Skip to content
Magic Transit
Visit Magic Transit on GitHub
Set theme to dark (⇧+D)

Specify tunnel endpoints

Anycast edge IP addresses

Cloudflare will assign two Anycast IP addresses shortly after your onboarding kickoff call. Use these Anycast edge addresses as the GRE tunnel destinations on your data center routers/endpoints.

Generic Routing Encapsulation (GRE)

Cloudflare recommends two GRE tunnels for each ISP and data center router combination, one per Anycast IP.

To configure the GRE tunnel(s) between Cloudflare and your data centers, you must provide the following data for each tunnel:

  • Customer edge IP address—A public Internet routable IP address outside of the prefixes Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection like Cloudflare Network Interconnect, you do not need to provide edge addresses because Cloudflare will provide them.
  • Private subnet—A 31-bit subnet (/31 in CIDR notation) supporting 2 hosts, one for each side of the tunnel. Select the subnet from the following private IP space:
    • 10.0.0.0–10.255.255.255
    • 172.16.0.0–172.31.255.255
    • 192.168.0.0–192.168.255.255
  • Private IP addresses—The private IP address assigned to the Cloudflare and customer sides of the tunnel
Edge routing configuration example
GRE tunnelCustomer edge IPAnycast IPPrivate subnetCustomer private IPCloudflare private IP
GRE_1_IAD104.18.112.75Anycast IP 110.10.10.100/3110.10.10.10010.10.10.101
GRE_2_IAD104.18.112.75Anycast IP 210.10.10.102/3110.10.10.10210.10.10.103
GRE_3_ATL104.40.112.125Anycast IP 110.10.10.104/3110.10.10.10410.10.10.105
GRE_4_ATL104.40.112.125Anycast IP 210.10.10.106/3110.10.10.10610.10.10.107