer to the [Cloudflare for Teams documentation](/cloudflare-one/) to learn more about what you can do with Cloudflare's entire suite of Zero Trust tools.
diff --git a/src/content/docs/r2/buckets/public-buckets.mdx b/src/content/docs/r2/buckets/public-buckets.mdx
index 33434882e4f2fae..370d291027b82b4 100644
--- a/src/content/docs/r2/buckets/public-buckets.mdx
+++ b/src/content/docs/r2/buckets/public-buckets.mdx
@@ -44,7 +44,7 @@ For more information on default Cache behavior and how to customize it, refer to
To restrict access to your custom domain's bucket, use Cloudflare's existing security products.
-- [Cloudflare Zero Trust Access](/cloudflare-one/applications/configure-apps): Protects buckets that should only be accessible by your teammates. Refer to [Protect an R2 Bucket with Cloudflare Access](/r2/tutorials/cloudflare-access/) tutorial for more information.
+- [Cloudflare Zero Trust Access](/cloudflare-one/access-controls/): Protects buckets that should only be accessible by your teammates. Refer to [Protect an R2 Bucket with Cloudflare Access](/r2/tutorials/cloudflare-access/) tutorial for more information.
- [Cloudflare WAF Token Authentication](/waf/custom-rules/use-cases/configure-token-authentication/): Restricts access to documents, files, and media to selected users by providing them with an access token.
:::caution
diff --git a/src/content/docs/r2/tutorials/cloudflare-access.mdx b/src/content/docs/r2/tutorials/cloudflare-access.mdx
index 81e29178fed4592..e7dfb3a2dd1906f 100644
--- a/src/content/docs/r2/tutorials/cloudflare-access.mdx
+++ b/src/content/docs/r2/tutorials/cloudflare-access.mdx
@@ -8,7 +8,7 @@ description: >-
import { Render } from "~/components";
-You can secure access to R2 buckets using [Cloudflare Access](/cloudflare-one/applications/configure-apps/).
+You can secure access to R2 buckets using [Cloudflare Access](/cloudflare-one/access-controls/applications/configure-apps/).
Access allows you to only allow specific users, groups or applications within your organization to access objects within a bucket, or specific sub-paths, based on policies you define.
@@ -46,7 +46,7 @@ To create an Access application for your R2 bucket:
Ensure that your policies only allow the users within your organization that need access to this R2 bucket.
:::
-6. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
+6. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application.
## 3. Connect a custom domain
@@ -66,10 +66,10 @@ Visit the custom domain you connected to your R2 bucket, which should present a
For example, if you connected Google and/or GitHub identity providers, you can log in with those providers. If the login is successful and you pass the Access policies configured in this guide, you will be able to access (read/download) objects within the R2 bucket.
-If you cannot authenticate or receive a block page after authenticating, check that you have an [Access policy](/cloudflare-one/applications/configure-apps/self-hosted-public-app/#1-add-your-application-to-access) configured within your Access application that explicitly allows the group your user account is associated with.
+If you cannot authenticate or receive a block page after authenticating, check that you have an [Access policy](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/#1-add-your-application-to-access) configured within your Access application that explicitly allows the group your user account is associated with.
## Next steps
-- Learn more about [Access applications](/cloudflare-one/applications/configure-apps/) and how to configure them.
+- Learn more about [Access applications](/cloudflare-one/access-controls/applications/configure-apps/) and how to configure them.
- Understand how to use [pre-signed URLs](/r2/api/s3/presigned-urls/) to issue time-limited and prefix-restricted access to objects for users not within your organization.
- Review the [documentation on using API tokens to authenticate](/r2/api/tokens/) against R2 buckets.
diff --git a/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx b/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx
index b498b255e612166..017d9308c4449a5 100644
--- a/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx
+++ b/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx
@@ -169,7 +169,7 @@ There are many different [types of selectors](/cloudflare-one/access-controls/po
You can configure this control by enabling the "gateway" device posture check and then requiring "gateway" in your application policies. Requiring "gateway" is more flexible than relying solely on the device agent because users can also on-ramp from Browser Isolation or a Magic WAN-connected site, both of which provide traffic logging and filtering. Additionally, when using the device agent, this allows you to guarantee that a user is coming from a compliant device that has passed a set of device posture checks.
- Requiring the gateway is enforced continuously for [self-hosted applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). For SaaS apps, it is only enforced at the time of login. However, a dedicated egress IP can be leveraged in tandem to enforce that traffic always goes via Cloudflare Gateway.
+ Requiring the gateway is enforced continuously for [self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). For SaaS apps, it is only enforced at the time of login. However, a dedicated egress IP can be leveraged in tandem to enforce that traffic always goes via Cloudflare Gateway.
- **Does the user belong to an existing group, or have specific identity attributes?**
If your IdP supports SCIM, group membership information can be imported into Cloudflare, where it can be used in policies. Group information can also come from the SAML or OAuth data sent as part of authentication. In fact, when OIDC or SAML is used and claims are sent, they can be used in a policy. So if your users authenticate to your IDP using SAML, and the resulting token contains their "role," you can query that value in the rule.
diff --git a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
index aa845a100e58d7a..4ff643a09d4a023 100644
--- a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
+++ b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx
@@ -202,7 +202,7 @@ In the example below, `erp.example.com` is added as [Public Hostname](/cloudflar
-Not all applications will be suitable for this type of access. Only HTTP(S) applications or [applications that can be rendered in the browser](/cloudflare-one/applications/non-http/) such as SSH and VNC are supported. To learn more about such a deployment and additional advanced options such cookie settings, browser isolation and using the Access token in your application for authentication, see the [self-hosted application documentation](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+Not all applications will be suitable for this type of access. Only HTTP(S) applications or [applications that can be rendered in the browser](/cloudflare-one/access-controls/applications/non-http/) such as SSH and VNC are supported. To learn more about such a deployment and additional advanced options such cookie settings, browser isolation and using the Access token in your application for authentication, see the [self-hosted application documentation](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/).
## Summary
diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
index f2865b5700bfe95..d5dd3f88270e535 100644
--- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
+++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
@@ -262,7 +262,7 @@ For Cloudflare users, this offers a number of advantages: it helps streamline au
### Where does Cloudflare fit in?
-We recommend using our Cloudflare Access product for remote access to your internal services (by way of our Cloudflare Tunnel software in your network). With Cloudflare Access, you can [consume the JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) created by Cloudflare Access or use [Access for SaaS](/cloudflare-one/applications/configure-apps/saas-apps/) to act as a SAML or OAUTH proxy for your private, self-hosted applications (which have SSO integrations pre-built into them).
+We recommend using our Cloudflare Access product for remote access to your internal services (by way of our Cloudflare Tunnel software in your network). With Cloudflare Access, you can [consume the JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) created by Cloudflare Access or use [Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) to act as a SAML or OAUTH proxy for your private, self-hosted applications (which have SSO integrations pre-built into them).
In a lot of cases, you may even use both products for application access. For example, if you're self-hosting [Sentry](https://sentry.io/) — which is not currently available on the public Internet — follow these steps:
@@ -400,7 +400,7 @@ This framework can also give your IT organization direction on which tools to co
Cloudflare can help set a foundation for visibility and management of your [shadow IT](/cloudflare-one/insights/analytics/shadow-it-discovery/) environment and subsequent discoveries. User traffic to the Internet can be audited and organized from the WARP client and our [Secure Web Gateway (SWG)](/cloudflare-one/traffic-policies/), and can you understand where your sensitive data moves outside of your corporate-accepted SaaS tenants.
-This can then be an opportunity to further expand your Zero Trust strategy by ensuring those newly-discovered tools are either explicitly blocked or explicitly allowed, setting specific data security controls on them, or integrating them with your Zero Trust vendor (using something like [Access for SaaS](/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas/) to apply security policies).
+This can then be an opportunity to further expand your Zero Trust strategy by ensuring those newly-discovered tools are either explicitly blocked or explicitly allowed, setting specific data security controls on them, or integrating them with your Zero Trust vendor (using something like [Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/aws-sso-saas/) to apply security policies).
## Long-term management with APIs and Infrastructure as Code (IaC)
diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx
index 2e0f541203b9a61..b052d799966ac5a 100644
--- a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx
+++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx
@@ -31,7 +31,7 @@ When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudfl
1. For managed endpoints, we recommend deploying our [device agent](/cloudflare-one/team-and-resources/devices/warp/) to maximize visibility and control of all traffic between the end user’s device and the resources being requested.
2. For unmanaged endpoints, we have [client-less solutions](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/) which all you to still have visibility over and inspection into the data accessed by users.
-2. Cloudflare's [Zero Trust Network Access](/cloudflare-one/access-controls/policies/) (ZTNA) service can integrate directly with your [SaaS applications](/cloudflare-one/applications/configure-apps/saas-apps/) using standard protocols (e.g. SAML or OIDC) to become the initial enforcement point for user access. Access calls your [identity provider](/cloudflare-one/integrations/identity-providers/) (IdP) of choice and uses additional security signals about your users and devices to make policy decisions.
+2. Cloudflare's [Zero Trust Network Access](/cloudflare-one/access-controls/policies/) (ZTNA) service can integrate directly with your [SaaS applications](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) using standard protocols (e.g. SAML or OIDC) to become the initial enforcement point for user access. Access calls your [identity provider](/cloudflare-one/integrations/identity-providers/) (IdP) of choice and uses additional security signals about your users and devices to make policy decisions.
3. As an extension of what was covered in Securing data in use, Cloudflare [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/) (RBI) can also be used with [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/), so that even remote clientless user’s traffic can arrive at the requested SaaS application from predictable and consistent IP addresses.
diff --git a/src/content/docs/security-center/security-insights/index.mdx b/src/content/docs/security-center/security-insights/index.mdx
index fd71bb042d95c97..e59ec64c3dce1ba 100644
--- a/src/content/docs/security-center/security-insights/index.mdx
+++ b/src/content/docs/security-center/security-insights/index.mdx
@@ -44,7 +44,7 @@ Listed below are the specific insights currently available:
| [Turn on JavaScript Detection](/bots/additional-configurations/javascript-detections/) | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite. |
| [Unassigned Access seats](/cloudflare-one/) | We detect a Zero Trust subscription that is not configured yet. |
| [Unauthenticated API endpoints detected](/api-shield/management-and-monitoring/endpoint-labels/#managed-labels) | None of the successful requests against API endpoints carried session identifiers. |
-| [Unprotected Cloudflare Tunnels](/cloudflare-one/applications/configure-apps/self-hosted-public-app/#4-connect-your-origin-to-cloudflare) | We detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy. |
+| [Unprotected Cloudflare Tunnels](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/#4-connect-your-origin-to-cloudflare) | We detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy. |
| [Unproxied `A` Records](/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa) | This DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet. |
| [Unproxied `AAAA` Records](/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa) | This DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet. |
| [Unproxied `CNAME` Records](/dns/proxy-status/#dns-only-records) | This DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet. |
diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx
index 6a93bad752c27ab..01bc7d1aac91d9d 100644
--- a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx
+++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx
@@ -12,7 +12,7 @@ Refer to the sections below to learn about the use cases supported by the Zero T
## Agentless Cloudflare Access
-You can use [Cloudflare Access](/cloudflare-one/access-controls/policies/) [self-hosted applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Refer to the [learning path](/learning-paths/clientless-access/initial-setup/) for detailed guidance.
+You can use [Cloudflare Access](/cloudflare-one/access-controls/policies/) [self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Refer to the [learning path](/learning-paths/clientless-access/initial-setup/) for detailed guidance.
Even if the applications themselves have not yet migrated to post-quantum (PQ) cryptography, they will be protected against quantum threats.
diff --git a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx
index 0b11dc73de28a05..03a2182218ee526 100644
--- a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx
+++ b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx
@@ -83,7 +83,7 @@ Now that you’ve elevated your security to protect the publicly accessible part
### Zero Trust
-[Zero Trust](https://www.cloudflare.com/plans/zero-trust-services/) Web Applications is the best way to limit access to your admin panel. You can restrict access based on user instead of device, and it allows for very granular control. Setup of a Self-hosted web application is very easy, for more information refer to the [Self-hosted applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) section of the Zero Trust developer documentation.
+[Zero Trust](https://www.cloudflare.com/plans/zero-trust-services/) Web Applications is the best way to limit access to your admin panel. You can restrict access based on user instead of device, and it allows for very granular control. Setup of a Self-hosted web application is very easy, for more information refer to the [Self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) section of the Zero Trust developer documentation.
After configuring a web application, users will be required to authenticate in some way before they can access the restricted content. The default method is through email multifactor authentication:
diff --git a/src/content/docs/workers/examples/basic-auth.mdx b/src/content/docs/workers/examples/basic-auth.mdx
index cd96f70e4d06490..7fa3bd705e62a76 100644
--- a/src/content/docs/workers/examples/basic-auth.mdx
+++ b/src/content/docs/workers/examples/basic-auth.mdx
@@ -26,7 +26,7 @@ This example Worker makes use of the [Node.js Buffer API](/workers/runtime-apis/
:::caution[Caution when using in production]
-This code is provided as a sample, and is not suitable for production use. Basic Authentication sends credentials unencrypted, and must be used with an HTTPS connection to be considered secure. For a production-ready authentication system, consider using [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+This code is provided as a sample, and is not suitable for production use. Basic Authentication sends credentials unencrypted, and must be used with an HTTPS connection to be considered secure. For a production-ready authentication system, consider using [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/).
:::
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
index 396d0172e91f1d5..250c01c0867128e 100644
--- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
+++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
@@ -26,7 +26,7 @@ import {
8. Select **Next**.
9. To secure your targets, configure a policy that defines who can connect and how they can connect:
1. Enter any name for your policy.
- 2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/access-controls/policies/) and review the list of [infrastructure policy selectors](/cloudflare-one/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors).
+ 2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/access-controls/policies/) and review the list of [infrastructure policy selectors](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors).
3. In **Connection context**, configure the following settings:
- **SSH user**: Enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).
- **Allow users to log in as their email alias**: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, `Jdoe@company.com` could log in as `jdoe`.
diff --git a/src/content/partials/cloudflare-one/access/block-page.mdx b/src/content/partials/cloudflare-one/access/block-page.mdx
index a7de815903a685f..1f1605c83205c55 100644
--- a/src/content/partials/cloudflare-one/access/block-page.mdx
+++ b/src/content/partials/cloudflare-one/access/block-page.mdx
@@ -58,4 +58,4 @@ To create a custom block page for Access:
8. Once you are satisfied with your custom page, select **Save**.
-You can now select this block page when you [configure an Access application](/cloudflare-one/applications/configure-apps/).
+You can now select this block page when you [configure an Access application](/cloudflare-one/access-controls/applications/configure-apps/).
diff --git a/src/content/partials/cloudflare-one/access/enable-isolation.mdx b/src/content/partials/cloudflare-one/access/enable-isolation.mdx
index 587338bfc5f6d73..f01805a8ff45c17 100644
--- a/src/content/partials/cloudflare-one/access/enable-isolation.mdx
+++ b/src/content/partials/cloudflare-one/access/enable-isolation.mdx
@@ -7,7 +7,7 @@ import { Render } from "~/components";
3. Go to **Access** > **Applications**.
-4. Choose a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) and select **Configure**.
+4. Choose a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) and select **Configure**.
5. Go to **Policies**.
6. Choose an [Allow policy](/cloudflare-one/access-controls/policies/) and select **Configure**.
7. Under **Additional settings**, turn on **Isolate application**.
diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx
index 20549b10d0fe5ba..b15c3bba7df9ecb 100644
--- a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx
+++ b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx
@@ -7,13 +7,13 @@ import { Render } from "~/components"
-6. Select **Add public hostname**.
+6. Select **Add public hostname**.
7.
8. (Optional) Configure **Browser rendering settings**:
- - [Automatic `cloudflared` authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/)
- - [Browser rendering for SSH, VNC, or RDP](/cloudflare-one/applications/non-http/browser-rendering/)
+ - [Automatic `cloudflared` authentication](/cloudflare-one/access-controls/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/)
+ - [Browser rendering for SSH, VNC, or RDP](/cloudflare-one/access-controls/applications/non-http/browser-rendering/)
9.
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/all-access-app-targets.mdx b/src/content/partials/cloudflare-one/gateway/selectors/all-access-app-targets.mdx
index 8a0208de9684dae..e11c99dee37e886 100644
--- a/src/content/partials/cloudflare-one/gateway/selectors/all-access-app-targets.mdx
+++ b/src/content/partials/cloudflare-one/gateway/selectors/all-access-app-targets.mdx
@@ -2,7 +2,7 @@
{}
---
-All [targets](/cloudflare-one/applications/non-http/infrastructure-apps/#1-add-a-target) secured by an [Access infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/).
+All [targets](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target) secured by an [Access infrastructure application](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/).
| UI name | API example |
| ---------------------------- | --------------- |
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/all-access-private-app-destinations.mdx b/src/content/partials/cloudflare-one/gateway/selectors/all-access-private-app-destinations.mdx
index 1f25ee627fa4e07..1f5f1b251195e90 100644
--- a/src/content/partials/cloudflare-one/gateway/selectors/all-access-private-app-destinations.mdx
+++ b/src/content/partials/cloudflare-one/gateway/selectors/all-access-private-app-destinations.mdx
@@ -2,7 +2,7 @@
{}
---
-All destination IPs and hostnames secured by an [Access self-hosted private application](/cloudflare-one/applications/non-http/self-hosted-private-app/).
+All destination IPs and hostnames secured by an [Access self-hosted private application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).
| UI name | API example |
| ------------------ | -------------------- |
diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca-note.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca-note.mdx
index ea76c20ef437323..5117c9c548cc54c 100644
--- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca-note.mdx
+++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca-note.mdx
@@ -5,5 +5,5 @@
:::note
-Other short-lived CAs, such as those used to [secure SSH servers behind Cloudflare Access](/cloudflare-one/applications/non-http/short-lived-certificates-legacy/), are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the `gateway_ca` API endpoint.
+Other short-lived CAs, such as those used to [secure SSH servers behind Cloudflare Access](/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/), are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the `gateway_ca` API endpoint.
:::
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx
index 6861c0eb473d179..200bb0cae25fb9f 100644
--- a/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx
+++ b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx
@@ -10,4 +10,4 @@
4. Select **Save**.
-5. (Recommended) Add a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server.
+5. (Recommended) Add a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server.
diff --git a/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx b/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx
index d7b72b3e8e9f918..e7eb2263edef231 100644
--- a/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx
@@ -10,4 +10,4 @@
3. Select **Save**.
4. To test, open a browser and go to `http://hellocloudflare..com`. You should see the **Hello Cloudflare!** test page.
-You can optionally [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to control who can access the service.
+You can optionally [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to control who can access the service.
diff --git a/src/content/plans/index.json b/src/content/plans/index.json
index 1474f378b691650..f6508a1c47b30bc 100644
--- a/src/content/plans/index.json
+++ b/src/content/plans/index.json
@@ -3,7 +3,7 @@
"title": "Account options",
"single_sign_on": {
"title": "Cloudflare dashboard single sign-on",
- "link": "/cloudflare-one/applications/configure-apps/dash-sso-apps/",
+ "link": "/fundamentals/manage-members/dashboard-sso/",
"properties": {
"availability": {
"title": "Availability",