diff --git a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx index e3f995b0003c89a..a2c15434dfba0af 100644 --- a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx +++ b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx @@ -1,6 +1,7 @@ --- reviewed: 2025-05-02 category: 🔐 Zero Trust +difficulty: Advanced pcx_content_type: tutorial title: Create and secure an AI agent wrapper using AI Gateway and Zero Trust tags: diff --git a/src/content/docs/cloudflare-one/tutorials/cli.mdx b/src/content/docs/cloudflare-one/tutorials/cli.mdx index b1623cf8597cbfc..cb2cee281a9f7eb 100644 --- a/src/content/docs/cloudflare-one/tutorials/cli.mdx +++ b/src/content/docs/cloudflare-one/tutorials/cli.mdx @@ -1,6 +1,7 @@ --- reviewed: 2021-03-23 category: 🔐 Zero Trust +difficulty: Intermediate pcx_content_type: tutorial title: Connect through Cloudflare Access using a CLI description: >- diff --git a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx index c8dddd930d0ac7d..f6c01e6adf0e028 100644 --- a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx +++ b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx @@ -1,6 +1,7 @@ --- reviewed: 2024-03-04 category: 🔐 Zero Trust +difficulty: Intermediate pcx_content_type: tutorial title: Access a web application via its private hostname without WARP description: >- diff --git a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx index 5edec29a25fe517..b8fda28eeaa4bf2 100644 --- a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx +++ b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx 
@@ -1,6 +1,7 @@ --- reviewed: 2024-01-12 category: 🔐 Access +difficulty: Intermediate pcx_content_type: tutorial title: Use Microsoft Entra ID Conditional Access policies in Cloudflare Access description: >- diff --git a/src/content/docs/cloudflare-one/tutorials/fastapi.mdx b/src/content/docs/cloudflare-one/tutorials/fastapi.mdx index 96363a34fbb8947..a92d49e9c187509 100644 --- a/src/content/docs/cloudflare-one/tutorials/fastapi.mdx +++ b/src/content/docs/cloudflare-one/tutorials/fastapi.mdx @@ -1,6 +1,7 @@ --- reviewed: 2023-06-09 category: 🔐 Access +difficulty: Beginner pcx_content_type: tutorial title: Validate the Access token with FastAPI tags: @@ -15,8 +16,8 @@ This tutorial covers how to validate that the [Access JWT](/cloudflare-one/acces ## Prerequisites -* A [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your FastAPI app -* The [AUD tag](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application +- A [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your FastAPI app +- The [AUD tag](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application ## 1. Create a validation function diff --git a/src/content/docs/cloudflare-one/tutorials/grafana.mdx b/src/content/docs/cloudflare-one/tutorials/grafana.mdx index 45c9a4637d7865c..d256b99205ae7df 100644 --- a/src/content/docs/cloudflare-one/tutorials/grafana.mdx +++ b/src/content/docs/cloudflare-one/tutorials/grafana.mdx @@ -1,6 +1,7 @@ --- reviewed: 2023-12-06 category: 🌐 Connections +difficulty: Intermediate pcx_content_type: tutorial title: Monitor Cloudflare Tunnel with Grafana description: >- 
diff --git a/src/content/docs/cloudflare-one/tutorials/graphql-analytics.mdx b/src/content/docs/cloudflare-one/tutorials/graphql-analytics.mdx index eb71350e18cb710..74bfe1edf9e459e 100644 --- a/src/content/docs/cloudflare-one/tutorials/graphql-analytics.mdx +++ b/src/content/docs/cloudflare-one/tutorials/graphql-analytics.mdx @@ -9,7 +9,7 @@ head: - tag: title content: GraphQL Analytics reviewed: 2022-03-02 -difficulty: Medium +difficulty: Intermediate description: >- Use the GraphQL Analytics API to review data for Magic Firewall network traffic related to rules matching your traffic. --- diff --git a/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx b/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx index d58ee51328d2404..267d5378d60d3c6 100644 --- a/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx +++ b/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx @@ -1,6 +1,7 @@ --- reviewed: 2021-08-19 category: 🔐 Zero Trust +difficulty: Intermediate pcx_content_type: tutorial title: Integrate Microsoft MCAS with Cloudflare Zero Trust description: >- diff --git a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx index 61a056e2c1143e5..39d5ad141db1376 100644 --- a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx +++ b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx @@ -1,6 +1,7 @@ --- reviewed: 2022-07-19 category: 🔐 Zero Trust +difficulty: Advanced pcx_content_type: tutorial title: Connect through Cloudflare Access using kubectl description: >- diff --git a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx index 4a1f5f425886ca3..31792128b0bf564 100644 --- a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx +++ b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx 
@@ -1,6 +1,7 @@ --- reviewed: 2024-03-11 category: 🔐 Zero Trust +difficulty: Intermediate pcx_content_type: tutorial title: Access and secure a MySQL database using Cloudflare Tunnel and network policies description: >- diff --git a/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx b/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx index 387a76f235bacfa..b46f2321f13de5d 100644 --- a/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx +++ b/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx @@ -1,7 +1,7 @@ --- reviewed: 2020-12-07 category: 🔐 Zero Trust -difficulty: Medium +difficulty: Intermediate pcx_content_type: tutorial title: Require U2F with Okta description: >- diff --git a/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx b/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx new file mode 100644 index 000000000000000..a2cfd90abccf174 --- /dev/null +++ b/src/content/docs/cloudflare-one/tutorials/regional-private-dns-resolver-policies.mdx 
@@ -0,0 +1,130 @@ +--- +reviewed: 2025-11-19 +category: 🔐 Zero Trust +difficulty: Advanced +pcx_content_type: tutorial +title: Implement regional private DNS servers with Gateway resolver policies +description: Configure Gateway resolver policies to route DNS queries to region-specific private DNS servers, enabling geo-steering for internal resources across multiple locations. +--- + +import { Render } from "~/components"; + +Gateway resolver policies allow you to route DNS queries to custom DNS resolvers based on various criteria. This tutorial demonstrates how to configure region-specific private DNS servers to ensure your users are directed to the closest internal resources based on their geographic location. + +This approach is particularly useful for organizations with internal networks spanning multiple locations where DNS routes and manages access to private network resources. + +By the end of this tutorial, you will have configured Gateway resolver policies to automatically route DNS queries to region-specific private DNS servers based on user location, providing optimal performance and access to internal resources. + +This tutorial uses US and EU region servers as example private DNS servers. + +## Prerequisites + +Before you begin, make sure you have: + +- An Enterprise Zero Trust account +- Private DNS servers deployed in multiple regions (for example, US, EU, and APAC) +- A [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) connecting your private DNS servers to Cloudflare +- Internal domains that need to be resolved (for example, `internal.example.com`) + +## 1. Connect private DNS servers with Cloudflare Tunnel + +First, connect your regional private DNS servers to Cloudflare using Cloudflare Tunnel. + +For each region where you have a private DNS server, [create a tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#1-create-a-tunnel). 
For each tunnel, [add the private IP addresses](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2-add-private-network-routes) of your DNS servers. For example, `10.0.1.53/32` for the US region and `10.1.1.53/32` for the EU region. + +Repeat this process for all regional DNS servers. + +## 2. Create Gateway resolver policies for each region + +Once your private DNS servers are connected to Cloudflare, configure Gateway resolver policies to route DNS queries to the appropriate regional DNS server based on user location. + +### Create resolver policies for each region + +For each region where you have a private DNS server: + +1. Go to **Traffic policies** > **Resolver policies**. +2. Select **Add a policy**. +3. Name your policy based on the region (for example, `US Internal DNS`). +4. Create an expression to match internal domains and users in that region. For example, to match users in the United States: + + | Selector | Operator | Value | Logic | + | ----------------------------- | -------- | ---------------------- | ----- | + | Domain | in | `internal.example.com` | And | + | Source Country IP Geolocation | in | _United States_ | | + +5. In **Select DNS resolver**, select _Configure custom DNS resolvers_. +6. Enter the private IP address of your regional DNS server (for example, `10.0.1.53` for US or `10.1.1.53` for EU). +7. In the dropdown menu, choose _` - Private`_. +8. (Optional) Select **Add DNS resolver** and enter a secondary IP address to add a backup DNS resolver. +9. Select **Create policy**. +10. Repeat steps 1-9 for each region where you have a private DNS server. 
For example, to create a policy to match users in the EU region: + +| Selector | Operator | Value | Logic | +| ----------------------------- | -------- | -------------------------------------------------------- | ----- | +| Domain | in | `internal.example.com` | And | +| Source Country IP Geolocation | in | _Austria_, _Belgium_, _France_, _Germany_, _Netherlands_ | | + +### Create a fallback resolver policy + +Create a catch-all policy for users in regions without a dedicated DNS server, or if no policies match your traffic: + +1. Go to **Traffic policies** > **Resolver policies**. +2. Select **Add a policy**. +3. Name your policy (for example, `Internal DNS Fallback`). +4. Create an expression to match internal domains: + + | Selector | Operator | Value | + | -------- | -------- | ---------------------- | + | Domain | in | `internal.example.com` | + +5. In **Select DNS resolver**, select _Configure custom DNS resolvers_. +6. Enter the private IP address of your primary DNS server. +7. Select **Create policy**. + +## 3. Configure policy order + +Gateway will apply resolver policies based on [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). Ensure your policies are ordered from most specific to least specific: + +1. Go to **Traffic policies** > **Resolver policies**. +2. Use the drag handle to reorder policies: + - Resolver policies with regional coverage first + - Your fallback resolver policy last + +Gateway will apply the first matching policy. If no policies match your traffic, Gateway will apply the fallback resolver policy. The order between resolver policies with regional coverage does not matter. + +## 4. Test your configuration + +### Test from different regions + +To test your configuration, deploy WARP on a device in each region where you have a private DNS server and run a DNS query to an internal domain. For example, to test the US region: + +1. 
[Deploy WARP](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/) on a device in the US region. +2. From the device, open a terminal and run: + + ```sh + nslookup internal.example.com + ``` + +3. Verify that the DNS query returns the expected IP address for your internal resource. The response should show the IP address that your US DNS server is configured to return for `internal.example.com`. +4. Repeat the test from devices in other regions to confirm they receive responses from their respective regional DNS servers. Each region may return different IP addresses based on your DNS server configuration. + +### Verify in Gateway logs + +1. Go to **Insights** > **Logs** > **DNS query logs**. +2. Filter for queries to `internal.example.com`. +3. Check the **Resolver IP** field to confirm queries are being routed to the correct regional DNS servers based on user location. + +## Best practices + +- **Use backup resolvers**: Configure secondary DNS resolvers for each region to ensure high availability. +- **Monitor DNS performance**: Use [Gateway Analytics](/cloudflare-one/insights/analytics/gateway/) to track DNS query performance and identify any issues with regional routing. +- **Implement network policies**: Combine resolver policies with [network policies](/cloudflare-one/traffic-policies/network-policies/) to control access to internal resources based on user identity and device posture. +- **Consider virtual networks**: If you have overlapping IP address spaces across regions, use [virtual networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) to isolate traffic. +- **Test failover scenarios**: Regularly test what happens when a regional DNS server becomes unavailable to ensure your backup resolvers work as expected. 
+ +## Related resources + +- [Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) +- [Connect private networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/) +- [Gateway Analytics](/cloudflare-one/insights/analytics/gateway/) +- [Virtual networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) diff --git a/src/content/docs/cloudflare-one/tutorials/tunnel-kubectl.mdx b/src/content/docs/cloudflare-one/tutorials/tunnel-kubectl.mdx index 44b4105815551b3..e419ae6392d7c1b 100644 --- a/src/content/docs/cloudflare-one/tutorials/tunnel-kubectl.mdx +++ b/src/content/docs/cloudflare-one/tutorials/tunnel-kubectl.mdx @@ -1,6 +1,7 @@ --- reviewed: 2024-10-02 category: 🔐 Zero Trust +difficulty: Intermediate pcx_content_type: tutorial title: Use Cloudflare Tunnels with Kubernetes client-go plugin description: >-
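Review bot: In the regional resolver policy procedure of regional-private-dns-resolver-policies.mdx, step 7 reads `choose _` - Private`_`, which is broken markup: the nested backticks and underscores render as a stray backtick and a leading " - " instead of the dropdown label. Replace it with the plain option name as the dashboard shows it (for example `_Private_`), matching how other dashboard values are styled elsewhere in the same list.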
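Review bot: The "Create a fallback resolver policy" steps omit the step that selects the private resolver type (step 7 of the regional procedure), while step 6 still tells the reader to enter the private IP address of the primary DNS server. Without choosing the private option, Gateway treats a 10.x address as a public resolver and the fallback policy fails for exactly the users it is meant to catch. Add the same "choose Private" step (and the optional secondary resolver step) to the fallback procedure so the two procedures are consistent.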
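Review bot: In "3. Configure policy order", the sentence "The order between resolver policies with regional coverage does not matter" is only true while the Source Country IP Geolocation value lists of the regional policies are disjoint; the EU example lists five countries, and any later policy with an overlapping set (a whole-continent policy, or a second policy that also names Germany) would be shadowed by whichever sits higher. Qualify the claim ("as long as their country lists do not overlap") so readers do not assume ordering among regional policies is always irrelevant.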
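Review bot: Step 1 of the new tutorial adds `10.0.1.53/32` and `10.1.1.53/32` as tunnel private network routes, which makes both DNS servers reachable at the network layer by every WARP client in the account, not only through the resolver policy; likewise the Domain match on `internal.example.com` with no identity selector means any enrolled user can resolve internal names. Source Country IP Geolocation is derived from the device's public egress address and is a steering signal, not an access control. The "Implement network policies" bullet under Best practices should be promoted to a required step (or at least a warning) that restricts TCP/UDP 53 to the two resolver IPs for the intended identity groups, and the text should state plainly that these resolver policies decide which server answers, not who may query.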
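Review bot: The Prerequisites list says private DNS servers "for example, US, EU, and APAC", but the intro states "This tutorial uses US and EU region servers as example private DNS servers" and every later example uses only `10.0.1.53` and `10.1.1.53`. Align the prerequisite with the two regions actually walked through, or drop APAC from the example list, so the reader is not left looking for a third policy.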
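Review bot: In "4. Test your configuration", step 3 asks the reader to verify that `nslookup internal.example.com` returns "the expected IP address", but if the US and EU servers serve identical zone data the query result cannot show which resolver answered; only the Gateway DNS query log check that follows is conclusive. Suggest saying so in step 3 (for example, "this confirms resolution works; use the log check below to confirm which resolver answered") and, if the tutorial wants the client-side test to be meaningful, pointing readers at a record their regional servers return differently on purpose.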
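Review bot: Across the frontmatter hunks, `difficulty: Medium` is changed to `difficulty: Intermediate` in graphql-analytics.mdx and okta-u2f.mdx while the other files gain `difficulty` values of Beginner, Intermediate or Advanced; please confirm the content collection schema enumerates exactly that set so a stray `Medium` elsewhere fails the build rather than rendering silently. The fastapi.mdx hunk also flips the Prerequisites bullets from `*` to `-`, an unrelated formatting change that would be cleaner in its own commit.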