Zero Trust
In the following sections, we will give you some details about how different Zero Trust products can be used with the Data Localization Suite.
Gateway
Regional Services can be used with Gateway in all supported regions. Be aware that Regional Services only applies when using the WARP client in Gateway with WARP mode.
Egress policies
Enterprise customers can purchase a dedicated egress IP (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your egress policies.
HTTP policies
As part of Regional Services, Cloudflare Gateway will only perform TLS decryption when using the WARP client (in default Gateway with WARP mode).
Data Loss Prevention (DLP)
You can log the payload of matched DLP rules and encrypt it with your public key so that only you can examine it later.
Cloudflare cannot decrypt encrypted payloads.
Network policies
You can configure SSH proxy and command logs. Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key sshkey.pub to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key, which is in your possession, is required to view logs.
DNS policies
Regional Services controls where Cloudflare decrypts traffic; because most DNS traffic is not encrypted, Gateway DNS cannot be regionalized using Regional Services.
Refer to the WARP Settings section below for more information.
Custom certificates
You can bring your own certificate to Gateway, but custom certificates cannot yet be restricted to a specific region.
Logs and Analytics
By default, Cloudflare will store and deliver logs from data centers across our global network. To maintain regional control over your data, you can use Customer Metadata Boundary and restrict data storage to a specific geographic region. For more information, refer to the section about supported Logpush datasets.
Customers also have the option to reduce the logs that Cloudflare stores:
- You can exclude PII from logs.
- You can disable logging, or only log blocked requests.
Access
To ensure that all reverse proxy requests for applications protected by Cloudflare Access only occur in FedRAMP-compliant data centers, use Regional Services with the region set to FedRAMP.
Cloudflare Tunnel
You can configure Cloudflare Tunnel to only connect to data centers within the United States, regardless of where the software is deployed.
WARP settings
Local Domain Fallback
You can use the WARP setting Local Domain Fallback to use a private DNS resolver, which you can manage yourself.
Split Tunnels
Split Tunnels allow you to decide which IP addresses/ranges and/or domains are routed through or excluded from Cloudflare.