# Use Zero Trust with Data Localization Suite
In the following sections, we will give you some details about how different Zero Trust products can be used with the Data Localization Suite.
## Gateway
Regional Services can be used with Gateway in all supported regions. Be aware that Regional Services only apply when using the WARP client in Gateway with WARP mode.
### Egress policies
Enterprise customers can purchase a dedicated egress IP (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your egress policies.
### HTTP policies
As part of Regional Services, Cloudflare Gateway will only perform TLS decryption when using the WARP client (in default Gateway with WARP mode).
### Data Loss Prevention (DLP)
You can log the payload of matched DLP rules and encrypt it with your public key so that only you can examine it later. Cloudflare cannot decrypt these encrypted payloads.
### Network policies
You can configure SSH proxy and command logs. Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key `sshkey.pub` to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key, which stays in your possession, is required to view the logs.
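The property behind both the DLP payload logs and the SSH command logs above is that the side holding only the public key can encrypt but never decrypt. The following is an added illustration, not Cloudflare's own code: an HPKE-style construction (ephemeral X25519 key agreement plus AES-256-GCM) with a simplified key derivation rather than RFC 9180's labelled HKDF, where the `seal`/`open` function names and the JSON log line are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aeadFor derives a one-time AES-256-GCM key from the X25519 shared secret and both public keys.
func aeadFor(shared, ephPub, custPub []byte) cipher.AEAD {
	key := sha256.Sum256(append(append(shared, ephPub...), custPub...)) // simplified vs RFC 9180 HKDF
	block, _ := aes.NewCipher(key[:])                                   // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal needs only the customer's PUBLIC key; the fresh X25519 key per line means nothing kept here can decrypt later.
func seal(custPub *ecdh.PublicKey, logLine []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(custPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes() // travels in the clear as the first 32 bytes of the sealed log
	gcm := aeadFor(shared, ephPub, custPub.Bytes())
	nonce := make([]byte, gcm.NonceSize()) // all-zero nonce is safe: each derived key is used exactly once
	return gcm.Seal(ephPub[:32:32], nonce, logLine, ephPub), nil
}

// open runs only where the customer's PRIVATE key is kept; GCM fails closed on any tampering.
func open(custPriv *ecdh.PrivateKey, sealed []byte) ([]byte, error) {
	if len(sealed) < 32+16 { // ephemeral public key + GCM tag
		return nil, errors.New("sealed log too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(sealed[:32])
	if err != nil {
		return nil, err
	}
	shared, err := custPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm := aeadFor(shared, sealed[:32], custPriv.PublicKey().Bytes())
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[32:], sealed[:32])
}
```

Only `open` ever touches the private key, so the encrypting side can be audited to hold nothing that recovers a log line once the ephemeral key is discarded.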
### DNS policies
Note that due to the nature of Cloudflare’s anycast network, Gateway DNS traffic cannot yet be localized using the Data Localization Suite. Refer to the WARP settings section below for more information.
### Custom certificates
You can bring your own certificate to Gateway, but it cannot yet be restricted to a specific region.
### Logs and Analytics
By default, Cloudflare will store and deliver logs from data centers across our global edge network. To maintain regional control over your data, you can use Customer Metadata Boundary and restrict data storage to a specific geographic region.
| | Customer Metadata Boundary for US | Customer Metadata Boundary for EU |
|---|---|---|
| Gateway DNS | ✅ All logs available | ✘ All logs sent to US |
| Gateway HTTP | ✅ All logs available | ✅ Logpush can be used from EU<br>🚧 Logs and Analytics in the dashboard not yet available |
| Gateway Network | ✅ Log region can be configured to US | ✅ Logpush can be used from EU<br>🚧 Logs and Analytics in the dashboard not yet available |
Customers also have the option to reduce the logs that Cloudflare stores:

- You can exclude PII from logs.
- You can disable logging, or only log blocked requests.
## Access
To ensure that all reverse proxy requests for applications protected by Cloudflare Access will only occur in FedRAMP-compliant data centers, you should use Regional Services with the region set to FedRAMP.
## Cloudflare Tunnel
You can configure Cloudflare Tunnel to only connect to data centers within the United States, regardless of where the software was deployed.
## WARP settings
### Local Domain Fallback
You can use the WARP setting Local Domain Fallback in order to use a private DNS resolver, which you can manage yourself.
### Split Tunnels
Split Tunnels allow you to decide which IP addresses/ranges and/or domains are routed through or excluded from Cloudflare.