About this integration
This article describes how to integrate a Cloudflare SASE deployment with SurePath AI using Cloudflare Secure Web Gateway policies. Two integration methods are available: the preferred method uses a cloudflared tunnel combined with Cloudflare Access, which authenticates users and passes a Cloudflare-issued JWT to SurePath AI, and the alternative method uses Cloudflare Gateway policies alone. The preferred method is recommended for all new deployments because every request that reaches SurePath AI is attributed to an authenticated user, so none of it shows up as unattributed connector traffic.
Prerequisites
The following steps are required for both integration methods.
Download the Cloudflare public service catalog
Log in to the SurePath AI admin console
Click Public Services in the GOVERN section
At the top right of the page, click the DOWNLOAD CATALOG button
In the Download Format drop-down, choose Cloudflare Config
Click DOWNLOAD
The contents of this file are required to complete the Cloudflare configuration
Create the Cloudflare connector
For general information about Network Ingress Connector types and configuration, see Network Ingress Connectors.
Log in to the SurePath AI admin console
Click Connectors in the CONFIGURE section
At the top right of the page, click the ADD CONNECTOR button
In the Name field, enter a name such as Cloudflare Connector
In the Type drop-down, from the Network Ingress section, select Cloudflare
Click SAVE
Note the Connector ID value — it is required for the Cloudflare configuration
Preferred method: cloudflared tunnel with Cloudflare Access
How this method works
In this integration method, SurePath AI exposes its edge nodes as private network destinations accessible only through a cloudflared tunnel. When an employee on a WARP-enrolled device makes a request to a GenAI service, Cloudflare Gateway intercepts the DNS query and overrides the resolution to point at the SurePath AI edge. Before the request reaches SurePath AI, Cloudflare Access validates the user's identity using the WARP session and injects a signed JWT into the request. SurePath AI reads this JWT to attribute every request to a specific authenticated user. Because all traffic flows through the authenticated tunnel, no traffic reaches SurePath AI through an unauthenticated connector path.
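As an added example that is not code from this article or from SurePath AI, the Go program below shows what any origin that sits behind Cloudflare Access, as SurePath AI does in this method, has to check before it trusts the injected token for user attribution. Cloudflare delivers the token in the Cf-Access-Jwt-Assertion request header (and the CF_Authorization cookie), signs it with RS256 using keys published at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs, sets iss to https://<team>.cloudflareaccess.com and aud to the Access application's AUD tag. The verifier enforces alg, kid lookup, signature, issuer, audience and validity window in that order; RunScenario then feeds it a valid token and three that must be rejected (wrong audience, signed by a key not in the published set, alg=none). The team domain, kid, AUD tag and e-mail address are placeholders, the signing key is generated at run time as a stand-in for Cloudflare's issuer, and fetching and caching the key set, like the way SurePath AI itself validates the token, is outside what this page describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AccessClaims are the claims an origin must check before trusting Cf-Access-Jwt-Assertion.
type AccessClaims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Iss   string   `json:"iss"`
	Nbf   int64    `json:"nbf"`
	Exp   int64    `json:"exp"`
}

var enc = base64.RawURLEncoding

// decodeSeg base64url-decodes one JWT segment and unmarshals it; false on any failure.
func decodeSeg(seg string, v any) bool {
	raw, err := enc.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// VerifyAccessJWT accepts a token only if it is RS256-signed by a key in keys (kid -> public key built from
// the n/e values in /cdn-cgi/access/certs), issued by the team domain, scoped to expectedAud and inside its window.
func VerifyAccessJWT(token string, keys map[string]*rsa.PublicKey, teamDomain, expectedAud string, now time.Time) (*AccessClaims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || !decodeSeg(parts[0], &hdr) || hdr.Alg != "RS256" { // rejects alg=none and HS256 confusion
		return nil, fmt.Errorf("malformed token or unsupported alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub := keys[hdr.Kid]; pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("unknown kid %q or signature verification failed", hdr.Kid)
	}
	var c AccessClaims // nothing below runs on an unsigned or forged payload
	ok, audOK := decodeSeg(parts[1], &c), false
	for _, a := range c.Aud {
		audOK = audOK || a == expectedAud
	}
	if !ok || c.Iss != "https://"+teamDomain || !audOK {
		return nil, errors.New("payload, issuer or audience rejected") // a token for another Access app is not valid here
	}
	if t := now.Unix(); t < c.Nbf || t >= c.Exp {
		return nil, errors.New("token outside its validity window")
	}
	return &c, nil
}

// mint signs claims the way the issuer would; it stands in for Cloudflare so the example runs
// offline (an origin never mints Access tokens). A non-RS256 alg yields an unsigned token.
func mint(priv *rsa.PrivateKey, alg, kid string, c AccessClaims) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid, "typ": "JWT"})
	b, _ := json.Marshal(c)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(b)
	if alg != "RS256" {
		return input + "."
	}
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return input + "." + enc.EncodeToString(sig)
}

// RunScenario verifies constructed tokens and returns the verification error per scenario (nil means
// accepted). Team domain, kid and AUD tag are placeholders; the signing key is generated at run time.
func RunScenario() (map[string]error, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // attacker key, absent from the published set
	const kid, team, aud = "kid-1", "example-team.cloudflareaccess.com", "aud-tag-placeholder"
	keys := map[string]*rsa.PublicKey{kid: &priv.PublicKey} // what parsing the certs document yields
	now := time.Now()
	good := AccessClaims{Aud: []string{aud}, Email: "alice@example.com", Iss: "https://" + team, Nbf: now.Unix(), Exp: now.Add(24 * time.Hour).Unix()}
	cases := map[string]string{
		"valid":     mint(priv, "RS256", kid, good),
		"wrong-aud": mint(priv, "RS256", kid, AccessClaims{Aud: []string{"some-other-application"}, Email: good.Email, Iss: good.Iss, Nbf: good.Nbf, Exp: good.Exp}),
		"rogue-key": mint(rogue, "RS256", kid, good),
		"alg-none":  mint(priv, "none", kid, good),
	}
	out := map[string]error{}
	for name, tok := range cases {
		_, out[name] = VerifyAccessJWT(tok, keys, team, aud, now)
	}
	return out, nil
}

func main() { fmt.Println(RunScenario()) }
```

Run it with go run. The audience check is what stops a token that Cloudflare legitimately minted for a different Access application in the same team from being accepted here, and the alg check is what stops a downgrade to an unsigned token; a real origin would additionally cache the certs document and refresh it when it sees an unknown kid.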
High availability and failover
SurePath AI deploys three cloudflared tunnel replicas to provide high availability. If one tunnel replica becomes unavailable, Cloudflare automatically routes traffic through the remaining replicas without interruption.
Important: This method does not fall back automatically to the Cloudflare Gateway policies-only method. Admins should plan their deployment with this in mind and must not assume the alternative method will take over if the tunnel is unavailable.
Configuring Cloudflare Gateway policies
This method uses two required Cloudflare Secure Web Gateway policies: a DNS policy to redirect GenAI traffic to the SurePath AI edge, and an HTTP inspection policy to inject the SurePath AI connector header. An optional HTTP bypass policy can also be added for organizations that do not perform broad TLS inspection and want to limit inspection to GenAI traffic only.
All of the following steps begin from Cloudflare Zero Trust. Navigate to Gateway > Firewall policies before starting each policy below.
Creating the DNS policy
In the DNS tab, click Add a policy
In the Policy name field, enter a name such as SurePath AI - GenAI DNS policy
Optionally, enter a description such as DNS policy that directs GenAI traffic to SurePath AI
In the Traffic sub-section, click Add condition
For the Selector drop-down, select Host
For the Operator drop-down, select matches regex
In the Value field, enter the contents from the Cloudflare Config file downloaded in the prerequisite step above
In the Action drop-down, select Override
In the Override Hostname field, enter edge.surepath.ai and click off the field to set the value
At the bottom of the page, click Create policy
Creating the HTTP inspection policy
In the HTTP tab, click Add a policy
In the Policy name field, enter a name such as SurePath AI - GenAI HTTP policy
Optionally, enter a description such as HTTP policy that adds a custom SurePath AI header to all GenAI traffic
In the Traffic sub-section, click Add condition
For the Selector drop-down, select Host
For the Operator drop-down, select matches regex
In the Value field, enter the contents from the Cloudflare Config file downloaded in the prerequisite step above
In the Action drop-down, select Allow
In the Untrusted certificate action drop-down, select Pass Through
Click Add a header
In the Custom header name field, enter X-SP-Connector-ID
In the Custom header value field, enter the Connector ID value from the prerequisite step above
At the bottom of the page, click Create policy
Creating the HTTP bypass policy (optional)
This policy is only needed for organizations that do not already perform broad TLS inspection and want to limit Cloudflare's inspection scope to GenAI traffic only. If TLS inspection is already applied broadly across all traffic, this policy is not required. When configured, it prevents Cloudflare from performing TLS inspection on non-GenAI traffic.
In the HTTP tab, click Add a policy
In the Policy name field, enter a name such as SurePath AI - non-GenAI bypass
Optionally, enter a description such as Bypasses TLS inspection for all non-GenAI traffic
In the Traffic sub-section, click Add condition
For the Selector drop-down, select Host
For the Operator drop-down, select does not match regex
In the Value field, enter the contents from the Cloudflare Config file downloaded in the prerequisite step above
In the Action drop-down, select Do Not Inspect
At the bottom of the page, click Create policy
Configuring Cloudflare Access
Cloudflare Access is used to authenticate users before their traffic reaches the SurePath AI edge. The Access Application and Access Policy are configured together in a single wizard. All of the following steps begin from Cloudflare Zero Trust.
Creating the Access Application
Go to Access > Applications
Click Add an application, then select Self-hosted
In the Application name field, enter a name such as SurePath AI Edge
Set the Session duration to the desired re-authentication interval (for example, 24 hours)
Under App Launcher settings, disable visibility in the App Launcher — end users do not interact with this application directly
Click Next
Click Add private IP for each SurePath AI edge IP address
In the IP address field, enter the SurePath AI edge IP address
In the Port field, enter 443
Repeat for each edge IP address. Contact SurePath AI support to obtain the edge IP addresses for your deployment
Click Next
Ensure WARP authentication identity is enabled so that enrolled devices authenticate automatically without presenting a login prompt
Click Next
On the Policies step, click Add a policy
In the Policy name field, enter a name such as SurePath AI - Allow users
Under Action, select Allow
Under Include rules, add the users or groups that should have access to SurePath AI:
To allow specific users, add individual email addresses
To allow an entire email domain, add the domain (for example, @example.com)
To allow an IdP-synced group, add the corresponding Cloudflare Access Group
Optionally, add Exclude rules to remove specific users or groups from scope
Click Save policy
Click Save application
Verifying the integration
To verify the configuration, follow the steps in the Verifying the SurePath AI integration article.
Alternative method: Cloudflare Gateway policies only
This method integrates SurePath AI using Cloudflare Secure Web Gateway DNS and HTTP policies without a cloudflared tunnel. It is supported for existing deployments but is not recommended for new deployments. Unlike the preferred method, traffic that cannot be attributed to a specific authenticated user will appear as connector traffic in SurePath AI reporting.
Configuring the Cloudflare Gateway policies
The Cloudflare configuration involves the creation of two Cloudflare Secure Web Gateway policies. The first is a DNS policy that steers GenAI traffic to the SurePath AI platform. The second is an HTTP policy that adds a SurePath AI-specific header to all GenAI traffic so that SurePath AI can identify traffic from embedded or non-browser clients, which cannot authenticate through a browser login. Both of these policies work together to give users a seamless experience and allow admins full visibility into their organization's GenAI usage.
All of the following steps begin from Cloudflare Zero Trust. Navigate to Gateway > Firewall policies before starting each policy below.
Note: In a future release, SurePath AI plans to offer the ability for the SurePath AI Cloudflare connector to automatically configure the Cloudflare policies needed to create this integration. If enabled, it will also allow automatic updates of the SurePath AI public service catalog. Without automatic updates, admins must manually update the Cloudflare configuration to receive traffic for new GenAI services.
Creating the Cloudflare Gateway DNS policy
In the DNS tab, click Add a policy
In the Policy name field, enter a name such as SurePath AI - GenAI DNS policy
Optionally, enter a description such as DNS policy that directs GenAI traffic to SurePath AI
In the Traffic sub-section, click Add condition
For the Selector drop-down, select Host
For the Operator drop-down, select matches regex
In the Value field, enter the contents from the Cloudflare Config file downloaded in the prerequisite step above
In the Identity sub-section:
With no value specified, this configuration applies to all users
To restrict the configuration to specific users or groups, use the Add condition button
In the Action drop-down, select Override
In the Override Hostname field, enter edge.surepath.ai and click off the field to set the value
At the bottom of the page, click Create policy
The policy is created in an Enabled state. If desired, click the green slider in the Status column to disable the policy.
Creating the Cloudflare Gateway HTTP policy
In the HTTP tab, click Add a policy
In the Policy name field, enter a name such as SurePath AI - GenAI HTTP policy
Optionally, enter a description such as HTTP policy that adds a custom SurePath AI header to all GenAI traffic
In the Traffic sub-section, click Add condition
For the Selector drop-down, select Host
For the Operator drop-down, select matches regex
In the Value field, enter the contents from the Cloudflare Config file downloaded in the prerequisite step above
In the Identity sub-section:
With no value specified, this configuration applies to all users
To restrict the configuration to specific users or groups, use the Add condition button
In the Device Posture sub-section:
With no value specified, this configuration applies to all devices regardless of posture
To restrict to a specific device posture, use the Add condition button
In the Action drop-down, select Allow
In the Untrusted certificate action drop-down, select Pass Through
Click Add a header
In the Custom header name field, enter X-SP-Connector-ID
In the Custom header value field, enter the Connector ID value from the prerequisite step above
At the bottom of the page, click Create policy
The policy is created in an Enabled state. If desired, click the green slider in the Status column to disable the policy.
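The DNS, HTTP and optional bypass policies in the preferred method above, and the DNS and HTTP pair in this alternative method, are all driven by the same catalog regex, so a mistake in that one pattern shows up in every policy at once. The Go program below is an added example, not code from this article or from SurePath AI: Evaluate works out what the three policies do to a given hostname, and Lint is the pre-deployment check to run on the downloaded pattern against a list of hosts that must be steered and a list that must not be. SampleCatalog, UnanchoredCatalog, the host lists and the connector ID are constructed placeholders, not the real catalog. Whether Gateway anchors a "matches regex" pattern is not stated on this page, so the check treats the pattern exactly as written and uses lookalike hosts to find out empirically.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// SampleCatalog is a constructed stand-in for the regex in the downloaded Cloudflare Config; the
// real catalog is longer and maintained by SurePath AI. UnanchoredCatalog is the same list without
// anchors, included only to show what the check catches.
const (
	SampleCatalog     = `^(chat\.openai\.com|api\.openai\.com|claude\.ai|api\.anthropic\.com|gemini\.google\.com)$`
	UnanchoredCatalog = `(chat\.openai\.com|api\.openai\.com|claude\.ai|api\.anthropic\.com|gemini\.google\.com)`
	EdgeHost          = "edge.surepath.ai"
)

// Constructed test vectors: hosts that must be steered to SurePath AI, and hosts that must not be,
// including lookalikes that a substring match would catch.
var (
	KnownGenAIHosts = []string{"chat.openai.com", "api.openai.com", "claude.ai", "api.anthropic.com", "gemini.google.com"}
	NonGenAIHosts   = []string{"www.example.com", "mail.google.com", "chat.openai.com.evil.example", "notchat.openai.com"}
)

// Decision is the combined effect of the DNS, HTTP and optional bypass policies on one request.
type Decision struct {
	Host         string
	DNSOverride  string // name Gateway resolves instead of the host; "" when DNS is untouched
	ConnectorHdr string // value added as X-SP-Connector-ID; "" when no header is added
	TLSInspected bool   // false when the optional Do Not Inspect policy applies
}

// Evaluate applies the three policies to a hostname. The DNS policy matches the queried name and the
// HTTP policies match the Host/SNI, which is still the GenAI hostname: the override changes only the
// address the name resolves to, not what the client asks for, so one regex drives all three.
func Evaluate(catalog *regexp.Regexp, connectorID string, bypassPolicy bool, host string) Decision {
	d := Decision{Host: host, TLSInspected: true}
	if catalog.MatchString(host) {
		d.DNSOverride = EdgeHost     // DNS policy: Host matches regex -> Override to edge.surepath.ai
		d.ConnectorHdr = connectorID // HTTP policy: Host matches regex -> Allow + add header
		return d
	}
	if bypassPolicy {
		d.TLSInspected = false // bypass policy: Host does not match regex -> Do Not Inspect
	}
	return d
}

// Lint is the pre-deployment check to run before pasting a catalog into the policies: every known
// GenAI host must match and no unrelated or lookalike host may, since a false positive would steer
// that host to SurePath AI and tag it with the connector header.
func Lint(catalogPattern string, mustMatch, mustNotMatch []string) ([]string, error) {
	re, err := regexp.Compile(catalogPattern)
	if err != nil {
		return nil, fmt.Errorf("catalog regex does not compile: %w", err)
	}
	var problems []string
	for _, h := range mustMatch {
		if !re.MatchString(h) {
			problems = append(problems, "GenAI host would not be steered: "+h)
		}
	}
	for _, h := range mustNotMatch {
		if re.MatchString(h) {
			problems = append(problems, "non-GenAI host would be steered and header-tagged: "+h)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

func main() {
	for _, pattern := range []string{SampleCatalog, UnanchoredCatalog} {
		problems, err := Lint(pattern, KnownGenAIHosts, NonGenAIHosts)
		fmt.Printf("%s\n  problems=%q err=%v\n", pattern, problems, err)
	}
	re := regexp.MustCompile(SampleCatalog)
	for _, h := range []string{"chat.openai.com", "www.example.com"} {
		fmt.Printf("%+v\n", Evaluate(re, "connector-id-placeholder", true, h))
	}
}
```

Go's regexp package implements RE2 syntax while Cloudflare evaluates the pattern with its own engine, so a pattern that compiles here is not guaranteed to be accepted by Gateway; treat the check as a sanity test of the host lists and repeat it whenever a new catalog is downloaded, since the policies do not update themselves. If the optional bypass policy is configured with a pattern that differs from the one in the DNS and HTTP policies, a host can fall in the gap: steered to SurePath AI by DNS but left uninspected, so the connector header is never added.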
Verifying the integration
To verify the configuration, follow the steps in the Verifying the SurePath AI integration article.
