[Cloudflare One] Add network-to-network get-started page (cloudflare#28876)

codyanthony850 · caley-b · web-flow · commit d098820ea46b · 2026-03-11T17:00:57.000-05:00
* [Cloudflare One] Add network-to-network get-started page Add get-started page for the Replace VPN network-to-network wizard (PCX-20917). Covers the 6-step WARP Connector site-to-site flow: define segments, deploy connectors, forward traffic, verify. Also adds the network-to-network card to the Replace VPN index page. * [Cloudflare One] ELI5 clarity pass on network-to-network Replace jargon with plain language for non-technical audience: - bidirectionally -> send and receive traffic in both directions - Add inline definition for IP range on first use - Explain why IP ranges must not overlap - Add consequence statement for skipping Step 5 - Add IPv4 address examples to help identify correct format - Define Split Tunnel Exclude list inline * [Cloudflare One] Remove unvalidated SSH troubleshoot bullet The SSH drop during install is already covered by the caution box in Step 2. The troubleshoot bullet added Split Tunnel workaround advice that has not been fully validated. The install partial documents this separately for the manual setup flow. * [Cloudflare One] Remove IP forwarding persistence troubleshoot bullet Post-setup hardening concern, not relevant to the quick-start flow. Already documented in the WARP Connector install partial. * [Cloudflare One] Simplify troubleshoot section to reference links only Remove first-party firewall bullet — duplicates advice already in the WARP Connector install partial. Matches the device-to-network sibling pattern of linking to reference docs instead of inlining troubleshoot steps. * [Cloudflare One] Replace technical examples with relatable use case Database replication and cross-site administration are not relatable for the SMB target audience. Use file server and internal application examples instead. * [Cloudflare One] Align WARP Connector intro with dashboard terminology The dashboard introduces 'network connector' as a concept before naming WARP Connector. Mirror the device-to-network sibling pattern ('is a network connector that...'). * [Cloudflare One] Clarify WARP Connector role in How it works Explain why only one device per network needs the install: that device handles traffic for the entire network. Drop gateway jargon and redundant second paragraph about security policies (already covered in Recommended next steps). * [Cloudflare One] Remove unvalidated IP range examples and inline definition Drop the inline IP range definition (Sam either knows their range or needs to check their router, not read a parenthetical). Drop the common ranges list and IPv4 pattern examples from the note — we have not validated these as appropriate recommendations and the step instructions already show the expected format. * [Cloudflare One] Drop IPv6 note — UI already validates for IPv4 Confirmed the wizard rejects IPv6 input with an error message. The note was redundant with UI validation. Keep the 'check your router' tip since that is genuinely useful for users who do not know their IP range. * [Cloudflare One] Remove unvalidated SSH caution from Step 2 Consistent with earlier decision to remove the SSH troubleshoot bullet. The behavior has not been fully validated. * [Cloudflare One] Make Access application description more concrete Align with device-to-network pattern: specify what 'destinations' means in this context (services or hosts on connected networks). * [Cloudflare One] Fix anchor text to match destination page title 'WARP Connector site-to-site' is the sidebar label, not the page title. Use the actual title: 'Connect two or more private networks'. * [Cloudflare One] Fix anchor text for WARP Connector tips link Match destination page title: 'Tips and best practices' not 'WARP Connector tips'. * Update src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx Co-authored-by: Caley Burton <caley@cloudflare.com> * Update src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx Co-authored-by: Caley Burton <caley@cloudflare.com> * [Cloudflare One] Address reviewer feedback on network-to-network page - Fix empty product bullet in frontmatter from Caley's suggestion - Add printer to intro use cases (Alexa #3) - Rephrase Step 1 to clarify dashboard creates config but user still installs the connector (Alexa #5) - Replace 'wizard generates' with 'dashboard provides' in Step 5 (Alexa #6) - Reframe device profile bullet to focus on independent routing control for connectors vs user devices (Alexa #7) --------- Co-authored-by: Caley Burton <caley@cloudflare.com>
diff --git a/src/content/docs/cloudflare-one/setup/replace-vpn/index.mdx b/src/content/docs/cloudflare-one/setup/replace-vpn/index.mdx
@@ -23,6 +23,15 @@ How you set this up depends on what needs to connect to what. Choose the scenari
 	connection. Best for remote access to private networks.
 </LinkTitleCard>
 
+<LinkTitleCard
+	title="Network to network"
+	href="/cloudflare-one/setup/replace-vpn/network-to-network/"
+	icon="seti:db"
+>
+	Connect two or more private networks bidirectionally through Cloudflare. Best
+	for linking offices, data centers, or cloud environments.
+</LinkTitleCard>
+
 </CardGrid>
 
 :::note
diff --git a/src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx b/src/content/docs/cloudflare-one/setup/replace-vpn/network-to-network.mdx
@@ -0,0 +1,109 @@
+---
+pcx_content_type: get-started
+title: "Network to network"
+sidebar:
+  order: 3
+  label: Network to network
+description: Connect two private networks using WARP Connectors and Cloudflare's network.
+products:
+  - cloudflare-one
+tags:
+  - Linux
+  - Private networks
+---
+
+import { InlineBadge } from "~/components";
+
+Connect two separate private networks so devices on each network can send and receive traffic in both directions through Cloudflare. This is useful when you need to link office locations, data centers, or cloud environments. For example, employees in one office could access a file server, printer, or internal application in another office.
+
+To explore other connection scenarios, refer to [Replace your VPN](/cloudflare-one/setup/replace-vpn/).
+
+This guide follows the same steps as the **Get Started** experience in the [Cloudflare One dashboard](https://one.dash.cloudflare.com).
+
+## How it works
+
+[WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) <InlineBadge preset="beta" /> is a network connector that you install on a single Linux device in each network. That device handles traffic for the entire network: it sends outbound traffic to Cloudflare and receives inbound traffic back, then passes it to the right device on the network. Because of this, other devices on the network do not need to install any software.
+
+## Prerequisites
+
+- A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to [Get started](/cloudflare-one/setup/).
+- A Linux device or virtual machine on your first private network. This is where you install your first WARP Connector.
+- A second Linux device or virtual machine on a separate private network. This is where you install your second WARP Connector.
+
+:::note
+WARP Connector is currently Linux-only. For more details on requirements and limitations, refer to [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/).
+:::
+
+## Step 1: Define a network segment
+
+A network segment identifies the IP range of a private network you want to connect. When you define a segment, the dashboard creates a WARP Connector configuration and sets up the routes that tell Cloudflare how to reach your network. You install and run the connector in the next step.
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com), select the **Get Started** tab.
+2. For **Replace my client-based or site-to-site VPN**, select **Get started**.
+3. For **Network to network**, select **Continue**.
+4. On the **Route traffic between private networks** screen, select **Continue**.
+5. Enter the IP range of your first network segment (for example, `10.0.0.0/24`).
+6. Enter a name for this network segment (for example, `office-a`).
+7. Select **Continue**.
+
+:::note
+If you are not sure of your network's IP range, check your router or network settings.
+:::
+
+## Step 2: Deploy first connector
+
+Install the WARP Connector on a Linux device in your first network segment. The dashboard generates commands specific to your operating system.
+
+1. Select your device's operating system from the dropdown.
+2. Copy and run the commands shown in the dashboard on your Linux device. The dashboard provides three sets of commands:
+   1. **Install WARP**: Sets up the package repository and installs the `cloudflare-warp` package.
+   2. **Enable IP forwarding**: Allows the device to forward traffic between networks.
+   3. **Run the WARP Connector with token**: Registers the connector with your Cloudflare account and connects it.
+
+3. After the connector deploys, the dashboard confirms your network segment is active.
+4. Select **Continue**.
+
+## Step 3: Define a second segment
+
+Repeat the same process as [Step 1](#step-1-define-a-network-segment) for your second network. The IP range must not overlap with your first segment. Each network needs its own unique range so Cloudflare can route traffic to the correct destination (for example, `10.0.1.0/24` if your first segment is `10.0.0.0/24`).
+
+## Step 4: Deploy second connector
+
+Repeat the same process as [Step 2](#step-2-deploy-first-connector) on a Linux device in your second network segment. After the connector deploys, the dashboard confirms your network segment is active.
+
+## Step 5: Forward device traffic
+
+If the WARP Connector is installed on your network's router (the device that serves as the default gateway), other devices on the network automatically send traffic through it. No additional configuration is needed, and you can skip this step.
+
+If the WARP Connector is installed on a different device, other devices on the network need a static route so they know to send cross-network traffic to the WARP Connector device. Without this route, devices do not know where to send traffic destined for the other network, and the connection does not work. The dashboard provides OS-specific commands for the devices you want to forward traffic from.
+
+1. Select the operating system of the device you want to configure.
+2. Select the tunnel you want to route traffic through.
+3. Copy and run the generated command on the target device.
+4. Repeat for additional devices as needed, or select **Continue** to proceed to the final step.
+
+For more details on routing options, refer to [Connect two or more private networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-site/#4-route-traffic-from-subnet-to-warp-connector).
+
+## Step 6: Verify your connection
+
+The dashboard confirms that your connectors can reach devices in the opposite network segment. Devices on both networks can now communicate through Cloudflare.
+
+To verify connectivity, try reaching a device on the opposite network (for example, `ping 10.0.1.100` from a device on your first network).
+
+## Recommended next steps
+
+After verifying your connection, consider securing your connected networks with policies and access controls:
+
+- **Set up Gateway policies**: By default, all traffic between your network segments flows through Cloudflare without restriction. Gateway policies let you scan, filter, and log traffic between your networks. For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/), [Network policies](/cloudflare-one/traffic-policies/network-policies/), and [HTTP policies](/cloudflare-one/traffic-policies/http-policies/).
+- **Create an Access application**: Restrict access to specific services or hosts on your connected networks with identity-based rules. For more information, refer to [Secure a private IP or hostname](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).
+- **Create a device profile**: Control which traffic your connectors route through Cloudflare independently from your user devices. For more information, refer to [Connect two or more private networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-site/).
+- **Explore more with Zero Trust**: Review your connectors, policies, and routes in the [Cloudflare One dashboard](https://one.dash.cloudflare.com).
+
+For in-depth guidance on policy design and device posture checks, refer to the [Replace your VPN learning path](/learning-paths/replace-vpn/concepts/).
+
+## Troubleshoot
+
+If you have issues connecting, refer to these resources:
+
+- [Tips and best practices](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/tips/): review common WARP Connector configuration tips and troubleshooting strategies.
+- [Troubleshoot tunnels](/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/): diagnose tunnel connectivity and routing problems.
