Order of enforcement
With Cloudflare Gateway, you can enable and configure any combination of DNS, network, and HTTP policies.
flowchart TB %% Accessibility accTitle: Gateway order of enforcement accDescr: Flowchart describing the order of enforcement for Gateway policies. %% In with user traffic start(["Traffic"])-->dns0[/"DNS query"/]-->dns1 start-->http0{{"HTTP(S) request on port 80 or 443?"}} http0-- "Yes" -->http1 http0-- "No" -->network0 %% DNS policies subgraph DNS dns1["DNS policies"] style DNS text-align:left dns1-- "Resolved by" -->dns2["1.1.1.1"] dns1-.->dns3 %% DNS resolution subgraph Resolution dns2["1.1.1.1"] dns3["Resolver policies <br />(Enterprise users only)"]-- "Resolved by" -->dns4["Custom resolver"] end end dns2["1.1.1.1"]----->internet dns4----->internet dns4-.->cloudflare["Private network services <br />(Cloudflare Tunnel, Magic WAN, etc.)"] %% Proxied by Gateway subgraph Proxy %% HTTP policies subgraph HTTP http1{{"Do Not Inspect policies"}} http1-."Inspect".->http2["Isolate policies <br />(with add-on)"] http2-->http3["Allow, Block, Do Not Scan policies"] end http1-- "Do Not Inspect" -->network0 http3-->network0 network0[/"Network connections"/]-->network1 %% Network policies subgraph Network network1["Network policies"] end end %% Egress subgraph Egress network1-.->egress1["Egress policies <br />(Enterprise users only)"] end %% Finish network1-- "Egress with Cloudflare IP" -->internet([Internet]) egress1-- "Egress with dedicated IP" -->internet
Gateway applies your policies in the following order:
- DNS policies with selectors evaluated before resolution
- DNS policies with selectors evaluated after resolution
- HTTP policies
- Network policies
- Egress policies (if applicable)
DNS policies are standalone. For example, if you block a site with a DNS policy but do not create a corresponding HTTP policy, users can still access the site if they know its IP address.
Next, Gateway evaluates HTTP policies in a specific order. For example, if you block a specific source IP in an HTTP policy but allow the IP range in a network policy, the IP address will be blocked.
Lastly, if traffic passes your HTTP policies, Gateway checks the traffic against your network policies. For example, even if you create a Do Not Inspect HTTP policy for a site, it can be blocked by a subsequent network policy.
For proxied HTTP/3 traffic, Gateway applies your policies in the following order:
- DNS policies
- Network policies
- HTTP policies
Gateway evaluates DNS policies first in order of DNS resolution, then in order of precedence.
When DNS queries are received, Gateway evaluates policies with pre-resolution selectors, resolves the DNS query, then evaluates policies with post-resolution selectors. This means policies with selectors evaluated before DNS resolution take precedence. For example, the following set of policies will block example.com
:
Precedence | Selector | Operator | Value | Action |
---|---|---|---|---|
1 | Resolved Country IP Geolocation | is | United States | Allow |
2 | Domain | is | example.com | Block |
Despite an explicit Allow policy ordered first, policy 2 takes precedence because the Domain selector is evaluated before DNS resolution.
If a policy contains both pre-resolution and post-resolution selectors, Gateway will evaluate the entire policy after DNS resolution. For information on when each selector is evaluated, refer to the list of DNS selectors.
Gateway evaluates network policies in order of precedence.
Gateway applies HTTP policies based on a combination of action type and order of precedence:
- All Do Not Inspect policies are evaluated first, in order of precedence.
- If no policies match, all Isolate policies are evaluated in order of precedence.
- All Allow, Block and Do Not Scan policies are evaluated in order of precedence.
This order of enforcement allows Gateway to first determine whether decryption should occur. If a site matches a Do Not Inspect policy, it is automatically allowed through Gateway and bypasses all other HTTP policies.
Next, Gateway checks decrypted traffic against your Isolate policies. When a user makes a request which triggers an Isolate policy, the request will be rerouted to a remote browser.
Lastly, Gateway evaluates all Allow, Block, and Do Not Scan policies. These policies apply to both isolated and non-isolated traffic. For example, if example.com
is isolated and example.com/subpage
is blocked, Gateway will block the subpage inside of the remote browser.
Order of precedence refers to the priority of individual policies within the DNS, network, or HTTP policy builder (lowest value first, or from top to bottom as shown in the dashboard). You can modify the order of precedence by dragging and dropping individual policies in the dashboard.
In Gateway, the order of precedence follows the first match principle — once a site matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. Therefore, we recommend putting the most specific policies and exceptions at the top of the list and the most general policies at the bottom.
Suppose you have a list of policies arranged in the following order of precedence:
- DNS policies:
Precedence Selector Operator Value Action 1 Host is example.com
Block 2 Host is test.example.com
Allow 3 Domain matches regex .\
Block - HTTP policies:
Precedence Selector Operator Value Action 1 Host is example.com
Block 2 Host is test2.example.com
Do Not Inspect - Network policies:
Precedence Selector Operator Value Action 1 Destination Port is 80
Block 2 Destination port is 443
Allow 3 SNI Domain is test.example.com
Block
When a user goes to https://test.example.com
, Gateway performs the following operations:
-
Evaluate DNS request against DNS policies:
- Policy #1 does not match
test.example.com
— move on to check Policy #2. - Policy #2 matches, so DNS resolution is allowed.
- Policy #3 is not evaluated because there has already been an explicit match.
- Policy #1 does not match
-
Evaluate HTTPS request against HTTP policies:
- Policy #2 is evaluated first because Do Not Inspect always takes precedence over Allow and Block. Since there is no match, move on to check Policy #1.
- Policy #1 does not match
test.example.com
. Since there are no matching Block policies, the request passes the HTTP filter and moves on to network policy evaluation.
-
Evaluate HTTPS request against network policies:
- Policy #1 does not match because port 80 is used for standard HTTP, not HTTPS.
- Policy #2 matches, so the request is allowed and proxied to the upstream server.
- Policy #3 is not evaluated because there has already been an explicit match.
Therefore, the user is able to connect to https://test.example.com
.