A quick confirmation on understanding

Hi, I would just like an understanding of what it is you guys do as users when utilising Cloudflare Zero Trust. I just feel as if I’ve burned too much time now, and if in doubt, just ask. Each question comes with an understanding footnote as such.

Scenario: Proxmox server with multiple VMs. I can tunnel into certain web applications and even SSH to certain servers when needed.

My questions are simple and only require quick answers.

Where would you put your tunnel and would you add each device? - I would just install on Proxmox and then have private IPs routed that way.

What does device enrollment do? Am I to enroll each device, install a cloud cert and also install WARP for Zero Trust? - As long as I can talk to a device, why should I have to enroll it? Is there a simple methodology you follow when adding another device?

So I’m in this situation where I can talk to certain servers or applications but have a feeling I just may have gotten confused about when and how to use the tunnels from a scenario point of view, especially when using VMs.