Skip to content

Regionalized IP Bindings

Regionalized IP Bindings let you regionalize traffic at the IP layer for prefixes you bring to Cloudflare through Bring Your Own IP (BYOIP). You bind a CIDR from one of your prefixes to a region, and Cloudflare processes traffic destined for those IP addresses only within the data centers in that region.

This complements the other ways to use Regional Services: where Regional Hostnames regionalize traffic by hostname, Regionalized IP Bindings regionalize traffic by IP prefix — ideal for address-map deployments and any service you address by IP rather than hostname. Because bindings are managed entirely through the API, you can regionalize broad configurations yourself once your entitlements are enabled, without per-zone setup from your account team.

How it works

A prefix binding maps a CIDR (within a BYOIP prefix you own) to a region key (for example, us or eu). After Cloudflare provisions the binding, traffic to addresses in that CIDR terminates TLS and is processed only inside the configured region, following the same in-region processing model described in Regional Services.

Bindings are managed through the Data Localization Suite API under /accounts/{account_id}/dls/.

Prerequisites

Before you create a binding, make sure that:

Required API token permissions

These endpoints are authorized at the account level. The permissions you need depend on the operation:

OperationRequired token permissions
List regions, get a region, list or get bindingsDLS: Read
Create, update, or delete a prefix bindingDLS: Write and IP Prefixes: Write

Write operations require IP Prefixes: Write in addition to DLS: Write because the binding is created against a BYOIP prefix that you own in Addressing — Cloudflare verifies that you have permission to modify that prefix. A token with only DLS: Write can read regions and bindings but will be rejected when it tries to create or change a binding.

The Super Administrator and Administrator roles include all of these permissions. A custom role works as long as it includes the permission groups above.

List available regions

Each binding references a region by its region_key (for example, us or eu). List the regions available to your account to find a valid key.

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/%7Baccount_id%7D/dls/regions" \
--request GET \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
Response
{
"success": true,
"errors": [],
"messages": [],
"result": [
{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"name": "Europe",
"region_key": "eu",
"created_on": "2026-01-13T23:59:45.276558Z",
"modified_on": "2026-01-13T23:59:45.276558Z",
"version": 1,
"version_created_on": "2026-01-13T23:59:45.276558Z"
}
],
"result_info": {
"count": 1,
"per_page": 25,
"cursor": ""
}
}

Use the type query parameter (managed or custom) to filter the results by region type. Results are paginated — pass the cursor value from a response to fetch the next page.

Get a single region

Retrieve a region by its region_key or ID.

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/%7Baccount_id%7D/dls/regions/eu" \
--request GET \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

Create a prefix binding

Bind a CIDR from one of your BYOIP prefixes to a region. The cidr must fall within the prefix identified by prefix_id.

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/%7Baccount_id%7D/dls/regional_services/prefix_bindings" \
--request POST \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--json '{
"prefix_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"cidr": "203.0.113.0/24",
"region_key": "eu"
}'
Response
{
"success": true,
"errors": [],
"messages": [],
"result": {
"id": "f0e1d2c3-b4a5-6789-0abc-def123456789",
"prefix_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"cidr": "203.0.113.0/24",
"region_key": "eu"
}
}

List prefix bindings

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/%7Baccount_id%7D/dls/regional_services/prefix_bindings" \
--request GET \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
Response
{
"success": true,
"errors": [],
"messages": [],
"result": [
{
"id": "f0e1d2c3-b4a5-6789-0abc-def123456789",
"prefix_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"cidr": "203.0.113.0/24",
"region_key": "eu"
}
],
"result_info": {
"count": 1,
"per_page": 25,
"cursor": ""
}
}

Get a single binding

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/%7Baccount_id%7D/dls/regional_services/prefix_bindings/%7Bbinding_id%7D" \
--request GET \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

Update the region for a binding

Change the region a binding points to. Only the region_key can be updated. To change the CIDR, delete the binding and create a new one.

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/%7Baccount_id%7D/dls/regional_services/prefix_bindings/%7Bbinding_id%7D" \
--request PATCH \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--json '{
"region_key": "us"
}'
Response
{
"success": true,
"errors": [],
"messages": [],
"result": {
"id": "f0e1d2c3-b4a5-6789-0abc-def123456789",
"prefix_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"cidr": "203.0.113.0/24",
"region_key": "us"
}
}

Delete a binding

Remove a binding to stop regionalizing traffic for its CIDR.

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/%7Baccount_id%7D/dls/regional_services/prefix_bindings/%7Bbinding_id%7D" \
--request DELETE \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
Response
{
"success": true,
"errors": [],
"messages": [],
"result": null
}