Automated first pass

Author: RebeccaTamachiro

src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx

@@ -8,7 +8,15 @@ sidebar:
   order: 2
 ---
 
-import { GlossaryTooltip, Render, TabItem, Tabs, Details, DashButton, DirectoryListing } from "~/components";
+import {
+	GlossaryTooltip,
+	Render,
+	TabItem,
+	Tabs,
+	Details,
+	DashButton,
+	DirectoryListing,
+} from "~/components";
 
 Consider the sections below for step-by-step instructions on managing DNS records at Cloudflare.
 
@@ -37,6 +45,7 @@ To create a DNS record in the dashboard:
 4. Complete the required fields, which vary per record. Particularly important fields (for some records) include:
    - **Proxy status**: For `A`, `AAAA`, and `CNAME` records, decide whether hostname traffic is <GlossaryTooltip term="proxy status" link="/dns/proxy-status/">proxied through Cloudflare</GlossaryTooltip>.
    - **TTL**: Short for [_Time to Live_](/dns/manage-dns-records/reference/ttl/), this field controls how long each record is valid and — as a result — how long it takes for record updates to reach your end users.
+   - **Private network routing**: For `A` and `AAAA` records, route traffic to private origins through your tunnels. Refer to [Private network routing](/dns/manage-dns-records/how-to/private-network-routing/).
    - **Comment** and **Tag**: [Record attributes](/dns/manage-dns-records/reference/record-attributes/) meant for your reference.
 5. Select **Save**.
 
@@ -114,4 +123,4 @@ This allows you to route requests using products such as [Redirect Rules](/rules
 
 ## Further guidance
 
-<DirectoryListing folder="/dns/manage-dns-records/how-to/"/>
+<DirectoryListing folder="/dns/manage-dns-records/how-to/" />

src/content/docs/dns/manage-dns-records/how-to/private-network-routing.mdx

@@ -0,0 +1,125 @@
+---
+pcx_content_type: how-to
+description: Route DNS record traffic to private origins through tunnels.
+products:
+  - dns
+title: Private network routing
+sidebar:
+  order: 8
+  badge: Beta
+tags:
+  - Private networks
+---
+
+import { Tabs, TabItem, DashButton, Plan } from "~/components";
+
+<Plan type="enterprise" />
+
+Private network routing lets you proxy HTTP/HTTPS traffic from public hostnames to origins in your private network. When you enable this setting on a DNS record, Cloudflare routes traffic through your configured tunnel instead of over the public internet.
+
+:::note
+This feature is in closed beta. Contact your account team to request access and the **Private Origins Allowed** entitlement.
+:::
+
+## Prerequisites
+
+Before you enable private network routing, you need:
+
+- An active tunnel connection to Cloudflare through one of the supported on-ramp methods ([Cloudflare WAN](/cloudflare-wan/), [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/), [IPsec](/cloudflare-wan/configuration/manually/how-to/configure-tunnel-endpoints/), [GRE](/cloudflare-wan/configuration/manually/how-to/configure-tunnel-endpoints/), or [CNI](/network-interconnect/)).
+- The **Private Origins Allowed** entitlement enabled on your account.
+
+## Supported records and IP ranges
+
+Private network routing is available for `A` (IPv4) and `AAAA` (IPv6) records only. Records must be [proxied](/dns/proxy-status/).
+
+The following private address ranges are automatically detected:
+
+| Range            | Description        |
+| ---------------- | ------------------ |
+| `10.0.0.0/8`     | Private (RFC 1918) |
+| `172.16.0.0/12`  | Private (RFC 1918) |
+| `192.168.0.0/16` | Private (RFC 1918) |
+
+When you use an IP address from one of these ranges, the **Use private network routing** toggle turns on automatically. You can also turn it on manually for public IP addresses that are only reachable through your tunnel.
+
+## Enable private network routing
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. Go to **DNS** > **Records**.
+
+   <DashButton url="/?to=/:account/:zone/dns/records" />
+
+2. Select **Add record** or select **Edit** on an existing `A` or `AAAA` record.
+3. Enter the origin IP address.
+4. Verify that **Proxy status** is enabled (orange cloud).
+5. Turn on **Use private network routing**.
+6. Select **Save**.
+
+:::note
+For private IP addresses (for example, `10.0.0.50`), the toggle turns on automatically. For public IP addresses used with private infrastructure, turn on the toggle manually.
+:::
+
+</TabItem>
+
+<TabItem label="API">
+
+To create a record with private routing enabled, use a [POST request](/api/resources/dns/subresources/records/methods/create/) and set `private_routing` to `true`:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--header "Content-Type: application/json" \
+--data '{
+  "type": "A",
+  "name": "app.example.com",
+  "content": "10.0.0.50",
+  "proxied": true,
+  "private_routing": true
+}'
+```
+
+To enable private routing on an existing record, use a [PATCH request](/api/resources/dns/subresources/records/methods/edit/):
+
+```bash
+curl --request PATCH \
+"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--header "Content-Type: application/json" \
+--data '{
+  "private_routing": true
+}'
+```
+
+</TabItem> </Tabs>
+
+## API field behavior
+
+| Scenario                                 | `private_routing` value |
+| ---------------------------------------- | ----------------------- |
+| New `A`/`AAAA` record with private IP    | Auto-set to `true`      |
+| New `A`/`AAAA` record with public IP     | Defaults to `false`     |
+| Private IP with `private_routing: false` | Returns error           |
+| Non-`A`/`AAAA` record types              | Field not supported     |
+| Account without entitlement              | Field not visible       |
+
+## Limitations
+
+- **Record types**: Only `A` and `AAAA` records support private network routing.
+- **Proxy status**: Records must be proxied. DNS-only records cannot use private routing.
+- **Virtual networks**: Traffic routes through your default [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/). Selecting a specific virtual network is not supported.
+
+## Troubleshooting
+
+### Traffic not reaching origin
+
+If traffic is not reaching your private origin:
+
+1. Verify your tunnel is active and healthy in the Cloudflare dashboard.
+2. Confirm the origin IP is routable within your private network.
+3. Check that `private_routing` is set to `true` on the DNS record.
+4. Verify the record has proxy status enabled.
+
+### Error 1002: DNS points to prohibited IP
+
+This error occurs when you proxy a private IP address without the **Private Origins Allowed** entitlement. Contact your account team to enable this entitlement.

src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx

@@ -36,20 +36,22 @@ At least one **IP address resolution** record is required for each domain on Clo
 
 These records include the following fields:
 
-<Render file="records-name-field" product="dns" />
-- **IPv4/IPv6 address**: Your origin server address (cannot be a [Cloudflare IP](https://www.cloudflare.com/ips))
+<Render file="records-name-field" product="dns" />- **IPv4/IPv6 address**: Your
+origin server address (cannot be a [Cloudflare
+IP](https://www.cloudflare.com/ips))
 
-  :::note
+:::note
 
-  Cloudflare uses the [canonical notation](https://www.rfc-editor.org/rfc/rfc5952.html#section-4.2) to store DNS records. This means that an AAAA record with content `fe80::0:0:1` is stored and returned as `fe80::1`, for example.
+Cloudflare uses the [canonical notation](https://www.rfc-editor.org/rfc/rfc5952.html#section-4.2) to store DNS records. This means that an AAAA record with content `fe80::0:0:1` is stored and returned as `fe80::1`, for example.
 
-  Alternative notations of IPv4 addresses (`1.1` for `1.0.0.1`, for example) are not supported for A records.
-  :::
+Alternative notations of IPv4 addresses (`1.1` for `1.0.0.1`, for example) are not supported for A records.
+:::
 
 - **TTL**: Time to live, which controls how long DNS resolvers should cache a response before revalidating it.
   - If the **Proxy Status** is **Proxied**, this value defaults to **Auto**, which is 300 seconds.
   - If the **Proxy Status** is **DNS Only**, you can customize the value.
 - **Proxy status**: For more details, refer to [Proxied DNS records](/dns/proxy-status/).
+- **Private network routing**: Route traffic to private origins through your tunnels. For more details, refer to [Private network routing](/dns/manage-dns-records/how-to/private-network-routing/).
 
 #### Example API call
 
@@ -108,13 +110,13 @@ When creating A or AAAA records [using the API](/dns/manage-dns-records/how-to/c
 
 These records include the following fields:
 
-
-<Render file="records-name-field" product="dns" />
-- **Target**: The hostname where traffic should be directed (`example.com`).
-- **TTL**: Time to live, which controls how long DNS resolvers should cache a response before revalidating it.
-  - If the **Proxy Status** is **Proxied**, this value defaults to **Auto**, which is 300 seconds.
-  - If the **Proxy Status** is **DNS Only**, you can customize the value.
-- **Proxy status**: For more details, refer to [Proxied DNS records](/dns/proxy-status/).
+<Render file="records-name-field" product="dns" />- **Target**: The hostname
+where traffic should be directed (`example.com`). - **TTL**: Time to live, which
+controls how long DNS resolvers should cache a response before revalidating it.
+- If the **Proxy Status** is **Proxied**, this value defaults to **Auto**, which
+is 300 seconds. - If the **Proxy Status** is **DNS Only**, you can customize the
+value. - **Proxy status**: For more details, refer to [Proxied DNS
+records](/dns/proxy-status/).
 
 #### Proxied CNAME records