Get started
Before you can begin using Magic Transit, be sure to complete the onboarding steps below. Cloudflare can significantly accelerate this timeline during active-attack scenarios.
The onboarding process begins with an initial kickoff call where Cloudflare engages with your organization to confirm the scope and timeline for setting up Magic Transit.
After your call with Cloudflare, complete the prerequisites step.
Before you can begin using Magic Transit, verify that you meet Cloudflare's onboarding requirements.
Magic Transit relies on anycast tunnels to transmit packets from Cloudflare's global network to your origin network.
The routers at your tunnel endpoints must meet the following requirements to ensure compatibility with Magic Transit.
- Support anycast tunneling.
- Allow configuration of at least one tunnel per Internet service provider (ISP).
- Support maximum segment size (MSS) clamping.
Draft a Letter of Agency (LOA) - sometimes referred to as a Letter of Authorization - that identifies the prefixes you want to advertise and gives Cloudflare permission to announce them. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on your behalf. See this LOA template for an example.
If you are an Internet service provider (ISP) and advertising prefixes on behalf of a customer, an LOA is required for the ISP and for the customer.
If you are using a Cloudflare IP address, you do not need to submit an LOA.
Verify that your Internet Routing Registry (IRR) entries match your corresponding origin autonomous system numbers (ASNs) to ensure Magic Transit routes traffic to the correct autonomous systems (AS). For guidance, refer to Verify IRR entries.
If you are using a Cloudflare IP, you do not need to verify your IRR entries.
You can also use the Resource Public Key Infrastructure (RPKI) as an additional option to validate your prefixes. RPKI is a security framework method ↗ that associates a route with an autonomous system. It uses cryptography to validate the information before being passed onto the routers.
To check your prefixes, you can use Cloudflare's RPKI Portal ↗.
Cloudflare Magic Transit uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets adding new headers. You must account for the space consumed by these headers when configuring the maximum transmission unit (MTU) and maximum segment size (MSS) values for your network.
The MSS value depends on how your network is set up.
-
Magic Transit ingress-only traffic (DSR):
- On your edge router transit ports: Apply a TCP MSS clamp with a maximum of 1,436 bytes.
- On any IPsec/GRE tunnels with third parties on your Magic Transit prefix: Apply the MSS clamp on the internal tunnel interface (most likely on a separate firewall behind the GRE-terminating router) to reduce the current value by 24 bytes.
-
For Magic Transit ingress + egress traffic:
- On the Magic Transit GRE tunnel internal interface: Meaning where the Magit Transit egress traffic will traverse. This may be done automatically once the tunnel is configured but it depends on your devices. The TCP MSS clamp should be 1,436 bytes maximum.
- On any IPsec/GRE tunnels with third parties on your Magic Transit prefix: On the internal tunnel interface (most likely on a separate firewall behind the GRE-terminating router) to reduce its current value by 24 bytes.
For IPsec tunnels, the value you need to specify depends on how your network is set up. The MSS clamping value will be lower than for GRE tunnels, however, since the physical interface will see IPsec-encrypted packets, not TCP packets, and MSS clamping will not apply to those.
-
Magic Transit ingress-only traffic (DSR):
- On your edge router transit ports: TCP MSS clamp should be 1,360 bytes maximum.
- On any IPsec/GRE tunnels with third parties on your Magic Transit prefix: on the internal tunnel interface (most likely on a separate firewall behind the GRE-terminating router) to reduce its current value by 140 bytes.
-
Magic Transit ingress + egress traffic:
- On your edge router: Apply this on your Magic Transit IPsec tunnel internal interface (that is, where the Magic Transit egress traffic will traverse). This may be done automatically once the tunnel is configured but it depends on your devices. TCP MSS clamp should be 1,360 bytes maximum.
- On any IPsec/GRE tunnels with third parties on your Magic Transit prefix: on the internal tunnel interface (most likely on a separate firewall behind the IPsec-terminating device in your premises) to reduce its current value by 140 bytes.
Refer to Maximum transmission unit and maximum segment size for more details.
If you are unable to set the MSS on your physical interfaces to a value lower than 1500 bytes, you can choose to clear the do not fragment
bit in the IP header. When this option is enabled, Cloudflare fragments packets greater than 1500 bytes, and the packets are reassembled on your infrastructure after decapsulation. In most environments, enabling this option does not have significant impact on traffic throughput.
To enable this option for your network, contact your account team.
Refer to Maximum transmission unit and maximum segment size for more details.
Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.
The following table lists several commonly used router vendors with links to MSS clamping instructions:
Router device | URL |
---|---|
Cisco | TCP IP Adjust MSS ↗ |
Juniper | TCP MSS - Edit System ↗ |
Configure the tunnels on both the Cloudflare side and your router side to connect to your origin infrastructure.
Configure static routes to route traffic from Cloudflare's global network to your locations.
After setting up your tunnels and static routes, Cloudflare validates tunnel connectivity, tunnel and endpoint health checks, Letter of Agency (LOA), Internet Routing Registry (IRR), and maximum segment size (MSS) configurations. Configurations for Cloudflare global network are applied and take around one day to rollout.
Once pre-flight checks are completed, Cloudflare will unlock your prefixes for you to advertise via the dashboard, API or BGP at a time of your choosing. Refer to Dynamic advertisement best practices to learn more about advertising prefixes.
If you are using a Cloudflare IP, you do not need to advertise your prefixes.