From b2cb7af4bb3d0f8b067d012d03d84edb22e792aa Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Thu, 2 Jul 2026 13:27:54 +0000 Subject: [PATCH 1/5] Address DLS documentation gaps 9 findings from wiki review (post D. Tofan review + PR #31507): Regional Services (regional-services/index.mdx): - Compliance-not-optimization routing behavior - Egress IPs are site-local, use Dedicated CDN Egress IPs for guaranteed geolocation - Regional Hostnames shared ingress IPs may show US in third-party IP geolocation - SLA exclusions for single-nation regions (except US) Workers with Regional Services (how-to/workers.mdx): - Code and secrets deployed globally; only execution is regionalized - Outgoing subrequests are covered by RS; incoming subrequests from other zones follow their own zone's RS configuration Customer Metadata Boundary (metadata-boundary/index.mdx): - Dashboard analytics visibility depends on geo-steering of the admin's session, not physical location Zero Trust with Regional Services (how-to/zero-trust.mdx): - RS does not guarantee egress IP geolocation - Tunnel --region parameter is separate from Regional Services Compatibility (compatibility.mdx): - New footnote for DDoS and WAF notifications with CMB=eu - Updated Cloudflare Tunnel footnote Roles (regional-hostnames.mdx, fundamentals/manage-members/roles.mdx): - Domain Administrator role can edit Regional Services - Domain Administrator Read Only cannot view Regional Services --- src/content/docs/data-localization/compatibility.mdx | 8 +++++--- .../docs/data-localization/how-to/workers.mdx | 4 +++- .../docs/data-localization/how-to/zero-trust.mdx | 6 +++++- .../data-localization/metadata-boundary/index.mdx | 6 ++++++ .../data-localization/regional-services/index.mdx | 12 ++++++++++++ .../regional-services/regional-hostnames.mdx | 2 +- .../docs/fundamentals/manage-members/roles.mdx | 4 ++-- 7 files changed, 34 insertions(+), 8 deletions(-) diff --git a/src/content/docs/data-localization/compatibility.mdx b/src/content/docs/data-localization/compatibility.mdx index c6faf7cf620..34378575472 100644 --- a/src/content/docs/data-localization/compatibility.mdx +++ b/src/content/docs/data-localization/compatibility.mdx @@ -51,7 +51,7 @@ The tables below show whether each Cloudflare product is compatible with each DL | Product | Geo Key Manager | Regional Services | Customer Metadata Boundary | | ------------------------------------------- | --------------- | ----------------- | -------------------------- | | Advanced Certificate Manager | ⚫️ | ⚫️ | ⚫️ | -| Advanced DDoS Protection | ✅ | ✅ | 🚧 [^3] | +| Advanced DDoS Protection | ✅ | ✅ | 🚧 [^3] [^50] | | API Shield | ✅ | ✅ | 🚧 [^4] | | Bot Management | ✅ | ✅ | ✅ | | Client-side security (formerly Page Shield) | ✅ | ✅ | ✅ | @@ -60,7 +60,7 @@ The tables below show whether each Cloudflare product is compatible with each DL | SSL | ✅ | ✅ | ✅ | | Cloudflare for SaaS | ✘ | ✅ | ✅ | | Turnstile | ⚫️ | ✘ | ✅ [^38] | -| WAF/L7 Firewall | ✅ | ✅ | ✅ | +| WAF/L7 Firewall | ✅ | ✅ | 🚧 [^50] | | DMARC Management | ⚫️ | ⚫️ | ✅ | --- @@ -159,7 +159,7 @@ The tables below show whether each Cloudflare product is compatible with each DL [^17]: Currently may only be used with US FedRAMP region. -[^18]: When Cloudflare Tunnel (a secure outbound connection from your network to Cloudflare) connects to Cloudflare, it can use either the Global Region (default, any data center worldwide) or the [US FedRAMP Moderate Domestic region](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) (data centers that meet the US government's FedRAMP security standard). For incoming web requests, Regional Services only applies when you have [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) (services exposed to users through the tunnel). In that case, the region associated with the DNS record will apply. +[^18]: The [`--region` parameter](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) in `cloudflared` controls where the tunnel connector establishes its connection to Cloudflare. This setting is separate from Regional Services. For public hostnames served through a tunnel, Regional Services is configured at the DNS record level and operates independently from the tunnel connector region. For incoming web requests, Regional Services only applies when you have [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) (services exposed to users through the tunnel); in that case, the region associated with the DNS record will apply. [^19]: Uses Gateway HTTP and CASB. @@ -216,3 +216,5 @@ The tables below show whether each Cloudflare product is compatible with each DL [^48]: The following are exceptions and are supported: AI Gateway Analytics (GraphQL Analytics datasets) and Logs (Logpush), R2 Dashboard Metrics & Analytics, Workers AI GraphQL Analytics datasets like aiInferenceAdaptive. [^49]: Dashboard Analytics are empty when using CMB outside the US region. Use [Logpush](/logs/logpush/) instead. + +[^50]: Email and webhook notifications for DDoS and WAF events may not fire reliably when Customer Metadata Boundary is set to `eu`. This behavior is intermittent and under investigation. If timely alerts are critical, use [Logpush](/logs/logpush/) as a complementary monitoring mechanism. diff --git a/src/content/docs/data-localization/how-to/workers.mdx b/src/content/docs/data-localization/how-to/workers.mdx index 71d0689d0a6..30192d2f8b8 100644 --- a/src/content/docs/data-localization/how-to/workers.mdx +++ b/src/content/docs/data-localization/how-to/workers.mdx @@ -29,7 +29,9 @@ To configure Regional Services for hostnames [proxied](/dns/proxy-status/) (mean Regional Services only applies to the custom domain configured for a Workers project. Therefore, it will run only in-region Cloudflare locations. -Regional Services does not apply to [subrequests](/workers/platform/limits/#subrequests) (secondary HTTP requests that Workers make to other services). +Regional Services restricts where Workers are executed (where requests are processed). However, Workers code and secrets are deployed globally to all Cloudflare data centers. Regional Services does not prevent the code itself from being present outside the configured region — only its execution is regionalized. + +Regional Services applies to outgoing [subrequests](/workers/platform/limits/#subrequests) (secondary HTTP requests that Workers make to other services) from a regionalized hostname — those are processed within the configured region. However, incoming subrequests from other zones or domains to your regionalized hostname are not automatically regionalized; they follow their own zone's Regional Services configuration. Regional Services does not apply to other Worker triggers, like [Queues](/queues/) or [Cron Triggers](/workers/configuration/cron-triggers/). diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx index ee9ca1b17e6..7046cb3d57b 100644 --- a/src/content/docs/data-localization/how-to/zero-trust.mdx +++ b/src/content/docs/data-localization/how-to/zero-trust.mdx @@ -25,6 +25,8 @@ Regional Services can be used with Gateway in all [supported regions](/data-loca Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). +Regional Services controls where user traffic is decrypted and processed. It does not by itself guarantee the geolocation of egress IPs to origin. For guaranteed egress IP geolocation, use dedicated egress IPs in combination with Regional Services. + ### HTTP policies As part of Regional Services, Cloudflare Gateway will only perform [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) when using the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (in default [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/)). @@ -71,7 +73,9 @@ To ensure that all reverse proxy requests for applications protected by Cloudfla ## Cloudflare Tunnel -You can [configure Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) to only connect to data centers within the United States, regardless of where the software was deployed. +The [`--region` parameter](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) in `cloudflared` controls where the tunnel connector establishes its connection to Cloudflare. This setting is separate from Regional Services, which controls where user traffic is decrypted and processed. + +For public hostnames served through a tunnel, Regional Services is configured at the DNS record level. The tunnel connector region and the Regional Services region operate independently. ## Cloudflare One Client settings diff --git a/src/content/docs/data-localization/metadata-boundary/index.mdx b/src/content/docs/data-localization/metadata-boundary/index.mdx index 5127833347a..e9f7a1cc5c9 100644 --- a/src/content/docs/data-localization/metadata-boundary/index.mdx +++ b/src/content/docs/data-localization/metadata-boundary/index.mdx @@ -41,6 +41,12 @@ sequenceDiagram
+## Dashboard analytics visibility + +When Customer Metadata Boundary is configured, dashboard analytics and Logs views are only accessible to users whose sessions are routed to the configured region's core data center. This is determined by geo-steering, not by your physical location. If your session is routed to a data center outside the configured region, you may see "no data" for analytics and logs. + +To allow authorized users to view logs and analytics regardless of where their session is routed, enable [Allow out-of-region access](/data-localization/metadata-boundary/out-of-region-access/). + ## Log management Additionally, you can configure [Logpush](/logs/logpush/) (Cloudflare's log export service) to push Customer Logs to your own storage services, SIEMs (Security Information and Event Management systems), and log management providers. diff --git a/src/content/docs/data-localization/regional-services/index.mdx b/src/content/docs/data-localization/regional-services/index.mdx index 98b7573f117..b54bddebff6 100644 --- a/src/content/docs/data-localization/regional-services/index.mdx +++ b/src/content/docs/data-localization/regional-services/index.mdx @@ -30,6 +30,8 @@ Regional Services ensures that all of the following application-layer services ( - Running Cloudflare Workers scripts. - Load Balancing traffic to the best origin servers (or other endpoints). +Regional Services is a compliance solution, not a performance optimization. Within the configured region, Cloudflare routes requests to the most performant in-region data center — using a scoring system that considers available connections, latency, and load — which is not necessarily the closest one. For geographically large regions, requests may be processed at a data center farther than the closest in-region option. + ## Request flow example The following diagram is a high-level example of the flow of a request coming from an end user located within the US connecting to a website using Cloudflare Regional Services set to EU. @@ -61,6 +63,12 @@ sequenceDiagram
+## Egress behavior and ingress IPs + +Regional Services controls where traffic is ingested and processed (decrypted), not where it exits to your origin. Egress IPs to your origin are site-local IPs from the in-region data center where the request was processed. If you need guaranteed egress IP geolocation or origin allowlisting, use [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/) in addition to Regional Services. + +For Regional Hostnames using Cloudflare shared ingress IPs, third-party IP geolocation providers may return a location that does not match your configured region (often the United States). This is a limitation of shared IP addressing and does not affect where your traffic is actually decrypted and processed. + ## Ways to use Regional Services Regional Services regionalizes traffic through several mechanisms, depending on how your traffic reaches Cloudflare. Most customers use only one of these: @@ -115,6 +123,10 @@ Setting up Regional Services follows the same path regardless of which option yo +## Availability and SLA + +For availability and Service Level Agreements (SLA), refer to your Cloudflare contract. For Regional Services configurations restricted to a single country (except the US), Cloudflare's SLA includes specific exclusions: because traffic cannot fail over to data centers outside that country, there is no automatic failover if in-country capacity is unavailable. Multi-country regions (for example, the European Union) generally maintain the standard SLA. + ## Additional information For more details about the products that are compatible with Regional Services, refer to the [Cloudflare product compatibility](/data-localization/compatibility/) page. If you have purchased these products as part of your Enterprise subscription plan, Cloudflare will only terminate TLS connections for these products in the geographic region you have configured for Regional Services. diff --git a/src/content/docs/data-localization/regional-services/regional-hostnames.mdx b/src/content/docs/data-localization/regional-services/regional-hostnames.mdx index 6e045c814bf..e3e11390f6c 100644 --- a/src/content/docs/data-localization/regional-services/regional-hostnames.mdx +++ b/src/content/docs/data-localization/regional-services/regional-hostnames.mdx @@ -47,7 +47,7 @@ Refer to the table on [Available regions and product support](/data-localization You can also use Regional Services via API. -Currently, only SuperAdmins and Admin roles can edit DLS configurations. Use the Zone-level **DNS: Read/Write** API permission for the `/addressing/` endpoint to read or write Regional Services configurations. +Users with the Super Administrator, Administrator, or Domain Administrator roles can edit Regional Services configurations. The Domain Administrator Read Only role does not currently have permission to view Regional Services configurations. Use the Zone-level **DNS: Read/Write** API permission for the `/addressing/` endpoint to read or write Regional Services configurations. These are some examples of API requests. diff --git a/src/content/docs/fundamentals/manage-members/roles.mdx b/src/content/docs/fundamentals/manage-members/roles.mdx index c7a01704fb2..5a8b612f270 100644 --- a/src/content/docs/fundamentals/manage-members/roles.mdx +++ b/src/content/docs/fundamentals/manage-members/roles.mdx @@ -110,8 +110,8 @@ Domain-scoped roles apply for a given domain within an account. | AI Crawl Control Read Only | Can read [AI Crawl Control](/ai-crawl-control/) and metrics. | | Bot Management | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations. | | Cache Domain Purge | Grants access to [purge the edge cache](/cache/how-to/purge-cache/) for a specific domain and allows the reading of zone settings. | -| Domain Administrator | Grants full access to domains in an account, and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. | -| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. | +| Domain Administrator | Grants full access to domains in an account (including [Regional Services](/data-localization/regional-services/) configurations), and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. | +| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. This role does not currently include read access to [Regional Services](/data-localization/regional-services/) configurations. | | Domain API Gateway | Grants full access to API Gateway (including [API Shield](/api-shield/)). | | Domain API Gateway Read | Grants read access to API Gateway (including [API Shield](/api-shield/)). | | Domain DNS | Grants access to edit [DNS settings](/dns/) for domains in an account. | From 13080b908fd3c6f2d6603b25a4a16eed5a31155c Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Thu, 2 Jul 2026 13:42:23 +0000 Subject: [PATCH 2/5] Address ask-bonk review suggestions - Align 'Domain Administrator Read Only' phrasing in regional-hostnames.mdx with the canonical wording in roles.mdx. - Match plural form (SLAs) in the parenthetical. - Read smoother by adding 'the' before 'origin'. --- src/content/docs/data-localization/how-to/zero-trust.mdx | 2 +- src/content/docs/data-localization/regional-services/index.mdx | 2 +- .../data-localization/regional-services/regional-hostnames.mdx | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx index 7046cb3d57b..0a0169e03d7 100644 --- a/src/content/docs/data-localization/how-to/zero-trust.mdx +++ b/src/content/docs/data-localization/how-to/zero-trust.mdx @@ -25,7 +25,7 @@ Regional Services can be used with Gateway in all [supported regions](/data-loca Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). -Regional Services controls where user traffic is decrypted and processed. It does not by itself guarantee the geolocation of egress IPs to origin. For guaranteed egress IP geolocation, use dedicated egress IPs in combination with Regional Services. +Regional Services controls where user traffic is decrypted and processed. It does not by itself guarantee the geolocation of egress IPs to the origin. For guaranteed egress IP geolocation, use dedicated egress IPs in combination with Regional Services. ### HTTP policies diff --git a/src/content/docs/data-localization/regional-services/index.mdx b/src/content/docs/data-localization/regional-services/index.mdx index b54bddebff6..5baa9782f21 100644 --- a/src/content/docs/data-localization/regional-services/index.mdx +++ b/src/content/docs/data-localization/regional-services/index.mdx @@ -125,7 +125,7 @@ Setting up Regional Services follows the same path regardless of which option yo ## Availability and SLA -For availability and Service Level Agreements (SLA), refer to your Cloudflare contract. For Regional Services configurations restricted to a single country (except the US), Cloudflare's SLA includes specific exclusions: because traffic cannot fail over to data centers outside that country, there is no automatic failover if in-country capacity is unavailable. Multi-country regions (for example, the European Union) generally maintain the standard SLA. +For availability and Service Level Agreements (SLAs), refer to your Cloudflare contract. For Regional Services configurations restricted to a single country (except the US), Cloudflare's SLA includes specific exclusions: because traffic cannot fail over to data centers outside that country, there is no automatic failover if in-country capacity is unavailable. Multi-country regions (for example, the European Union) generally maintain the standard SLA. ## Additional information diff --git a/src/content/docs/data-localization/regional-services/regional-hostnames.mdx b/src/content/docs/data-localization/regional-services/regional-hostnames.mdx index e3e11390f6c..4ea6b9e2220 100644 --- a/src/content/docs/data-localization/regional-services/regional-hostnames.mdx +++ b/src/content/docs/data-localization/regional-services/regional-hostnames.mdx @@ -47,7 +47,7 @@ Refer to the table on [Available regions and product support](/data-localization You can also use Regional Services via API. -Users with the Super Administrator, Administrator, or Domain Administrator roles can edit Regional Services configurations. The Domain Administrator Read Only role does not currently have permission to view Regional Services configurations. Use the Zone-level **DNS: Read/Write** API permission for the `/addressing/` endpoint to read or write Regional Services configurations. +Users with the Super Administrator, Administrator, or Domain Administrator roles can edit Regional Services configurations. The Domain Administrator Read Only role does not currently include read access to Regional Services configurations. Use the Zone-level **DNS: Read/Write** API permission for the `/addressing/` endpoint to read or write Regional Services configurations. These are some examples of API requests. From 1319dbfb161d136b1bf2699228cec72d154f8529 Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Thu, 2 Jul 2026 13:48:14 +0000 Subject: [PATCH 3/5] Link Dedicated CDN Egress IPs from Zero Trust page --- src/content/docs/data-localization/how-to/zero-trust.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx index 0a0169e03d7..cf0f9a507e8 100644 --- a/src/content/docs/data-localization/how-to/zero-trust.mdx +++ b/src/content/docs/data-localization/how-to/zero-trust.mdx @@ -25,7 +25,7 @@ Regional Services can be used with Gateway in all [supported regions](/data-loca Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). -Regional Services controls where user traffic is decrypted and processed. It does not by itself guarantee the geolocation of egress IPs to the origin. For guaranteed egress IP geolocation, use dedicated egress IPs in combination with Regional Services. +Regional Services controls where user traffic is decrypted and processed. It does not by itself guarantee the geolocation of egress IPs to the origin. For guaranteed egress IP geolocation, use [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/) in combination with Regional Services. ### HTTP policies From 5d3148dec5e327afc987942a8c0570b7c0b2c9c8 Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Thu, 2 Jul 2026 15:09:45 +0000 Subject: [PATCH 4/5] Address D. Tofan review suggestions - Add link to Geographic traffic routing troubleshooting page. - Clarify that SLAs are set in the Cloudflare Enterprise contract. --- .../docs/data-localization/regional-services/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/data-localization/regional-services/index.mdx b/src/content/docs/data-localization/regional-services/index.mdx index 5baa9782f21..7b41557e79b 100644 --- a/src/content/docs/data-localization/regional-services/index.mdx +++ b/src/content/docs/data-localization/regional-services/index.mdx @@ -30,7 +30,7 @@ Regional Services ensures that all of the following application-layer services ( - Running Cloudflare Workers scripts. - Load Balancing traffic to the best origin servers (or other endpoints). -Regional Services is a compliance solution, not a performance optimization. Within the configured region, Cloudflare routes requests to the most performant in-region data center — using a scoring system that considers available connections, latency, and load — which is not necessarily the closest one. For geographically large regions, requests may be processed at a data center farther than the closest in-region option. +Regional Services is a compliance solution, not a performance optimization. Within the configured region, Cloudflare routes requests to the most performant in-region data center — using a scoring system that considers available connections, latency, and load — which is not necessarily the closest one. Refer to [Geographic traffic routing](/support/troubleshooting/general-troubleshooting/geographic-traffic-routing/) for more details. For geographically large regions, requests may be processed at a data center farther than the closest in-region option. ## Request flow example @@ -125,7 +125,7 @@ Setting up Regional Services follows the same path regardless of which option yo ## Availability and SLA -For availability and Service Level Agreements (SLAs), refer to your Cloudflare contract. For Regional Services configurations restricted to a single country (except the US), Cloudflare's SLA includes specific exclusions: because traffic cannot fail over to data centers outside that country, there is no automatic failover if in-country capacity is unavailable. Multi-country regions (for example, the European Union) generally maintain the standard SLA. +For availability and Service Level Agreements (SLAs), refer to your Cloudflare Enterprise contract. For Regional Services configurations restricted to a single country (except the US), Cloudflare's SLA includes specific exclusions: because traffic cannot fail over to data centers outside that country, there is no automatic failover if in-country capacity is unavailable. Multi-country regions (for example, the European Union) generally maintain the standard SLA. ## Additional information From ac0fafba2822ff8557e0bae7a81311983385f4a6 Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Thu, 2 Jul 2026 15:41:12 +0000 Subject: [PATCH 5/5] Move egress-IP guidance from Zero Trust to Cache page Per D. Tofan review: the RS-does-not-guarantee-egress-IP-geolocation caveat is a CDN/origin concern, not a Zero Trust one. - Cache: add 'Egress to origin' subsection with the actionable guidance to use Dedicated CDN Egress IPs alongside Regional Services for guaranteed egress IP geolocation. - Zero Trust: replace the moved paragraph with a short note that distinguishes Zero Trust dedicated egress IPs (WARP/Gateway to Internet) from Dedicated CDN Egress IPs (CDN to origin), and points to the Cache page for the egress-to-origin guidance. --- src/content/docs/data-localization/how-to/cache.mdx | 6 ++++++ src/content/docs/data-localization/how-to/zero-trust.mdx | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/content/docs/data-localization/how-to/cache.mdx b/src/content/docs/data-localization/how-to/cache.mdx index 75e0944e5a6..97faf7f00a6 100644 --- a/src/content/docs/data-localization/how-to/cache.mdx +++ b/src/content/docs/data-localization/how-to/cache.mdx @@ -44,6 +44,12 @@ Take into consideration that only [Generic Global Tiered Cache](/cache/how-to/ti ::: +### Egress to origin + +Regional Services controls where user traffic is decrypted and processed within Cloudflare's network. It does not by itself guarantee the geolocation of the egress IPs used by the Cloudflare CDN when connecting to your origin server. Egress IPs to your origin are site-local IPs from the in-region data center where the request was processed. + +If you need guaranteed egress IP geolocation — for example, to allowlist Cloudflare IPs on your origin from a specific country — use [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/) in combination with Regional Services. + ## Customer Metadata Boundary [Cache Analytics](/cache/performance-review/cache-analytics/), Generic Global Tiered Cache and Custom Tiered Cache are compatible with Customer Metadata Boundary. With Customer Metadata Boundary set to EU, the **Caching** > **Tiered Cache** tab in the zone dashboard will not be populated. diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx index cf0f9a507e8..64d58701a3e 100644 --- a/src/content/docs/data-localization/how-to/zero-trust.mdx +++ b/src/content/docs/data-localization/how-to/zero-trust.mdx @@ -25,7 +25,7 @@ Regional Services can be used with Gateway in all [supported regions](/data-loca Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). -Regional Services controls where user traffic is decrypted and processed. It does not by itself guarantee the geolocation of egress IPs to the origin. For guaranteed egress IP geolocation, use [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/) in combination with Regional Services. +Zero Trust [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) control the IPs used by WARP and Gateway traffic when it leaves Cloudflare toward the Internet. They are different from [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/), which control the IPs used by the Cloudflare CDN when connecting to your origin server. For guaranteed egress IP geolocation from the Cloudflare CDN to your origin, refer to the [Cache](/data-localization/how-to/cache/#egress-to-origin) guide. ### HTTP policies