Cloudflare Virtual Network routing table

The Cloudflare Virtual Network routing table is a virtual network overlay, private to your account, that spans all Cloudflare data centers globally. This overlay network provides:

The Cloudflare Virtual Network routing table supports routing the Cloudflare WAN traffic through anycast tunnels using GRE and Internet Protocol Security (IPsec) or CNI with Dataplane v2. You can add entries to the Cloudflare Virtual Network routing table through static route configuration or through routes learned through BGP peering (beta). Traffic can also be routed automatically according to tracked flow state.

Allowed IP ranges

The following IPv4 address ranges are allowed in the Cloudflare Virtual Network routing table:

RFC 1918 address space, specifically 10.0.0.0/8 , 172.16.0.0/12 , and 192.168.0.0/16 .

When using Cloudflare WAN and Cloudflare Tunnel together, consider the IP ranges utilized in the static routes of Cloudflare Tunnel when selecting static routes for Cloudflare WAN. For more information, refer to Cloudflare Tunnel.

For prefixes outside RFC 1918, contact your Cloudflare customer service manager.

Route prioritization

Cloudflare WAN steers traffic along tunnel routes based on route entry priorities.

Lower values have greater priority.

When the priority values for prefix entries match, Cloudflare uses equal-cost multi-path (ECMP) packet forwarding to route traffic. You can apply an optional weight value to static routes to modify ECMP tunnel distribution.

Cloudflare routing applies longest-prefix match. A more specific static route (like /30 ) always takes precedence over a less specific one (like /29 ), regardless of tunnel priority — unless you remove the more specific route.

When BGP and static routes have the same prefix and priority, Cloudflare enforces priority by preferring static routes over BGP routes. This ensures that manually configured static routes take precedence unless you explicitly deprioritize them.

Set priority and weights for static routes

The priority value for static routes is directly configured as part of the route object in the Cloudflare dashboard or through the API. For example:

Prefix NextHop Priority 10.10.10.100/24 TUNNEL_1_IAD 200 10.10.10.100/24 TUNNEL_2_IAD 200 10.10.10.100/24 TUNNEL_3_ATL 100 10.10.10.100/24 TUNNEL_4_ATL 100

In this example, tunnels with priority of 100 are preferred to tunnels with priority of 200 because lower numbers have greater priority.

Optionally, you can assign weights to distribute traffic more effectively among multiple tunnels. Weight values determine traffic proportion, with higher weights receiving more traffic. The maximum weight value is 256 .

In the following example, TUNNEL_2_IAD is likely to receive twice as much traffic as TUNNEL_1_IAD .

Prefix NextHop Priority Weight 10.10.10.100/24 TUNNEL_1_IAD 100 64 10.10.10.100/24 TUNNEL_2_IAD 100 128 10.10.10.100/24 TUNNEL_3_ATL 100 192 10.10.10.100/24 TUNNEL_4_ATL 100 255

Aside from priority, scoping static routes to specific geographic regions also impacts how traffic is steered. Refer to Scoping routes to specific regions for more details.

Set priority for BGP routes

When BGP advertises a route, Cloudflare automatically adds it to the Cloudflare Virtual Network routing table with a default priority of 100 which applies to all regions. However, if a static route exists with the same prefix and priority, the static route always takes precedence over the BGP route. Set a different priority for static routes (more or less than 100 ) depending on which you want to prioritize. Lower values have greater priority.

Additionally, when multiple BGP routes exist with the same prefix length and priority, ECMP distributes traffic across them using equal-cost multi-path (ECMP) routing.

Change route priorities with BGP attributes

Cloudflare supports traffic engineering through BGP communities and AS prepending. You can use these traffic routing techniques to set route priorities and perform traffic engineering across multiple interconnects.

BGP communities for setting route priority

The default BGP route priority is 100 . This base priority can be adjusted using communities. For example, when a route is tagged with the community 13335:60010 its priority is set to 10 . This makes it a higher priority than the default of 100 because lower numeric priorities are preferred.

The community values supported for setting base route priority are:

13335:60010 : Set base route priority to 10

: Set base route priority to 13335:60050 : Set base route priority to 50

: Set base route priority to UNSET : Set base route priority to 100

: Set base route priority to 13335:60150 : Set base route priority to 150

: Set base route priority to 13335:60200 : Set base route priority to 200

: Set base route priority to 13335:60901 : Set base route priority to 501000

: Set base route priority to 13335:60902 : Set base route priority to 1001000

Setting multiple base priority communities in the same prefix update message is a misconfiguration. In this situation, Cloudflare prefers the highest priority (lowest integer value).

AS path prepending for adjusting route priority

For each additional mention of your ASN in the received AS path, Cloudflare adds 10 to the route's base priority. By increasing the priority number, the route becomes less preferred.

For example, if your ASN is 65000 then the BGP UPDATE to Cloudflare will be:

# No change to base priority. AS_PATH: 65000 65200 # Add 10 to base priority for 1 prepend of 65000 AS_PATH: 65000 65000 65200 # Add 20 to base priority for 2 prepend of 65000 AS_PATH: 65000 65000 65000 65200

How communities and prepends work together

Cloudflare adjusts route priority when using AS prepending with communities. For example, if a route is tagged with 13335:60150 , the base priority is set to 150 . If you prepend your ASN twice, Cloudflare adds 10 for each prepend, increasing the route priority to 180 .

Automatic Return Routing (beta)

Automatic Return Routing (ARR) allows Cloudflare to track network flows from your Cloudflare WAN (formerly Magic WAN) connected locations, ensuring return traffic is routed back to the connection where it was received without requiring static or dynamic routes. This functionality requires the new Unified Routing mode (beta).

Instead of relying on static or dynamic routes for the return path, Cloudflare WAN learns flows and remembers which connection a given flow arrived on. For any matching return traffic, Cloudflare WAN uses this learned state to choose the next hop. This simplifies configuration, reduces the number of routes you must manage, and helps preserve symmetry for stateful traffic.

ARR provides the following benefits:

Removes the need for return routes : For supported traffic types like new TCP connections (TCP SYN), UDP, and ICMP echo traffic, Cloudflare WAN no longer requires a routing table entry to return traffic to the originating tunnel or interconnect.

: For supported traffic types like new TCP connections (TCP SYN), UDP, and ICMP echo traffic, Cloudflare WAN no longer requires a routing table entry to return traffic to the originating tunnel or interconnect. Maintains symmetric routing for flows : Responses to a given flow (for example, a TCP session) return over the same Cloudflare WAN connection that carried the initial request — important for stateful firewalls and middleboxes.

: Responses to a given flow (for example, a TCP session) return over the same Cloudflare WAN connection that carried the initial request — important for stateful firewalls and middleboxes. Supports overlapping IP space : Because the return path is tied to the learned connection state instead of a destination prefix in the routing table, Automatic Return Routing can support scenarios where different sites use overlapping private address space.

: Because the return path is tied to the learned connection state instead of a destination prefix in the routing table, Automatic Return Routing can support scenarios where different sites use overlapping private address space. Operates per connection: You decide which IPsec / GRE tunnels or network interconnects should use this behavior by enabling the feature on each connection.

How ARR works

When traffic that is eligible for Automatic Return Routing (ARR) arrives on a connection with ARR enabled, Cloudflare WAN creates a flow entry that records:

The source and destination IP addresses

The relevant ports or identifiers, depending on the protocol

The connection (tunnel or interconnect) that the traffic arrived on

For any subsequent packets that match this flow and require a next hop, Cloudflare WAN:

Checks for a matching Automatic Return Routing flow. If a match exists, routes the packet back to the same connection where the flow was learned, instead of consulting the Cloudflare Virtual Network routing table.

The initial request from your network to the Internet still uses your configured static or BGP routes. ARR only affects the return path for supported traffic after the flow is learned.

Traffic and destinations affected

Automatic Return Routing applies when:

Traffic is received on a tunnel or network interconnect where the feature is enabled.

The received traffic is one of:

New TCP connections (TCP SYN)

UDP

ICMP echo (ping) requests

The traffic is destined for:

Internet egress through Cloudflare

A WARP client

A private network connected to Cloudflare through Cloudflare Tunnel

A private network connected to Cloudflare through WARP Connector

In this initial release, ARR does not change routing for traffic between Cloudflare WAN connections (for example, traffic from one Cloudflare WAN tunnel or interconnect to another). That traffic continues to follow your configured Cloudflare WAN routes.

Unified Routing mode (beta)

The Unified Routing mode is the newer Cloudflare One data plane that uses a single routing fabric for all supported connection types. Unified Routing mode routes traffic across WARP, Cloudflare Tunnel, IPsec, GRE, and Cloudflare Network Interconnect (CNI) in a single system, making it easier to set up your Cloudflare One connections.

In the Cloudflare WAN dashboard, routing mode appears where you manage routes:

Routing mode: Unified — your account is on the unified data plane and supports the new routing features.

— your account is on the unified data plane and supports the new routing features. Routing mode: Legacy — your account uses the previous data plane and does not support all unified routing features.

Why use Unified Routing

Unified Routing is the future of the dedicated virtual network overlay that powers Magic Transit and Cloudflare One network connectivity.

For Cloudflare One customers, there are several reasons to consider moving to Unified Routing, as it is a prerequisite for several new capabilities:

Automatic Return Routing

BGP over IPsec/GRE

Cloudflare Source IPs using private IP space with customizable IPv4 range

Customizable Cloudflare One Client IPv4 ranges

IPv6 support

Improved performance between Cloudflare One Client and IPsec/GRE/CNI

Support for WARP Connector client and IPsec/GRE/CNI connectivity in the same account.

Beta limitations

The following limitations apply to accounts using Unified Routing mode. This list will get shorter as Cloudflare adds support for additional features.

Current beta limitations Details Performance Typically around 150 Mbps for each onramp Network analytics Not yet fully supported Basic packet captures Captures exclude Automatic Return Routing or BGP-over-tunnels traffic Full packet captures Not yet supported Advanced Cloudflare Network Firewall features: GeoIP/Country rules, IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, Managed Rulesets Not yet supported Gateway filtering rules Not supported on traffic where both the onramp and offramp is IPsec/GRE/CNI Load Balancer Not supported to IPsec/GRE/CNI destinations

Enroll in the Unified Routing beta

Unified Routing is currently in closed beta. To sign up:

Existing Cloudflare WAN or Magic Transit customers : Cloudflare recommends you evaluate the new functionality with your use case in a non-production account. Contact your account team to enable Unified Routing.

: Cloudflare recommends you evaluate the new functionality with your use case in a non-production account. Contact your account team to enable Unified Routing. New customers: Contact your account team to enable Unified Routing in a proof-of-concept for your use case.

Scoping routes to specific regions

If you have multiple connectivity paths to a network segment and want to apply different route prioritization based on where traffic arrives at the Cloudflare network, you can scope routes to specific Cloudflare data center regions. This is useful if you run your own anycast network and want your end-user traffic to arrive at your network location closest to the user.

When you scope a route to a Cloudflare data center region, it only shows up in the Cloudflare Virtual Network routing table in that region, along with all global routes that do not have any region scope. Route prioritization and ECMP logic apply across both region-scoped and global routes.

Note Scoping routes to specific regions is not supported with BGP peering, and is only available to statically configured routes at this time.

When using region-scoped routes, ensure that all prefixes have routes covering all regions. Otherwise, traffic may arrive at a Cloudflare region that is not covered by any route, in which case Cloudflare drops the traffic.

The following table exemplifies how to use geographic scoping for routes:

Prefix NextHop Priority Region code 10.10.10.100/24 TUNNEL_1_IAD 100 AFR 10.10.10.100/24 TUNNEL_2_IAD 100 EEUR 10.10.10.100/24 TUNNEL_3_ATL 100 ENAM 10.10.10.100/24 TUNNEL_4_ATL 100 ME 10.10.10.100/24 TUNNEL_5_ATL 100 WNAM 10.10.10.100/24 TUNNEL_4_ATL 100 ENAM

When there are multiple routes to the same prefix with equal priority, and those routes are assigned to different geographic regions (like WNAM and ENAM), traffic entering the network in a specific region — for example, WNAM — egresses through the route associated with that same region.

Region codes and associated regions

Cloudflare has nine geographic regions:

Region code Region AFR Africa APAC Asia Pacific EEUR Eastern Europe ENAM Eastern North America ME Middle East OC Oceania SAM South America WEUR Western Europe WNAM Western North America

Configure scoping for your traffic in the Region code section when adding or editing a static route. Refer to Create a static route and Edit a static route for more information.

Equal-cost multi-path routing

Equal-cost multi-path routing uses hashes calculated from packet ↗ data to determine the route chosen. The hash always uses the source and destination IP addresses. For TCP and UDP packets, the hash includes the source and destination ports as well. The ECMP algorithm divides the hash for each packet by the number of equal-cost next hops. The modulus (remainder) determines the route the packet takes.

Using ECMP has a number of consequences:

Routing to equal-cost paths is probabilistic.

Packets in the same session with the same source and destination have the same hash. The packets also use the same next hop.

Routing changes in the number of equal-cost next hops can cause traffic to use different tunnels. For example, dynamic reprioritization triggered by health check events can cause traffic to use different tunnels.

As a result, ECMP provides load balancing across tunnels with the same prefix and priority.

Note Packets in the same flow use the same tunnel unless the tunnel priority changes. Packets for different flows can use different tunnels depending on which tunnel the flow's 4-tuple — source and destination IP and source and destination port — hash to.

Examples

This diagram illustrates how ECMP distributes traffic equally across two paths with the same prefix and priority.

Normal traffic flow

flowchart LR accTitle: Tunnels diagram accDescr: This example has three tunnel routes, with traffic equally distributed across two paths. subgraph Cloudflare direction LR B[Cloudflare <br> data center] C[Cloudflare <br> data center] D[Cloudflare <br> data center] end Z("Load balancing for some <br> priority tunnels uses ECMP <br> (hashing on src IP, dst IP, <br> scr port, dst port)") --- Cloudflare A((User)) --> Cloudflare --- E[Anycast IP] E[Anycast IP] --> F[/"GRE Tunnel 1 / <br> priority 1 / <br> ~50% of flows"/] --> I{{Customer <br> data center/ <br> network 1}} E[Anycast IP] --> G[/"GRE Tunnel 2 / <br> priority 1 / <br> ~50% of flows"/] --> J{{Customer <br> data center/ <br> network 2}} E[Anycast IP] --> H[/GRE Tunnel 3 / <br> priority 2 / <br> 0% of flows/] --o K{{Customer <br> data center/ <br> network 3}}

Failover traffic flow: Scenario 1

Customer router failure

When Cloudflare WAN health checks determine that Tunnel 2 is unhealthy, Cloudflare WAN dynamically de-prioritizes that route, leaving Tunnel 1 as the sole top-priority route. As a result, Cloudflare WAN steers traffic away from Tunnel 2, and all traffic flows to Tunnel 1.

flowchart LR accTitle: Tunnels diagram accDescr: This example has Tunnel 2 unhealthy, and all traffic prioritized to Tunnel 1. subgraph Cloudflare direction LR B[Cloudflare <br> data center] C[Cloudflare <br> data center] D[Cloudflare <br> data center] end Z(Tunnel health is <br> determined by <br> health checks that <br> run from all Cloudflare <br> data centers) --- Cloudflare A((User)) --> Cloudflare --- E[Anycast IP] E[Anycast IP] --> F[/"Tunnel 1 / <br> priority 1 / <br> ~100% of flows"/]:::green --> I{{Customer <br> data center/ <br> network 1}} E[Anycast IP] --> G[/Tunnel 2 / <br> priority 3 / <br> unhealthy / 0% of flows/]:::red --x J{{Customer <br> data center/ <br> network 2}} E[Anycast IP] --> H[/Tunnel 3 / <br> priority 2 / <br> 0% of flows/] --o K{{Customer <br> data center/ <br> network 3}} classDef red fill:#EE4B2B,color: black classDef green fill:#00FF00,color: black

Failover traffic flow: Scenario 2

Intermediary Internet Service Provider (ISP) failure

When Cloudflare WAN determines that Tunnel 1 is unhealthy as well, that route is also de-prioritized, leaving Tunnel 3 with the top priority route. In that case, all traffic flows to Tunnel 3.

flowchart LR accTitle: Tunnels diagram accDescr: This example has Tunnel 1 and 2 unhealthy, and all traffic prioritized to Tunnel 3. subgraph Cloudflare direction LR B[Cloudflare <br> data center] C[Cloudflare <br> data center] D[Cloudflare <br> data center] end Z(Lower-priority tunnels <br> are used when <br> higher-priority tunnels <br> are unhealthy) --- Cloudflare A((User)) --> Cloudflare --- E[Anycast IP] E[Anycast IP] -- Intermediary <br> network issue --> F[/Tunnel 1 / <br> priority 3 / <br> unhealthy / 0% of flows/]:::red --x I{{Customer <br> data center/ <br> network 1}} E[Anycast IP] -- Intermediary <br> network issue --> G[/Tunnel 2 / <br> priority 3 / <br> unhealthy / 0% of flows/]:::red --x J{{Customer <br> data center/ <br> network 2}} E[Anycast IP] --> H[/Tunnel 3 / <br> priority 2 / <br> 100% of flows/]:::green --> K{{Customer <br> data center/ <br> network 3}} classDef red fill:#EE4B2B,color: black classDef green fill:#00FF00,color: black

When Cloudflare WAN determines that Tunnels 1 and 2 are healthy again, it re-prioritizes those routes, and traffic flow returns to normal.

ECMP and bandwidth utilization

Because ECMP is probabilistic, the algorithm routes roughly the same number of flows through each tunnel. However, it does not consider the amount of traffic already sent through a tunnel when deciding where to route the next packet.

For example, consider a scenario with many very low-bandwidth TCP connections and one very high-bandwidth TCP connection. Packets for the high-bandwidth connection have the same hash and thus use the same tunnel. As a result, that tunnel utilizes greater bandwidth than the others.

Note Cloudflare WAN supports a weight field that you can apply to a route so that a specified percentage of traffic uses a certain tunnel rather than other equal-cost tunnels. Refer to Route prioritization for more information. For example, in a scenario where you want to route 70% of your traffic through ISP A and 30% through ISP B, you can use the weight field to help achieve that. Because ECMP balances flows probabilistically, the use of weights is only approximate. For more on Cloudflare WAN tunnel weights, contact your Cloudflare customer service manager.

BGP information

Using BGP peering with your Cloudflare One or Magic Transit Virtual Network routing table allows you to:

Automate the process of adding or removing networks and subnets.

Take advantage of failure detection and session recovery features.

With this functionality, you can:

Establish an eBGP session between your devices and the Cloudflare WAN service when connected through CNI, GRE or IPsec tunnels.

Secure the session by MD5 authentication to prevent misconfigurations.

Exchange routes dynamically between your devices and your Cloudflare Virtual Network routing table.

Release status

The following table outlines the current availability and recommended use cases for BGP across different connectivity methods.

Feature Release stage Recommended use Prerequisites BGP over CNI Open Beta Production Cloudflare Network Interconnect (CNI) v2 BGP over Anycast IPsec/GRE Closed Beta Lab / Testing only Unified Routing (beta) - contact your account team to enroll

BGP architecture

Global routing and anycast edge

Magic Networking makes a one-pass, per-packet routing decision at the Cloudflare data center that first processes the packet (the ingress node). This ensures that even when a packet traverses multiple nodes within the Cloudflare backbone, its path is determined at the point of entry for maximum efficiency.

Your BGP session over IPsec, GRE, or CNI is established with the Cloudflare data center closest to your BGP peer device. Routes learned here must propagate to Cloudflare's global edge to govern how traffic is routed across the entire network.

Convergence time : Global route convergence typically completes within 20 seconds.

: Global route convergence typically completes within 20 seconds. Visibility: You can monitor learned routes and their propagation status through the Cloudflare dashboard or API.

Centralized route propagation

Magic Networking uses a centralized control plane for route propagation, functioning similarly to a BGP Route Reflector. This architecture decouples the physical BGP session from global route distribution:

Session termination : BGP peering sessions are terminated at the Cloudflare edge location closest to your router.

: BGP peering sessions are terminated at the Cloudflare edge location closest to your router. SDN conversion : Ingress BGP updates are converted into Software-Defined Networking (SDN) state and transmitted to a centralized relay function.

: Ingress BGP updates are converted into Software-Defined Networking (SDN) state and transmitted to a centralized relay function. Global dissemination: The relay propagates these instructions to every Cloudflare data center globally, updating the local Forwarding Information Base (FIB) at each site.

Edge Resiliency Mode (Non-Stop Forwarding)

Cloudflare's data plane is designed for high availability. If the edge location loses communication with the centralized relay, the system enters Edge Resiliency Mode, mimicking Non-Stop Forwarding (NSF) behavior:

Forwarding continuity : Edge locations continue to route traffic using the last-known-good forwarding table (FIB). Data plane traffic remains uninterrupted.

: Edge locations continue to route traffic using the last-known-good forwarding table (FIB). Data plane traffic remains uninterrupted. Stale path retention : Because the FIB is frozen during this mode, forwarding decisions remain active even if the underlying BGP session with your router flaps or resets.

: Because the FIB is frozen during this mode, forwarding decisions remain active even if the underlying BGP session with your router flaps or resets. Continuous health monitoring : While BGP updates are frozen, tunnel health checks remain active. These are sent from all Cloudflare data centers, allowing the edge at any ingress node to detect if a physical connection to your router has failed. If a health check fails, the ingress node at the edge will deprioritize that specific path, preventing traffic from being sent into a black hole despite the frozen routing state.

: While BGP updates are frozen, tunnel health checks remain active. These are sent from all Cloudflare data centers, allowing the edge at any ingress node to detect if a physical connection to your router has failed. If a health check fails, the ingress node at the edge will deprioritize that specific path, preventing traffic from being sent into a black hole despite the frozen routing state. Update freeze: During this state, the global control plane is frozen. New BGP updates received from your router will be held locally at the edge and will not propagate globally until connectivity to the centralized relay is restored.

Traffic persistence during BGP resets In Edge Resiliency Mode, Cloudflare prioritizes forwarding continuity. If your on-premises router resets or the BGP session flaps, the edge will continue to forward traffic toward your peer device based on the last known valid routing state — provided that the underlying tunnel health checks remain successful. If the BGP session resets and the tunnel health checks fail (for example, your router is completely offline), the edge will typically take alternate paths until connectivity is restored.

System recovery and re-synchronization

Once connectivity between the Cloudflare edge and the centralized relay is restored, the system automatically exits Edge Resiliency Mode and performs a stateful re-synchronization:

RIB-to-relay sync: The edge pushes all currently held BGP updates (the current RIB state) to the relay. Global update: The relay reconciles these updates and propagates any changes to the rest of the Cloudflare global network. FIB unfreeze: The local forwarding tables at the edge are unfrozen and updated with the latest validated routing instructions.

BGP peering with the Cloudflare Virtual Network routing table

Cloudflare WAN BGP peering is with the Cloudflare Virtual Network routing table (as opposed to peering with the Cloudflare Internet global network). BGP peers configured by following this guide will receive advertisements for all prefixes in the Cloudflare Virtual Network routing table plus any additional prefixes configured in the on-ramp Advertised prefix list.

If instead you are seeking to do public peering with the Cloudflare ASN 13335 at one of the Cloudflare data centers, refer to PNI and peering setup. It is not currently possible to share Cloudflare Virtual Network BGP peering and PNI on the same physical interconnect port.

BGP route distribution and convergence

Cloudflare redistributes routes received from your device into the Cloudflare Virtual Network routing table, which both Cloudflare WAN and Magic Transit use.

All routes in the Cloudflare Virtual Network routing table are advertised to BGP peers. Each BGP peer receives each prefix route along with the full AS_PATH , with the selected Cloudflare side ASN ↗ prepended. This is so that the peer can accurately perform loop prevention ↗.

BGP peering sessions can advertise reachable prefixes to a peer and withdraw previously advertised prefixes. This propagation takes no more than a few minutes.

BGP timers and settings

Cloudflare uses the following timers, which are not configurable:

Setting Description Hold timer 240 seconds for CNI and 90 seconds for GRE and IPsec tunnels

(To establish a session, Cloudflare compares its hold timer and the peer's hold timer, and uses the smaller of the two values to establish the BGP session.) Keepalive timer One third of the hold timer. Graceful restart 120 seconds (currently, only supported on CNI)

Hold timer : Specifies the maximum amount of time that a BGP peer waits to receive a keepalive, update, or notification message before declaring the BGP session down. Cloudflare uses the smaller of this default hold timer and that received from the peer in the open message.

: Specifies the maximum amount of time that a BGP peer waits to receive a keepalive, update, or notification message before declaring the BGP session down. Cloudflare uses the smaller of this default hold timer and that received from the peer in the open message. Keepalive timer : BGP systems exchange keepalive messages to determine whether the peer router is reachable. If keepalive messages are not received within the hold timer, the session is assumed to be down, indicating that the peer is no longer reachable at the BGP protocol level.

: BGP systems exchange keepalive messages to determine whether the peer router is reachable. If keepalive messages are not received within the hold timer, the session is assumed to be down, indicating that the peer is no longer reachable at the BGP protocol level. Graceful restart timer: Tracks how long a router waits for a peer to re-establish a BGP session after the peer initiates a graceful restart. If the peer does not reconnect within this time, the router declares the session down and removes stale routes.

BGP capabilities and limitations

BGP multipath is supported. If BGP learns the same prefix on two different interconnects, Cloudflare distributes traffic destined for that prefix across each interconnect according to the usual ECMP behavior.

BGP Graceful Restart is supported in a passive (helper/aware) mode. Cloudflare maintains forwarding state for a restarting neighbor.

BGP support currently has the following limitations:

The Cloudflare account ASN and your device ASN must be different. Only eBGP is supported.

Cloudflare always injects routes with a priority of 100 .

. Bidirectional Forwarding Detection (BFD) is not supported.

If you are using BGP with IPsec/CNI (beta), you must set the ASN on the Cloudflare side to 13335 . Private ASNs are not yet supported.

Tunnel health checks

You need to enable legacy health checks alongside BGP. This is essential to determine if a specific Cloudflare data center is reachable from your device. Tunnel health checks modify the route priorities for dynamically learned BGP routes.

Application-aware policies

By default, Cloudflare balances and steers traffic based on network-layer characteristics (IP, port etc). If you are using the Cloudflare WAN Connector, you can also steer traffic based on well-known applications. Application-aware policies provide easier management and more granularity over traffic flows. For more information, refer to Applications and app types.