Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

Network policies

With Teams, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare for Teams integrates with your identity provider, it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they’re accessing that resource from.

Build a network policy by configuring the following elements:


Just like actions in DNS and HTTP policies, actions in network policies define which decision you want to apply to a given set of elements. You can assign one action per policy.

These are the action types you can choose from:


Policies with Allow actions allow network traffic to reach certain IPs or ports. For example, the following configuration allows specific users to reach a given IP address:

Destination IPIn92.100.02.102Allow


Policies with Block actions block network traffic from reaching certain IPs or ports. For example, the following configuration blocks all traffic directed to port 443:

Destination PortIn443Block

Network Override

Policies with Network Override actions do not inspect traffic directed to, or coming from, certain IPs or ports. For example, the following configuration overrides traffic to a public IP to a Private IP based on a user’s identity:

Destination IPIn95.92.143.151Network Override
User EmailIn*
Override IP10.0.0.1


Build expressions to determine the set of elements you want to impact with your policy. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field.


Gateway matches network traffic against the following selectors, or criteria:

  • Destination IP
  • Destination Port
  • Source IP
  • Source Port
Destination IPThe IP address of the request’s target
Destination PortThe port number of the request’s target
Source IPThe IP address of the user making the request
Source PortThe port number of the user’s request


Operators are the way Gateway matches traffic to a selector. Matching happens as follows:

isexact match, equals
is notall except exact match
inin any of defined entries
not innot in defined entries
matches regexregex evaluates to true
does not match regexall except when regex evals to true