Breakout traffic
Date: 2025-10-27
Breakout traffic allows you to define which applications should bypass Cloudflare's security filtering and go directly to the Internet. It works by inspecting DNS requests. This means that if your network is caching DNS requests, Breakout traffic will only take effect after your cached entries expire and your client issues a new DNS request that Appliances can detect. This can take several minutes.
```mermaid
flowchart LR
accTitle: In this example, the applications go directly to the Internet, skipping Cloudflare's security filtering.
a(Appliances) --> b(Cloudflare) -->|Filtered traffic|c(Internet)
a-- Breakout traffic ---d(Application1) & e(Application2) --> c
classDef orange fill:#f48120,color: black
class a,b orange
```
In the graph above, Applications 1 and 2 are configured to bypass Cloudflare's security filtering and go straight to the Internet.
Before you can add or remove Breakout traffic applications to your Appliances, you need to create an account-level list with the applications that you want to configure. Currently, adding to or modifying this list is only possible via API, through the managed_app_id endpoint.
To add applications to your account:
Send a POST request to add new apps to your account.
At least one of the following token permissions is required:
- Magic WAN Write
- Magic Transit Write
You can now add this new app to the Breakout traffic list in your Appliances.
Add an application to Appliances
You need to configure Breakout traffic applications for each of your existing sites, as this is a per-site configuration.
- Log in to the Cloudflare One dashboard, and go to Networks.
- Go to Connectors > Appliances > Profiles.
- Select the Connector you want to configure > Edit.
- Select Traffic Steering.
- In Breakout traffic, select Add.
- Select one or more applications that should bypass Cloudflare filtering from the list. You can also use the search box.
- Select Save.
The traffic for the application you chose will now go directly to the Internet and bypass Cloudflare's filtering.
- Send a GET request to list the applications associated with an account.
  At least one of the following token permissions is required:
  - Magic WAN Write
  - Magic WAN Read
  - Magic Transit Read
  - Magic Transit Write
  Take note of the "managed_app_id" value for any application you want to add.
- Send a POST request to add new apps to the Breakout traffic policy.
  At least one of the following token permissions is required:
  - Magic WAN Write
  - Magic Transit Write
Delete an application from Appliances
- Log in to the Cloudflare One dashboard, and go to Networks.
- Go to Connectors > Appliances > Profiles.
- Select the Connector you want to configure > Edit.
- Select Traffic Steering.
- In Breakout traffic, find the application you want to delete > select the three dots next to it > Remove.
- (Optional) If you have several pages of applications, you can use the search box to quickly find the application you are looking for.
You need to delete Breakout traffic applications for each of your existing sites, as this is a per-site configuration.
- Send a GET request to list the applications associated with a site.
  At least one of the following token permissions is required:
  - Magic WAN Write
  - Magic WAN Read
  - Magic Transit Read
  - Magic Transit Write
  Take note of the "id" value for the application that you want to delete.
- Send a DELETE request to delete an application from the Breakout traffic policy.
If you have Appliances and WARP clients deployed on your premises, Appliances automatically routes WARP traffic to the Internet rather than WAN Tunnels IPsec tunnels. This prevents traffic from being encapsulated twice.
You may need to configure your firewall to allow this new traffic. Make sure to allow the following IPs and ports:
- Destination IPs: 162.159.193.0/24, 162.159.197.0/24
- Destination ports: 443, 500, 1701, 2408, 4443, 4500, 8095, 844
Refer to WARP with firewall for more information on this topic.
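One way to check an egress rule set against the destinations listed above, as an added example that is not from Cloudflare's documentation. The first-match-wins, default-deny rule model and the sample rules are assumptions constructed for illustration; the page gives no protocol, so only destination network and port are checked.

```python
import ipaddress

# Destination networks and ports exactly as listed on this page for WARP traffic.
REQUIRED_NETS = ["162.159.193.0/24", "162.159.197.0/24"]
REQUIRED_PORTS = [443, 500, 1701, 2408, 4443, 4500, 8095, 844]

# Constructed sample egress rules: (action, destination CIDR, port spec).
SAMPLE_RULES = [
    ("deny", "162.159.197.0/24", "1701"),
    ("allow", "162.159.192.0/18", "443"),
    ("allow", "162.159.193.0/24", "500-4500"),
    ("allow", "162.159.197.0/24", "any"),
]

def parse_ports(spec):
    """Turn '443', '500-4500' or 'any' into an inclusive (low, high) range."""
    if spec == "any":
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))

def missing_allowances(rules):
    """Return the (network, port) pairs from the page that the rules do not allow.

    Assumed firewall model: first matching rule wins, implicit deny at the end.
    """
    parsed = [(a, ipaddress.ip_network(d), parse_ports(p)) for a, d, p in rules]
    gaps = []
    for net_text in REQUIRED_NETS:
        net = ipaddress.ip_network(net_text)
        for port in REQUIRED_PORTS:
            verdict = "deny"  # implicit default
            for action, dest, (low, high) in parsed:
                if low <= port <= high and net.overlaps(dest):
                    # A rule covering only part of the network is treated as a
                    # gap: some addresses in it would not be allowed by this rule.
                    verdict = action if net.subnet_of(dest) else "deny"
                    break
            if verdict != "allow":
                gaps.append((net_text, port))
    return gaps

if __name__ == "__main__":
    for net_text, port in missing_allowances(SAMPLE_RULES):
        print(f"not allowed: {net_text} port {port}")
```

An empty result means every listed network and port pair is reachable under the assumed rule model; each reported pair points at the rule ordering or range that needs review.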
