Skip to content
Magic Transit
Visit Magic Transit on GitHub
Set theme to dark (⇧+D)

Tunnels & encapsulation

Magic Transit uses Generic Routing Encapsulation (GRE) tunnels to transmit packets from Cloudflare’s edge to your origin network. Cloudflare sets up GRE tunnel endpoints on edge servers (inside your network namespace), and you set up tunnel endpoints on routers at your data center.

This diagram illustrates the flow of traffic with Magic Transit:

GRE tunnel flow


Magic Transit encapsulates IP packets destined for your network and transmits them across the GRE tunnels to your tunnel endpoint router, which decapsulates the packets and sends them to your internal network.

This diagram illustrates how Magic Transit encapsulates packets at the Cloudflare edge and transmits them to a customer’s tunnel endpoint router (Acme in this example):

Encapsulation diagram

Anycast GRE

Magic Transit uses Anycast IP addresses for Cloudflare’s GRE tunnel endpoints, meaning that any server in any data center is capable of encapsulating and decapsulating packets for the same GRE tunnel.

This works because the GRE protocol is stateless—each packet is processed independently and does not require any negotiation or coordination between tunnel endpoints. While the tunnel endpoint is technically bound to an IP address, it need not be bound to a specific device. Any device that can strip off the outer headers and then route the inner packet can handle any GRE packet sent over the tunnel.

The result is that Cloudflare’s Anycast GRE architecture provides a conduit to your GRE tunnel for every server in every data center on Cloudflare’s global edge network, as illustrated in this diagram:

Cloudflare Anycast GRE