Cloudflare Docs
Learning Paths
Secure your Internet traffic and SaaS apps (Learning Path)
Edit this page on GitHub
Set theme to dark (⇧+D)

Choose an on-ramp

  3 min read

Similar to the network onboarding practices in the Replace your VPN implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. In our recommended approach to security, you will source traffic from devices that would otherwise go to the Internet through a default route. Relevant targets for this may be branch offices, network subnets that need a secure path to the Internet, or anywhere that you control the Internet paths for groups of devices.

​​ Available on-ramps

The primary ways to source multi-device or network traffic to the Cloudflare network are via the WARP Connector as an all-ports traffic proxy, or via upstream DNS for a whole network using DNS filtering locations. Alternatively, Enterprise users can add Magic WAN to their plan and configure Magic WAN Connector or a dedicated third-party device.

​​ WARP Connector


WARP Connector, a software agent similar to our device client, functions as a virtual device to establish a connection between your network and the Cloudflare global network. You can install WARP Connector on a dedicated Linux server or virtual machine.

WARP Connector supports both ingressing and egressing traffic to and from your private network. This means it can proxy traffic initiated from a user running WARP into a private network (like cloudflared), or allow traffic initiated from a network to be on-ramped to Cloudflare for either public or private destinations. You can use WARP Connector to establish a secure egress path for servers or users on a network which may not each be able to run the WARP client and still apply Gateway network and HTTP inspection policies. This connection is most analogous to site-to-site VPN or proxy server connectivity.

For more information on setting up Cloudflare Tunnel via WARP Connector, refer to Set up WARP Connector.

​​ DNS filtering locations

DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers.

The fastest way to start filtering DNS queries from a location is by changing the DNS resolvers at the router. Alternatively, you can on-ramp devices or specific applications via DNS over HTTPS or DNS over TLS.

For more information on setting up DNS locations, refer to Add locations.

​​ Magic WAN

Magic WAN is Cloudflare’s offering most analogous to a traditional SD-WAN. Magic WAN is typically deployed via an IPSec or GRE tunnel terminating on customer devices (such as firewalls or routers), or via our Magic WAN Connector hardware device. You can also be deploy Magic WAN using Cloudflare Network Interconnect (CNI) at private peering locations or some public cloud instances (where compatible).

Magic WAN on-ramps and off-ramps traffic via your connections after transiting the Cloudflare global network. Gateway can also apply network and HTTP policies to this traffic for secure egress.

For more information on how Magic WAN integrates with Zero Trust, refer to Zero Trust integration.