Comprehensive guide to connecting locations, users, and applications

| Connectivity Option | Locations (Networks) | Users (End Users) | Applications (Resources) | Use Cases | Key Features & Protocols |
|---|---|---|---|---|---|
| WARP Client<br>Requires client installation (Default mode) | — | ✅ Full identity-based policies | — | | WireGuard, MASQUE, DNS Filtering, Network Filtering, HTTP Inspection, Data Loss Prevention (DLP), Device Posture Checks, AV Scanning, Remote Browser Isolation (RBI) |
| WARP Client (Gateway with DoH)<br>DNS-only filtering mode | — | 🟡 DNS filtering only | — | | DNS over HTTPS (DoH), DNS Filtering |
| WARP Client (Gateway without DNS)<br>HTTP inspection without DNS | — | ✅ No DNS filtering | — | | WireGuard, MASQUE, Network Filtering, HTTP Inspection, Data Loss Prevention (DLP), Device Posture Checks, AV Scanning, Remote Browser Isolation (RBI) |
| WARP Client (Proxy Mode)<br>HTTP proxy configuration | — | ✅ Proxy-based filtering | — | | Localhost Proxy, WireGuard, MASQUE, HTTP Inspection, Data Loss Prevention (DLP), AV Scanning, Remote Browser Isolation (RBI) |
| DNS Resolver IPs<br>Office Router DNS configuration | ✅ Location-based DNS | 🟡 Limited identity context | — | | DNS Filtering |
| DNS over HTTPS (DoH)<br>DoH token configuration | ✅ Location-specific endpoints | ✅ User-specific tokens | — | | DNS over HTTPS (DoH), DNS Filtering, DoH Identity Tokens |
| DNS over TLS (DoT)<br>TLS DNS configuration | ✅ Location-specific endpoints | 🟡 Limited identity | — | | DNS over TLS (DoT), DNS Filtering, Port 853 |
| Proxy Endpoint (PAC)<br>PAC file with authorization endpoint | — | ✅ Authorization endpoint | — | | Authorization Endpoint, HTTP Inspection, Identity-Based Policies, PAC file |
| Clientless RBI<br>Browser isolation deployment | ✅ On-ramp via GRE or IPSec Tunnel | 🟡 Non-identity via PAC, GRE or IPSec Tunnel | — | | Remote Browser Isolation (RBI), Web Isolation, (Isolated) HTTP Inspection, (Isolated) Network Filtering, (Isolated) DNS Filtering |
| Cloudflare Tunnel<br>Outbound-only connections | ✅ Private Networks | — | ✅ Private Networks and Public Hostnames | | HTTP/HTTPS, SSH, RDP, SMB, gRPC, TCP, Kubernetes, Layer 4 |
| WARP Connector<br>Site-to-site, bidirectional, and mesh networking connectivity | ✅ | — | ✅ | | WireGuard, IP Routing, Private Networks, Layer 3 |
| Magic WAN<br>Enterprise network infrastructure | ✅ Connection via GRE or IPSec Tunnel | — | ✅ | | IPSec, GRE, SD-WAN, (NGFW) Network Filtering, Traffic Steering, IP Routing |
| Network Interconnect (CNI)<br>Physical network connections | ✅ Direct peering | — | ✅ IP Routing | | Direct Connect / Peering, BGP, High Bandwidth |
| Identity Provider (SAML/OIDC)<br>IdP integration required | — | ✅ SSO integration | ✅ SaaS Applications | | SAML, OIDC, OAuth, SSO |
| Mutual TLS (mTLS)<br>Certificate management | ✅ Network authentication | 🟡 Service accounts | ✅ API endpoints | | mTLS, Client Certificates, API Authentication |
| Service Tokens<br>Token-based authentication | — | 🟡 Service accounts | ✅ API endpoints | | Bearer Tokens, API Authentication |
| CASB (API Integration)<br>SaaS API integration | — | — | ✅ SaaS applications | | API Integration, SaaS Security, Data Protection |
| WARP Client (Device Info Only)<br>Device posture only | — | 🟡 Device posture only | — | | Device Posture Checks, No Traffic Routing |

Options marked with 🟡 have limited or no support for identity-based policies. Full identity support requires user authentication through an IdP or the WARP client.
Modern protocols like Post-Quantum Cryptography, WireGuard, and MASQUE are supported across applicable connection types.
For detailed implementation guides, visit the Cloudflare One Documentation and explore specific configuration examples.