I can't seem to get an Access Policy to work for a private network


I added a private network for developers to connect to our Staging Database via Zero Trust.
It works correctly: the connection to our database (via a DNS name which resolves to a private IP) can be established when our developers are connected via Zero Trust.

I then wanted to set up an access policy against this private network access.
I created a new Application with the type set to Private Network.
When creating the application I can specify SNI or IP as the destination. I chose SNI and put the private DNS name as the value.

Two policies were then created automatically: an Allow rule and a Block rule. I tried testing the policy by simply disabling the Allow rule. However, everyone can still establish a connection to the DNS name specified in the SNI just fine. It is as if the policy does not do anything.

Is there something that I might be missing?


I got the same error; it works with Destination IP but not with SNI.

I know the reason:

Local Domain Fallback

Add domains to route DNS queries to resolvers locally connected to your device. Domains added to the Local Domain Fallback list bypass Cloudflare’s filtering and logging. To apply filtering and logging to DNS queries, create Resolver policies to route to custom resolvers on your Zero Trust network.

And the function is not Free :frowning: