GatewayRule

Source: src/Cloudflare/Gateway/Rule.ts

A Cloudflare Zero Trust Gateway rule.

Gateway rules sit on the WARP/Gateway data plane and run before Access: they decide whether to allow, block, override, isolate, or redirect a request based on wirefilter expressions over the request traffic, the authenticated identity, and the device posture. The most common companion to an AccessApplication with a private destination is a dns rule with action: "override" that points an internal hostname at a Cloudflare Tunnel. Without that rule, WARP intercepts the lookup but has nowhere to send the answer.

// DNS override: resolve the private hostname to the Cloudflare Tunnel.
const adminDns = yield* Cloudflare.GatewayRule("AdminMicroagiDns", {
  name: "research-admin-microagi-dns-override",
  action: "override",
  filters: ["dns"],
  traffic: 'any(dns.domains[*] == "cluster-admin.microagi")',
  ruleSettings: {
    overrideHost: `${tunnel.tunnelId}.cfargotunnel.com`,
  },
  enabled: true,
});

// HTTP block: deny requests whose URI content category is 178.
yield* Cloudflare.GatewayRule("BlockPhishing", {
  name: "block-phishing",
  action: "block",
  filters: ["http"],
  traffic: "any(http.request.uri.content_category[*] in {178})",
});
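
A pre-deploy check for the failure described above (a private hostname with no active DNS override), as an added example that is not part of the library or its docs. The RuleLike shape, the function names, the sample hostnames and the tunnel placeholder are constructed for illustration. Two assumptions: only rules with an explicit enabled: true count as active, since this page does not state the default, and the quoted set form in {"a" "b"} is accepted alongside the == form shown above.

```typescript
// Added example: RuleLike mirrors only the props shown on this page, not the library's type.
interface RuleLike {
  name: string; action: string; filters?: string[]; traffic?: string;
  ruleSettings?: { overrideHost?: string }; enabled?: boolean;
}
interface Finding { hostname: string; reason: "no-rule" | "not-enabled" | "no-override-host" }

// Hostnames a traffic expression matches via dns.domains[*] == "x" or in {"x" "y"}.
function dnsDomainsMatched(traffic: string): string[] {
  const hosts: string[] = [];
  const clause = /dns\.domains\[\*\]\s*(?:==\s*"([^"]+)"|in\s*\{([^}]*)\})/g;
  let m: RegExpExecArray | null;
  while ((m = clause.exec(traffic)) !== null) {
    const body = m[1] !== undefined ? `"${m[1]}"` : (m[2] ?? "");
    const quoted = /"([^"]+)"/g;
    let q: RegExpExecArray | null;
    while ((q = quoted.exec(body)) !== null) {
      if (q[1]) hosts.push(q[1].toLowerCase());
    }
  }
  return hosts;
}

// Report each private hostname that lacks an enabled dns/override rule with an overrideHost.
function lintDnsOverrides(privateHostnames: string[], rules: RuleLike[]): Finding[] {
  const findings: Finding[] = [];
  for (const raw of privateHostnames) {
    const hostname = raw.toLowerCase();
    const candidates = rules.filter((r) =>
      r.action === "override" && (r.filters ?? []).indexOf("dns") !== -1 &&
      dnsDomainsMatched(r.traffic ?? "").indexOf(hostname) !== -1);
    const active = candidates.filter((r) => r.enabled === true);
    if (candidates.length === 0) findings.push({ hostname, reason: "no-rule" });
    else if (active.length === 0) findings.push({ hostname, reason: "not-enabled" });
    else if (!active.some((r) => (r.ruleSettings?.overrideHost ?? "") !== ""))
      findings.push({ hostname, reason: "no-override-host" });
  }
  return findings;
}

// Constructed sample data; the tunnel host is a placeholder, not a real tunnel ID.
const TUNNEL = "TUNNEL_ID_PLACEHOLDER.cfargotunnel.com";
const sampleRules: RuleLike[] = [
  { name: "research-admin-microagi-dns-override", action: "override", filters: ["dns"], enabled: true,
    traffic: 'any(dns.domains[*] == "cluster-admin.microagi")', ruleSettings: { overrideHost: TUNNEL } },
  { name: "grafana-dns-override", action: "override", filters: ["dns"], // enabled omitted
    traffic: 'any(dns.domains[*] in {"grafana.internal.example" "logs.internal.example"})',
    ruleSettings: { overrideHost: TUNNEL } },
  { name: "block-phishing", action: "block", filters: ["http"],
    traffic: "any(http.request.uri.content_category[*] in {178})" },
];
const sampleHostnames = ["cluster-admin.microagi", "grafana.internal.example", "vault.internal.example"];
```

Running lintDnsOverrides(sampleHostnames, sampleRules) flags grafana.internal.example as not-enabled and vault.internal.example as no-rule, while the cluster-admin.microagi rule from this page passes.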