Cloudflare Docs
Data Localization Suite
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Zero Trust

In the following sections, we will give you some details about how different Zero Trust products can be used with the Data Localization Suite.

​​ Gateway

Regional Services can be used with Gateway in all supported regions. Be aware that Regional Services only apply when using the WARP client in Gateway with WARP mode.

​​ Egress policies

Enterprise customers can purchase a dedicated egress IP (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your egress policies.

​​ HTTP policies

As part of Regional Services, Cloudflare Gateway will only perform TLS decryption when using the WARP client (in default Gateway with WARP mode).

​​ Data Loss Prevention (DLP)

You are able to log the payload of matched DLP rules and encrypt them with your public key so that only you can examine them later.

Cloudflare cannot decrypt encrypted payloads.

​​ Network policies

You are able to configure SSH proxy and command logs. Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key sshkey.pub to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key – which is in your possession – is required to view logs.

​​ DNS policies

Regional Services controls where Cloudflare decrypts traffic; because most DNS traffic is not encrypted, Gateway DNS cannot be regionalized using Regional Services.

Refer to the WARP Settings section below for more information.

​​ Custom certificates

You can bring your own certificate to Gateway but these cannot yet be restricted to a specific region.

​​ Logs and Analytics

By default, Cloudflare will store and deliver logs from data centers across our global network. To maintain regional control over your data, you can use Customer Metadata Boundary and restrict data storage to a specific geographic region. For more information refer to the section about Logpush datasets supported.

Customers also have the option to reduce the logs that Cloudflare stores:

​​ Access

To ensure that all reverse proxy requests for applications protected by Cloudflare Access will only occur in FedRAMP-compliant data centers, you should use Regional Services with the region set to FedRAMP.

​​ Cloudflare Tunnel

You can configure Cloudflare Tunnel to only connect to data centers within the United States, regardless of where the software was deployed.

​​ WARP settings

​​ Local Domain Fallback

You can use the WARP setting Local Domain Fallback in order to use a private DNS resolver, which you can manage yourself.

​​ Split Tunnels

Split Tunnels allow you to decide which IP addresses/ranges and/or domains are routed through or excluded from Cloudflare.