diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
index 89468a834912b71..c9a67a7c65367fd 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
@@ -47,13 +47,29 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
-## 3. Configure the server
+## 3. Add a policy
+
+
+
+### Selectors
+
+The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
+
+- Email
+- Emails ending in
+- SAML group
+- Country
+- Authentication method
+- Device posture
+- Entra group, GitHub organization, Google Workspace group, Okta group
+
+## 4. Configure the server
Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:
- [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server)
-## 4. Connect as a user
+## Connect as a user
Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
@@ -100,15 +116,3 @@ warp-cli target list
## Revoke a user's session
To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
-
-## Infrastructure policy selectors
-
-The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
-
-- Email
-- Emails ending in
-- SAML group
-- Country
-- Authentication method
-- Device posture
-- Entra group, GitHub organization, Google Workspace group, Okta group
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index 7ac7f1e032a7808..2e2791101db7324 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -40,7 +40,11 @@ To connect your devices to Cloudflare:
-## 6. Configure SSH server
+## 6. Add a policy
+
+
+
+## 7. Configure SSH server
Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.
@@ -61,7 +65,7 @@ To generate a Cloudflare SSH CA and get its public key:
### Restart your SSH server
-## 7. Connect as a user
+## 8. Connect as a user
Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is [connected to that virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
index ecfb1ab39d24033..cf3f4c58d365ccb 100644
--- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
+++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
@@ -15,115 +15,57 @@ import { Tabs, TabItem, Render } from "~/components"
5. In **Target criteria**, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
6. Enter the **Protocol** and **Port** that will be used to connect to the server.
7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number.
- :::note
- Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
- :::
8. Select **Next**.
-9. To secure your targets, configure a policy that defines who can connect and how they can connect:
- 1. Enter any name for your policy.
- 2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/policies/access/) and review the list of [infrastructure policy selectors](/cloudflare-one/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors).
- 3. In **Connection context**, enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).
-4. Select **Add application**.
-1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
- | Type | Item | Permission |
- | ------- | ---------------- | ---------- |
- | Account | Access: Apps & Policies | Edit |
-
-2. Make a `POST` request to the [Access applications](/api/operations/access-applications-add-an-application) endpoint:
-
- ```sh
- curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
- --header "Authorization: Bearer " \
- --header "Content-Type: application/json" \
- --data '{
- "name": "Example infrastructure app",
- "type": "infrastructure",
- "target_criteria": [
- {
- "target_attributes": {
- "hostname": [
- "infra-access-target"
- ]
- },
- "port": 22,
- "protocol": "SSH"
- }
- ],
- "policies": [
- {
- "name": "Allow a specific email",
- "decision": "allow",
- "include": [
- {
- "email": {
- "email": "jdoe@company.com"
- }
- }
- ],
- "connection_rules": {
- "ssh": {
- "usernames": [
- "root",
- "ec2-user"
- ]
+To add an infrastructure application using the [API](/api/operations/access-applications-add-an-application):
+
+```sh
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
+--header "Authorization: Bearer " \
+--header "Content-Type: application/json" \
+--data '{
+ "name": "example app",
+ "type": "infrastructure",
+ "target_criteria": [
+ {
+ "target_attributes": {
+ "hostname": [
+ "infra-access-target"
+ ]
+ },
+ "port": 22,
+ "protocol": "SSH"
+ }
+ ],
+ "policies": [
+ {
+ "name": "Allow a specific email",
+ "decision": "allow",
+ "include": [
+ {
+ "email": {
+ "email": "jdoe@company.com"
}
}
+ ],
+ "connection_rules": {
+ "ssh": {
+ "usernames": [
+ "root",
+ "ec2-user"
+ ]
+ }
}
- ]
- }'
- ```
-
-
-
-
-1. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application:
-
- ```tf
- resource "cloudflare_zero_trust_access_application" "infra-app" {
- account_id = "f037e56e89293a057740de681ac9abbe"
- name = "Example infrastructure app"
- type = "infrastructure"
-
- target_criteria {
- port = 22
- protocol = "SSH"
- target_attributes {
- name = "hostname"
- values = ["infra-access-target"]
- }
- }
- }
- ```
-
-2. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application:
-
- ```tf
- resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
- application_id = cloudflare_zero_trust_access_application.infra-app.id
- account_id = "f037e56e89293a057740de681ac9abbe"
- name = "Allow a specific email"
- decision = "allow"
- precedence = 1
-
- include {
- email = ["jdoe@company.com"]
}
+ ]
+}'
+```
- connection_rules {
- ssh {
- usernames = ["root", "ec2-user"]
- }
- }
- }
- ```
-The targets in this application are now secured by your infrastructure policies.
-
:::note
-Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets.
+Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
:::
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx
new file mode 100644
index 000000000000000..7cf23b612f4163e
--- /dev/null
+++ b/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx
@@ -0,0 +1,19 @@
+---
+{}
+
+---
+
+import { Tabs, TabItem, Render } from "~/components"
+
+To secure your targets, configure a policy that defines who can connect and how they can connect:
+
+1. Enter any name for your policy.
+2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/policies/access/).
+3. In **Connection context**, enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).
+4. Select **Add application**.
+
+The targets in this application are now secured by your infrastructure policies.
+
+:::note
+Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets.
+:::
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx
index be10872c9c84afe..b61a3131c9b34d0 100644
--- a/src/content/partials/cloudflare-one/access/add-target.mdx
+++ b/src/content/partials/cloudflare-one/access/add-target.mdx
@@ -9,7 +9,7 @@ A target represents a single resource in your infrastructure (such as a server,
To create a new target:
-
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**.
2. Select **Add a target**.
@@ -30,51 +30,22 @@ To create a new target:
-1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
- | Type | Item | Permission |
- | ------- | ---------------- | ---------- |
- | Account | Zero Trust | Edit |
-
-2. Make a `POST` request to the [Infrastructure Access Targets](/api/operations/infra-targets-post) endpoint:
-
- ```sh
- curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
- --header "Authorization: Bearer " \
- --data '{
- "hostname": "infra-access-target",
- "ip": {
- "ipv4": {
- "ip_addr": "187.26.29.249",
- "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
- },
- "ipv6": {
- "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
- "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
- }
- }
- }'
- ```
-
-
-
-
-Configure the [`cloudflare_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/infrastructure_access_target) resource:
-
-```tf
-resource "cloudflare_infrastructure_access_target" "infra-ssh-target" {
- account_id = "f037e56e89293a057740de681ac9abbe"
- hostname = "infra-access-target"
- ip = {
- ipv4 = {
- ip_addr = "187.26.29.249"
- virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
- }
- ipv6 = {
- ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
- virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
- }
+```sh
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
+--header "Authorization: Bearer " \
+--data '{
+ "hostname": "infra-access-target",
+ "ip": {
+ "ipv4": {
+ "ip_addr": "187.26.29.249",
+ "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
+ },
+ "ipv6": {
+ "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
+ "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
}
-}
+ }
+}'
```