Magic Transit

Requirements

You must meet the following onboarding requirements before using Magic Transit.

Use compatible tunnel endpoint routers

Magic Transit relies on Generic Routing Encapsulation (GRE) tunnels to transmit packets from Cloudflare’s edge to your origin network.

The routers at your GRE tunnel endpoints must meet the following requirements to ensure compatibility with Magic Transit.

  • Support GRE tunneling.
  • Allow configuration of at least one tunnel per Internet service provider (ISP).
  • Support maximum segment size (MSS) clamping.

Draft Letter of Authorization

Draft a Letter of Authorization (LOA) that identifies the prefixes you want to advertise and gives Cloudflare permission to announce them. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on your behalf. See this LOA template for an example.

Verify Internet Routing Registry entries

Verify your Internet Routing Registry (IRR) entries match corresponding origin autonomous system numbers (ASNs) to ensure Magic Transit routes traffic to the correct autonomous systems (AS). For guidance, refer to Verify IRR entries.

Set maximum segment size

[Figure: packet flow diagram]

The SYN-ACK packet sent to the client during the TCP handshake encodes the value for maximum segment size (MSS). Egress packets are routed via your ISP interface, and each packet must comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.

Cloudflare uses GRE tunnels to deliver packets from our edge to your data centers. Magic Transit encapsulates each packet, adding a new IP header and a GRE protocol header.

You must set the MSS value to 1436 bytes at your physical egress interfaces — not the GRE tunnel interfaces — to accommodate the additional header data. If you are using IPsec inside GRE, you will need to lower your MSS value to 1360 bytes or lower at your physical egress interfaces.

  Standard Internet routable MTU       1500 bytes
  - Original IP header                   20 bytes
  - Original protocol header (TCP)       20 bytes
  - New IP header                        20 bytes
  - New protocol header (GRE)             4 bytes
  = Maximum segment size (MSS)         1436 bytes

Unless you apply these MSS settings at the origin, client machines do not know that they must use an MSS of 1436 bytes when sending packets to your origin.

Follow router vendor guidelines

Instructions for applying MSS clamps vary depending on the vendor of your router.

The following table lists several commonly used router vendors with links to MSS clamping instructions:

  Router device    URL
  Cisco            TC IP Adjust MSS
  Juniper          TCP MSS – Edit System

Verify MSS settings at your origin

Run the following command on the servers egressing the prefixes you want to add to Magic Transit to verify that your routers have the correct MSS setting (1436 bytes) at your origin.

$ curl 167.71.125.57:8080

You should see the following result:

Local: 167.71.125.57:8080
Remote: 172.68.141.62:44108
Local MSS: 1436
Remote MSS: 1436
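The following Python script is an added worked example, not Cloudflare's code. It ties together the MSS arithmetic above and the verification step: it derives the 1436-byte figure from the header sizes in the table, reads the MSS option out of a TCP SYN-ACK options field (the place the page says the value is encoded), and parses the Local MSS / Remote MSS lines of the curl check so a deployment script can fail if the clamp is missing. The option bytes and the failing report are constructed samples, not captured traffic; the function names are this example's own.

```python
"""Added example: derive, read and verify the Magic Transit MSS of 1436 bytes."""
import re
import struct

# Header sizes taken from the MSS table on the page (bytes).
STANDARD_MTU = 1500
GRE_OVERHEADS = {
    "Original IP header": 20,
    "Original protocol header (TCP)": 20,
    "New IP header": 20,
    "New protocol header (GRE)": 4,
}


def expected_mss(mtu=STANDARD_MTU, overheads=GRE_OVERHEADS):
    """MTU minus every header that must fit inside it: 1436 for plain GRE."""
    return mtu - sum(overheads.values())


TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def parse_tcp_options(options):
    """Return {kind: payload} for a TCP options field.

    Layout: a 1-byte kind; every kind except EOL (0) and NOP (1) is followed
    by a 1-byte total length that includes the kind and length bytes.
    """
    parsed = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        parsed[kind] = options[i + 2:i + length]
        i += length
    return parsed


def tcp_mss_option(options):
    """MSS advertised in a SYN/SYN-ACK options field, or None if absent."""
    payload = parse_tcp_options(options).get(TCP_OPT_MSS)
    if payload is None:
        return None
    if len(payload) != 2:
        raise ValueError("MSS option must carry exactly 2 bytes")
    return struct.unpack("!H", payload)[0]


# Constructed sample option fields (not captured traffic):
# MSS=1436, NOP, NOP, SACK-permitted: what a correctly clamped SYN-ACK carries.
SYN_ACK_CLAMPED = bytes([2, 4, 0x05, 0x9C, 1, 1, 4, 2])
# MSS=1460: the usual Ethernet default, i.e. no clamp applied at the egress.
SYN_ACK_UNCLAMPED = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])

REPORT_RE = re.compile(r"^(Local|Remote) MSS:\s*(\d+)\s*$", re.MULTILINE)


def parse_mss_report(text):
    """Parse the 'Local MSS' / 'Remote MSS' lines of the curl check output."""
    return {side: int(value) for side, value in REPORT_RE.findall(text)}


def mss_clamp_applied(text, expected=1436):
    """True only when both sides report exactly the expected MSS."""
    seen = parse_mss_report(text)
    return set(seen) >= {"Local", "Remote"} and all(v == expected for v in seen.values())


# Constructed copy of the expected output shown on the page.
SAMPLE_REPORT_OK = """Local: 167.71.125.57:8080
Remote: 172.68.141.62:44108
Local MSS: 1436
Remote MSS: 1436
"""
# Constructed failing case: the origin side (Remote, from the checker's view) never clamped.
SAMPLE_REPORT_BAD = SAMPLE_REPORT_OK.replace("Remote MSS: 1436", "Remote MSS: 1460")

if __name__ == "__main__":
    print("expected MSS for GRE:", expected_mss())
    print("MSS in clamped SYN-ACK:", tcp_mss_option(SYN_ACK_CLAMPED))
    print("MSS in unclamped SYN-ACK:", tcp_mss_option(SYN_ACK_UNCLAMPED))
    print("page sample passes:", mss_clamp_applied(SAMPLE_REPORT_OK))
    print("unclamped origin passes:", mss_clamp_applied(SAMPLE_REPORT_BAD))
```

Feed the real output of `curl 167.71.125.57:8080` to `mss_clamp_applied()` from each origin server; a `False` result means the clamp is not in effect on that server's egress path and the physical interface configuration should be checked before adding the prefix.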