diff --git a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
index 51b93dab9bfd0b..e359d3ca9e6af5 100644
--- a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
+++ b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
@@ -6,10 +6,9 @@ sidebar:
head:
- tag: title
content: "Reference Architecture: Architecture using Cloudflare SASE with Microsoft"
-
---
-import { Render } from "~/components"
+import { Render } from "~/components";
## Introduction
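Review bot: the import gains a trailing semicolon (`import { Render } from "~/components";`) and the frontmatter loses the blank line before `---`; both look like formatter output rather than hand edits, so the commit message should name the formatter and the repo should run it in CI, otherwise the `*` bullets and unterminated imports will drift back in the next edit. Removing the blank line inside the frontmatter is harmless to the YAML, but confirm the page still builds.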
@@ -28,13 +27,13 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo
-* Solution Brief: [Cloudflare One](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
-* Whitepaper: [Reference Architecture for Internet-Native Transformation](https://cfl.re/internet-native-transformation-wp) (10 minute read)
-* Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)
+- Solution Brief: [Cloudflare One](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
+- Whitepaper: [Reference Architecture for Internet-Native Transformation](https://cfl.re/internet-native-transformation-wp) (10 minute read)
+- Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)
Those who read this reference architecture will learn:
-* How Cloudflare and Microsoft can be integrated together to protect users, devices, applications and networks from a Zero Trust perspective
+- How Cloudflare and Microsoft can be integrated together to protect users, devices, applications and networks from a Zero Trust perspective
This document is also accompanied by a reference architecture with a more indepth look at [Cloudflare and SASE](/reference-architecture/architectures/sase/).
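Review bot: the unchanged context line `This document is also accompanied by a reference architecture with a more indepth look at ...` has a typo ("indepth" should be "in-depth"); since this hunk already rewrites the surrounding list, fix it here rather than in a follow-up.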
@@ -46,19 +45,19 @@ Cloudflare's [Zero Trust Network Access](https://www.cloudflare.com/zero-trust/p
Microsoft and Cloudflare can be integrated in the following ways.
-* Using Microsoft [Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) for authentication to all Cloudflare protected resources
-* Leveraging Microsoft [InTune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune) device posture in Cloudflare policies to ensure only managed, trusted devices have access to protected resources
-* Using Cloudflare [CASB](/cloudflare-one/applications/scan-apps/) to inspect your [Microsoft 365](https://www.microsoft.com/en-us/microsoft-365/what-is-microsoft-365) tenants and alert on security findings for incorrectly configured accounts and shared files containing sensitive data
-* Using Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) to control access to Microsoft SaaS applications such as Outlook, OneDrive and Teams
-* Using Cloudflare's [Email Security](/email-security/) service to increase protection of email from phishing attacks and business email compromise.
+- Using Microsoft [Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) for authentication to all Cloudflare protected resources
+- Leveraging Microsoft [InTune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune) device posture in Cloudflare policies to ensure only managed, trusted devices have access to protected resources
+- Using Cloudflare [CASB](/cloudflare-one/applications/scan-apps/) to inspect your [Microsoft 365](https://www.microsoft.com/en-us/microsoft-365/what-is-microsoft-365) tenants and alert on security findings for incorrectly configured accounts and shared files containing sensitive data
+- Using Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) to control access to Microsoft SaaS applications such as Outlook, OneDrive and Teams
+- Using Cloudflare's [Email Security](/email-security/) service to increase protection of email from phishing attacks and business email compromise.
### Microsoft Entra ID with Cloudflare
Cloudflare's integration with Entra ID allows you to leverage your identities in Entra for authentication to any Cloudflare protected application. Groups can also be imported via SCIM to be used in access policies, simplifying management and abstracting access control by managing group membership in Entra ID.
-* Entra ID enables administrators to create and enforce policies on both applications and users using Conditional Access policies.
-* It offers a wide range of parameters to control user access to applications, such as user risk level, sign-in risk level, device platform, location, client apps, and more.
-* Security teams can define their security controls in Entra ID and enforce them at the network layer, for every request, with Cloudflare's ZTNA service.
+- Entra ID enables administrators to create and enforce policies on both applications and users using Conditional Access policies.
+- It offers a wide range of parameters to control user access to applications, such as user risk level, sign-in risk level, device platform, location, client apps, and more.
+- Security teams can define their security controls in Entra ID and enforce them at the network layer, for every request, with Cloudflare's ZTNA service.
![Figure 1: Microsoft Entra ID integrates with Cloudflare for ZTNA access to SaaS and self hosted applications.](~/assets/images/reference-architecture/cloudflare-sase-with-microsoft/cloudflare-sase-with-microsoft-fig1.svg "Figure 1: Microsoft Entra ID integrates with Cloudflare for ZTNA access to SaaS and self hosted applications.")
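Review bot: the added line `- Leveraging Microsoft [InTune](...) device posture in Cloudflare policies` spells the product "InTune", while the Intune section later in this same file (and the linked Microsoft URL, `what-is-intune`) use "Intune"; the line is being rewritten anyway, so normalize it. The last bullet (`- Using Cloudflare's [Email Security](/email-security/) service ... business email compromise.`) is also the only one in the list ending with a period.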
@@ -66,9 +65,9 @@ Cloudflare's integration with Entra ID allows you to leverage your identities in
Cloudflare is able to enforce access policies that include information about device posture. InTune can be integrated into Cloudflare so that information about InTune managed and protected devices can be used to enforce access control to Cloudflare protected resources.
-* With a device connected using our [agent](/cloudflare-one/connections/connect-devices/warp/), Cloudflare's ZTNA service can leverage the enhanced telemetry and context provided by Intune regarding a user's device posture and compliance state.
-* Intune provides detailed information about the security status and configuration of user devices, enabling more informed access control decisions.
-* This integration allows administrators to ensure that only compliant and secure devices are granted access to critical networks and applications.
+- With a device connected using our [agent](/cloudflare-one/connections/connect-devices/warp/), Cloudflare's ZTNA service can leverage the enhanced telemetry and context provided by Intune regarding a user's device posture and compliance state.
+- Intune provides detailed information about the security status and configuration of user devices, enabling more informed access control decisions.
+- This integration allows administrators to ensure that only compliant and secure devices are granted access to critical networks and applications.
![Figure 2: Figure 2: Using Intune and Cloudflare device posture data for secure application access.](~/assets/images/reference-architecture/cloudflare-sase-with-microsoft/cloudflare-sase-with-microsoft-fig2.svg "Figure 2: Using Intune and Cloudflare device posture data for secure application access.")
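Review bot: the unchanged context paragraph `Cloudflare is able to enforce access policies that include information about device posture. InTune can be integrated ...` uses "InTune" twice while the three bullets directly below it use "Intune", and the figure line repeats its caption prefix in the alt text (`![Figure 2: Figure 2: Using Intune and Cloudflare device posture data ...]`). Both are one-word fixes worth folding into this hunk.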
@@ -85,7 +84,7 @@ Learn more about how our CASB solution can [protect data at rest here](/referenc
Cloudflare's Secure Web Gateway (SWG) can help organizations achieve safe and secure access to Microsoft 365 in the following ways:
1. Traffic inspection and filtering: Cloudflare's SWG inspects all user and device traffic destined for the Internet, including traffic to Microsoft 365. This allows organizations to apply security policies, content filtering, and threat prevention measures to ensure that only legitimate and authorized traffic reaches Microsoft 365 services.
- As seen above, policies can be designed so that only managed, secure devices can access any part of the Microsoft 365 and Azure platform.
+ As seen above, policies can be designed so that only managed, secure devices can access any part of the Microsoft 365 and Azure platform.
2. Data protection with DLP profiles: Traffic is not only inspected based on device posture and identity information, but our DLP engine can also examine the content of the request and allow/block downloads/uploads of confidential information to and from Microsoft 365 and Azure.
3. Enforce Cloudflare gateway: Microsoft 365 can be configured to accept user traffic only from a specific range of IP addresses. Cloudflare makes it possible to define and associate IP addresses attached to all traffic leaving the SWG. This means that organizations can configure Microsoft 365 to only accept traffic coming from the IP address range designated by Cloudflare SWG, ensuring that all traffic has been inspected and approved by Cloudflare's security policies before reaching Microsoft 365.
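Review bot: the only difference between `- As seen above, policies can be designed so that only managed, secure devices ...` and its `+` counterpart is leading whitespace, which this rendering does not show. Confirm the new indentation keeps that sentence as a continuation of item 1 (three spaces under a `1. ` marker in Markdown); if it now sits at column zero it renders as a separate paragraph and item 2 restarts the list numbering.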
@@ -107,5 +106,5 @@ By leveraging Cloudflare and its integrations with Microsoft, organizations can
## Related resources
-* [Overview of Microsoft and Cloudflare partnership](https://www.cloudflare.com/partners/technology-partners/microsoft/)
-* [Set up Entra ID (formerly Azure AD) as an identity provider](/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider)
+- [Overview of Microsoft and Cloudflare partnership](https://www.cloudflare.com/partners/technology-partners/microsoft/)
+- [Set up Microsoft Entra ID (formerly Azure Active Directory) as an identity provider](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider)
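Review bot: this hunk changes content, not just bullet style: the link text becomes `Set up Microsoft Entra ID (formerly Azure Active Directory) as an identity provider` and the target moves from `/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider` to `/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider`. Verify that the new page and its anchor exist and that a redirect covers the old `/azuread/` path, and call the link update out in the commit message so it is not lost among the formatting churn.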
diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx
index 7834e1cace8e92..cd4ea43a798feb 100644
--- a/src/content/docs/reference-architecture/architectures/sase.mdx
+++ b/src/content/docs/reference-architecture/architectures/sase.mdx
@@ -6,7 +6,7 @@ sidebar:
label: Secure Access Service Edge (SASE)
---
-import { Render } from "~/components"
+import { Render } from "~/components";
Download a [PDF version](/reference-architecture/static/cloudflare-evolving-to-a-sase-architecture.pdf) of this reference architecture.
@@ -14,10 +14,10 @@ Download a [PDF version](/reference-architecture/static/cloudflare-evolving-to-a
Cloudflare One is a secure access service edge (SASE) platform that protects enterprise applications, users, devices, and networks. By progressively adopting Cloudflare One, organizations can move away from their patchwork of hardware appliances and other point solutions and instead consolidate security and networking capabilities on one unified control plane. Such network and security transformation helps address key challenges modern businesses face, including:
-* Securing access for any user to any resource with Zero Trust practices
-* Defending against cyber threats, including multi-channel phishing and ransomware attacks
-* Protecting data in order to comply with regulations and prevent leaks
-* Simplifying connectivity across offices, data centers, and cloud environments
+- Securing access for any user to any resource with Zero Trust practices
+- Defending against cyber threats, including multi-channel phishing and ransomware attacks
+- Protecting data in order to comply with regulations and prevent leaks
+- Simplifying connectivity across offices, data centers, and cloud environments
Cloudflare One is built on Cloudflare's [connectivity cloud](https://www.cloudflare.com/connectivity-cloud/), a unified, intelligent platform of programmable cloud-native services that enable any-to-any connectivity between all networks (enterprise and Internet), cloud environments, applications, and users. It is one of the [largest global networks](https://www.cloudflare.com/network/), with data centers spanning [hundreds of cities worldwide](https://www.cloudflare.com/network/) and interconnection with over 12,500 other networks. It also has a greater presence in [core Internet exchanges](https://bgp.he.net/report/exchanges#_participants) than many other large technology companies.
@@ -33,15 +33,15 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo
-* Solution Brief: [Cloudflare One](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
-* Whitepaper: [Reference Architecture for Internet-Native Transformation](https://cfl.re/internet-native-transformation-wp) (10 minute read)
-* Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)
+- Solution Brief: [Cloudflare One](https://cfl.re/SASE-SSE-platform-brief) (3 minute read)
+- Whitepaper: [Reference Architecture for Internet-Native Transformation](https://cfl.re/internet-native-transformation-wp) (10 minute read)
+- Blog: [Zero Trust, SASE, and SSE: foundational concepts for your next-generation network](https://blog.cloudflare.com/zero-trust-sase-and-sse-foundational-concepts-for-your-next-generation-network/) (14 minute read)
Those who read this reference architecture will learn:
-* How Cloudflare One protects an organization's employees, devices, applications, data, and networks
-* How Cloudflare One fits into your existing infrastructure, and how to approach migration to a SASE architecture
-* How to plan for deploying Cloudflare One
+- How Cloudflare One protects an organization's employees, devices, applications, data, and networks
+- How Cloudflare One fits into your existing infrastructure, and how to approach migration to a SASE architecture
+- How to plan for deploying Cloudflare One
While this document examines Cloudflare One at a technical level, it does not offer fine detail about every product in the platform. Instead, it looks at how all the services in Cloudflare One enable networking and network security to be consolidated on one architecture. Visit the [developer documentation](https://developers.cloudflare.com/) for further information specific to a product area or use case.
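Review bot: the three recommended-reading bullets added here (`- Solution Brief: [Cloudflare One](...)`, `- Whitepaper: ...`, `- Blog: ...`) are the same three lines added in the Microsoft architecture file earlier in this diff. Both files already import `Render` from `~/components`, so moving this list into a shared partial would stop the two copies from drifting the next time a link or reading time changes.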
@@ -63,11 +63,11 @@ The diagram above shows an example of this adapted perimeter-based approach, in
Such challenges are driving many organizations to prioritize goals like:
-* Accelerating business agility by supporting remote / hybrid work with secure any-to-any access
-* Improving productivity by simplifying policy management and by streamlining user experiences
-* Reducing cyber risk by protecting users and data from phishing, ransomware, and other threats across all channels
-* Consolidating visibility and controls across networking and security
-* Reducing costs by replacing expensive appliances and infrastructure (e.g. VPNs, hardware firewalls, and MPLS connections)
+- Accelerating business agility by supporting remote / hybrid work with secure any-to-any access
+- Improving productivity by simplifying policy management and by streamlining user experiences
+- Reducing cyber risk by protecting users and data from phishing, ransomware, and other threats across all channels
+- Consolidating visibility and controls across networking and security
+- Reducing costs by replacing expensive appliances and infrastructure (e.g. VPNs, hardware firewalls, and MPLS connections)
## Understanding a SASE architecture
@@ -75,10 +75,10 @@ In recent years, [secure access service edge](https://www.cloudflare.com/learnin
SASE platforms consist of networking and security services, all underpinned by supporting operational services and a policy engine:
-* Network services forward traffic from a variety of networks into a single global corporate network. These services provide capabilities like firewalling, routing, and load balancing.
-* Security services apply to traffic flowing over the network, allowing for filtering of certain types of traffic and control over who can access what.
-* Operational services provide platform-wide capabilities like logging, API access, and comprehensive Infrastructure-as-Code support through providers like Terraform.
-* A policy engine integrates across all services, allowing admins to define policies which are then applied across all the connected services.
+- Network services forward traffic from a variety of networks into a single global corporate network. These services provide capabilities like firewalling, routing, and load balancing.
+- Security services apply to traffic flowing over the network, allowing for filtering of certain types of traffic and control over who can access what.
+- Operational services provide platform-wide capabilities like logging, API access, and comprehensive Infrastructure-as-Code support through providers like Terraform.
+- A policy engine integrates across all services, allowing admins to define policies which are then applied across all the connected services.
![Cloudflare's SASE cloud platform offers network, security, and operational services, as well as policy engine features, to provide zero trust connectivity between a variety of user identities, devices and access locations to customer applications, infrastructure and networks.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-2.svg)
@@ -98,7 +98,7 @@ Cloudflare's SASE platform benefits from our use of [anycast](https://www.cloudf
Using anycast ensures the Cloudflare network is well balanced. If there is a sudden increase in traffic on the network, the load can be distributed across multiple data centers – which in turn, helps maintain consistent and reliable connectivity for users. Further, Cloudflare's large [network capacity](https://www.cloudflare.com/network/) and [AI/ML-optimized smart routing](https://blog.cloudflare.com/meet-traffic-manager/) also help ensure that performance is constantly optimized.
-By contrast, many other SASE providers use Unicast routing in which a single IP address is associated with a single server and/or data center. In many such architectures, a single IP address is then associated with a specific application, which means requests to access that application may have very different network routing experiences depending on how far that traffic needs to travel. For example, performance may be excellent for employees working in the office next to the application's servers, but poor for remote employees or those working overseas. Unicast also complicates scaling traffic loads — that single service location must ramp up resources when load increases, whereas anycast networks can share traffic across many data centers and geographies.
+By contrast, many other SASE providers use Unicast routing in which a single IP address is associated with a single server and/or data center. In many such architectures, a single IP address is then associated with a specific application, which means requests to access that application may have very different network routing experiences depending on how far that traffic needs to travel. For example, performance may be excellent for employees working in the office next to the application's servers, but poor for remote employees or those working overseas. Unicast also complicates scaling traffic loads — that single service location must ramp up resources when load increases, whereas anycast networks can share traffic across many data centers and geographies.
![Cloudflare's anycast network ensures fast and reliable connectivity, whereas Unicast routing often sends all traffic to a single IP address, resulting in slower and failure prone connections.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-5.svg)
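Review bot: the `-`/`+` pair for the paragraph beginning `By contrast, many other SASE providers use Unicast routing ...` shows no visible difference, so the change is trailing whitespace or an invisible character; a reviewer cannot tell which from the diff, and the PR description should say. While this paragraph is being touched, it mixes an en dash in the context line (`multiple data centers – which in turn`) with an em dash in the changed line (`scaling traffic loads — that single service location`); pick one for the file.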
@@ -114,10 +114,10 @@ In the bottom half are a variety of users, devices, networks, and locations. Use
A SASE architecture will define, secure, and streamline how each user and device will connect to the various resources in the diagram. Over the following sections, this guide will show ways to integrate Cloudflare One into the above infrastructure:
-* **Applications and services**: Placing access to private applications and services behind Cloudflare
-* **Networks**: Connecting entire networks to Cloudflare
-* **Forwarding device traffic**: Facilitating access to Cloudflare-protected resources from any device
-* **Verifying users and devices**: Identifying which users access requests come from, and which devices those users have
+- **Applications and services**: Placing access to private applications and services behind Cloudflare
+- **Networks**: Connecting entire networks to Cloudflare
+- **Forwarding device traffic**: Facilitating access to Cloudflare-protected resources from any device
+- **Verifying users and devices**: Identifying which users access requests come from, and which devices those users have
### Connecting applications
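Review bot: the added bullet `- **Verifying users and devices**: Identifying which users access requests come from, and which devices those users have` reads awkwardly ("which users access requests" is missing a possessive or a rewrite); suggest `Identifying which user an access request comes from, and which device that user is on`.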
@@ -130,9 +130,9 @@ This journey to a SASE architecture starts with an organization needing to provi
Connectivity to self-hosted applications is facilitated through tunnels that are created and maintained by a software connector,
[`cloudflared`](/cloudflare-one/connections/connect-networks/get-started/). `cloudflared` is a lightweight daemon installed in an organizations' infrastructure that creates a tunnel via an outbound connection to Cloudflare's global network. The connector can be installed in a variety of ways:
-* In the OS installed on the bare metal server
-* In the OS that is running in a virtualized environment
-* In a [container](https://hub.docker.com/r/cloudflare/cloudflared) running in a Docker or Kubernetes environment
+- In the OS installed on the bare metal server
+- In the OS that is running in a virtualized environment
+- In a [container](https://hub.docker.com/r/cloudflare/cloudflared) running in a Docker or Kubernetes environment
`cloudflared` runs on Windows, Linux, or macOS operating systems and creates an encrypted tunnel using QUIC, a modern protocol that uses UDP (instead of TCP) for fast tunnel performance and modern encryption standards. Generally speaking, there are two approaches for how users can deploy `cloudflared` in their environment:
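Review bot: the unchanged context line `` `cloudflared` is a lightweight daemon installed in an organizations' infrastructure `` has a misplaced apostrophe ("an organization's"). The preceding context line also breaks mid-sentence (`... created and maintained by a software connector,` followed by the link on the next line); a hard wrap inside a sentence is harmless in MDX but worth rejoining while the list below it is being reformatted.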
@@ -155,12 +155,12 @@ For example, organizations can define a public hostname (`mywebapp.domain.com`)
Key capabilities:
-* A hostname is created in a public DNS zone and all requests to that hostname are first routed to the Cloudflare network, inspected against configured security and access policies, before being routed through the tunnel to the secured private resource
-* Multiple hostnames can be defined per tunnel, with each hostname mapping to a single application (service address and port)
-* Support for HTTP/HTTPS protocols
-* Access to resources only requires a browser
-* When Cloudflare's device client is deployed on an user device, policies can leverage additional contextual signals (e.g. determining whether the device is managed or running the latest OS) in policy enforcement
-* For access to SSH/VNC services, Cloudflare renders an SSH/VNC terminal using webassembly in the browser
+- A hostname is created in a public DNS zone and all requests to that hostname are first routed to the Cloudflare network, inspected against configured security and access policies, before being routed through the tunnel to the secured private resource
+- Multiple hostnames can be defined per tunnel, with each hostname mapping to a single application (service address and port)
+- Support for HTTP/HTTPS protocols
+- Access to resources only requires a browser
+- When Cloudflare's device client is deployed on an user device, policies can leverage additional contextual signals (e.g. determining whether the device is managed or running the latest OS) in policy enforcement
+- For access to SSH/VNC services, Cloudflare renders an SSH/VNC terminal using webassembly in the browser
Applications exposed this way receive all of the benefits of Cloudflare's leading DNS, CDN, and DDoS services as well as our web application firewall (WAF), API, and bot services, all without exposing application servers directly to the Internet.
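Review bot: two small errors in the rewritten bullets: `- When Cloudflare's device client is deployed on an user device` should read "a user device", and `- For access to SSH/VNC services, Cloudflare renders an SSH/VNC terminal using webassembly in the browser` should spell the technology "WebAssembly". Since these lines are already being rewritten, fix them in the same change.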
@@ -170,9 +170,9 @@ In some cases, users may want to leverage ZTNA policies to provide access to man
Key capabilities:
-* `cloudflared`, combined with Cloudflare device agent, provides access to private networks, allowing for any arbitrary L4 TCP, UDP or ICMP connections
-* One or many networks can be configured using CIDR notation (e.g. 172.21.0.16/28)
-* Access to resources on the private network requires the Cloudflare device agent to be installed on clients, and at least one Cloudflare Tunnel server on the connecting network
+- `cloudflared`, combined with Cloudflare device agent, provides access to private networks, allowing for any arbitrary L4 TCP, UDP or ICMP connections
+- One or many networks can be configured using CIDR notation (e.g. 172.21.0.16/28)
+- Access to resources on the private network requires the Cloudflare device agent to be installed on clients, and at least one Cloudflare Tunnel server on the connecting network
For both methods, it is important to note that `cloudflared` only proxies inbound traffic to a private application or network. It does not become a gateway or "on-ramp" back to Cloudflare for the network that it proxies inbound connections to. This means that if the web server starts its own connection to another Internet-based API, that connection will not be routed via Cloudflare Tunnel and will instead be routed via the host server's default route and gateway.
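Review bot: the added bullet `` - `cloudflared`, combined with Cloudflare device agent, provides access to private networks `` is missing an article ("combined with the Cloudflare device agent", matching `the Cloudflare device agent` two bullets later).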
@@ -192,10 +192,10 @@ Another method to secure access to SaaS applications is to configure single sign
Key capabilities:
-* Apply consistent access policies across both self-hosted and SaaS applications
-* Layer device security posture into the authentication process (e.g. users can ensure that only managed devices, running the latest operating system and passing all endpoint security checks, are able to access SaaS applications)
-* Ensure that certain network routes are used for access (e.g. users can require that devices are connected to Cloudflare using the device agent, which allows them to filter traffic to the SaaS application and prevent downloads of protected data)
-* Centralize SSO applications to Cloudflare and create one SSO integration from Cloudflare to their IdP — making both infrastructure and access policies SSO-agnostic (e.g. users can allow access to critical applications only when MFA is used, no matter which IdP is used to authenticate)
+- Apply consistent access policies across both self-hosted and SaaS applications
+- Layer device security posture into the authentication process (e.g. users can ensure that only managed devices, running the latest operating system and passing all endpoint security checks, are able to access SaaS applications)
+- Ensure that certain network routes are used for access (e.g. users can require that devices are connected to Cloudflare using the device agent, which allows them to filter traffic to the SaaS application and prevent downloads of protected data)
+- Centralize SSO applications to Cloudflare and create one SSO integration from Cloudflare to their IdP — making both infrastructure and access policies SSO-agnostic (e.g. users can allow access to critical applications only when MFA is used, no matter which IdP is used to authenticate)
When Cloudflare acts as the SSO service to an application, user authentication is still handled by an organization's existing identity provider, but is proxied via Cloudflare, where additional access restrictions can be applied. The diagram below is a high-level example of a typical request flow:
@@ -205,17 +205,17 @@ The last method of connecting SaaS applications to Cloudflare's SASE architectur
Native integration with the Cloudflare [data loss prevention](https://www.cloudflare.com/learning/access-management/what-is-dlp/) (DLP) service enables CASB to scan for sensitive or regulated data that may be stored in files with incorrect permissions — further risking leaks or unauthorized access. CASB reports findings that alert IT teams to items such as:
-* Administrative accounts without adequate MFA
-* Company-sensitive data in files stored with public access permissions
-* Missing application configurations (e.g. domains missing SPF/DMARC records)
+- Administrative accounts without adequate MFA
+- Company-sensitive data in files stored with public access permissions
+- Missing application configurations (e.g. domains missing SPF/DMARC records)
#### Checkpoint: Connecting applications to Cloudflare
Now, this is what the architecture of a typical organization might look like once they have integrated with Cloudflare services. It is important to note that Cloudflare is designed to secure organizations' existing applications and services in the following ways:
-* All self-hosted applications and services are only accessible through Cloudflare and controlled by policies defined by the Cloudflare ZTNA
-* SaaS application traffic is filtered and secured via the Cloudflare SWG
-* SaaS services are scanned via the Cloudflare CASB to check for configuration and permissions of data at rest
+- All self-hosted applications and services are only accessible through Cloudflare and controlled by policies defined by the Cloudflare ZTNA
+- SaaS application traffic is filtered and secured via the Cloudflare SWG
+- SaaS services are scanned via the Cloudflare CASB to check for configuration and permissions of data at rest
![Access to all applications is now only available via Cloudflare.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-9.svg)
@@ -225,11 +225,11 @@ Once an organization's applications and services have been integrated, it is tim
When all traffic flows through Cloudflare, SASE services perform the following actions:
-* Granting application access
-* Filtering general Internet-bound traffic (e.g. blocking access to sites that host malware)
-* Isolating web sites to protect users from day-zero or unknown harmful Internet content
-* Filtering traffic to identify data defined by DLP policies — then blocking the download/upload of that data to insecure devices or applications
-* Providing visibility into the use of non-approved applications and allowing admins to either block or apply policies around their use
+- Granting application access
+- Filtering general Internet-bound traffic (e.g. blocking access to sites that host malware)
+- Isolating web sites to protect users from day-zero or unknown harmful Internet content
+- Filtering traffic to identify data defined by DLP policies — then blocking the download/upload of that data to insecure devices or applications
+- Providing visibility into the use of non-approved applications and allowing admins to either block or apply policies around their use
There are several approaches for connecting networks to Cloudflare, which can provide further flexibility in how an organization provides access to SASE-protected resources:
@@ -293,10 +293,10 @@ There may also be situations where network-layer encryption is not necessary —
Organizations may also connect their network locations directly to the Cloudflare network via [Cloudflare Network Interconnect](https://www.cloudflare.com/network-services/products/network-interconnect/) (CNI). Cloudflare [supports a variety of options](/network-interconnect/about) to connect your network to Cloudflare:
-* Express CNI for Magic WAN and Magic Transit
-* Classic CNI for Magic Transit
-* Cloud CNI for Magic WAN and Magic Transit
-* Peering via either an internet exchange, or a private network interconnect (PNI).
+- Express CNI for Magic WAN and Magic Transit
+- Classic CNI for Magic Transit
+- Cloud CNI for Magic WAN and Magic Transit
+- Peering via either an internet exchange, or a private network interconnect (PNI).
The following table summarizes the different methods of connecting networks to Cloudflare:
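Review bot: the last bullet in the CNI list ends with a period while the other three do not; drop the trailing period (and the unnecessary comma) in `Peering via either an internet exchange, or a private network interconnect (PNI).` so the list is consistent with the other lists in this file.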
@@ -312,17 +312,23 @@ Each of these methods of connecting and routing traffic can be deployed concurre
Note the following traffic flows:
-* All traffic connected via a WARP Connector or device agent can communicate with each other over the mesh network
- * Developers working from home can communicate with the production and staging servers in the cloud
- * The employee in the retail location, as well as the developer at home, can receive VOIP calls on their laptop
-* A HPC Cluster in AWS represents a proprietary solution in which no third-party software agents can be installed; as a result, it uses an IPsec connection to Magic WAN
-* In the retail location, the Magic WAN Connector routes all traffic to Cloudflare via an IPsec tunnel
- * An employee's laptop running the device agent creates its own secure connection to Cloudflare that is routed over the IPsec tunnel
-* The application owner of the reporting system maintains a connection to Cloudflare using `cloudflared` and doesn't require any networking help to expose their application to employees
+- All traffic connected via a WARP Connector or device agent can communicate with each other over the mesh network
+ - Developers working from home can communicate with the production and staging servers in the cloud
+ - The employee in the retail location, as well as the developer at home, can receive VOIP calls on their laptop
+- A HPC Cluster in AWS represents a proprietary solution in which no third-party software agents can be installed; as a result, it uses an IPsec connection to Magic WAN
+- In the retail location, the Magic WAN Connector routes all traffic to Cloudflare via an IPsec tunnel
+ - An employee's laptop running the device agent creates its own secure connection to Cloudflare that is routed over the IPsec tunnel
+- The application owner of the reporting system maintains a connection to Cloudflare using `cloudflared` and doesn't require any networking help to expose their application to employees
![Connecting and routing traffic can be created using various methods such as Cloudflare Network Interconnect, IPSEC tunnels, WARP Connector and cloudflared.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-14.svg)
-*Note: All of the endpoints connected via the WARP Connector or device agent are automatically assigned IP addresses from the 100.96.0.0/12 address range, while endpoints connected to Magic WAN retain their assigned RFC1918 private IP addresses. `cloudflared` can be deployed in any of the locations by an application owner to provide hostname-based connectivity to the application.*
+
+ *Note: All of the endpoints connected via the WARP Connector or device agent
+ are automatically assigned IP addresses from the 100.96.0.0/12 address range,
+ while endpoints connected to Magic WAN retain their assigned RFC1918 private
+ IP addresses. `cloudflared` can be deployed in any of the locations by an
+ application owner to provide hostname-based connectivity to the application.*
+
Once the networks, applications, and user devices are connected to Cloudflare — regardless of the connection methods and devices used — all traffic can be inspected, authenticated, and filtered by the Cloudflare SASE services, then securely routed to their intended destinations. Additionally, consistent policies can be applied across all traffic, no matter how it arrives at Cloudflare.
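Review bot: the re-wrapped italic note after the image is indented by a single leading space on every line, which no other paragraph in this file has and which looks accidental; remove the leading space so the block reads as a normal paragraph. While this region is being touched, `A HPC Cluster` in the traffic-flow list should be `An HPC cluster`, and `VOIP` is conventionally written `VoIP`.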
@@ -338,10 +344,10 @@ The previous sections explain using ZTNA to secure access to self-hosted applica
There are several approaches to ensure that traffic from a user device which isn't connected to an existing Cloudflare protected network, are also forwarding traffic through Cloudflare and be protected.
-* [Install an agent on the device](#connecting-with-a-device-agent)
-* [Modify browser proxy configuration](#browser-proxy-configuration)
-* [Direct the user to a remote browser instance](#using-remote-browser-instances)
-* [Modify DNS configuration](#agentless-dns-filtering)
+- [Install an agent on the device](#connecting-with-a-device-agent)
+- [Modify browser proxy configuration](#browser-proxy-configuration)
+- [Direct the user to a remote browser instance](#using-remote-browser-instances)
+- [Modify DNS configuration](#agentless-dns-filtering)
#### Connecting with a device agent
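Review bot: the context sentence introducing this list does not agree grammatically (`traffic from a user device ... are also forwarding traffic through Cloudflare and be protected`); suggest `There are several approaches to ensure that traffic from a user device that is not connected to an existing Cloudflare-protected network is also forwarded through Cloudflare and protected.`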
@@ -349,10 +355,10 @@ The preferred method of ensuring device traffic is forwarded to Cloudflare is to
To allow for flexibility in how different devices and users connect, there are multiple [deployment modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/):
-* A full L4 traffic proxy
-* L7 DNS proxy
-* L7 HTTP proxy
-* The ability to just collect device posture information
+- A full L4 traffic proxy
+- L7 DNS proxy
+- L7 HTTP proxy
+- The ability to just collect device posture information
For example, organizations might have an office that continues to use an existing [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) service, so they can configure the agent to just proxy network and HTTP traffic.
@@ -370,14 +376,14 @@ When it is not possible to install software on the device, there are agentless a
One option is to configure the browser to forward HTTP requests to Cloudflare by configuring proxy server details in the browser or OS. Although this can be done manually, it is more common for organizations to automate the configuration of browser proxy settings using Internet-hosted [Proxy Auto-Configuration](/cloudflare-one/connections/connect-devices/agentless/pac-files/) (PAC) files. The browser identifies the PAC file location in several ways:
-* MDM software configuring the setting in the browser
-* In Windows domains, Group Policy Objects (GPO) can configure the browser's PAC file
-* Browsers can use [Web Proxy Auto-Discovery](https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01) (WPAD)
+- MDM software configuring the setting in the browser
+- In Windows domains, Group Policy Objects (GPO) can configure the browser's PAC file
+- Browsers can use [Web Proxy Auto-Discovery](https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01) (WPAD)
From there, configure a proxy endpoint where the browser will send all HTTP requests to. If using this method, please note that:
-* Filtering HTTPS traffic will also require [installing and trusting Cloudflare root certificates](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on the devices.
-* A proxy endpoint will only proxy traffic sourced from a set of known IP addresses, such as the pool of public IP addresses used by a site's NAT gateway, that the administrator must specify.
+- Filtering HTTPS traffic will also require [installing and trusting Cloudflare root certificates](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on the devices.
+- A proxy endpoint will only proxy traffic sourced from a set of known IP addresses, such as the pool of public IP addresses used by a site's NAT gateway, that the administrator must specify.
#### Using remote browser instances
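Review bot: `From there, configure a proxy endpoint where the browser will send all HTTP requests to.` ends in a dangling preposition; `... a proxy endpoint to which the browser will send all HTTP requests.` reads better. Also, the WPAD link points at an Internet-Draft (draft-ietf-wrec-wpad-01) rather than a published RFC, so it would help the reader to say so, and to connect it to the second bullet below: the source-IP restriction on the proxy endpoint is what prevents a device outside the known address pool from using it.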
@@ -387,16 +393,16 @@ RBI renders the received content in an isolated and secure cloud environment. In
Ensuring access to sites is protected with RBI does not require any local software installation or reconfiguring the user's browser. Below are [several ways](/cloudflare-one/policies/browser-isolation/setup/) to accomplish this:
-* Typically, a remote browser session is started as the result of an SWG policy — the user just requests websites without being notified that the content is loading in a remote browser.
-* Organizations can also provide users with a link that automatically ensures RBI always processes each request.
-* Organizations can also opt to use the ZTNA service to redirect all traffic from self-hosted applications via RBI instances.
+- Typically, a remote browser session is started as the result of an SWG policy — the user just requests websites without being notified that the content is loading in a remote browser.
+- Organizations can also provide users with a link that automatically ensures RBI always processes each request.
+- Organizations can also opt to use the ZTNA service to redirect all traffic from self-hosted applications via RBI instances.
All requests via a remote browser pass through the Cloudflare SWG; therefore, policies can enforce certain website access limitations. For instance, browser isolation policies can be established to:
-* Disable copy/paste between a remote web page and the user's local machine; this can prevent the employee from pasting proprietary code into third-party chatbots.
-* Disable printing of remote web content to prevent contractors from printing confidential information
-* Disable file uploads/downloads to ensure sensitive company data is not sent to — or downloaded from — certain websites.
-* Disable keyboard input (in combination with other policies) to limit data being exposed, such as someone typing in passwords to a phishing site.
+- Disable copy/paste between a remote web page and the user's local machine; this can prevent the employee from pasting proprietary code into third-party chatbots.
+- Disable printing of remote web content to prevent contractors from printing confidential information
+- Disable file uploads/downloads to ensure sensitive company data is not sent to — or downloaded from — certain websites.
+- Disable keyboard input (in combination with other policies) to limit data being exposed, such as someone typing in passwords to a phishing site.
Isolating web applications and applying policies to risky websites helps organizations limit data loss from cyber threats or user error. And, like many Cloudflare One capabilities, RBI can be leveraged across other areas of the SASE architecture. Cloudflare's [email security](https://www.cloudflare.com/learning/email-security/what-is-email-security/) service, for example, can automatically rewrite and isolate suspicious links in emails. This "email link isolation" capability helps protect the user from potential malicious activity such as credential harvesting phishing.
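Review bot: in the browser-isolation policy list, the second item (`Disable printing of remote web content to prevent contractors from printing confidential information`) lacks the terminating period the other three items have; add it for consistency.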
@@ -412,8 +418,6 @@ All of the above methods result in only the DNS requests — not all traffic —
The following table summarizes SWG capabilities for the various methods of forwarding traffic to Cloudflare (as of Oct 2023):
-
-
| | IP tunnel or Interconnect (Magic WAN) | Device Agent (WARP)\*1 | Remote Browser | Browser proxy | DNS proxy |
| ------------------------------ | ------------------------------------- | --------------------------------- | -------------- | ------------- | ---------------- |
| Types of traffic forwarded | TCP/UDP | TPC/UDP | HTTP | HTTP | DNS |
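Review bot: `TPC/UDP` in the Device Agent (WARP) column of the `Types of traffic forwarded` row is a typo for `TCP/UDP`; worth fixing while this hunk is already touching the table.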
@@ -428,8 +432,6 @@ The following table summarizes SWG capabilities for the various methods of forwa
| Remote browser isolation | Yes | Yes | Yes | Yes | N/A |
| Enforce egress IP | Yes | Yes | Yes | Yes | N/A |
-
-
Notes:
1. Running the device agent in DNS over HTTP mode provides user identity information, in addition to the same capabilities as connecting via DNS.
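Review bot: note 1 says `DNS over HTTP mode`; should this be `DNS over HTTPS`? The WARP deployment modes referenced earlier in the file are the DoH-based ones, and `DNS over HTTP` is not a mode name a reader can look up.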
@@ -454,13 +456,13 @@ But, before organizations define policies to manage that access, they need to kn
The first step in any access decision is to determine who is making the request – i.e., to authenticate the user.
-Cloudflare integrates with identity providers that manage secure access to resources for organizations' employees, contractors, partners, and other users. This includes support for integrations with any [SAML](/cloudflare-one/identity/idp-integration/generic-saml/) - or OpenID Connect ([OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/)) - compliant service; Cloudflare One also includes pre-built integrations with [Okta](/cloudflare-one/identity/idp-integration/okta/), [Microsoft Azure AD](/cloudflare-one/identity/idp-integration/azuread/), [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/), as well as consumer IdPs such as [Facebook](/cloudflare-one/identity/idp-integration/facebook-login/), [GitHub](/cloudflare-one/identity/idp-integration/github/) and [LinkedIn](/cloudflare-one/identity/idp-integration/linkedin/).
+Cloudflare integrates with identity providers that manage secure access to resources for organizations' employees, contractors, partners, and other users. This includes support for integrations with any [SAML](/cloudflare-one/identity/idp-integration/generic-saml/) - or OpenID Connect ([OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/)) - compliant service; Cloudflare One also includes pre-built integrations with [Okta](/cloudflare-one/identity/idp-integration/okta/), [Microsoft Entra ID (formerly Azure Active Directory)](/cloudflare-one/identity/idp-integration/entra-id/), [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/), as well as consumer IdPs such as [Facebook](/cloudflare-one/identity/idp-integration/facebook-login/), [GitHub](/cloudflare-one/identity/idp-integration/github/) and [LinkedIn](/cloudflare-one/identity/idp-integration/linkedin/).
Multiple IdPs can be integrated, allowing organizations to apply policies to a wide range of both internal and external users. When a user attempts to access a Cloudflare secured application or service, they are redirected to authenticate via one of the integrated IdPs. When using the device agent, users must also authenticate to one of their organization's configured IdPs.
![Users are presented with a list of integrated identity providers before accessing protected applications.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-18.svg)
-Once a user is authenticated, Cloudflare receives that user's information, such as username, group membership, authentication method (password, whether MFA was involved and what type), and other associated attributes (i.e., the user's role, department, or office location). This information from the IdP is then made available to the policy engine.
+Once a user is authenticated, Cloudflare receives that user's information, such as username, group membership, authentication method (password, whether MFA was involved and what type), and other associated attributes (i.e., the user's role, department, or office location). This information from the IdP is then made available to the policy engine.
In addition to user identities, most corporate directories also contain groups to which those identities are members. Cloudflare supports the importing of group information, which is then used as part of the policy. Group membership is a critical part of aggregating single identities so that policies can be less complex. It is far easier — for example — to set a policy allowing all employees in the sales department to access Salesforce, than to identify each user in the sales organization.
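Review bot: the IdP link target changes from `/cloudflare-one/identity/idp-integration/azuread/` to `/cloudflare-one/identity/idp-integration/entra-id/`; confirm the new page exists and that a redirect from the old path is in place, since the style-guide file in this same change also points at the new path. The two lines in this hunk that look identical differ only in trailing whitespace, which is fine but worth mentioning in the commit description. Separately, `(i.e., the user's role, department, or office location)` should be `e.g.`, as these are examples rather than a definition.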
@@ -472,14 +474,14 @@ Not only does the user identity need to be verified, but the security posture of
The following built-in posture checks are available:
-* [Application check](/cloudflare-one/identity/devices/warp-client-checks/application-check/): Checks that a specific application process is running
-* [File check](/cloudflare-one/identity/devices/warp-client-checks/file-check/): Checks for the presence of a file
-* [Firewall](/cloudflare-one/identity/devices/warp-client-checks/firewall/): Checks if a firewall is running
-* [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/): Checks if/how many disks are encrypted
-* [Domain joined](/cloudflare-one/identity/devices/warp-client-checks/domain-joined/): Checks if the device is joined to a Microsoft Active Directory domain
-* [OS version](/cloudflare-one/identity/devices/warp-client-checks/os-version/): Checks what version of the OS is running
-* [Unique Client ID](/cloudflare-one/identity/devices/warp-client-checks/device-uuid/): When using an MDM too, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device
-* [Device serial number](/cloudflare-one/identity/devices/warp-client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers
+- [Application check](/cloudflare-one/identity/devices/warp-client-checks/application-check/): Checks that a specific application process is running
+- [File check](/cloudflare-one/identity/devices/warp-client-checks/file-check/): Checks for the presence of a file
+- [Firewall](/cloudflare-one/identity/devices/warp-client-checks/firewall/): Checks if a firewall is running
+- [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/): Checks if/how many disks are encrypted
+- [Domain joined](/cloudflare-one/identity/devices/warp-client-checks/domain-joined/): Checks if the device is joined to a Microsoft Active Directory domain
+- [OS version](/cloudflare-one/identity/devices/warp-client-checks/os-version/): Checks what version of the OS is running
+- [Unique Client ID](/cloudflare-one/identity/devices/warp-client-checks/device-uuid/): When using an MDM too, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device
+- [Device serial number](/cloudflare-one/identity/devices/warp-client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers
Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/identity/devices/service-providers/microsoft/), [Tanium](/cloudflare-one/identity/devices/access-integrations/tanium/), [Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/), [CrowdStrike](/cloudflare-one/identity/devices/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/identity/devices/warp-client-checks/sentinel-one/), and more. Any data from those products can be passed to Cloudflare for use in access decisions.
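Review bot: `When using an MDM too` in the Unique Client ID bullet is a typo for `When using an MDM tool`; since every bullet in this list is being rewritten anyway, fix it here.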
@@ -495,8 +497,8 @@ Cloudflare's email security service scans for signs of malicious content or atta
Instead of deploying tunnels to manage and control traffic to email servers, Cloudflare provides two methods of email security [setup](/email-security/deployment/):
-* [Inline](/email-security/deployment/inline/): Redirect all inbound email traffic through Cloudflare before they reach a user's inbox by modifying MX records
-* [API](/email-security/deployment/api/): Integrate Cloudflare directly with an email provider such as Microsoft 365 or Gmail
+- [Inline](/email-security/deployment/inline/): Redirect all inbound email traffic through Cloudflare before they reach a user's inbox by modifying MX records
+- [API](/email-security/deployment/api/): Integrate Cloudflare directly with an email provider such as Microsoft 365 or Gmail
Modifying MX records (inline deployment) forces all inbound email traffic through our cloud email security service where it is scanned, and — if found to be malicious — blocked from reaching a user's inbox. Because the service works at the MX record level, it is possible to use the email security service with any [SMTP-compliant](https://www.cloudflare.com/learning/email-security/what-is-smtp/) email service.
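Review bot: in the Inline bullet, `Redirect all inbound email traffic through Cloudflare before they reach a user's inbox` has a number disagreement; `before it reaches a user's inbox`.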
@@ -520,7 +522,7 @@ Now that all users, devices, applications, networks, and other components are se
Before we go into the details of how policies can be written to manage access to applications, services, and networks connected to Cloudflare, it's worth taking a look at the two main enforcement points in Cloudflare's SASE platform that control access: SWG and the ZTNA services. These services are configured through a single administrative dashboard, simplifying policy management across the entire SASE deployment.
-The following diagram illustrates the flow of a request through these services, including the application of policies and the source of data for these policies. In the diagram below, the user request can either enter through the SWG or ZTNA depending on the type of service requested. It's also possible to combine both services, such as implementing a SWG HTTP policy that uses DLP service to inspect traffic related to a privately hosted application behind a ZTNA Cloudflare Tunnel. This configuration enables organizations to block downloads of sensitive data from internal applications that organizations have authorized for external access.
+The following diagram illustrates the flow of a request through these services, including the application of policies and the source of data for these policies. In the diagram below, the user request can either enter through the SWG or ZTNA depending on the type of service requested. It's also possible to combine both services, such as implementing a SWG HTTP policy that uses DLP service to inspect traffic related to a privately hosted application behind a ZTNA Cloudflare Tunnel. This configuration enables organizations to block downloads of sensitive data from internal applications that organizations have authorized for external access.
![User requests to the Internet or self hosted applications go through our SWG and/or ZTNA service. Administrators have a single dashboard to manage policies across both.](~/assets/images/reference-architecture/cloudflare-one-reference-architecture-images/cf1-ref-arch-23.svg)
@@ -534,12 +536,12 @@ Cloudflare's vast intelligent network continually monitors billions of web asset
Additionally, Cloudflare's SWG offers the flexibility to create and maintain customized [lists of data](/cloudflare-one/policies/gateway/lists/). These lists can be uploaded via CSV files, manually maintained, or integrated with other processes and applications using the Cloudflare API. A list can contain the following data:
-* URLs
-* Hostnames
-* Serial numbers (macOS, Windows, Linux)
-* Emails
-* IP addresses
-* Device IDs (iOS, Android)
+- URLs
+- Hostnames
+- Serial numbers (macOS, Windows, Linux)
+- Emails
+- IP addresses
+- Device IDs (iOS, Android)
For example, organizations can maintain a list of IP addresses of all remote office locations, of short term contractors' email addresses, or trusted company domains. These lists can be used in a policy to allow contractors access to a specific application if their traffic is coming from a known office IP address.
@@ -583,24 +585,24 @@ In this example, consider two services: a database administration application ([
The policies that enable access rely on two Access Groups.
-* Contractors
- * Users who authenticate through Okta and are part of the Okta group labeled "Contractors"
- * Authentication requires the use of a hardware token
-* Database and IT administrators
- * Users who authenticate through Okta and are in the Okta groups "IT administrators" or "Database administrators"
- * Authentication requires the use of a hardware token
- * Users should be on a device with a serial number in the "Managed Devices" list
+- Contractors
+ - Users who authenticate through Okta and are part of the Okta group labeled "Contractors"
+ - Authentication requires the use of a hardware token
+- Database and IT administrators
+ - Users who authenticate through Okta and are in the Okta groups "IT administrators" or "Database administrators"
+ - Authentication requires the use of a hardware token
+ - Users should be on a device with a serial number in the "Managed Devices" list
Both of these groups are then used in two different access policies.
-* Database administration tool access
- * Database and IT admins are allowed access
- * Members of the "Contractor" access group are allowed access, but each authenticated session requires the user to complete a justification request
- * The admin tool is rendered in an isolated browser on Cloudflare's Edge network and file downloads are disabled
-* Database server SSH access
- * "Database and IT administrators" group is allowed access
- * Their device must pass a Crowdstrike risk score of at least 80
- * Access must come from a device that is running our device agent and is connected to Cloudflare
+- Database administration tool access
+ - Database and IT admins are allowed access
+ - Members of the "Contractor" access group are allowed access, but each authenticated session requires the user to complete a justification request
+ - The admin tool is rendered in an isolated browser on Cloudflare's Edge network and file downloads are disabled
+- Database server SSH access
+ - "Database and IT administrators" group is allowed access
+ - Their device must pass a Crowdstrike risk score of at least 80
+ - Access must come from a device that is running our device agent and is connected to Cloudflare
These policies show that contractors are only allowed access to the database administration tool and do not have SSH access to the server. IT and database administrators can access the SSH service only when their devices are securely connected to Cloudflare via the device agent. Every element of the access groups and policies is evaluated for every login, so an IT administrator using a compromised laptop or a contractor unable to authenticate with a hardware token will be denied access.
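Review bot: `Crowdstrike risk score` in the SSH access policy uses a different capitalization from `CrowdStrike` earlier in this file; use `CrowdStrike` consistently. Also, the access group is introduced as `Contractors` but the database administration policy refers to the `"Contractor"` access group; the quoted names should match so the policy can be traced back to the group definition.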
@@ -618,8 +620,8 @@ This can then be applied to secure and protect all users in one policy. Cloudfla
With this setup, every request to a social media website ensures the following security measures:
-* Any content on the social media website that contains harmful code is prevented from executing on the local device
-* External users are restricted from downloading content from the site that could potentially be infected with malware or spyware
+- Any content on the social media website that contains harmful code is prevented from executing on the local device
+- External users are restricted from downloading content from the site that could potentially be infected with malware or spyware
#### Data protection for regulatory compliance
@@ -665,7 +667,7 @@ It's worth noting that many of the capabilities described in this document can b
| Zero Trust Network Access | [How to build Access policies](/cloudflare-one/policies/access/) |
| Remote Browser Isolation | [Understanding browser isolation](/cloudflare-one/policies/browser-isolation/) |
| API-Driven CASB | [Scanning SaaS applications](/cloudflare-one/applications/scan-apps/) |
-| Email Security | [Understanding Cloudflare Email Security](/email-security/) |
+| Email Security | [Understanding Cloudflare Email Security](/email-security/) |
| Replacing your VPN | [Using Cloudflare to replace your VPN](/learning-paths/replace-vpn/) |
If you would like to discuss your SASE requirements in greater detail and connect with one of our architects, please visit [https://www.cloudflare.com/cloudflare-one/](https://www.cloudflare.com/cloudflare-one/) and request a consultation.
diff --git a/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx b/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx
index 4c2134221130f3..dcc19cd924adb2 100644
--- a/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx
+++ b/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx
@@ -1,7 +1,6 @@
---
pcx_content_type: concept
title: 3rd-party integration guide
-
---
## Purpose
@@ -12,7 +11,7 @@ The purpose of a 3rd-party integration guide is to explain how to use a 3rd-part
instructional, straightforward
-## content\_type
+## content_type
`integration-guide`
@@ -44,10 +43,9 @@ Link out for basic concepts (Regex, JavaScript, web server maintenance).
:::caution
-
Step-by-step instructions of 3rd-party environments are discouraged generally, but acceptable in certain situations. General preference is to link back to an article that someone else maintains.
-They easily become out-of-date, especially if we can not access the 3rd-party product
+They easily become out-of-date, especially if we can not access the 3rd-party product
:::
[**Links**](/style-guide/documentation-content-strategy/component-attributes/links/): May be a bulleted list that references the 3rd-party product or in-text links to the 3rd-party process documentation.
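Review bot: `can not` in the caution text (and again in the note block that follows) should be `cannot`; both lines are being touched for whitespace anyway.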
@@ -68,10 +66,9 @@ Link to reputable sources within reason.
:::note
-
Screenshots of the 3rd-party product are highly discouraged. It has all the problems of video or screenshot maintenance, but with a much greater risk that something changes and we are not aware of it.
-It may become a bigger problem if we can not access the 3rd-party product.
+It may become a bigger problem if we can not access the 3rd-party product.
:::
## Templates
@@ -138,17 +135,17 @@ Prerequisites
**3rd-party integration in the Cloudflare dashboard**:
-* [Enable Logpush to Sumo Logic](/logs/get-started/enable-destinations/sumo-logic/)
-* [Device Posture - Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/)
+- [Enable Logpush to Sumo Logic](/logs/get-started/enable-destinations/sumo-logic/)
+- [Device Posture - Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/)
**Linking to external documentation**:
-* [GitHub SMS notifications using Twilio](/workers/tutorials/github-sms-notifications-using-twilio/#sending-a-text-with-twilio)
+- [GitHub SMS notifications using Twilio](/workers/tutorials/github-sms-notifications-using-twilio/#sending-a-text-with-twilio)
(Discouraged but acceptable scenario) **How to with instructions in 3rd-party environment and within Cloudflare dashboard**:
-* [IDP integration - Microsoft Azure AD](/cloudflare-one/identity/idp-integration/azuread/)
-* [Managed deployment - Partners - Jamf](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/jamf/)
+- [IDP integration - Microsoft Entra ID (formerly Azure Active Directory)](/cloudflare-one/identity/idp-integration/entra-id/)
+- [Managed deployment - Partners - Jamf](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/jamf/)
### Additional information
@@ -160,6 +157,6 @@ We publish with the expectation of maintenance. If you want to publish something
### Products where we frequently see 3rd-party information
-* [Workers](/workers/tutorials/)
-* [Zero Trust](/cloudflare-one/identity/idp-integration/)
-* [Analytics](/analytics/analytics-integrations/)
+- [Workers](/workers/tutorials/)
+- [Zero Trust](/cloudflare-one/identity/idp-integration/)
+- [Analytics](/analytics/analytics-integrations/)