diff --git a/CHANGES.md b/CHANGES.md
index 0cfd67ae..51ec9411 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,15 +1,28 @@
 **Experimental**: This is a new format for release notes. The format and availability is subject to change.
 
-## UNRELEASED
-
-### Backward Incompatible Changes
-
-- none
+## 2021.3.0
 
 ### New Features
 
 - [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) specific commands
   now show up in the `cloudflared tunnel route --help` output.
+- There is a new ingress type that allows cloudflared to proxy SOCKS5 as a bastion. You can use it with an ingress
+  rule by adding `service: socks-proxy`. Traffic is routed to any destination specified by the SOCKS5 packet but only
+  if allowed by a rule. In the following example we allow proxying to a certain CIDR but explicitly forbid one address
+  within it:
+```
+ingress:
+  - hostname: socks.example.com
+    service: socks-proxy
+    originRequest:
+      ipRules:
+        - prefix: 192.168.1.8/32
+          allow: false
+        - prefix: 192.168.1.0/24
+          ports: [80, 443]
+          allow: true
+```
+  
 
 ### Improvements
 
@@ -18,14 +31,13 @@
   `cloudflared tunnel --config config.yaml run`
 - Warnings are now shown in the output logs whenever cloudflared is running without the most recent version and
   `no-autoupdate` is `true`.
-- Access tokens are now stored per Access App instead of per request path.
-
+- Access tokens are now stored per Access App instead of per request path. This decreases the number of times that the
+  user is required to authenticate with an Access policy redundantly.
 
 ### Bug Fixes
 
 - GitHub [PR #317](https://github.com/cloudflare/cloudflared/issues/317) was broken in 2021.2.5 and is now fixed again.
 
-
 ## 2021.2.5
 
 ### New Features