[Tunnel] New Cloudflare Tunnel tile

.github/CODEOWNERS

@@ -69,6 +69,7 @@ package.json @cloudflare/content-engineering
 /src/content/docs/cloudflare-one/access-controls/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/team-and-resources/devices/ @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing
+/src/content/docs/tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/cloud-and-saas-findings/ @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/traffic-policies/ @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/remote-browser-isolation/ @deadlypants1973 @cloudflare/pcx-technical-writing

.github/labeler.yml

@@ -78,6 +78,10 @@ product:cloudflare-one:
   - changed-files:
       - any-glob-to-any-file:
           - src/content/docs/cloudflare-one/**
+product:tunnel:
+  - changed-files:
+      - any-glob-to-any-file:
+          - src/content/docs/tunnel/**
 product:constellation:
   - changed-files:
       - any-glob-to-any-file:

public/__redirects

@@ -2374,6 +2374,8 @@
 /cloudflare-one/email-security/settings/trusted-domains/ /cloudflare-one/email-security/settings/detection-settings/trusted-domains/ 301
 /cloudflare-one/email-security/monitoring/search-email/ /cloudflare-one/email-security/investigation/search-email/ 301
 
+
+
 # ============================================================================
 # DYNAMIC REDIRECTS
 # ============================================================================
@@ -2579,3 +2581,30 @@
 
 # Network Flow (formerly Magic Network Monitoring)
 /magic-network-monitoring/* /network-flow/:splat 301
+
+# Cloudflare Tunnel flat structure redirects
+/tunnel/get-started/create-remote-tunnel/ /tunnel/setup/ 301
+/tunnel/get-started/create-remote-tunnel-api/ /tunnel/setup/ 301
+/tunnel/get-started/ /tunnel/setup/ 301
+/tunnel/configure-tunnels/tunnel-with-firewall/ /tunnel/configuration/#firewall-rules 301
+/tunnel/configure-tunnels/tunnel-availability/ /tunnel/configuration/#replicas-and-high-availability 301
+/tunnel/configure-tunnels/tunnel-permissions/ /tunnel/configuration/#tunnel-tokens 301
+/tunnel/configure-tunnels/cloudflared-parameters/ /tunnel/configuration/#run-parameters 301
+/tunnel/configure-tunnels/* /tunnel/configuration/ 301
+/tunnel/routing/dns/ /tunnel/routing/#dns-records 301
+/tunnel/routing/load-balancers/ /tunnel/routing/#load-balancing 301
+/tunnel/routing/protocols/ /tunnel/routing/#supported-protocols 301
+/tunnel/integrations/workers-vpc/ /tunnel/integrations/#workers-vpc 301
+/tunnel/integrations/load-balancing/ /tunnel/integrations/#load-balancing 301
+/tunnel/integrations/access/ /tunnel/integrations/#cloudflare-access 301
+/tunnel/integrations/spectrum/ /tunnel/integrations/#spectrum 301
+/tunnel/monitor-tunnels/logs/ /tunnel/monitoring/#logs 301
+/tunnel/monitor-tunnels/metrics/ /tunnel/monitoring/#metrics 301
+/tunnel/monitor-tunnels/notifications/ /tunnel/monitoring/#tunnel-health 301
+/tunnel/monitor-tunnels/* /tunnel/monitoring/ 301
+/tunnel/troubleshoot/common-errors/ /tunnel/troubleshooting/#common-errors 301
+/tunnel/troubleshoot/diag-logs/ /tunnel/monitoring/#diagnostic-logs 301
+/tunnel/troubleshoot/connectivity-prechecks/ /tunnel/troubleshooting/#connectivity-pre-checks 301
+/tunnel/troubleshoot/* /tunnel/troubleshooting/ 301
+/tunnel/downloads/license/ https://github.com/cloudflare/cloudflared/blob/master/LICENSE 301
+/tunnel/downloads/copyrights/ https://github.com/cloudflare/cloudflared 301

src/content/changelog/cloudflare-tunnel/2025-11-11-cloudflared-proxy-dns.mdx → src/content/changelog/cloudflare-tunnel-sase/2025-11-11-cloudflared-proxy-dns.mdx

@@ -2,7 +2,7 @@
 title: cloudflared proxy-dns command will be removed starting February 2, 2026
 description: To address a vulnerability in an underlying library, the `cloudflared proxy-dns` command will be removed from new `cloudflared` releases. Users are advised to migrate to the Cloudflare WARP client or WARP Connector.
 products:
- - cloudflare-tunnel
+  - tunnel
 date: 2025-11-11
 ---
 
@@ -26,4 +26,4 @@ The preferred method for enabling DNS-over-HTTPS on user devices is the [Cloudfl
 
 For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/).
 
-Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/) to Cloudflare for [filtering and logging](/cloudflare-one/traffic-policies/).
+Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/) to Cloudflare for [filtering and logging](/cloudflare-one/traffic-policies/).

src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx

@@ -4,7 +4,7 @@ description: Magic WAN and WARP Connector traffic can now privately route DNS qu
 products:
   - gateway
   - cloudflare-wan
-  - cloudflare-tunnel
+  - tunnel
 date: "2025-09-11"
 ---
 
@@ -13,4 +13,3 @@ date: "2025-09-11"
 Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites).
 
 To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](/dns/internal-dns/).
-

src/content/changelog/zero-trust-warp/2024-06-16-cloudflare-one.mdx

@@ -5,7 +5,7 @@ products:
   - access
   - browser-isolation
   - casb
-  - cloudflare-tunnel
+  - tunnel
   - dex
   - dlp
   - email-security-cf1

src/content/dash-routes/core-manually-defined.json

@@ -1 +1,7 @@
-[]
+[
+	{
+		"deeplink": "/?to=/:account/tunnels",
+		"name": "Tunnels",
+		"parent": ["Networking"]
+	}
+]

src/content/directory/cloudflare-tunnel-sase.yaml

@@ -0,0 +1,10 @@
+id: tUn3lSASE
+name: Cloudflare Tunnel for SASE
+
+entry:
+  title: Cloudflare Tunnel for SASE
+  group: Cloudflare One
+  url: /cloudflare-one/networks/connectors/cloudflare-tunnel/
+
+meta:
+  description: Connect private networks and resources to Cloudflare One

src/content/directory/tunnel.yaml

@@ -0,0 +1,14 @@
+id: rUdNKP
+name: Cloudflare Tunnel
+
+entry:
+  title: Cloudflare Tunnel
+  group: Core platform
+  additional_groups:
+    - Network security
+    - Application security
+    - Developer platform
+  url: /tunnel/
+
+meta:
+  description: Connect your origin servers, APIs, and services to Cloudflare without a publicly routable IP address

src/content/docs/cloudflare-one/changelog/tunnel.mdx

@@ -9,10 +9,10 @@
 
 import { ProductChangelog, Render } from "~/components";
 
-{/* <!-- All changelog entries live in src/content/changelogs/cloudflare-tunnel/. */}
+{/* <!-- All changelog entries live in src/content/changelogs/cloudflare-tunnel-sase/. */}
 
 <ProductChangelog
-	product="cloudflare-tunnel"
+	product="cloudflare-tunnel-sase"
 	hideEntry="2024-06-16-cloudflare-one"
 />
 
@@ -26,7 +26,7 @@
 
 **Bugfix for --grace-period**
 
 The new `cloudflared` build [2024.10.0](https://github.com/cloudflare/cloudflared/releases/tag/2024.10.0) has a bugfix related to the [--grace-period](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#grace-period) tunnel run parameter. `cloudflared` connectors will now abide by the specified waiting period before forcefully closing connections to Cloudflare's network.
 
 ## 2024-08-06
 

src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cipher-suites.mdx

@@ -7,14 +7,8 @@ sidebar:
   order: 11
 ---
 
-Cloudflare Tunnel connections use the cipher suites supported by `cloudflared`, which relies on the Go TLS library for its TLS implementation. These cipher suites apply to both the TLS connection between Cloudflare's network and `cloudflared`, and the HTTPS connection between `cloudflared` and your origin. In both cases, `cloudflared` negotiates the most secure cipher suite supported by both sides.
+import { Render } from "~/components";
 
-The following table lists the cipher suites supported by `cloudflared`:
-
-| Protocol support | Cipher suites |
-|------------------|----------------|
-| TLS 1.3 only | `TLS_AES_128_GCM_SHA256`<br />`TLS_AES_256_GCM_SHA384`<br />`TLS_CHACHA20_POLY1305_SHA256` |
-| TLS 1.2 only | `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`<br />`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`<br />`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`<br />`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`<br />`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`<br />`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` |
-| Up to and including TLS 1.2 | `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`<br />`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`<br />`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`<br />`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` |
+<Render file="tunnel/cipher-suites" product="cloudflare-one" />
 
 

src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/index.mdx

@@ -17,136 +17,10 @@ For instructions on configuring a locally-managed tunnel, refer to the [configur
 
 ## Update tunnel run parameters
 
-<Tabs> <TabItem label="Linux">
-
-On Linux, Cloudflare Tunnel installs itself as a system service using `systemctl`. By default, the service will be named `cloudflared.service`. To configure your tunnel on Linux:
-
-1. Open `cloudflared.service`.
-
-   ```sh
-   sudo systemctl edit --full cloudflared.service
-   ```
-
-2. Modify the `cloudflared tunnel run` command with the desired configuration flag. For example,
-
-   ```txt null {8}
-   [Unit]
-   Description=Cloudflare Tunnel
-   After=network.target
-
-   [Service]
-   TimeoutStartSec=0
-   Type=notify
-   ExecStart=/usr/local/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token <TOKEN VALUE>
-   Restart=on-failure
-   RestartSec=5s
-
-   [Install]
-   WantedBy=multi-user.target
-   ```
-
-3. Restart `cloudflared.service`:
-
-   ```sh
-   sudo systemctl restart cloudflared
-   ```
-
-4. To verify the new configuration, check the service status:
-
-	```sh
-	sudo systemctl status cloudflared
-	```
-	```sh output
-	● cloudflared.service - cloudflared
-     Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled)
-     Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago
-   Main PID: 2157 (cloudflared)
-      Tasks: 8 (limit: 1136)
-     Memory: 16.3M
-        CPU: 136ms
-     CGroup: /system.slice/cloudflared.service
-             └─2157 /usr/bin/cloudflared tunnel --loglevel info --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi...
-	```
-
-</TabItem> <TabItem label="macOS">
-
-On macOS, Cloudflare Tunnel installs itself as a launch agent using `launchctl`. By default, the agent will be called `com.cloudflare.cloudflared`. To configure your tunnel on macOS:
-
-1. Stop the `cloudflared` service.
-
-   ```sh
-   sudo launchctl stop com.cloudflare.cloudflared
-   ```
-
-2. Unload the configuration file.
-
-   ```sh
-   sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
-   ```
-
-3. Open `/Library/LaunchDaemons/com.cloudflare.cloudflared.plist` in a text editor.
-
-4. Modify the `ProgramArguments` key with the desired configuration flag. For example,
-
-   ```txt
-   <plist version="1.0">
-       <dict>
-           <key>Label</key>
-           <string>com.cloudflare.cloudflared</string>
-           <key>ProgramArguments</key>
-           <array>
-               <string>/opt/homebrew/bin/cloudflared</string>
-               <string>tunnel</string>
-               <string>--logfile</string>
-               <string><PATH></string>
-               <string>--loglevel</string>
-               <string>debug</string>
-               <string>run</string>
-               <string>--token</string>
-               <string><TOKEN VALUE> </string>
-           </array>
-   ```
-
-5. Load the updated configuration file.
-
-   ```sh
-   sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
-   ```
-
-6. Start the `cloudflared` service.
-
-   ```sh
-   sudo launchctl start com.cloudflare.cloudflared
-   ```
-
-</TabItem> <TabItem label="Windows">
-
-On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named `cloudflared`. To configure your tunnel on Windows:
-
-1. Open the Registry Editor.
-
-2. Go to **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Services** > **cloudflared**.
-
-3. Double-click **ImagePath**.
-
-4. Modify **Value data** with the desired configuration flag. For example,
-
-   ```txt
-   C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel info --logfile <PATH> run --token <TOKEN VALUE>
-   ```
-
-![Modify cloudflared service in the Registry Editor](~/assets/images/cloudflare-one/connections/connect-apps/remote-management-windows.png)
-
-</TabItem> </Tabs>
-
+<Render file="tunnel/update-run-parameters" product="cloudflare-one" />
 
 ## Update origin configuration
 
 To configure how `cloudflared` sends requests to your [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/):
 
-1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**.
-2. Choose a tunnel and select **Edit**.
-3. Select the **Published application routes** tab.
-4. Choose an application and select **Edit**.
-5. Under **Additional application settings**, modify one or more [origin configuration parameters](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/).
-6. Select **Save**.
+<Render file="tunnel/update-origin-configuration" product="cloudflare-one" />