Cloudflare One Connectivity Diagram

🔗 Connectivity Architecture Overview

graph LR %% Define Node Styles with Different Colors classDef cloudflare fill:#F38020,stroke:#E56C0A,stroke-width:3px,color:#ffffff,font-weight:bold; classDef onrampUser fill:#DBEAFE,stroke:#3B82F6,stroke-width:2px,color:#1e40af; classDef onrampOffice fill:#D1FAE5,stroke:#10B981,stroke-width:2px,color:#065f46; classDef internet fill:#E0F2FE,stroke:#0EA5E9,stroke-width:2px,color:#0369a1; classDef saas fill:#FEF3C7,stroke:#F59E0B,stroke-width:2px,color:#92400e; classDef offrampTunnel fill:#EDE9FE,stroke:#8B5CF6,stroke-width:2px,color:#5b21b6; classDef offrampWarp fill:#FCE7F3,stroke:#EC4899,stroke-width:2px,color:#9d174d; classDef offrampIPSec fill:#FED7AA,stroke:#F97316,stroke-width:2px,color:#9a3412; classDef offrampCNI fill:#E0E7FF,stroke:#6366F1,stroke-width:2px,color:#3730a3; %% Subgraph for On-Ramps (Left Side) subgraph OnRamps["On-Ramps"] direction TB U1["👤 Users with WARP Client"]:::onrampUser U2["👤 Users without Client"]:::onrampUser O1["🏢 Branch Office
Network Hardware"]:::onrampOffice O2["🏢 Remote Site
Magic WAN Connector"]:::onrampOffice end %% Central Cloudflare Node CF["☁️ Cloudflare
Global Network"]:::cloudflare %% Public Internet & SaaS Nodes PI["🌐 Public Internet"]:::internet SaaS["💼 SaaS Applications
Microsoft 365, Salesforce, etc."]:::saas %% Subgraph for Off-Ramps (Right Side) subgraph OffRamps["Off-Ramps"] direction TB D1["🖥️ Private Resources
via Cloudflare Tunnel"]:::offrampTunnel D2["🖥️ Private Resources
via WARP Connector"]:::offrampWarp D3["🖥️ Data Centers
via Magic WAN"]:::offrampIPSec D4["🖥️ Cloud/Data Centers
via Direct Connect"]:::offrampCNI end %% Connections with labels U1 --->|"WireGuard / MASQUE"| CF U2 --->|"HTTPS / PAC / DoH / DoT /
mTLS / Clientless RBI"| CF O1 --->|"IPSec / GRE /
DoH / DoT / Clientless RBI"| CF O2 --->|"Anycast IPSec/GRE Tunnels"| CF CF -->|"HTTPS"| PI CF -->|"SAML / OIDC / SCIM / API"| SaaS CF <-->|"cloudflared (QUIC)"| D1 CF <===>|"WireGuard / MASQUE"| D2 CF <===>|"Anycast IPSec/GRE Tunnels"| D3 CF <===>|"CNI Peering"| D4 %% Add styles to connections linkStyle 0 stroke:#3B82F6,stroke-width:2px; linkStyle 1 stroke:#3B82F6,stroke-width:2px; linkStyle 2 stroke:#10B981,stroke-width:2px; linkStyle 3 stroke:#10B981,stroke-width:2px; linkStyle 4 stroke:#0EA5E9,stroke-width:2px; linkStyle 5 stroke:#F59E0B,stroke-width:2px; linkStyle 6 stroke:#8B5CF6,stroke-width:2px; linkStyle 7 stroke:#EC4899,stroke-width:3px; linkStyle 8 stroke:#F97316,stroke-width:3px; linkStyle 9 stroke:#6366F1,stroke-width:3px;

View Color Legend

Cloudflare Network

User On-Ramps

Location On-Ramps

Public Internet

SaaS Applications

Tunnel Off-Ramps

WARP Connector

Magic WAN (IPSec/GRE)

CNI Peering

Understanding Connectivity

Cloudflare One provides flexible connectivity options to connect locations (networks), users (knowledge workers), and applications (resources) to the global network.

The table below outlines all available on-ramps and off-ramps:

🟡 Identity-based policies not supported or restrictions apply (Users column)

✅ Full support with identity-based policies

Connectivity Option	Locations (Networks)	Users	Applications (Resources)
WARP Client (Default mode)	-	✅ Full identity-based policies	-
WARP Client (Gateway with DoH)	-	🟡 DNS filtering only	-
WARP Client (Gateway without DNS)	-	✅ No DNS filtering	-
WARP Client (Proxy Mode)	-	✅ Proxy-based filtering	-
WARP Client (Device Info Only)	-	🟡 Device posture only	-
DNS Resolver IPs	✅ Location-based DNS	🟡 Limited identity context	-
DNS over HTTPS (DoH)	✅ Location-specific endpoints	✅ User-specific tokens	-
DNS over TLS (DoT)	✅ Location-specific endpoints	🟡 Limited identity	-
Proxy Endpoint (PAC file)	-	✅ Beta Authorization endpoint	-
Cloudflare Tunnel	✅ Private Networks	-	✅ Private Networks & Public Hostnames
WARP Connector	✅ Layer 3 routing	-	✅ Layer 3 routing
Clientless RBI	✅ On-ramp via GRE or IPSec Tunnel	🟡 Non-identity via PAC, GRE or IPSec	-
Magic WAN	✅ GRE/IPSec Tunnel	-	✅ Layer 3 routing
Network Interconnect (CNI)	✅ Direct peering	-	✅ IP Routing
Mutual TLS (mTLS)	✅ Network authentication	🟡 Service accounts	✅ API endpoints
Service Tokens	-	🟡 Service accounts	✅ API endpoints
Identity Provider (SAML/OIDC)	-	✅ SSO integration	✅ SaaS Applications
CASB (API Integration)	-	-	✅ SaaS applications

Last updated: February 2026

Key Notes:

Proxy Endpoints (PAC files) now support Authorization endpoints for identity-based policies.
Post-Quantum Cryptography (PQC) is supported across the platform.
Identity-based policies provide user-level control over access and security rules.
mTLS and Service Tokens are used for service-to-service authentication and API security.
IPSec/GRE Tunnels and CNI require Magic WAN or Magic Transit.
Public Peering or PNI follows Cloudflare's open peering policy.

View Enhanced Table Includes categories, features, protocols, and more details

🔗 Connectivity Architecture Overview

Connectivity Options Reference

Understanding Connectivity