Fantastic - I will experiment.
To allow easier migration to this new Cloudflare model (this is what messed us up with IPv6 from IPv4), it would be great if we could define in Cloudflare for Teams that JUST the Cloudflare ranges defined route over WARP. I.e., a "nothing but this" route (vs. an "everything but this").
This would allow for deployment IN OFFICE / inside the existing network perimeter more easily and allow workloads to co-exist.
Similarly, for work from home, we have just some workloads that need to go over WARP to the office. Local printers, music, etc. don’t, and we never know what a remote user's local network looks like. So again, the split tunnel option, but focused on routing JUST workloads for zones in the IP ranges defined, would allow for an easier ramp-up (eventually I could see going fully onto the model).
This might also work as a defined exception to an exclusion from routing, if that’s a request. I.e., don’t route 0.0.0.0/0, DO route 192.168.47.0/24. This may solve some other split tunnel needs. But the first is my preference: just a simple route-only for workloads on the zero trust model.
I think Cloudflare could really clean up relative to alternatives here with this. If you can support MOST IP workloads using a simple-to-install client without messing up access to local printers / YouTube etc. (the biggest source of user complaints comes from this, and the overhead of doing carve-outs per user is too high), Cloudflare is going to dominate as long as WARP network latency is not bad. And not everyone wants all their home traffic going over some work-managed gateways.