IPSEC Tunnels
List IPsec tunnels
List IPsec tunnel details
Create an IPsec tunnel
Update IPsec Tunnel
Delete IPsec Tunnel
Update multiple IPsec tunnels
Generate Pre Shared Key (PSK) for IPsec tunnels
ModelsExpand Collapse
class IPSECTunnelListResponse: …
ipsec_tunnels: Optional[List[IPSECTunnel]]
A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
When true, the tunnel can use a null-cipher (ENCR_NULL) in the ESP tunnel (Phase 2).
True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
bgp: Optional[IPSECTunnelBGP]
Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
MD5 key to use for session authentication.
Note that this is not a security measure. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is only supported for preventing misconfiguration, not for defending against malicious attacks.
The MD5 key, if set, must be of non-zero length and consist only of the following types of character:
- ASCII alphanumerics:
[a-zA-Z0-9] - Special characters in the set
'!@#$%^&*()+[]{}<>/.,;:_-~= |`
In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A),
quotation mark ("), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed
(0x0C), and the question mark (?). Requests specifying an MD5 key with one or more of
these disallowed characters will be rejected.
custom_remote_identities: Optional[IPSECTunnelCustomRemoteIdentities]
A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified.
Must be of the form <custom label>.<account ID>.custom.ipsec.cloudflare.com.
This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
health_check: Optional[IPSECTunnelHealthCheck]
direction: Optional[Literal["unidirectional", "bidirectional"]]The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
target: Optional[IPSECTunnelHealthCheckTarget]The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
class IPSECTunnelHealthCheckTargetMagicHealthCheckTarget: …The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
A 127 bit IPV6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not same as the address of virtual_subnet6. Eg if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127 , interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
class IPSECTunnelGetResponse: …
ipsec_tunnel: Optional[IPSECTunnel]
A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
When true, the tunnel can use a null-cipher (ENCR_NULL) in the ESP tunnel (Phase 2).
True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
bgp: Optional[IPSECTunnelBGP]
Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
MD5 key to use for session authentication.
Note that this is not a security measure. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is only supported for preventing misconfiguration, not for defending against malicious attacks.
The MD5 key, if set, must be of non-zero length and consist only of the following types of character:
- ASCII alphanumerics:
[a-zA-Z0-9] - Special characters in the set
'!@#$%^&*()+[]{}<>/.,;:_-~= |`
In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A),
quotation mark ("), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed
(0x0C), and the question mark (?). Requests specifying an MD5 key with one or more of
these disallowed characters will be rejected.
custom_remote_identities: Optional[IPSECTunnelCustomRemoteIdentities]
A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified.
Must be of the form <custom label>.<account ID>.custom.ipsec.cloudflare.com.
This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
health_check: Optional[IPSECTunnelHealthCheck]
direction: Optional[Literal["unidirectional", "bidirectional"]]The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
target: Optional[IPSECTunnelHealthCheckTarget]The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
class IPSECTunnelHealthCheckTargetMagicHealthCheckTarget: …The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
A 127 bit IPV6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not same as the address of virtual_subnet6. Eg if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127 , interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
class IPSECTunnelCreateResponse: …
A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
When true, the tunnel can use a null-cipher (ENCR_NULL) in the ESP tunnel (Phase 2).
True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
bgp: Optional[BGP]
Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
MD5 key to use for session authentication.
Note that this is not a security measure. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is only supported for preventing misconfiguration, not for defending against malicious attacks.
The MD5 key, if set, must be of non-zero length and consist only of the following types of character:
- ASCII alphanumerics:
[a-zA-Z0-9] - Special characters in the set
'!@#$%^&*()+[]{}<>/.,;:_-~= |`
In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A),
quotation mark ("), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed
(0x0C), and the question mark (?). Requests specifying an MD5 key with one or more of
these disallowed characters will be rejected.
custom_remote_identities: Optional[CustomRemoteIdentities]
A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified.
Must be of the form <custom label>.<account ID>.custom.ipsec.cloudflare.com.
This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
health_check: Optional[HealthCheck]
direction: Optional[Literal["unidirectional", "bidirectional"]]The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
target: Optional[HealthCheckTarget]The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
class HealthCheckTargetMagicHealthCheckTarget: …The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
A 127 bit IPV6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not same as the address of virtual_subnet6. Eg if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127 , interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
class IPSECTunnelUpdateResponse: …
modified_ipsec_tunnel: Optional[ModifiedIPSECTunnel]
A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
When true, the tunnel can use a null-cipher (ENCR_NULL) in the ESP tunnel (Phase 2).
True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
bgp: Optional[ModifiedIPSECTunnelBGP]
Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
MD5 key to use for session authentication.
Note that this is not a security measure. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is only supported for preventing misconfiguration, not for defending against malicious attacks.
The MD5 key, if set, must be of non-zero length and consist only of the following types of character:
- ASCII alphanumerics:
[a-zA-Z0-9] - Special characters in the set
'!@#$%^&*()+[]{}<>/.,;:_-~= |`
In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A),
quotation mark ("), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed
(0x0C), and the question mark (?). Requests specifying an MD5 key with one or more of
these disallowed characters will be rejected.
bgp_status: Optional[ModifiedIPSECTunnelBGPStatus]
custom_remote_identities: Optional[ModifiedIPSECTunnelCustomRemoteIdentities]
A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified.
Must be of the form <custom label>.<account ID>.custom.ipsec.cloudflare.com.
This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
health_check: Optional[ModifiedIPSECTunnelHealthCheck]
direction: Optional[Literal["unidirectional", "bidirectional"]]The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
target: Optional[ModifiedIPSECTunnelHealthCheckTarget]The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
class ModifiedIPSECTunnelHealthCheckTargetMagicHealthCheckTarget: …The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
A 127 bit IPV6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not same as the address of virtual_subnet6. Eg if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127 , interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
class IPSECTunnelDeleteResponse: …
deleted_ipsec_tunnel: Optional[DeletedIPSECTunnel]
A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
When true, the tunnel can use a null-cipher (ENCR_NULL) in the ESP tunnel (Phase 2).
True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
bgp: Optional[DeletedIPSECTunnelBGP]
Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
MD5 key to use for session authentication.
Note that this is not a security measure. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is only supported for preventing misconfiguration, not for defending against malicious attacks.
The MD5 key, if set, must be of non-zero length and consist only of the following types of character:
- ASCII alphanumerics:
[a-zA-Z0-9] - Special characters in the set
'!@#$%^&*()+[]{}<>/.,;:_-~= |`
In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A),
quotation mark ("), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed
(0x0C), and the question mark (?). Requests specifying an MD5 key with one or more of
these disallowed characters will be rejected.
bgp_status: Optional[DeletedIPSECTunnelBGPStatus]
custom_remote_identities: Optional[DeletedIPSECTunnelCustomRemoteIdentities]
A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified.
Must be of the form <custom label>.<account ID>.custom.ipsec.cloudflare.com.
This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
health_check: Optional[DeletedIPSECTunnelHealthCheck]
direction: Optional[Literal["unidirectional", "bidirectional"]]The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
target: Optional[DeletedIPSECTunnelHealthCheckTarget]The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
class DeletedIPSECTunnelHealthCheckTargetMagicHealthCheckTarget: …The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
A 127 bit IPV6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not same as the address of virtual_subnet6. Eg if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127 , interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
class IPSECTunnelBulkUpdateResponse: …
modified_ipsec_tunnels: Optional[List[ModifiedIPSECTunnel]]
A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
When true, the tunnel can use a null-cipher (ENCR_NULL) in the ESP tunnel (Phase 2).
True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
bgp: Optional[ModifiedIPSECTunnelBGP]
Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
MD5 key to use for session authentication.
Note that this is not a security measure. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is only supported for preventing misconfiguration, not for defending against malicious attacks.
The MD5 key, if set, must be of non-zero length and consist only of the following types of character:
- ASCII alphanumerics:
[a-zA-Z0-9] - Special characters in the set
'!@#$%^&*()+[]{}<>/.,;:_-~= |`
In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A),
quotation mark ("), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed
(0x0C), and the question mark (?). Requests specifying an MD5 key with one or more of
these disallowed characters will be rejected.
bgp_status: Optional[ModifiedIPSECTunnelBGPStatus]
custom_remote_identities: Optional[ModifiedIPSECTunnelCustomRemoteIdentities]
A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified.
Must be of the form <custom label>.<account ID>.custom.ipsec.cloudflare.com.
This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
health_check: Optional[ModifiedIPSECTunnelHealthCheck]
direction: Optional[Literal["unidirectional", "bidirectional"]]The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
target: Optional[ModifiedIPSECTunnelHealthCheckTarget]The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
class ModifiedIPSECTunnelHealthCheckTargetMagicHealthCheckTarget: …The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to customer_gre_endpoint address. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
A 127 bit IPV6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not same as the address of virtual_subnet6. Eg if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127 , interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127