Description
Existing documentation URL(s)
https://developers.cloudflare.com/cloudflare-one/traffic-policies/proxy/#udp
What changes are you suggesting?
Current documentation on UDP proxy says:
When the UDP proxy is enabled, Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to HTTP/3 inspection.
Documentation on HTTP/3 inspection then subsequently says this only takes place when UDP proxy is enabled, a user-side certificate is deployed and TLS decryption is switched on.
This leaves it ambiguous whether HTTP/3 traffic will be forced into HTTP/2 if the user enables UDP proxy only, without also enabling TLS decryption. My own testing of this particular configuration in Zero Trust confirms that HTTP/3 traffic is not forced into HTTP/2.
For users who do not intend to apply HTTP policies but do wish to enforce network policies, the prospect of losing HTTP/3 performance benefits may discourage them from enabling UDP proxy. To avoid misunderstanding, I would recommend a slight adjustment to the documentation on UDP proxy to say:
For HTTP/3 traffic to be logged and filtered, you need to enable both UDP proxy and TLS decryption so that Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. For more information, refer to HTTP/3 inspection.
Additional information
No response