Cloudflare Docs
Data Localization Suite
Visit Data Localization Suite on GitHub
Set theme to dark (⇧+D)

Use Zero Trust with Data Localization Suite

In the following sections, we will give you some details about how different Zero Trust products can be used with the Data Localization Suite.

​​ Gateway

Regional Services can be used with Gateway in all supported regions. Be aware that Regional Services only apply when using the WARP client in Gateway with WARP mode.

​​ Egress policies

Enterprise customers can purchase a dedicated egress IP (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations. This allows your egress traffic to geolocate to the city selected in your egress policies.

​​ HTTP policies

As part of Regional Services, Cloudflare Gateway will only perform TLS decryption when using the WARP client (in default Gateway with WARP mode).

​​ Data Loss Prevention (DLP)

You are able to log the payload of matched DLP rules and encrypt them with your public key so that only you can examine them later.

Cloudflare cannot decrypt encrypted payloads.

​​ Network policies

You are able to configure SSH proxy and command logs. Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key – which is in your possession – is required to view logs.

​​ DNS policies

Note that due to the nature of Cloudflare’s anycast network, Gateway DNS traffic cannot yet be localized using the Data Localization Suite.

Refer to the WARP Settings section below for more information.

​​ Custom certificates

You can bring your own certificate to Gateway but these cannot yet be restricted to a specific region.

​​ Logs and Analytics

By default, Cloudflare will store and deliver logs from data centers across our global edge network. To maintain regional control over your data, you can use Customer Metadata Boundary and restrict data storage to a specific geographic region.

Customer Metadata Boundary for USCustomer Metadata Boundary for EU
Gateway DNS✅ All logs available✘ All logs sent to US
Gateway HTTP✅ All logs available✅ Logpush can be used from EU
🚧 Logs and Analytics in the dashboard not yet available
Gateway Network✅ Log region can be configured to US✅ Logpush can be used from EU
🚧 Logs and Analytics in the dashboard not yet available

Customers also have the option to reduce the logs that Cloudflare stores:

​​ Access

To ensure that all reverse proxy requests for applications protected by Cloudflare Access will only occur in FedRAMP-compliant data centers, you should use Regional Services with the region set to FedRAMP.

​​ Cloudflare Tunnel

You can configure Cloudflare Tunnel to only connect to data centers within the United States, regardless of where the software was deployed.

​​ WARP settings

​​ Local Domain Fallback

You can use the WARP setting Local Domain Fallback in order to use a private DNS resolver, which you can manage yourself.

​​ Split Tunnels

Split Tunnels allow you to decide which IP addresses/ranges and/or domains are routed through or excluded from Cloudflare.