Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions src/content/docs/data-localization/compatibility.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ The tables below show whether each Cloudflare product is compatible with each DL
| Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
| ------------------------------------------- | --------------- | ----------------- | -------------------------- |
| Advanced Certificate Manager | ⚫️ | ⚫️ | ⚫️ |
| Advanced DDoS Protection | ✅ | ✅ | 🚧 [^3] |
| Advanced DDoS Protection | ✅ | ✅ | 🚧 [^3] [^50] |
| API Shield | ✅ | ✅ | 🚧 [^4] |
| Bot Management | ✅ | ✅ | ✅ |
| Client-side security (formerly Page Shield) | ✅ | ✅ | ✅ |
Expand All @@ -60,7 +60,7 @@ The tables below show whether each Cloudflare product is compatible with each DL
| SSL | ✅ | ✅ | ✅ |
| Cloudflare for SaaS | ✘ | ✅ | ✅ |
| Turnstile | ⚫️ | ✘ | ✅ [^38] |
| WAF/L7 Firewall | ✅ | ✅ | |
| WAF/L7 Firewall | ✅ | ✅ | 🚧 [^50] |
| DMARC Management | ⚫️ | ⚫️ | ✅ |

---
Expand Down Expand Up @@ -159,7 +159,7 @@ The tables below show whether each Cloudflare product is compatible with each DL

[^17]: Currently may only be used with US FedRAMP region.

[^18]: When Cloudflare Tunnel (a secure outbound connection from your network to Cloudflare) connects to Cloudflare, it can use either the Global Region (default, any data center worldwide) or the [US FedRAMP Moderate Domestic region](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) (data centers that meet the US government's FedRAMP security standard). For incoming web requests, Regional Services only applies when you have [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) (services exposed to users through the tunnel). In that case, the region associated with the DNS record will apply.
[^18]: The [`--region` parameter](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) in `cloudflared` controls where the tunnel connector establishes its connection to Cloudflare. This setting is separate from Regional Services. For public hostnames served through a tunnel, Regional Services is configured at the DNS record level and operates independently from the tunnel connector region. For incoming web requests, Regional Services only applies when you have [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) (services exposed to users through the tunnel); in that case, the region associated with the DNS record will apply.

[^19]: Uses Gateway HTTP and CASB.

Expand Down Expand Up @@ -216,3 +216,5 @@ The tables below show whether each Cloudflare product is compatible with each DL
[^48]: The following are exceptions and are supported: AI Gateway Analytics (GraphQL Analytics datasets) and Logs (Logpush), R2 Dashboard Metrics & Analytics, Workers AI GraphQL Analytics datasets like aiInferenceAdaptive.

[^49]: Dashboard Analytics are empty when using CMB outside the US region. Use [Logpush](/logs/logpush/) instead.

[^50]: Email and webhook notifications for DDoS and WAF events may not fire reliably when Customer Metadata Boundary is set to `eu`. This behavior is intermittent and under investigation. If timely alerts are critical, use [Logpush](/logs/logpush/) as a complementary monitoring mechanism.
6 changes: 6 additions & 0 deletions src/content/docs/data-localization/how-to/cache.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,12 @@ Take into consideration that only [Generic Global Tiered Cache](/cache/how-to/ti

:::

### Egress to origin

Regional Services controls where user traffic is decrypted and processed within Cloudflare's network. It does not by itself guarantee the geolocation of the egress IPs used by the Cloudflare CDN when connecting to your origin server. Egress IPs to your origin are site-local IPs from the in-region data center where the request was processed.

If you need guaranteed egress IP geolocation — for example, to allowlist Cloudflare IPs on your origin from a specific country — use [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/) in combination with Regional Services.

## Customer Metadata Boundary

[Cache Analytics](/cache/performance-review/cache-analytics/), Generic Global Tiered Cache and Custom Tiered Cache are compatible with Customer Metadata Boundary. With Customer Metadata Boundary set to EU, the **Caching** > **Tiered Cache** tab in the zone dashboard will not be populated.
Expand Down
4 changes: 3 additions & 1 deletion src/content/docs/data-localization/how-to/workers.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,9 @@ To configure Regional Services for hostnames [proxied](/dns/proxy-status/) (mean

Regional Services only applies to the custom domain configured for a Workers project. Therefore, it will run only in-region Cloudflare locations.

Regional Services does not apply to [subrequests](/workers/platform/limits/#subrequests) (secondary HTTP requests that Workers make to other services).
Regional Services restricts where Workers are executed (where requests are processed). However, Workers code and secrets are deployed globally to all Cloudflare data centers. Regional Services does not prevent the code itself from being present outside the configured region — only its execution is regionalized.

Regional Services applies to outgoing [subrequests](/workers/platform/limits/#subrequests) (secondary HTTP requests that Workers make to other services) from a regionalized hostname — those are processed within the configured region. However, incoming subrequests from other zones or domains to your regionalized hostname are not automatically regionalized; they follow their own zone's Regional Services configuration.

Regional Services does not apply to other Worker triggers, like [Queues](/queues/) or [Cron Triggers](/workers/configuration/cron-triggers/).

Expand Down
6 changes: 5 additions & 1 deletion src/content/docs/data-localization/how-to/zero-trust.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ Regional Services can be used with Gateway in all [supported regions](/data-loca
Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations.
This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/).

Zero Trust [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) control the IPs used by WARP and Gateway traffic when it leaves Cloudflare toward the Internet. They are different from [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/), which control the IPs used by the Cloudflare CDN when connecting to your origin server. For guaranteed egress IP geolocation from the Cloudflare CDN to your origin, refer to the [Cache](/data-localization/how-to/cache/#egress-to-origin) guide.

### HTTP policies

As part of Regional Services, Cloudflare Gateway will only perform [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) when using the [Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (in default [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/)).
Expand Down Expand Up @@ -71,7 +73,9 @@ To ensure that all reverse proxy requests for applications protected by Cloudfla

## Cloudflare Tunnel

You can [configure Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) to only connect to data centers within the United States, regardless of where the software was deployed.
The [`--region` parameter](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/run-parameters/#region) in `cloudflared` controls where the tunnel connector establishes its connection to Cloudflare. This setting is separate from Regional Services, which controls where user traffic is decrypted and processed.

For public hostnames served through a tunnel, Regional Services is configured at the DNS record level. The tunnel connector region and the Regional Services region operate independently.

## Cloudflare One Client settings

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,12 @@ sequenceDiagram

<br />

## Dashboard analytics visibility

When Customer Metadata Boundary is configured, dashboard analytics and Logs views are only accessible to users whose sessions are routed to the configured region's core data center. This is determined by geo-steering, not by your physical location. If your session is routed to a data center outside the configured region, you may see "no data" for analytics and logs.

To allow authorized users to view logs and analytics regardless of where their session is routed, enable [Allow out-of-region access](/data-localization/metadata-boundary/out-of-region-access/).

## Log management

Additionally, you can configure [Logpush](/logs/logpush/) (Cloudflare's log export service) to push Customer Logs to your own storage services, SIEMs (Security Information and Event Management systems), and log management providers.
Expand Down
12 changes: 12 additions & 0 deletions src/content/docs/data-localization/regional-services/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ Regional Services ensures that all of the following application-layer services (
- Running Cloudflare Workers scripts.
- Load Balancing traffic to the best origin servers (or other <GlossaryTooltip term="endpoint">endpoints</GlossaryTooltip>).

Regional Services is a compliance solution, not a performance optimization. Within the configured region, Cloudflare routes requests to the most performant in-region data center — using a scoring system that considers available connections, latency, and load — which is not necessarily the closest one. Refer to [Geographic traffic routing](/support/troubleshooting/general-troubleshooting/geographic-traffic-routing/) for more details. For geographically large regions, requests may be processed at a data center farther than the closest in-region option.

## Request flow example

The following diagram is a high-level example of the flow of a request coming from an end user located within the US connecting to a website using Cloudflare Regional Services set to EU.
Expand Down Expand Up @@ -61,6 +63,12 @@ sequenceDiagram

<br />

## Egress behavior and ingress IPs

Regional Services controls where traffic is ingested and processed (decrypted), not where it exits to your origin. Egress IPs to your origin are site-local IPs from the in-region data center where the request was processed. If you need guaranteed egress IP geolocation or origin allowlisting, use [Dedicated CDN Egress IPs](/smart-shield/configuration/dedicated-egress-ips/) in addition to Regional Services.

For Regional Hostnames using Cloudflare shared ingress IPs, third-party IP geolocation providers may return a location that does not match your configured region (often the United States). This is a limitation of shared IP addressing and does not affect where your traffic is actually decrypted and processed.

## Ways to use Regional Services

Regional Services regionalizes traffic through several mechanisms, depending on how your traffic reaches Cloudflare. Most customers use only one of these:
Expand Down Expand Up @@ -115,6 +123,10 @@ Setting up Regional Services follows the same path regardless of which option yo

</Steps>

## Availability and SLA

For availability and Service Level Agreements (SLAs), refer to your Cloudflare Enterprise contract. For Regional Services configurations restricted to a single country (except the US), Cloudflare's SLA includes specific exclusions: because traffic cannot fail over to data centers outside that country, there is no automatic failover if in-country capacity is unavailable. Multi-country regions (for example, the European Union) generally maintain the standard SLA.

## Additional information

For more details about the products that are compatible with Regional Services, refer to the [Cloudflare product compatibility](/data-localization/compatibility/) page. If you have purchased these products as part of your Enterprise subscription plan, Cloudflare will only terminate TLS connections for these products in the geographic region you have configured for Regional Services.
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ Refer to the table on [Available regions and product support](/data-localization

You can also use Regional Services via API.

Currently, only SuperAdmins and Admin roles can edit DLS configurations. Use the Zone-level **DNS: Read/Write** API permission for the `/addressing/` endpoint to read or write Regional Services configurations.
Users with the Super Administrator, Administrator, or Domain Administrator roles can edit Regional Services configurations. The Domain Administrator Read Only role does not currently include read access to Regional Services configurations. Use the Zone-level **DNS: Read/Write** API permission for the `/addressing/` endpoint to read or write Regional Services configurations.

These are some examples of API requests.

Expand Down
4 changes: 2 additions & 2 deletions src/content/docs/fundamentals/manage-members/roles.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -110,8 +110,8 @@ Domain-scoped roles apply for a given domain within an account.
| AI Crawl Control Read Only | Can read [AI Crawl Control](/ai-crawl-control/) and metrics. |
| Bot Management | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations. |
| Cache Domain Purge | Grants access to [purge the edge cache](/cache/how-to/purge-cache/) for a specific domain and allows the reading of zone settings. |
| Domain Administrator | Grants full access to domains in an account, and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. |
| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. |
| Domain Administrator | Grants full access to domains in an account (including [Regional Services](/data-localization/regional-services/) configurations), and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. |
| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. This role does not currently include read access to [Regional Services](/data-localization/regional-services/) configurations. |
| Domain API Gateway | Grants full access to API Gateway (including [API Shield](/api-shield/)). |
| Domain API Gateway Read | Grants read access to API Gateway (including [API Shield](/api-shield/)). |
| Domain DNS | Grants access to edit [DNS settings](/dns/) for domains in an account. |
Expand Down