Best practices
An Internet Routing Registry (IRR) record is what notifies internet service providers (ISPs) of how you are allowing your resources to be used. It is necessary to keep your IRR entries up to date so that it is public information that Cloudflare has permission to advertise your prefix or prefixes and to ensure that your traffic can be properly routed on the internet.
The American Registry for Internet Numbers (ARIN) maintains an IRR that allows registrants of AS numbers and IP addresses to publish that information so that ISPs can make appropriate routing decisions. This helps ensure ISPs will recognize your routes as legitimate and enables them to ignore unauthorized routes published by someone else.
You can add or update an IRR entry by following the directions within any of the recommended internet registries listed in the Internet Routing Registry ↗.
If you own your own subnet, use the RIPE and APNIC routing registries. These registries allow you to verify subnet ownership.
If you lease your subnet, follow these guidelines:
- When you do not need ownership verification, use the AFRINIC or NTT routing registry.
- When you submit a route object via email, use the ARIN registry. Address blocks owned by others do not appear in the ARIN interface.
The recommended registries are AFRINIC, APNIC, ARIN, NTT, RADB, and RIPE.
Each routing registry has its own set of instructions to configure an IRR entry. Refer to the table below for more information.
Verify your Internet Routing Registry (IRR) entries to ensure that the IP prefixes Cloudflare advertises for you match the correct autonomous system numbers (ASNs).
Each IRR entry record must include the following information:
- Route: Each IP prefix Cloudflare advertises for you.
- Origin ASN: Your ASN, or if you do not have your own ASN, the Cloudflare ASN (AS13335).
- Source: The name of the routing registry, for example, AFRINIC, APNIC, ARIN, RADB, RIPE, or NTT.
Add or update IRR entries when they meet any of these criteria:
- The entry is missing.
- The entry is incomplete or inaccurate — for example, when the route object does not show the correct origin.
- The entry is complete but requires updating — for example, when they correspond to supernets but need to correspond to subnets used in Magic Transit.
You are strongly encouraged to verify IRR entries for the exact prefixes you will use to onboard with Cloudflare.
IRR entries for less specific prefixes are acceptable as long as you understand and accept the following risk: if you modify your IRR entries in the future (for example, by changing your ASN) and the IRR entry for the supernet no longer matches the prefix or origin mapping in your Magic Transit configuration, the prefix will have reduced reachability due to networks Cloudflare peers with automatically filtering the prefix. Having specific IRR entries helps minimize (but not entirely remove) this risk.
To verify your prefix and ASN route, use the tools and methods outlined on the table below:
Data to verify | Tool | Method | Output |
---|---|---|---|
Subnet prefix IP for the ASN | IRR Explorer | Search for the subnet prefix IP, for example, 162.211.156.0/24 . | List of ASN numbers, source (route registry), and any associated errors. |
ASN for the subnet prefix | IRR Explorer | Search for the ASN, for example AS13335 . | List of prefixes, source, and any associated errors. |
Your origin ASN and routing data | WHOIS lookup | In a terminal, use this
The host | IRR route, origin, and source information. |
The <IRR entry section>
in the WHOIS output shows the correct IRR entry information for the specified network. In this example, the network prefix is 1.1.1.0/24
, and the output includes the route, origin ASN, and route registry, which in this example is APNIC: