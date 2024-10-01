Magic Transit customers using BYOIP can also benefit from the performance, reliability, and security that Cloudflare offers for HTTP-based applications.
This documentation covers using the Cloudflare API to configure service bindings within Cloudflare’s IP Address Management framework. Service bindings allow BYOIP customers to selectively route traffic on a per-IP address basis to the CDN pipeline (which includes Cache, Web Application Firewall (WAF), and more).
It is also possible to define service bindings to route traffic to the Spectrum pipeline selectively. However, this is not in the scope of this guide.
It is important to note that traffic routed to the CDN pipeline is protected at Layers 3 and 4 by the inherent DDoS protection capabilities native to the CDN pipeline.
Before you begin
Efficiency is paramount when planning how you will implement service bindings. Implementing service bindings through an aggregated CIDR block is strongly recommended.
Best practice: Add one discrete CDN service binding for 203.0.113.16 with a /29 netmask.
Once a service binding is created (or deleted), it will take four to six hours to propagate across Cloudflare’s global network. Services for the IP addresses in scope will likely be disrupted during this window.
1. Get account information
Log in to your Cloudflare account and get your account ID and API token. The token permissions should include Account - IP Prefixes - Edit.
Make a GET request to the List Services endpoint and take note of the id associated with the CDN service.
Use the List Prefixes endpoint and take note of the id associated with the prefix (cidr) you will configure.
At this point, continuing the example, you should have a mapping similar to the following:
| Variables | Description |
| --- | --- |
| {service_id} | The ID of the CDN service within Cloudflare. Example: 969xxxxxxxx000xxx0000000x00001bf |
| {prefix_id} | The ID of the Magic Transit protected prefix (203.0.113.100/24) you want to configure. Example: 6b25xxxxxxx000xxx0000000x0000cfc |
To confirm you currently only have a Magic Transit service binding and that it spans across your entire prefix, make a GET request to the List Service Bindings endpoint. Replace the {prefix_id} in the URI path with the actual prefix ID you got from the previous step.
2. Create service binding
Make a POST request to the Create service binding endpoint, indicating the IP address you want to bind to the CDN. Specify the corresponding network mask as needed.
Continuing the example, 203.0.113.100/32 designates an IP address that is within the Magic Transit protected prefix 203.0.113.0/24.
Replace the {prefix_id} in the URI with your prefix ID from previous steps. Within the request body, the cidr value should correspond to the IP address or subnet that you are configuring for use with CDN.
In the response body, the initial provisioning state should be provisioning.
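The following is an added example, not Cloudflare's own code, covering the aggregation advice under "Before you begin" and the request body from step 2: it collapses the IP addresses you want on the CDN into the fewest CIDR blocks, rejects any address outside the onboarded prefix, and builds (without sending) one POST per binding. The endpoint path, the `service_id` body field, and the function names are assumptions not shown on this page; check them against the API reference before use.

```python
import ipaddress
import json

# Assumed base URL and path layout; the page names the endpoint but not its URI.
API_BASE = "https://api.cloudflare.com/client/v4"


def plan_cdn_bindings(prefix, addresses, service_id):
    """Return one request body per CDN binding, using the fewest CIDR blocks."""
    # strict=True rejects a prefix with host bits set, such as 203.0.113.100/24.
    parent = ipaddress.ip_network(prefix, strict=True)
    hosts = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version != parent.version or ip not in parent:
            raise ValueError(f"{addr} is outside the onboarded prefix {parent}")
        hosts.append(ipaddress.ip_network(ip))  # single host: /32 or /128
    # collapse_addresses merges duplicates and adjacent hosts into aligned blocks,
    # so eight consecutive aligned IPs become one /29 instead of eight bindings.
    blocks = ipaddress.collapse_addresses(hosts)
    # "service_id" as a body field is an assumption; the page only mentions "cidr".
    return [{"cidr": str(block), "service_id": service_id} for block in blocks]


def binding_request(account_id, prefix_id, body, token):
    """Build (method, url, headers, payload) for one binding without sending it."""
    url = f"{API_BASE}/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "POST", url, headers, json.dumps(body)


if __name__ == "__main__":
    # Constructed input: the /29 from the best-practice note plus the /32 from step 2.
    wanted = [f"203.0.113.{n}" for n in range(16, 24)] + ["203.0.113.100"]
    plan = plan_cdn_bindings("203.0.113.0/24", wanted, "969xxxxxxxx000xxx0000000x00001bf")
    for body in plan:
        # Placeholders: substitute the real account ID and read the token from a secret store.
        method, url, _, payload = binding_request(
            "ACCOUNT_ID_PLACEHOLDER", "6b25xxxxxxx000xxx0000000x0000cfc", body, "TOKEN_PLACEHOLDER")
        print(method, url, payload)
```

Reviewing the planned CIDR list before sending anything matters here because each created or deleted binding takes hours to propagate.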
Complete the required fields, setting the Proxy status to proxied.
Select Save.
To create records with the API, use a POST request. For field definitions, select a record type under the request body specification.
While the DNS record proxy status and address map will determine how Cloudflare’s authoritative DNS responds to requests for your hostnames, the IP addresses specified in A/AAAA records will determine how Cloudflare reaches the configured origin.
Example
| Type | Name | IP address | Proxy status | TTL |
| --- | --- | --- | --- | --- |
| A | www | 203.0.113.150 | Proxied | Auto |
At this point, if an address map for a zone example.com specifies that Cloudflare should use 203.0.113.100 for proxied records and the above record exists in the same zone, you can expect the following:
Cloudflare responds to DNS requests with 203.0.113.100.
Cloudflare proxies requests through the CDN and then routes the requests via GRE or CNI to the origin server 203.0.113.150 (Magic Transit protected prefix).