diff --git a/src/content/docs/data-localization/compatibility.mdx b/src/content/docs/data-localization/compatibility.mdx
index c6faf7cf620..34378575472 100644
--- a/src/content/docs/data-localization/compatibility.mdx
+++ b/src/content/docs/data-localization/compatibility.mdx
@@ -51,7 +51,7 @@ The tables below show whether each Cloudflare product is compatible with each DL
| Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
| ------------------------------------------- | --------------- | ----------------- | -------------------------- |
| Advanced Certificate Manager | ⚫️ | ⚫️ | ⚫️ |
-| Advanced DDoS Protection | ✅ | ✅ | 🚧 [^3] |
+| Advanced DDoS Protection | ✅ | ✅ | 🚧 [^3] [^50] |
| API Shield | ✅ | ✅ | 🚧 [^4] |
| Bot Management | ✅ | ✅ | ✅ |
| Client-side security (formerly Page Shield) | ✅ | ✅ | ✅ |
@@ -60,7 +60,7 @@ The tables below show whether each Cloudflare product is compatible with each DL
| SSL | ✅ | ✅ | ✅ |
| Cloudflare for SaaS | ✘ | ✅ | ✅ |
| Turnstile | ⚫️ | ✘ | ✅ [^38] |
-| WAF/L7 Firewall | ✅ | ✅ | ✅ |
+| WAF/L7 Firewall | ✅ | ✅ | 🚧 [^50] |
| DMARC Management | ⚫️ | ⚫️ | ✅ |
---
@@ -159,7 +159,7 @@ The tables below show whether each Cloudflare product is compatible with each DL
[^17]: Currently may only be used with US FedRAMP region.
-[^18]: When Cloudflare Tunnel (a secure outbound connection from your network to Cloudflare) connects to Cloudflare, it can use either the Global Region (default, any data center worldwide) or the [US FedRAMP Moderate Domestic region](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) (data centers that meet the US government's FedRAMP security standard). For incoming web requests, Regional Services only applies when you have [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) (services exposed to users through the tunnel). In that case, the region associated with the DNS record will apply.
+[^18]: The [`--region` parameter](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) in `cloudflared` controls where the tunnel connector establishes its connection to Cloudflare. This setting is separate from Regional Services. For public hostnames served through a tunnel, Regional Services is configured at the DNS record level and operates independently from the tunnel connector region. For incoming web requests, Regional Services only applies when you have [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) (services exposed to users through the tunnel); in that case, the region associated with the DNS record will apply.
[^19]: Uses Gateway HTTP and CASB.
@@ -216,3 +216,5 @@ The tables below show whether each Cloudflare product is compatible with each DL
[^48]: The following are exceptions and are supported: AI Gateway Analytics (GraphQL Analytics datasets) and Logs (Logpush), R2 Dashboard Metrics & Analytics, Workers AI GraphQL Analytics datasets like aiInferenceAdaptive.
[^49]: Dashboard Analytics are empty when using CMB outside the US region. Use [Logpush](/logs/logpush/) instead.
+
+[^50]: Email and webhook notifications for DDoS and WAF events may not fire reliably when Customer Metadata Boundary is set to `eu`. This behavior is intermittent and under investigation. If timely alerts are critical, use [Logpush](/logs/logpush/) as a complementary monitoring mechanism.
diff --git a/src/content/docs/data-localization/how-to/cache.mdx b/src/content/docs/data-localization/how-to/cache.mdx
index 75e0944e5a6..97faf7f00a6 100644
--- a/src/content/docs/data-localization/how-to/cache.mdx
+++ b/src/content/docs/data-localization/how-to/cache.mdx
@@ -44,6 +44,12 @@ Take into consideration that only [Generic Global Tiered Cache](/cache/how-to/ti
:::
+### Egress to origin
+
+Regional Services controls where user traffic is decrypted and processed within Cloudflare's network. It does not by itself guarantee the geolocation of the egress IPs used by the Cloudflare CDN when connecting to your origin server. Egress IPs to your origin are site-local IPs from the in-region data center where the request was processed.
+
+If you need guaranteed egress IP geolocation — for example, to allowlist Cloudflare IPs on your origin from a specific country — use [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/) in combination with Regional Services.
+
## Customer Metadata Boundary
[Cache Analytics](/cache/performance-review/cache-analytics/), Generic Global Tiered Cache and Custom Tiered Cache are compatible with Customer Metadata Boundary. With Customer Metadata Boundary set to EU, the **Caching** > **Tiered Cache** tab in the zone dashboard will not be populated.
diff --git a/src/content/docs/data-localization/how-to/workers.mdx b/src/content/docs/data-localization/how-to/workers.mdx
index 71d0689d0a6..30192d2f8b8 100644
--- a/src/content/docs/data-localization/how-to/workers.mdx
+++ b/src/content/docs/data-localization/how-to/workers.mdx
@@ -29,7 +29,9 @@ To configure Regional Services for hostnames [proxied](/dns/proxy-status/) (mean
Regional Services only applies to the custom domain configured for a Workers project. Therefore, it will run only in-region Cloudflare locations.
-Regional Services does not apply to [subrequests](/workers/platform/limits/#subrequests) (secondary HTTP requests that Workers make to other services).
+Regional Services restricts where Workers are executed (where requests are processed). However, Workers code and secrets are deployed globally to all Cloudflare data centers. Regional Services does not prevent the code itself from being present outside the configured region — only its execution is regionalized.
+
+Regional Services applies to outgoing [subrequests](/workers/platform/limits/#subrequests) (secondary HTTP requests that Workers make to other services) from a regionalized hostname — those are processed within the configured region. However, incoming subrequests from other zones or domains to your regionalized hostname are not automatically regionalized; they follow their own zone's Regional Services configuration.
Regional Services does not apply to other Worker triggers, like [Queues](/queues/) or [Cron Triggers](/workers/configuration/cron-triggers/).
diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx
index ee9ca1b17e6..64d58701a3e 100644
--- a/src/content/docs/data-localization/how-to/zero-trust.mdx
+++ b/src/content/docs/data-localization/how-to/zero-trust.mdx
@@ -25,6 +25,8 @@ Regional Services can be used with Gateway in all [supported regions](/data-loca
Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations.
This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/).
+Zero Trust [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) control the IPs used by WARP and Gateway traffic when it leaves Cloudflare toward the Internet. They are different from [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/), which control the IPs used by the Cloudflare CDN when connecting to your origin server. For guaranteed egress IP geolocation from the Cloudflare CDN to your origin, refer to the [Cache](/data-localization/how-to/cache/#egress-to-origin) guide.
+
### HTTP policies
As part of Regional Services, Cloudflare Gateway will only perform [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) when using the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (in default [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/)).
@@ -71,7 +73,9 @@ To ensure that all reverse proxy requests for applications protected by Cloudfla
## Cloudflare Tunnel
-You can [configure Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) to only connect to data centers within the United States, regardless of where the software was deployed.
+The [`--region` parameter](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) in `cloudflared` controls where the tunnel connector establishes its connection to Cloudflare. This setting is separate from Regional Services, which controls where user traffic is decrypted and processed.
+
+For public hostnames served through a tunnel, Regional Services is configured at the DNS record level. The tunnel connector region and the Regional Services region operate independently.
## Cloudflare One Client settings
diff --git a/src/content/docs/data-localization/metadata-boundary/index.mdx b/src/content/docs/data-localization/metadata-boundary/index.mdx
index 5127833347a..e9f7a1cc5c9 100644
--- a/src/content/docs/data-localization/metadata-boundary/index.mdx
+++ b/src/content/docs/data-localization/metadata-boundary/index.mdx
@@ -41,6 +41,12 @@ sequenceDiagram
+## Dashboard analytics visibility
+
+When Customer Metadata Boundary is configured, dashboard analytics and Logs views are only accessible to users whose sessions are routed to the configured region's core data center. This is determined by geo-steering, not by your physical location. If your session is routed to a data center outside the configured region, you may see "no data" for analytics and logs.
+
+To allow authorized users to view logs and analytics regardless of where their session is routed, enable [Allow out-of-region access](/data-localization/metadata-boundary/out-of-region-access/).
+
## Log management
Additionally, you can configure [Logpush](/logs/logpush/) (Cloudflare's log export service) to push Customer Logs to your own storage services, SIEMs (Security Information and Event Management systems), and log management providers.
diff --git a/src/content/docs/data-localization/regional-services/index.mdx b/src/content/docs/data-localization/regional-services/index.mdx
index 98b7573f117..7b41557e79b 100644
--- a/src/content/docs/data-localization/regional-services/index.mdx
+++ b/src/content/docs/data-localization/regional-services/index.mdx
@@ -30,6 +30,8 @@ Regional Services ensures that all of the following application-layer services (
- Running Cloudflare Workers scripts.
- Load Balancing traffic to the best origin servers (or other endpoints).
+Regional Services is a compliance solution, not a performance optimization. Within the configured region, Cloudflare routes requests to the most performant in-region data center — using a scoring system that considers available connections, latency, and load — which is not necessarily the closest one. Refer to [Geographic traffic routing](/support/troubleshooting/general-troubleshooting/geographic-traffic-routing/) for more details. For geographically large regions, requests may be processed at a data center farther than the closest in-region option.
+
## Request flow example
The following diagram is a high-level example of the flow of a request coming from an end user located within the US connecting to a website using Cloudflare Regional Services set to EU.
@@ -61,6 +63,12 @@ sequenceDiagram
+## Egress behavior and ingress IPs
+
+Regional Services controls where traffic is ingested and processed (decrypted), not where it exits to your origin. Egress IPs to your origin are site-local IPs from the in-region data center where the request was processed. If you need guaranteed egress IP geolocation or origin allowlisting, use [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/) in addition to Regional Services.
+
+For Regional Hostnames using Cloudflare shared ingress IPs, third-party IP geolocation providers may return a location that does not match your configured region (often the United States). This is a limitation of shared IP addressing and does not affect where your traffic is actually decrypted and processed.
+
## Ways to use Regional Services
Regional Services regionalizes traffic through several mechanisms, depending on how your traffic reaches Cloudflare. Most customers use only one of these:
@@ -115,6 +123,10 @@ Setting up Regional Services follows the same path regardless of which option yo
+## Availability and SLA
+
+For availability and Service Level Agreements (SLAs), refer to your Cloudflare Enterprise contract. For Regional Services configurations restricted to a single country (except the US), Cloudflare's SLA includes specific exclusions: because traffic cannot fail over to data centers outside that country, there is no automatic failover if in-country capacity is unavailable. Multi-country regions (for example, the European Union) generally maintain the standard SLA.
+
## Additional information
For more details about the products that are compatible with Regional Services, refer to the [Cloudflare product compatibility](/data-localization/compatibility/) page. If you have purchased these products as part of your Enterprise subscription plan, Cloudflare will only terminate TLS connections for these products in the geographic region you have configured for Regional Services.
diff --git a/src/content/docs/data-localization/regional-services/regional-hostnames.mdx b/src/content/docs/data-localization/regional-services/regional-hostnames.mdx
index 6e045c814bf..4ea6b9e2220 100644
--- a/src/content/docs/data-localization/regional-services/regional-hostnames.mdx
+++ b/src/content/docs/data-localization/regional-services/regional-hostnames.mdx
@@ -47,7 +47,7 @@ Refer to the table on [Available regions and product support](/data-localization
You can also use Regional Services via API.
-Currently, only SuperAdmins and Admin roles can edit DLS configurations. Use the Zone-level **DNS: Read/Write** API permission for the `/addressing/` endpoint to read or write Regional Services configurations.
+Users with the Super Administrator, Administrator, or Domain Administrator roles can edit Regional Services configurations. The Domain Administrator Read Only role does not currently include read access to Regional Services configurations. Use the Zone-level **DNS: Read/Write** API permission for the `/addressing/` endpoint to read or write Regional Services configurations.
These are some examples of API requests.
diff --git a/src/content/docs/fundamentals/manage-members/roles.mdx b/src/content/docs/fundamentals/manage-members/roles.mdx
index c7a01704fb2..5a8b612f270 100644
--- a/src/content/docs/fundamentals/manage-members/roles.mdx
+++ b/src/content/docs/fundamentals/manage-members/roles.mdx
@@ -110,8 +110,8 @@ Domain-scoped roles apply for a given domain within an account.
| AI Crawl Control Read Only | Can read [AI Crawl Control](/ai-crawl-control/) and metrics. |
| Bot Management | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations. |
| Cache Domain Purge | Grants access to [purge the edge cache](/cache/how-to/purge-cache/) for a specific domain and allows the reading of zone settings. |
-| Domain Administrator | Grants full access to domains in an account, and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. |
-| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. |
+| Domain Administrator | Grants full access to domains in an account (including [Regional Services](/data-localization/regional-services/) configurations), and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. |
+| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. This role does not currently include read access to [Regional Services](/data-localization/regional-services/) configurations. |
| Domain API Gateway | Grants full access to API Gateway (including [API Shield](/api-shield/)). |
| Domain API Gateway Read | Grants read access to API Gateway (including [API Shield](/api-shield/)). |
| Domain DNS | Grants access to edit [DNS settings](/dns/) for domains in an account. |