From 82d9cf6a8e9c1a8abde7caaa64c3e3e6a7556f50 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 3 Nov 2025 15:34:41 -0500 Subject: [PATCH 1/3] clarify split tunnel requirements --- .../private-net/warp-to-warp.mdx | 30 ++++++++++++------- .../egress-policies/host-selectors.mdx | 14 ++++----- .../private-network/warp-to-tunnel.mdx | 23 +++++++------- 3 files changed, 36 insertions(+), 31 deletions(-) diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx index 2d24c8ee195e2b0..0f01e4322e81114 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx @@ -8,7 +8,7 @@ head: content: Create private networks with WARP-to-WARP --- -import { Render, GlossaryTooltip } from "~/components"; +import { Render, GlossaryTooltip, Tabs, TabItem } from "~/components"; With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare's network. 
@@ -34,16 +34,26 @@ This guide covers how to: 3. Enable **Allow WARP to WARP connection**. This allows Cloudflare to route traffic to the CGNAT IP space. 4. In your [Split Tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/), ensure that traffic to `100.96.0.0/12` is going through WARP: -- If using **Exclude** mode, delete `100.64.0.0/10` from the list and add the following IP addresses: - - - `100.64.0.0/12` - - `100.81.0.0/16` - - `100.82.0.0/15` - - `100.84.0.0/14` - - `100.88.0.0/13` - - `100.112.0.0/12` + + If using Split Tunnels in **Exclude** mode: + 1. Delete `100.64.0.0/10` from the list. + 2. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used for Zero Trust services. For example, if you are using WARP-to-WARP alongside [Gateway host selectors](/cloudflare-one/traffic-policies/egress-policies/host-selectors/) or [private hostname routing](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/), add routes to exclude the following IP addresses: + + - `100.64.0.0/12` + - `100.81.0.0/16` + - `100.82.0.0/15` + - `100.84.0.0/14` + - `100.88.0.0/13` + - `100.112.0.0/12` + + + If using Split Tunnels in **Include** mode: + + 1. Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list. + 2. [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.96.0.0/12`. + + -- If using **Include** mode, add `100.96.0.0/12` and `100.80.0.0/16` to your list. 
This will instruct WARP to begin proxying any traffic destined for a `100.96.0.0/12` IP address to Cloudflare for routing and policy enforcement. diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx index b7494459360a30c..98b9d306f59a59c 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { Tabs, TabItem, Details, APIRequest } from "~/components"; +import { Tabs, TabItem, Details, APIRequest} from "~/components";
@@ -92,23 +92,21 @@ To configure your Zero Trust organization to use Host selectors with Egress poli {/* prettier-ignore-start */} -2. In your WARP [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode: +2. In your WARP [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/), configure [Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode: - 1. [Remove the route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list. - 2. [Add routes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: + 1. [Remove the route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list. + 2. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used for Zero Trust services. For example, if you are using Gateway host selectors alongside [WARP-to-WARP connectivity](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/) (`100.96.0.0/12`), add routes to exclude the following IP addresses: - `100.64.0.0/12` - `100.81.0.0/16` - `100.82.0.0/15` - `100.84.0.0/14` - `100.88.0.0/13` - `100.112.0.0/12` - - And remove `100.64.0.0/10` IP address. - 1. 
Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list. - 2. [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.80.0.0/16` and `100.96.0.0/12` IP addresses. + 1. Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list. + 2. [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.80.0.0/16`. diff --git a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx index 1337d051624ee15..2322be6856e4989 100644 --- a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx +++ b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx @@ -26,8 +26,8 @@ graph LR subgraph D2[Data center 2] cf2@{ shape: processes, label: "cloudflared" } subgraph F[Pool 2] - S3["Endpoint
10.0.0.1 (VNET-2)"] - S4["Endpoint
10.0.0.2 (VNET-2)"] + S3["Endpoint
server3.internal.local
10.0.0.1 (VNET-2)"] + S4["Endpoint
server4.internal.local
10.0.0.2 (VNET-2)"] end cf2-->S3 cf2-->S4 @@ -35,8 +35,8 @@ graph LR subgraph D1[Data center 1] cf1@{ shape: processes, label: "cloudflared" } subgraph E[Pool 1] - S1["Endpoint
10.0.0.1 (VNET-1)"] - S2["Endpoint
10.0.0.2 (VNET-1)"] + S1["Endpoint
server1.internal.local
10.0.0.1 (VNET-1)"] + S2["Endpoint
server2.internal.local
10.0.0.2 (VNET-1)"] end cf1-->S1 cf1-->S2 
@@ -51,15 +51,11 @@ The components in the diagram include: - **cloudflared**: Each data center is connected to Cloudflare with its own Cloudflare Tunnel. `cloudflared` installs on one or [more](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) host machines in the network. - **Private load balancer IP**: End users connect to the application using the load balancer's IP address. This can either be a Cloudflare-assigned CGNAT IP (`100.64.0.0/10`) or a custom [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) IP. - **Load balancer pool**: The load balancer is configured with one [pool](/load-balancing/understand-basics/load-balancing-components/#pools) per tunnel. -- **Load balancer endpoint**: A pool contains one or more endpoints, where each endpoint is a server behind `cloudflared` that is running the application. If your servers have overlapping IPs, you can assign a distinct [virtual network (VNET)](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) per tunnel so that Load Balancer can deterministically route requests to the correct endpoint. - -:::note -Load Balancing does not currently support [private hostname routing](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/). Load balancing endpoints must be defined using an IP address and virtual network (for example, `10.0.0.1 (VNET-1)`). -::: +- **Load balancer endpoint**: A pool contains one or more endpoints, where each endpoint is a server behind `cloudflared` that is running the application. If you prefer to manage endpoints using IPs, you can assign a distinct [virtual network (VNET)](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) per tunnel so that Load Balancer can deterministically route requests to the correct endpoint. 
## Prerequisites -- Your endpoint IP addresses route through Cloudflare Tunnel. To learn how to connect your private network, refer to [Connect an IP/CIDR](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). +- Your private hostname or IP routes through Cloudflare Tunnel. To learn how to connect your private network, refer to [Connect a private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [Connect an IP/CIDR](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). ## 1. Create load balancer pools @@ -75,9 +71,9 @@ To create a pool using the dashboard, refer to the [Create a pool](/load-balanci :::note[Endpoint IP address limitations] -- All endpoints with private IPs must have a [virtual network (VNET)](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) specified. If you did not select a VNET when adding a Cloudflare Tunnel route, the endpoint will be assigned to the `default` VNET. -- A pool cannot have multiple endpoints with the same IP address, even when using different virtual networks. You can assign endpoints with overlapping IPs to different pools, as shown in the [example diagram](#_top). -::: +- All endpoints with private IPs must have a virtual network (VNET) specified. +- A pool cannot have multiple endpoints with the same IP address, even when using different virtual networks. You can assign endpoints with overlapping IPs to different pools, as shown in the [example diagram](#_top). Alternatively, add endpoints using their [private hostnames](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) instead of IPs. + ::: 
@@ -133,6 +129,7 @@ In order for WARP clients to connect to your load balancer, the load balancer's - **Exclude mode**: Delete the IP range that contains your load balancer IP. For example, if your load balancer has a Cloudflare-assigned CGNAT IP, delete `100.64.0.0/10`. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used by your load balancer. :::note Some IPs in the `100.64.0.0/10` range may be reserved for other Zero Trust services such as Gateway initial resolved IPs or WARP CGNAT IPs. These IPs should remain deleted from the Exclude list. + ::: - **Include mode**: Add your load balancer IP. WARP traffic can now reach your private load balancer. For example, if your load balancer points to a web application, you can test by running `curl ` from the WARP device. This traffic will be distributed over Cloudflare Tunnel to your private endpoints according to your configured steering method. From 3177ebfb4bdd2844a644d35d3cea0b67adae0983 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 3 Nov 2025 15:38:48 -0500 Subject: [PATCH 2/3] remove IP --- .../traffic-policies/egress-policies/host-selectors.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx index 98b9d306f59a59c..c094ebd287936bb 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx 
@@ -96,7 +96,7 @@ To configure your Zero Trust organization to use Host selectors with Egress poli 1. [Remove the route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list. - 2. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used for Zero Trust services. For example, if you are using Gateway host selectors alongside [WARP-to-WARP connectivity](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/) (`100.96.0.0/12`), add routes to exclude the following IP addresses: + 2. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used for Zero Trust services. For example, if you are using Gateway host selectors alongside [WARP-to-WARP connectivity](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/) add routes to exclude the following IP addresses: - `100.64.0.0/12` - `100.81.0.0/16` - `100.82.0.0/15` From ba4cb5d0110c862134d6ddcd727d2ffec1b61f91 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 3 Nov 2025 15:43:43 -0500 Subject: [PATCH 3/3] revert LB changes --- .../private-network/warp-to-tunnel.mdx | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx index 2322be6856e4989..6591206f8f00039 100644 --- a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx +++ b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx 
@@ -26,8 +26,8 @@ graph LR subgraph D2[Data center 2] cf2@{ shape: processes, label: "cloudflared" } subgraph F[Pool 2] - S3["Endpoint
server3.internal.local
10.0.0.1 (VNET-2)"] - S4["Endpoint
server4.internal.local
10.0.0.2 (VNET-2)"] + S3["Endpoint
10.0.0.1 (VNET-2)"] + S4["Endpoint
10.0.0.2 (VNET-2)"] end cf2-->S3 cf2-->S4 @@ -35,8 +35,8 @@ graph LR subgraph D1[Data center 1] cf1@{ shape: processes, label: "cloudflared" } subgraph E[Pool 1] - S1["Endpoint
server1.internal.local
10.0.0.1 (VNET-1)"] - S2["Endpoint
server2.internal.local
10.0.0.2 (VNET-1)"] + S1["Endpoint
10.0.0.1 (VNET-1)"] + S2["Endpoint
10.0.0.2 (VNET-1)"] end cf1-->S1 cf1-->S2 
@@ -51,11 +51,15 @@ The components in the diagram include: - **cloudflared**: Each data center is connected to Cloudflare with its own Cloudflare Tunnel. `cloudflared` installs on one or [more](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) host machines in the network. - **Private load balancer IP**: End users connect to the application using the load balancer's IP address. This can either be a Cloudflare-assigned CGNAT IP (`100.64.0.0/10`) or a custom [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) IP. - **Load balancer pool**: The load balancer is configured with one [pool](/load-balancing/understand-basics/load-balancing-components/#pools) per tunnel. -- **Load balancer endpoint**: A pool contains one or more endpoints, where each endpoint is a server behind `cloudflared` that is running the application. If you prefer to manage endpoints using IPs, you can assign a distinct [virtual network (VNET)](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) per tunnel so that Load Balancer can deterministically route requests to the correct endpoint. +- **Load balancer endpoint**: A pool contains one or more endpoints, where each endpoint is a server behind `cloudflared` that is running the application. If your servers have overlapping IPs, you can assign a distinct [virtual network (VNET)](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) per tunnel so that Load Balancer can deterministically route requests to the correct endpoint. + +:::note +Load Balancing does not currently support [private hostname routing](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/). Load balancing endpoints must be defined using an IP address and virtual network (for example, `10.0.0.1 (VNET-1)`). 
+::: ## Prerequisites -- Your private hostname or IP routes through Cloudflare Tunnel. To learn how to connect your private network, refer to [Connect a private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [Connect an IP/CIDR](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). +- Your endpoint IP addresses route through Cloudflare Tunnel. To learn how to connect your private network, refer to [Connect an IP/CIDR](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). ## 1. Create load balancer pools @@ -71,9 +75,9 @@ To create a pool using the dashboard, refer to the [Create a pool](/load-balanci :::note[Endpoint IP address limitations] -- All endpoints with private IPs must have a virtual network (VNET) specified. -- A pool cannot have multiple endpoints with the same IP address, even when using different virtual networks. You can assign endpoints with overlapping IPs to different pools, as shown in the [example diagram](#_top). Alternatively, add endpoints using their [private hostnames](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) instead of IPs. - ::: +- All endpoints with private IPs must have a [virtual network (VNET)](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) specified. If you did not select a VNET when adding a Cloudflare Tunnel route, the endpoint will be assigned to the `default` VNET. +- A pool cannot have multiple endpoints with the same IP address, even when using different virtual networks. You can assign endpoints with overlapping IPs to different pools, as shown in the [example diagram](#_top). +:::
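Review bot: In the warp-to-warp.mdx `@@ -8,7 +8,7 @@` hunk, the import now pulls in `Tabs` and `TabItem`; the Exclude/Include blocks in the next hunk are the only place they can be used, so make sure both components are actually rendered there (an unused import will be flagged by lint and the mode switch would silently fall back to plain text).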
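Review bot: In the warp-to-warp.mdx `@@ -34,16 +34,26 @@` hunk, the Exclude-mode list under step 2 should state what it leaves routed. The six prefixes (`100.64.0.0/12`, `100.81.0.0/16`, `100.82.0.0/15`, `100.84.0.0/14`, `100.88.0.0/13`, `100.112.0.0/12`) cover all of `100.64.0.0/10` except `100.80.0.0/16` and `100.96.0.0/12`, which are exactly the two ranges the host-selectors Include-mode step and this page need to stay on WARP. A reader who only uses WARP-to-WARP cannot tell that `100.80.0.0/16` may also be excluded, and a reader using other Zero Trust services cannot tell which gap the example protects; one sentence after the list, such as "This leaves `100.80.0.0/16` and `100.96.0.0/12` routed through WARP", would make the example adaptable. The Include-mode steps also drop the old `100.80.0.0/16` entry without saying where it went; if the linked Zero Trust IP addresses list is meant to cover it, say so, or mirror the Exclude-mode cross-reference to host selectors so the two modes stay parallel.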
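Review bot: The only change in the host-selectors.mdx `@@ -5,7 +5,7 @@` hunk is the dropped space before `}` in `import { Tabs, TabItem, Details, APIRequest} from "~/components";`, which looks accidental and is inconsistent with the warp-to-warp.mdx import in the same series (`import { Render, GlossaryTooltip, Tabs, TabItem } from "~/components";`). Restore the space or drop the hunk.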
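Review bot: In the host-selectors.mdx `@@ -92,23 +92,21 @@` hunk, the `-`/`+` pair for step 1 ("[Remove the route](...) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.") is identical in content, so presumably only indentation changed; confirm that is intended, because the block sits inside a `prettier-ignore` region and nothing will normalise it. Removing the trailing "And remove `100.64.0.0/10` IP address." line is right, since step 1 already covers it. As with the warp-to-warp page, a sentence after the six-prefix list saying that it leaves `100.80.0.0/16` and `100.96.0.0/12` routed through WARP would make the recommendation usable by readers who are not running both features.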
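Review bot: The `+ :::` added in the warp-to-tunnel.mdx `@@ -133,6 +129,7 @@` hunk closes the `:::note` nested under the **Exclude mode** bullet, which in the visible context has no terminator before the **Include mode** bullet, so that bullet was being swallowed into the note. Good fix; check that the closing fence's indentation matches the opening `:::note` line so MDX keeps the note inside the list item, and keep this hunk separate from the reverted ones (patch 3/3 currently leaves it in place, which is correct).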
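Review bot: Patch 3/3 "revert LB changes" undoes, line for line, every warp-to-tunnel.mdx hunk from patch 1/3 except the `:::` fix: the mermaid endpoint labels (`server1.internal.local` through `server4.internal.local`), the **Load balancer endpoint** bullet and its "Load Balancing does not currently support private hostname routing" note, the Prerequisites bullet, and the endpoint limitations note. Two commits that cancel each other make the series harder to review and to bisect; squash them out (or rebase so 1/3 never touches that file) so the reviewable diff contains only the Split Tunnel clarifications and the `:::` fix. If the private-hostname endpoint text was withdrawn because Load Balancing does not support it yet, a line in the PR description saying so would stop the next contributor from re-adding it.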
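Review bot: In the patch 2/3 host-selectors.mdx `@@ -96,7 +96,7 @@` hunk, dropping the "(`100.96.0.0/12`)" aside leaves the sentence without its comma: "alongside [WARP-to-WARP connectivity](...) add routes to exclude the following IP addresses" should read "alongside [WARP-to-WARP connectivity](...), add routes to exclude the following IP addresses". Removing the range itself is fine, since the linked WARP-to-WARP page states it.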