The Cloudflare One Appliance (formerly Magic WAN Connector) software is certified for use on the Dell Networking Virtual Edge Platform ↗. It can be purchased with software pre-installed through our partner network for plug-and-play connectivity to Cloudflare One.

Security and other information

Cloudflare ensures the Cloudflare One Appliance device is secure and is not altered via TPM/Secure boot (does not apply to Virtual Appliance).

Connectivity to the Cloudflare global network is secure and all traffic is encrypted through IPsec tunneling. The Cloudflare One Appliance uses ESP-in-UDP with GCM-AES-256 encryption. Cloudflare uses a non-IKE keying protocol built into our control plane, secured with TLS.

Customers have the ability to layer on additional security features/policies that are enforced at the Cloudflare network.

ICMP traffic

ICMP traffic is routed through the Internet and bypasses Cloudflare Gateway. This enables you to ping resources on the Internet from the Cloudflare One Appliance directly, which can be useful for debugging.

VLAN ID

This feature allows you to have multiple virtual LANs ↗ (VLANs) configured over the same physical port on your Cloudflare One Appliance. VLAN tagging adds an extra header to packets ↗ in order to identify which VLAN the packet belongs to and to route it appropriately. This effectively allows you to run multiple networks over the same physical port.

A non-zero value set up for the VLAN ID field in your WAN/LAN is used to handle VLAN-tagged traffic. Cloudflare uses the VLAN ID to handle traffic coming into your Cloudflare One Appliance device, and applies a VLAN tag with the configured VLAN ID for traffic going out of your Cloudflare One Appliance through WAN/LAN.

You can setup VLAN IDs both for WAN and LAN. For instructions on setting up VLAN IDs, refer to Configure hardware Appliance or Configure Virtual Appliance.

High availability configurations

Terminology

Primary/Secondary : Used to identify the two nodes which are part of a high availability (HA) configuration pair of Cloudflare One Appliances. This identity allows the node to identify which configuration is attributed to it — for example, specifying a primary and secondary IP in a LAN configuration. This identity is configured by the user on the Cloudflare dashboard.

: Used to identify the two nodes which are part of a high availability (HA) configuration pair of Cloudflare One Appliances. This identity allows the node to identify which configuration is attributed to it — for example, specifying a primary and secondary IP in a LAN configuration. This identity is configured by the user on the Cloudflare dashboard. Active/Standby: These are states that the two nodes in a HA pair will dynamically assume based on an election process. Only one node at any time is expected to be active.

High availability

A site set up in high availability (HA) mode has two Cloudflare One Appliances with the same configuration but replicated in two nodes. In case of failure of one Cloudflare One Appliance, the other Cloudflare One Appliance becomes the active node, taking over configuration of the LAN gateway IP and allowing traffic to continue without disruption.

Active/Standby Election

During the LAN configuration, one of the LAN links is configured as a HA link, which is used to exchange heartbeats, resulting in the active / standby election of nodes.

The state election uses a PRIORITY parameter where the node with the higher priority becomes active and the other assumes the standby state. If the priority is the same, the state machine automatically picks one of the nodes as active.

The HA pair is configured in non-preemptive mode, meaning that once a node becomes active, it will remain active unless its priority drops below that of the other node.

Configuration

The two Cloudflare One Appliances of a high availability (HA) pair are part of a single site. You designate the Cloudflare One Appliance as primary and secondary in the Cloudflare dashboard.

Note The HA link cannot be connected back-to-back. It has to be connected over a switch. This is because, in a direct connection, if the link is unplugged on one end, the other end also detects a link failure. Since we have configured the system to enter a FAULT state when the HA link goes down, the affected node will be unable to function as the active node.

Failure detection and failover

The Cloudflare One Appliance's health can be in one of three states:

Good : All health parameters are good

: All health parameters are good Degraded : One of the following is true: Health of at least one configured tunnel is DOWN At least one of the LAN links is disconnected (physically unplugged)

: One of the following is true: Down : If one of the following is true: Health of all tunnels is DOWN All LAN interfaces are disconnected Cloudflare One Appliance's software is not healthy

: If one of the following is true:

A failover happens when the active node's health declines to a level lower than that of the standby node. For example, from GOOD to DEGRADED , or from DEGRADED to DOWN . In the case of a failover where one Cloudflare One Appliance is acting as a DHCP server, DHCP leases will be synchronized.

When a failover occurs, traffic is moved to the new active node. It could take up to 30 seconds for traffic to be fully restored over the new active node.

WAN settings

This is where you add and configure your WAN connections. Each configured WAN will create one IPsec tunnel, unless you have more than one anycast IP configured in your account.

When you have more than one anycast IP configured in your account (set up during your Cloudflare WAN (formerly Magic WAN) onboarding), Cloudflare One Appliance will automatically create at most two tunnels per WAN port. This improves reliability and performance, and requires no additional configuration on your part.

When you have multiple WANs you can attribute different priorities to each one. Lower values mean a higher priority. This translates in Cloudflare One Appliance routing traffic through the higher priority WANs or, more precisely, over the IPsec tunnels established over that interface. On the other hand, if you configure multiple WANs of equal priority, traffic will be distributed over those links through Equal-Cost Multi-Path (ECMP routing).

Creating several WAN connections also means Cloudflare One Appliance can failover between circuits according to their health.

High-capacity use cases

For high-capacity use cases, multiple tunnels can be established with equal priority. Outgoing traffic is then distributed across all available connections using an ECMP routing algorithm, which balances the load base.

Configure multiple tunnels in the same WAN profile

If you do not have more than one anycast IP configured in your account, and you need to configure multiple tunnels for the same WAN profile, set up multiple WAN connections. Each WAN is assigned one IPsec tunnel.

WAN settings

Interface number: When using the hardware version of Cloudflare One Appliance, this refers to the Ethernet port that you are using for your WAN. If you need a throughput higher than 1 Gbps, you can use one of the SFP+ ports. For details on supported hardware, refer to SFP+ port information.

If you are using Virtual Appliance, this needs to correspond to the virtual network interface on the Virtual Appliance instance you have set up in your virtual machine.

When using the hardware version of Cloudflare One Appliance, this refers to the Ethernet port that you are using for your WAN. If you need a throughput higher than 1 Gbps, you can use one of the SFP+ ports. For details on supported hardware, refer to SFP+ port information. If you are using Virtual Appliance, this needs to correspond to the virtual network interface on the Virtual Appliance instance you have set up in your virtual machine. VLAN ID : Allows you to have multiple virtual WANs configured over the same port on your Cloudflare One Appliance. Refer to VLAN ID for more information.

: Allows you to have multiple virtual WANs configured over the same port on your Cloudflare One Appliance. Refer to VLAN ID for more information. Priority : Assigns a priority to the WAN interface. Lower numbers have higher priority. For details on how Cloudflare calculates priorities, refer to Traffic steering.

: Assigns a priority to the WAN interface. Lower numbers have higher priority. For details on how Cloudflare calculates priorities, refer to Traffic steering. Health check rate: Configures the health check frequency for your WAN. Options are low, mid, and high. For details, refer to Update tunnel health checks frequency.

Configures the health check frequency for your WAN. Options are low, mid, and high. For details, refer to Update tunnel health checks frequency. Addressing: Configures the Cloudflare One Appliance to work in a DHCP or static IP environment.

LAN settings

Interface number: When using the hardware version of Cloudflare One Appliance, this refers to the Ethernet port that you are using for your LAN. If you need a throughput higher than 1 Gbps, you can use one of the SFP+ ports. For details on supported hardware, refer to SFP+ port information.

If you are using the Virtual Appliance, this needs to correspond to the virtual LAN interface on the Virtual Appliance instance you have set up in your virtual machine.

When using the hardware version of Cloudflare One Appliance, this refers to the Ethernet port that you are using for your LAN. If you need a throughput higher than 1 Gbps, you can use one of the SFP+ ports. For details on supported hardware, refer to SFP+ port information. If you are using the Virtual Appliance, this needs to correspond to the virtual LAN interface on the Virtual Appliance instance you have set up in your virtual machine. VLAN ID : Allows you to have multiple virtual LANs configured over the same port on your Cloudflare One Appliance. Refer to VLAN ID for more information.

: Allows you to have multiple virtual LANs configured over the same port on your Cloudflare One Appliance. Refer to VLAN ID for more information. Static addressing: Configures the type of IP addressing for your Appliance. Depending on your use case, this is where you configure your LAN interface IP address, or enable DHCP server or DHCP relay. For details, refer to DHCP options.

Configures the type of IP addressing for your Appliance. Depending on your use case, this is where you configure your LAN interface IP address, or enable DHCP server or DHCP relay. For details, refer to DHCP options. Static NAT prefix : Enable NAT (network address translation). This is an optional setting.

: Enable NAT (network address translation). This is an optional setting. Routed subnets: Configures additional subnets behind a layer 3 router. For details, refer to Routed subnets.

Restrict traffic to your premises

Depending on your use case, you can define policies in your Cloudflare One Appliance to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features. The default behavior is to drop all LAN-to-LAN traffic. These policies can be created for specific subnets, and link two LANs.

For details, refer to Network segmentation.