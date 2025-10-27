Breakout traffic allows you to define which applications should bypass Cloudflare's security filtering and go directly to the Internet. It works by inspecting DNS requests. This means that if your network is caching DNS requests, Breakout traffic will only take effect after your cached entries expire and your client issues a new DNS request that Appliances can detect. This can take several minutes.

Warning: Breakout traffic will not work for applications that use DNS-over-HTTPS.

In the graph above, Applications 1 and 2 are configured to bypass Cloudflare's security filtering and go straight to the Internet.

A note on security: We recommend routing all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare's security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard. Refer to Traffic steering to learn how Cloudflare routes traffic.

Add an application to your account

Before you can add or remove Breakout traffic applications to your Appliances, you need to create an account-level list with the applications that you want to configure. Currently, adding to or modifying this list is only possible via API, through the managed_app_id endpoint.

To add applications to your account:

Send a POST request to add new apps to your account.

Required API token permissions

At least one of the following token permissions is required:

- Magic WAN Write
- Magic Transit Write

Create a new App

    curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/apps" \
      --request POST \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      --json '{
        "managed_app_id": "<APP_ID>",
        "name": "<APP_NAME>",
        "type": "<APP_TYPE>"
      }'

    {
      "result": {
        "account_app_id": "eb09v665c0784618a3e4ba9809258fd4",
        "name": "<APP_NAME>",
        "type": "<APP_TYPE>"
      },
      "success": true,
      "errors": [],
      "messages": []
    }

You can now add this new app to the Breakout traffic list in your Appliances.

Add an application to Appliances

You need to configure Breakout traffic applications for each of your existing sites, as this is a per-site configuration.

Dashboard

1. Log in to the Cloudflare One dashboard, and go to Networks.
2. Go to Connectors > Appliances > Profiles.
3. Select the Connector you want to configure > Edit.
4. Select Traffic Steering.
5. In Breakout traffic, select Add.
6. Select one or more applications that should bypass Cloudflare filtering from the list. You can also use the search box.
7. Select Save.

The traffic for the application you chose will now go directly to the Internet and bypass Cloudflare's filtering.

API

Note: You will need your account ID and API Key to use the API.

1. Send a GET request to list the applications associated with an account.

   Required API token permissions

   At least one of the following token permissions is required:

   - Magic WAN Write
   - Magic WAN Read
   - Magic Transit Read
   - Magic Transit Write

   List Apps

       curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/apps" \
         --request GET \
         --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

       {
         "result": [
           {
             "managed_app_id": "<APP_ID>",
             "name": "<APP_NAME>",
             "type": "File Sharing",
             "hostnames": ["<app_name.com>", "<app-name.info>"]
           }
         ]
       }

2. Take note of the "managed_app_id" value for any application you want to add.

3. Send a POST request to add new apps to the Breakout traffic policy.

   Required API token permissions

   At least one of the following token permissions is required:

   - Magic WAN Write
   - Magic Transit Write

   Create a new App Config

       curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/sites/$SITE_ID/app_configs" \
         --request POST \
         --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
         --json '{
           "managed_app_id": "<MANAGED_APP_ID>",
           "breakout": true
         }'

       {
         "result": {
           "account_app_id": "<APP_ID>",
           "name": "<APP_NAME>",
           "type": "<BREAKOUT_OR_PRIORITY>"
         },
         "success": true,
         "errors": [],
         "messages": []
       }

Delete an application from Appliances

Dashboard

1. Log in to the Cloudflare One dashboard, and go to Networks.
2. Go to Connectors > Appliances > Profiles.
3. Select the Connector you want to configure > Edit.
4. Select Traffic Steering.
5. In Breakout traffic, find the application you want to delete > select the three dots next to it > Remove.
6. (Optional) If you have several pages of applications, you can use the search box to quickly find the application you are looking for.

API

Note: You will need your account ID and API Key to use the API.

You need to delete Breakout traffic applications for each of your existing sites, as this is a per-site configuration.

1. Send a GET request to list the applications associated with a site.

   Required API token permissions

   At least one of the following token permissions is required:

   - Magic WAN Write
   - Magic WAN Read
   - Magic Transit Read
   - Magic Transit Write

   List App Configs

       curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/sites/$SITE_ID/app_configs" \
         --request GET \
         --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

       {
         "result": [
           {
             "id": "<APP_ID>",
             "site_id": "<SITE_ID>",
             "managed_app_id": "<APP_NAME>",
             "breakout": true
           }
         ]
       }

2. Take note of the "id" value for the application that you want to delete.

3. Send a DELETE request to delete an application from the Breakout traffic policy.

       curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/sites/$SITE_ID/app_configs/<APP_ID>" \
         --request DELETE \
         --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

       {
         "result": {
           "id": "<APP_ID>",
           "site_id": "<SITE_ID>",
           "managed_app_id": "<APP_NAME>",
           "breakout": true
         },
         "success": true,
         "errors": [],
         "messages": []
       }
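Because each breakout entry exempts an application's hostnames from filtering, the per-site list is worth reviewing before and after changes. The following added example (not Cloudflare's code) joins saved List Apps and List App Configs responses into a per-site report and flags entries that are not on an approved list; the function names, the approved list and all sample values are constructed for illustration.

```python
import json

# Constructed sample data shaped like the List Apps and List App Configs
# responses on this page; every ID, name and hostname is a placeholder.
LIST_APPS = json.loads("""{"result": [
  {"managed_app_id": "app-files", "name": "Example Files", "type": "File Sharing",
   "hostnames": ["files.example.net", "files.example.com"]},
  {"managed_app_id": "app-meet", "name": "Example Meet", "type": "Video",
   "hostnames": ["meet.example.com"]}]}""")
SITE_CONFIGS = {  # site_id -> List App Configs response for that site
    "site-a": {"result": [
        {"id": "cfg-1", "site_id": "site-a", "managed_app_id": "app-files", "breakout": True},
        {"id": "cfg-2", "site_id": "site-a", "managed_app_id": "app-meet", "breakout": False}]},
    "site-b": {"result": [
        {"id": "cfg-3", "site_id": "site-b", "managed_app_id": "app-meet", "breakout": True},
        {"id": "cfg-4", "site_id": "site-b", "managed_app_id": "app-gone", "breakout": True}]},
}
APPROVED = {"app-files"}  # hypothetical list of apps signed off for breakout


def breakout_report(apps_response, configs_by_site):
    """Return one row per app config that has breakout enabled, ordered by site."""
    catalog = {a["managed_app_id"]: a for a in apps_response.get("result", [])}
    rows = []
    for site_id, response in sorted(configs_by_site.items()):
        for cfg in response.get("result", []):
            if cfg.get("breakout") is not True:
                continue  # entry exists for the site but does not bypass filtering
            app = catalog.get(cfg.get("managed_app_id"))
            rows.append({
                "site_id": site_id,
                "config_id": cfg["id"],  # the "id" a DELETE request would need
                "managed_app_id": cfg.get("managed_app_id"),
                "hostnames": sorted(app.get("hostnames", [])) if app else [],
                "known": app is not None,  # False: app missing from List Apps
            })
    return rows


def unapproved(rows, approved_ids):
    """Breakout rows whose app is not on the approved list."""
    return [r for r in rows if r["managed_app_id"] not in approved_ids]


if __name__ == "__main__":
    rows = breakout_report(LIST_APPS, SITE_CONFIGS)
    for row in unapproved(rows, APPROVED):
        print(row["site_id"], row["config_id"], row["managed_app_id"],
              ",".join(row["hostnames"]) or "(not in List Apps)")
```

Rows with `known` set to False reference an application that the account-level list no longer returns, so their hostnames cannot be reviewed from these two responses alone.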

WARP traffic

If you have Appliances and WARP clients deployed on your premises, Appliances automatically routes WARP traffic to the Internet rather than WAN Tunnels IPsec tunnels. This prevents traffic from being encapsulated twice.

You may need to configure your firewall to allow this new traffic. Make sure to allow the following IPs and ports:

Destination IPs: 162.159.193.0/24, 162.159.197.0/24

Destination ports: 443, 500, 1701, 2408, 4443, 4500, 8095, 844

Refer to WARP with firewall for more information on this topic.