Zero Trust
In the following sections, we will give you some details about how different Zero Trust products can be used with the Data Localization Suite.
Regional Services can be used with Gateway in all supported regions. Be aware that Regional Services only apply when using the WARP client in Gateway with WARP mode.
Enterprise customers can purchase a dedicated egress IP (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your egress policies.
As part of Regional Services, Cloudflare Gateway will only perform TLS decryption when using the WARP client (in default Gateway with WARP mode).
You are able to log the payload of matched DLP rules and encrypt them with your public key so that only you can examine them later.
Cloudflare cannot decrypt encrypted payloads.
You are able to configure SSH proxy and command logs. Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key sshkey.pub to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key – which is in your possession – is required to view logs.
Regional Services controls where Cloudflare decrypts traffic; because most DNS traffic is not encrypted, Gateway DNS cannot be regionalized using Regional Services.
Refer to the WARP Settings section below for more information.
You can bring your own certificate to Gateway but these cannot yet be restricted to a specific region.
By default, Cloudflare will store and deliver logs from data centers across our global network. To maintain regional control over your data, you can use Customer Metadata Boundary and restrict data storage to a specific geographic region. For more information refer to the section about Logpush datasets supported.
Customers also have the option to reduce the logs that Cloudflare stores:
- You can exclude PII from logs
- You can disable logging, or only log blocked requests.
To ensure that all reverse proxy requests for applications protected by Cloudflare Access will only occur in FedRAMP-compliant data centers, you should use Regional Services with the region set to FedRAMP.
You can configure Cloudflare Tunnel to only connect to data centers within the United States, regardless of where the software was deployed.
You can use the WARP setting Local Domain Fallback in order to use a private DNS resolver, which you can manage yourself.
Split Tunnels allow you to decide which IP addresses/ranges and/or domains are routed through or excluded from Cloudflare.