New reference architecture diagram - Magic WAN Connector deployment options

[securitypedant]

Summary

New reference architecture diagram - Magic WAN Connector deployment options

• The documentation style guide has been adhered to.
• If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.
• Files which have changed name or location have been allocated redirects.

[hyperlint-ai]

1 files reviewed, 12 total issue(s) found.

[cloudflare-workers-and-pages]

Deploying cloudflare-docs with    Cloudflare Pages

Latest commit:	0b20394
Status:	✅  Deploy successful!
Preview URL:	https://e32d9b26.cloudflare-docs-7ou.pages.dev
Branch Preview URL:	https://sthorpe-ra-magic-wan-connect.cloudflare-docs-7ou.pages.dev

View logs

[github-actions]

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/reference-architecture/diagrams/sase/magic-wan-connector-deployment/	https://sthorpe-ra-magic-wan-connect.cloudflare-docs-7ou.pages.dev/reference-architecture/diagrams/sase/magic-wan-connector-deployment/

[marciocloudflare]

Suggested change

	- **Connector replacing the CPE** (Figure 1a) \- When the link is an Internet connection and the organization does not have any real use of existing equipment since the Connector supports all the required networking features such as DHCP, DNS, NAT, Trunking (801.1Q), IP access lists, breakout traffic, etc. Examples could be:
	- **Connector replacing the CPE** (Figure 1a): When the link is an Internet connection and the organization does not have any real use of existing equipment since the Connector supports all the required networking features such as DHCP, DNS, NAT, Trunking (801.1Q), IP access lists, breakout traffic, etc. Examples could be:

[marciocloudflare]

Suggested change

	1. The transition from MPLS to Internet-based connectivity, where the MPLS router probably does not add any value in the deployment.
	2. An Internet-facing CPE reaching, or already having exceeded, its end of life.
	3. An Internet-facing CPE that is redundant with Magic WAN Connector and can be removed for simplicity's sake.
	- The transition from MPLS to Internet-based connectivity, where the MPLS router probably does not add any value in the deployment.
	- An Internet-facing CPE reaching, or already having exceeded, its end of life.
	- An Internet-facing CPE that is redundant with Magic WAN Connector and can be removed for simplicity's sake.

[marciocloudflare]

We only use numbers for steps that have to be performed in a particular order. I think here we should change to a regular unordered list.

[marciocloudflare]

Suggested change

	- **Connector north of the CPE** (Figure 1b) \- This option might be preferred when the existing CPE is a firewall, and the organization wants to keep it for:
	- **Connector north of the CPE** (Figure 1b): This option might be preferred when the existing CPE is a firewall, and the organization wants to keep it for:

[marciocloudflare]

Suggested change

	1. Additional LAN protection as a result of a defense-in-depth approach.
	2. Advanced segmentation requirements, for example allowing/blocking traffic between segments based on various Layer 3 to Layer 7 rules, since Magic WAN Connector supports segmentation only on layers 3 and 4 of the OSI model.
	- Additional LAN protection as a result of a defense-in-depth approach.
	- Advanced segmentation requirements, for example allowing/blocking traffic between segments based on various Layer 3 to Layer 7 rules, since Magic WAN Connector supports segmentation only on layers 3 and 4 of the OSI model.

[marciocloudflare]

Suggested change

	- **Connector south of the CPE** (Figure 1c) \- Reasons for installing Magic WAN Connector south of an existing Internet-facing CPE might be:
	- **Connector south of the CPE** (Figure 1c): Reasons for installing Magic WAN Connector south of an existing Internet-facing CPE might be:

[marciocloudflare]

Suggested change

In this example, the organization wants Cloudflare to protect all Internet web traffic (HTTP/HTTPS), while the rest of the traffic flows out via the existing firewall. The latter could be traffic towards existing VPNs, or non-web traffic exiting the site, but protected by the on-prem firewall. This method could take the advantage of local device policy-based routing (PBR) capabilities, for example:

In this example, the organization wants Cloudflare to protect all Internet web traffic (HTTP/HTTPS), while the rest of the traffic flows out via the existing firewall. The latter could be traffic towards existing VPNs, or non-web traffic exiting the site, but protected by the on-premises firewall. This method could take the advantage of local device policy-based routing (PBR) capabilities, for example:

[marciocloudflare]

Suggested change

	4. All other traffic exits via the on premises firewall
	4. All other traffic exits via the on-premises firewall

[marciocloudflare]

Suggested change

	1. Local devices use the on premises firewall as their default gateway
	1. Local devices use the on-premises firewall as their default gateway

[marciocloudflare]

Suggested change

	1. **Internet security**: Segment 1 adheres to Cloudflare security policies, bypassing the local firewall policy.
	2. **Site-to-site connectivity**: Segment 1 can connect to local segments in other locations (or entire sites, for example Site 2), depending on the organization's policy.
	- **Internet security**: Segment 1 adheres to Cloudflare security policies, bypassing the local firewall policy.
	- **Site-to-site connectivity**: Segment 1 can connect to local segments in other locations (or entire sites, for example Site 2), depending on the organization's policy.

[marciocloudflare]

Suggested change

	1. **Intra-segment**: Traffic between LAN ports on the same Connector is blocked by default, hence, Subnet A and Subnet B in Segment 1 cannot talk to each other. The administrator would have to explicitly allow this traffic flow by using configuration logic similar to IP access lists. This ability to hairpin local traffic via the Connector's LAN ports, avoids traffic tromboning via the Cloudflare platform (that is, travel out and back in via the Magic WAN tunnel), which could result in those segments losing connectivity to each other in the event of Internet circuit outage. Therefore, this capability allows local nodes that do not necessarily require Internet access to function, for example printers, file servers, network attached storage (NAS) nodes, and various Internet of Things (IoT) devices, to continue being accessible by local hosts in different segments during Internet outages.
	2. **Inter-segment**: Magic WAN Connector does not allow any inbound traffic on its WAN ports. Therefore, Segments 1 and 2 cannot talk to each other.
	- **Intra-segment**: Traffic between LAN ports on the same Connector is blocked by default, hence, Subnet A and Subnet B in Segment 1 cannot talk to each other. The administrator would have to explicitly allow this traffic flow by using configuration logic similar to IP access lists. This ability to hairpin local traffic via the Connector's LAN ports, avoids traffic tromboning via the Cloudflare platform (that is, travel out and back in via the Magic WAN tunnel), which could result in those segments losing connectivity to each other in the event of Internet circuit outage. Therefore, this capability allows local nodes that do not necessarily require Internet access to function, for example printers, file servers, network attached storage (NAS) nodes, and various Internet of Things (IoT) devices, to continue being accessible by local hosts in different segments during Internet outages.
	- **Inter-segment**: Magic WAN Connector does not allow any inbound traffic on its WAN ports. Therefore, Segments 1 and 2 cannot talk to each other.