cloudflare · maxvp · Nov 19, 2025 · Nov 17, 2025 · Nov 17, 2025 · Nov 17, 2025
@@ -1,6 +1,7 @@
 ---
 reviewed: 2025-05-02
 category: 🔐 Zero Trust
+difficulty: Advanced
 pcx_content_type: tutorial
 title: Create and secure an AI agent wrapper using AI Gateway and Zero Trust
 tags:

@@ -1,6 +1,7 @@
 ---
 reviewed: 2021-03-23
 category: 🔐 Zero Trust
+difficulty: Intermediate
 pcx_content_type: tutorial
 title: Connect through Cloudflare Access using a CLI
 description: >-

@@ -1,6 +1,7 @@
 ---
 reviewed: 2024-03-04
 category: 🔐 Zero Trust
+difficulty: Intermediate
 pcx_content_type: tutorial
 title: Access a web application via its private hostname without WARP
 description: >-

@@ -1,6 +1,7 @@
 ---
 reviewed: 2024-01-12
 category: 🔐 Access
+difficulty: Intermediate
 pcx_content_type: tutorial
 title: Use Microsoft Entra ID Conditional Access policies in Cloudflare Access
 description: >-

@@ -1,6 +1,7 @@
 ---
 reviewed: 2023-06-09
 category: 🔐 Access
+difficulty: Beginner
 pcx_content_type: tutorial
 title: Validate the Access token with FastAPI
 tags:
@@ -15,8 +16,8 @@ This tutorial covers how to validate that the [Access JWT](/cloudflare-one/acces
 
 ## Prerequisites
 
-* A [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your FastAPI app
-* The [AUD tag](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application
+- A [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your FastAPI app
+- The [AUD tag](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application
 
 ## 1. Create a validation function
 

@@ -1,6 +1,7 @@
 ---
 reviewed: 2023-12-06
 category: 🌐 Connections
+difficulty: Intermediate
 pcx_content_type: tutorial
 title: Monitor Cloudflare Tunnel with Grafana
 description: >-

@@ -9,7 +9,7 @@ head:
   - tag: title
     content: GraphQL Analytics
 reviewed: 2022-03-02
-difficulty: Medium
+difficulty: Intermediate
 description: >-
   Use the GraphQL Analytics API to review data for Magic Firewall network traffic related to rules matching your traffic.
 ---

@@ -1,6 +1,7 @@
 ---
 reviewed: 2021-08-19
 category: 🔐 Zero Trust
+difficulty: Intermediate
 pcx_content_type: tutorial
 title: Integrate Microsoft MCAS with Cloudflare Zero Trust
 description: >-

@@ -1,6 +1,7 @@
 ---
 reviewed: 2022-07-19
 category: 🔐 Zero Trust
+difficulty: Advanced
 pcx_content_type: tutorial
 title: Connect through Cloudflare Access using kubectl
 description: >-

@@ -1,6 +1,7 @@
 ---
 reviewed: 2024-03-11
 category: 🔐 Zero Trust
+difficulty: Intermediate
 pcx_content_type: tutorial
 title: Access and secure a MySQL database using Cloudflare Tunnel and network policies
 description: >-

@@ -1,7 +1,7 @@
 ---
 reviewed: 2020-12-07
 category: 🔐 Zero Trust
-difficulty: Medium
+difficulty: Intermediate
 pcx_content_type: tutorial
 title: Require U2F with Okta
 description: >-

@@ -0,0 +1,130 @@
+---
+reviewed: 2025-11-19
+category: 🔐 Zero Trust
+difficulty: Advanced
+pcx_content_type: tutorial
+title: Implement regional private DNS servers with Gateway resolver policies
+description: Configure Gateway resolver policies to route DNS queries to region-specific private DNS servers, enabling geo-steering for internal resources across multiple locations.
+---
+
+import { Render } from "~/components";
+
+Gateway resolver policies allow you to route DNS queries to custom DNS resolvers based on various criteria. This tutorial demonstrates how to configure region-specific private DNS servers to ensure your users are directed to the closest internal resources based on their geographic location.
+
+This approach is particularly useful for organizations with internal networks spanning multiple locations where DNS routes and manages access to private network resources.
+
+By the end of this tutorial, you will have configured Gateway resolver policies to automatically route DNS queries to region-specific private DNS servers based on user location, providing optimal performance and access to internal resources.
+
+This tutorial uses US and EU region servers as example private DNS servers.
+
+## Prerequisites
+
+Before you begin, make sure you have:
+
+- An Enterprise Zero Trust account
+- Private DNS servers deployed in multiple regions (for example, US, EU, and APAC)
+- A [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) connecting your private DNS servers to Cloudflare
+- Internal domains that need to be resolved (for example, `internal.example.com`)
+
+## 1. Connect private DNS servers with Cloudflare Tunnel
+
+First, connect your regional private DNS servers to Cloudflare using Cloudflare Tunnel.
+
+For each region where you have a private DNS server, [create a tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#1-create-a-tunnel). For each tunnel, [add the private IP addresses](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2-add-private-network-routes) of your DNS servers. For example, `10.0.1.53/32` for the US region and `10.1.1.53/32` for the EU region.
+
+Repeat this process for all regional DNS servers.
+
+## 2. Create Gateway resolver policies for each region
+
+Once your private DNS servers are connected to Cloudflare, configure Gateway resolver policies to route DNS queries to the appropriate regional DNS server based on user location.
+
+### Create resolver policies for each region
+
+For each region where you have a private DNS server:
+
+1. Go to **Traffic policies** > **Resolver policies**.
+2. Select **Add a policy**.
+3. Name your policy based on the region (for example, `US Internal DNS`).
+4. Create an expression to match internal domains and users in that region. For example, to match users in the United States:
+
+   | Selector                      | Operator | Value                  | Logic |
+   | ----------------------------- | -------- | ---------------------- | ----- |
+   | Domain                        | in       | `internal.example.com` | And   |
+   | Source Country IP Geolocation | in       | _United States_        |       |
+
+5. In **Select DNS resolver**, select _Configure custom DNS resolvers_.
+6. Enter the private IP address of your regional DNS server (for example, `10.0.1.53` for US or `10.1.1.53` for EU).
+7. In the dropdown menu, choose _`<IP-address> - Private`_.
+8. (Optional) Select **Add DNS resolver** and enter a secondary IP address to add a backup DNS resolver.
+9. Select **Create policy**.
+10. Repeat steps 1-9 for each region where you have a private DNS server. For example, to create a policy to match users in the EU region:
+
+| Selector                      | Operator | Value                                                    | Logic |
+| ----------------------------- | -------- | -------------------------------------------------------- | ----- |
+| Domain                        | in       | `internal.example.com`                                   | And   |
+| Source Country IP Geolocation | in       | _Austria_, _Belgium_, _France_, _Germany_, _Netherlands_ |       |
+
+### Create a fallback resolver policy
+
+Create a catch-all policy for users in regions without a dedicated DNS server, or if no policies match your traffic:
+
+1. Go to **Traffic policies** > **Resolver policies**.
+2. Select **Add a policy**.
+3. Name your policy (for example, `Internal DNS Fallback`).
+4. Create an expression to match internal domains:
+
+   | Selector | Operator | Value                  |
+   | -------- | -------- | ---------------------- |
+   | Domain   | in       | `internal.example.com` |
+
+5. In **Select DNS resolver**, select _Configure custom DNS resolvers_.
+6. Enter the private IP address of your primary DNS server.
+7. Select **Create policy**.
+
+## 3. Configure policy order
+
+Gateway will apply resolver policies based on [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence). Ensure your policies are ordered from most specific to least specific:
+
+1. Go to **Traffic policies** > **Resolver policies**.
+2. Use the drag handle to reorder policies:
+   - Resolver policies with regional coverage first
+   - Your fallback resolver policy last
+
+Gateway will apply the first matching policy. If no policies match your traffic, Gateway will apply the fallback resolver policy. The order between resolver policies with regional coverage does not matter.
+
+## 4. Test your configuration
+
+### Test from different regions
+
+To test your configuration, deploy WARP on a device in each region where you have a private DNS server and run a DNS query to an internal domain. For example, to test the US region:
+
+1. [Deploy WARP](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/) on a device in the US region.
+2. From the device, open a terminal and run:
+
+   ```sh
+   nslookup internal.example.com
+   ```
+
+3. Verify that the DNS query returns the expected IP address for your internal resource. The response should show the IP address that your US DNS server is configured to return for `internal.example.com`.
+4. Repeat the test from devices in other regions to confirm they receive responses from their respective regional DNS servers. Each region may return different IP addresses based on your DNS server configuration.
+
+### Verify in Gateway logs
+
+1. Go to **Insights** > **Logs** > **DNS query logs**.
+2. Filter for queries to `internal.example.com`.
+3. Check the **Resolver IP** field to confirm queries are being routed to the correct regional DNS servers based on user location.
+
+## Best practices
+
+- **Use backup resolvers**: Configure secondary DNS resolvers for each region to ensure high availability.
+- **Monitor DNS performance**: Use [Gateway Analytics](/cloudflare-one/insights/analytics/gateway/) to track DNS query performance and identify any issues with regional routing.
+- **Implement network policies**: Combine resolver policies with [network policies](/cloudflare-one/traffic-policies/network-policies/) to control access to internal resources based on user identity and device posture.
+- **Consider virtual networks**: If you have overlapping IP address spaces across regions, use [virtual networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) to isolate traffic.
+- **Test failover scenarios**: Regularly test what happens when a regional DNS server becomes unavailable to ensure your backup resolvers work as expected.
+
+## Related resources
+
+- [Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/)
+- [Connect private networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/)
+- [Gateway Analytics](/cloudflare-one/insights/analytics/gateway/)
+- [Virtual networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/)
@@ -1,6 +1,7 @@
 ---
 reviewed: 2024-10-02
 category: 🔐 Zero Trust
+difficulty: Intermediate
 pcx_content_type: tutorial
 title: Use Cloudflare Tunnels with Kubernetes client-go plugin
 description: >-