Company
Date Published
Author
@Encore_Encore
Word count
2218
Language
English
Hacker News points
None

Summary

Cloudflare's Secure Access Service Edge (SASE) platform is enhancing its support for hostname- and domain-based policies, driven by customer demand. The first milestone in this mission is the release of egress policies by hostname, domain, content category, and application in open beta. This feature lets customers control traffic flow based on hostname, domain, content category, or application, which simplifies their security policies. Egress policies are part of Cloudflare Gateway, which operates as both a layer 4 and a layer 7 proxy. To support egress policies by hostname, Cloudflare uses a "synthetic IP" mechanism that associates the DNS query for a hostname with its destination IP address. The feature is currently supported only on specific on-ramps, such as the WARP client, PAC files, and Browser Isolation, and Cloudflare plans to expand support in the future. The new feature aims to simplify customers' egress policies, reduce the need to manage individual hostnames manually, and enhance security in Cloudflare's SASE deployments.