Expand Up @@ -318,6 +318,70 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_ssh_internet_allowlist"
</TabItem>
</Tabs>

## All-NET-UDP-Conferencing-Allow

Allow UDP traffic for well-known audio and video conferencing applications. Voice and video calls in apps such as Discord, Zoom, Microsoft Teams, Google Meet, and Slack rely on UDP. Without an explicit allow rule placed before `All-NET-NO-HTTP-HTTPS-Internet-Deny`, these applications will lose audio and video functionality when the Cloudflare client is connected.

Create a Gateway list (for example, _Conferencing-Domains_) containing the domains used by your organization's conferencing applications. Common domains include:

- `discord.com`, `discord.gg`, `discord.media`, `discordapp.com`
- `zoom.us`, `zoom.com`
- `teams.microsoft.com`, `skype.com`
- `meet.google.com`
- `slack.com`

<Tabs syncKey="dashPlusAPI">

<TabItem label="Dashboard">

| Selector | Operator | Value | Logic | Action |
| -------------- | -------- | ---------------------- | ----- | ------ |
| SNI Domain | in list | _Conferencing-Domains_ | | Allow |

</TabItem>

<TabItem label="API">

<APIRequest
path="/accounts/{account_id}/gateway/rules"
method="POST"
json={{
name: "All-NET-UDP-Conferencing-Allow",
description:
"Allow UDP traffic for audio and video conferencing applications",
precedence: 45,
enabled: true,
action: "allow",
filters: ["l4"],
traffic:
"any(net.sni.domains[*] in $<CONFERENCING_DOMAINS_LIST_UUID>)",
}}
/>

</TabItem>

<TabItem label="Terraform">

```tf
resource "cloudflare_zero_trust_gateway_policy" "all_net_udp_conferencing_allow" {
account_id = var.cloudflare_account_id
name = "All-NET-UDP-Conferencing-Allow"
description = "Allow UDP traffic for audio and video conferencing applications"
precedence = 45
enabled = true
action = "allow"
filters = ["l4"]
traffic = "any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.conferencing_domains.id})"
}
```

</TabItem>
</Tabs>

:::note
Place this policy before any broad non-HTTP/HTTPS block rule. If you only want to allow UDP (not all protocols) for these domains, add **Detected Protocol** `is` `UDP` as an additional selector.
:::

## All-NET-NO-HTTP-HTTPS-Internet-Deny

Block all non-web traffic towards the Internet. By using the **Detected Protocol** selector, you will ensure alternative ports for HTTP and HTTPS are allowed.
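Review bot: The traffic expression in the Dashboard, API and Terraform tabs matches only on SNI domain (`any(net.sni.domains[*] in $<CONFERENCING_DOMAINS_LIST_UUID>)`), so as written this rule allows every L4 protocol to the listed domains, while the policy name and description say it allows UDP. Because the rule is meant to sit ahead of `All-NET-NO-HTTP-HTTPS-Internet-Deny`, I would make the **Detected Protocol** `is` `UDP` condition from the closing note part of the default expression in all three tabs and turn the note into the opt-out for readers who want all protocols, or else rename the policy and description so they do not promise a UDP-only scope. Two smaller points: the Terraform block references `cloudflare_zero_trust_list.conferencing_domains`, which this hunk does not define, so a matching list resource or a pointer to where it is created would help; and since the match depends on SNI, the text should confirm that the conferencing media flows described in the intro actually present an SNI for Gateway to match, because flows without one would still fall through to the deny rule.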