Skip to content

Get started

To get started with Magic Cloud Networking you need to give Cloudflare permission to interact with cloud providers on your behalf. You might have multiple provider accounts for the same cloud provider - for example, you might want Cloudflare to manage virtual private clouds (VPCs) belonging to two different AWS accounts.

Once Cloudflare has the credentials required to access your cloud environments, Magic Cloud Networking will automatically begin discovering your cloud resources - like routing tables and virtual private networks. Discovered resources appear in your Cloud resource catalog.

1. Set up cloud credentials

Before you can connect Magic Cloud Networking to your cloud provider, you first need to create credentials with the correct permissions in your cloud provider.

Amazon AWS

  1. Create a custom access policy in your AWS account, and take note of the name you entered. Then, paste the following JSON code in the JSON tab:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AcceptTransitGatewayPeeringAttachment",
"ec2:CreateTransitGatewayPeeringAttachment",
"ec2:DeleteTransitGatewayPeeringAttachment",
"ec2:DescribeRegions",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:RejectTransitGatewayPeeringAttachment",
"ec2:GetManagedPrefixListEntries",
"ec2:CreateManagedPrefixList",
"ec2:ModifyManagedPrefixList",
"ec2:DeleteManagedPrefixList"
],
"Resource": "*"
}
]
}
  1. Follow the instructions on AWS to create an IAM user up until step 4 - do not check the Provide users access to the AWS Management Console option.

  2. In Give users permissions to manage their own security credentials (step 7 of the AWS instructions) select Attach policies directly, and add the following policies:

    • AmazonEC2ReadOnlyAccess
    • IAMReadOnlyAccess
    • NetworkAdministrator
    • <THE_NAME_OF_YOUR_CUSTOM_POLICY> (from step 1).
  3. Add an Access Key to the new user. Take note of the access key as you cannot retrieve this information later. Cloudflare will ask for this value when you make an AWS Cloud Integration.

Microsoft Azure

  1. Register an application and skip the optional Redirect URL step.
  2. Add a client secret to the app registration. Take note of the secret value as you cannot retrieve this information later. Cloudflare will ask for this value when you make an Azure Cloud Integration.
  3. Add a role assignment. The purpose of this step is to give the app that you registered in step 1 permission to access your Azure Subscription.
    1. In step 3 of the linked document, select the Contributor role from the Privileged administrator roles tab.
    2. In step 4 of the linked document, search for the app registration from step 1 when selecting members.

Google Cloud Platform

  1. Enable the Compute Engine API.
  2. Create a service account.
  3. Grant the new service account the Compute Network Admin role.
  4. Create a service account key. Use the JSON key type.

2. Set up Cloud Integrations

  1. Log in to the Cloudflare dashboard, and select your account.
  2. Select Manage Account > Cloud integrations.
  3. Go to Cloud integrations and select Add.
  4. Select your cloud provider to start the cloud integration wizard.
  5. Enter a descriptive name, and optionally a description, for your cloud integration.
  6. Select Continue.
  7. Enter the credentials that you have created in Set up cloud credentials. These allow Magic Cloud Networking to access the resources in your cloud provider.
  8. Select Authorize.

You have successfully connected your cloud provider to Magic Cloud Networking. Cloud resources found by Magic Cloud Networking are available in the Cloud resource catalog.

Next steps