Skip to content
Cloudflare Docs

Advertise prefixes

Onboard prefixes

You can bring your own public IPs to Cloudflare to use with Magic Transit. This process requires two steps:

  1. Add IP prefixes for each IP address block that you bring to Cloudflare. The IP prefix includes the permission (Letter of Agency or LOA) that allows Cloudflare to announce the network or its subnets. The IP prefix is also where you define your optional Autonomous System Number (ASN) to be included in Cloudflare's advertised AS path.
  2. Define additional BGP prefixes, which control the announcement of the prefix from Cloudflare. By default there is always one BGP prefix that is identical to the IP prefix. You can optionally configure additional, more-specific BGP prefixes (subnets of the IP prefix), up to a maximum prefix length of /24.

IP prefixes

Cloudflare measures the Magic Transit prefix count based on the number of BGP prefixes a customer defines. Each prefix is billed separately, even if they overlap. For example, both a /16 and any /24 within it are counted individually. Onboarding a larger aggregate prefix does not automatically include its smaller subnets for announcement or billing purposes.

While there is no billing limit on the accepted prefix sizes, technically only prefixes up to /24 are accepted for onboarding, as longer ones (like /25, /26) are not globally routable.

Provide all IP prefixes you plan to onboard, along with the ASNs from which they will be advertised. When specifying prefixes, observe these guidelines:

  • Prefixes must support at least 256 hosts (/24 in classless inter-domain routing CIDR notation). Refer to Use a Cloudflare IP if you do not meet the /24 prefix length requirement.
  • Internet Routing Registry entries and Letters of Agency (LOA) must match the prefixes and originating prefixes you submit to Cloudflare.
  • When using contiguous prefixes, specify aggregate prefixes where possible.
  • When using Route Origin Authorizations (ROAs) to sign routes for resource public key infrastructure (RPKI), the prefix and originating ASN must match the onboarding submission.
  • If you do not own an ASN, you can use the Cloudflare Customer ASN (AS13335).

Choose between Cloudflare’s ASN and your ASN

As a part of your IP prefix onboarding process, you need to decide the ASN Cloudflare will use to announce your prefixes. If you supply your own ASN, Cloudflare prepends the main Cloudflare ASN (AS13335) to the BGP AS_PATH. For example, if your ASN is AS64496, anyone directly peering with Cloudflare sees the path as 13335 64496.

If you do not have an ASN or do not want to bring your ASN to Cloudflare, you can use the Cloudflare Customer ASN (AS13335).

BGP prefixes

BGP prefixes represent the prefix that will be announced through anycast from Cloudflare's global network. By default, there is always at least one BGP prefix that is identical to the onboarded IP prefix.

For example, if a customer onboards a /20 IP prefix to Magic Transit, it can only be announced as a /20 because there is only the default /20 BGP prefix. Smaller sub-prefixes (such as /24s) within that /20 cannot be announced individually unless they are configured as separate BGP prefixes.

Note that for billing purposes, Cloudflare measures the Magic Transit prefix count based on the number of BGP prefixes a customer defines.

BGP prefix advertisement control methods

Cloudflare offers multiple mechanisms for customers to control the announcement and withdrawal of on-demand prefixes. Customers can choose to manage advertisements through one of the following methods:

  • The Addressing API.
  • BGP peering with Cloudflare's route reflectors: Either over the Internet or over a Classic CNI connection. Contact your Cloudflare account team if you need this option.
  • Magic Network Monitoring: Dynamically announces prefixes based on user-defined traffic thresholds observed in your network.

Manage BGP prefixes

Add a BGP prefix

Create a POST request to add a BGP prefix. For example:

Create BGP Prefix
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/addressing/prefixes/$PREFIX_ID/bgp/prefixes" \
--request POST \
--header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
--header "X-Auth-Key: $CLOUDFLARE_API_KEY" \
--json '{
"cidr": "192.0.2.0/24"
}'
  1. Log in to the Cloudflare dashboard, and select your account.
  2. Go to Magic Transit > Configuration.
  3. From the IP Prefixes tab, select the prefix you want to modify > Edit.
  4. From the dropdown menu Status, choose whether the status of your IP is Advertised or Withdrawn.
  5. (Optional) Edit the description for your prefix.
  6. Select Edit IP Prefix to save your changes.

Delete an IP prefix

You can only delete a prefix with an Unapproved status. To delete prefixes with a different status, contact your administrator or account manager.

  1. From the IP Prefixes tab, locate the prefix you want to modify and select Delete.
  2. Confirm your choice from the modal by selecting Delete.

Use the API to set AS prepends on a BGP prefix

Use the Addressing API to control the number of times Cloudflare prepends its Autonomous System Number (ASN) to a prefix. You can prepend AS13335 up to three times in the AS_PATH of BGP updates for your prefixes. For example:

Required API token permissions

At least one of the following token permissions is required:
  • Magic Transit Write
  • IP Prefixes: Write
  • IP Prefixes: BGP On Demand Write
Update BGP Prefix
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/addressing/prefixes/$PREFIX_ID/bgp/prefixes/$BGP_PREFIX_ID" \
--request PATCH \
--header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
--header "X-Auth-Key: $CLOUDFLARE_API_KEY" \
--json '{
"asn_prepend_count": 3
}'

AS prepending helps you gracefully transition traffic between network providers. By adding prepends to Cloudflare's advertisement, you make the route through Cloudflare less preferred for some Internet network providers. This allows you to simultaneously advertise the same prefix from an alternate provider with a shorter, more desirable AS_PATH. Advertising from both providers at once can provide a smoother traffic migration and minimize packet loss during a change of provider.

The "asn_prepend_count" parameter accepts values from 0 to 3. A higher value makes the route less preferred.

When you use AS prepending to migrate traffic away from Magic Transit, the typical sequence of events is as follows:

  • Initial state: Cloudflare advertises your prefix with the default priority ("asn_prepend_count": 0). All traffic is routed to your network through the Cloudflare global network.
  • Deprioritize Cloudflare: You update the prefix via the API to set an AS prepend count (for example, "asn_prepend_count": 3). Cloudflare now advertises your prefix with a longer AS_PATH. External networks will update their BGP tables to recognize the Cloudflare path has the new, longer AS_PATH.
  • Introduce new provider: You begin advertising the same prefix from your alternate provider with a standard (shorter) AS_PATH.
  • Final state: External networks now receive two advertisements: the prepended route through Cloudflare and the non-prepended route through your new provider. The external network will select a path based on its BGP policy rules.

BGP control with Cloudflare Route Reflectors

Optionally, you can use BGP to control the advertisement status of your prefix — advertised or withdrawn — from Cloudflare's global network for on-demand deployment scenarios. BGP Control works by establishing BGP sessions to Cloudflare's globally distributed Route Reflectors, which will initiate propagation of your prefix advertisement across Cloudflare's global network. You can peer with Cloudflare's Route Reflectors via Internet or CNI. CNI peering is available through your account team.

Prefixes can be advertised from Cloudflare's network in a supported on-demand method such as BGP Control, or dynamically via the UI, API, or Magic Network Monitoring. During the onboarding of your on-demand prefixes, please specify whether you want BGP-controlled advertisement or dynamic advertisement (via dashboard/API/Magic Network Monitoring).

To begin using BGP control, contact your account team with the following information:

  • BGP endpoint IP addresses
  • Prefixes you want to use with BGP control
  • Your ASN for the BGP session

After receiving your information, Cloudflare will update firewall filters to establish the BGP session and provide you with the BGP endpoints to control your prefixes.

Regional settings

Magic Transit requires static routing to steer traffic from Cloudflare's network over one of your configured tunnel off-ramps (for GRE and IPsec tunnels). For CNI, both static routing and BGP options are available. Currently, advertisement of routes for traffic engineering purposes is not supported. As a best practice to reduce last-hop latency, you should consider scoping your routes regionally.

Cloudflare has nine geographic regions across the world which are listed below.

Region codeRegion
AFRAfrica
APACAsia Pacific
EEUREastern Europe
ENAMEastern North America
MEMiddle East
OCOceania
SAMSouth America
WEURWestern Europe
WNAMWestern North America

The default setting for static route regions is All Regions. Configure scoping for your traffic in the Region code section when adding or editing a static route.

Refer to Scoping routes to specific regions for more information.

Example router configurations

Below you can find example peering configurations for Cisco IOS and Juniper Junos OS for on-demand deployments leveraging BGP Control. The IP addresses used are from Cloudflare's route reflectors and should be left as is.

Cisco IOS

ip route {{ <YOUR-MAGIC-TRANSIT-PREFIX> }} Null0
ip prefix-list magic-transit-prefix seq 5 permit {{ <YOUR-MAGIC-TRANSIT-PREFIX> }}
route-map cloudflare-magic-transit-out permit 1
match ip address prefix-list magic-transit-prefix
!
route-map cloudflare-magic-transit-out deny 99
route-map reject-all deny 99
router bgp {{ <YOUR-ASN> }}
neighbor 141.101.67.22 remote-as 13335
neighbor 141.101.67.22 ebgp-multihop 64
neighbor 141.101.67.22 timers 60 900
neighbor 162.158.160.22 remote-as 13335
neighbor 162.158.160.22 ebgp-multihop 64
neighbor 162.158.160.22 timers 60 900
neighbor 173.245.63.66 remote-as 13335
neighbor 173.245.63.66 ebgp-multihop 64
neighbor 173.245.63.66 timers 60 900
!
address-family ipv4 unicast
redistribute static
neighbor 141.101.67.22 route-map cloudflare-magic-transit-out out
neighbor 141.101.67.22 route-map reject-all in
neighbor 162.158.160.22 route-map cloudflare-magic-transit-out out
neighbor 162.158.160.22 route-map reject-all in
neighbor 173.245.63.66 route-map cloudflare-magic-transit-out out
neighbor 173.245.63.66 route-map reject-all in
exit-address-family

Juniper MX (Junos OS set commands)

set protocols bgp group CF_ROUTE_REFLECTORS neighbor 162.158.160.22 description "CF RR#1 SIN"
set protocols bgp group CF_ROUTE_REFLECTORS neighbor 173.245.63.66 description "CF RR#2 IAD"
set protocols bgp group CF_ROUTE_REFLECTORS neighbor 141.101.67.22 description "CF RR#3 CDG"
set protocols bgp group CF_ROUTE_REFLECTORS peer-as 13335
set protocols bgp group CF_ROUTE_REFLECTORS import REJECT-ALL
set protocols bgp group CF_ROUTE_REFLECTORS export BGP-CONTROL-OUT
set policy-options policy-statement REJECT-ALL then reject
set policy-options policy-statement BGP-CONTROL-OUT term <TERM-NAME> from route-filter 104.245.62.0/24 exact
set policy-options policy-statement BGP-CONTROL-OUT term <TERM-NAME> from protocol static
set policy-options policy-statement BGP-CONTROL-OUT term <TERM-NAME> from route-type internal
set policy-options policy-statement BGP-CONTROL-OUT term <TERM-NAME> then accept
set policy-options policy-statement BGP-CONTROL-OUT then reject

Juniper MX (Junos OS XML format)

@rtr01> show configuration routing-instances STAGE protocols bgp group CF_ROUTE_REFLECTORS
type external;
multihop {
ttl 64;
}
local-address {{customer router IP}}
import NONE;
export NONE;
peer-as 13335;
local-as {{customer AS}} loops 2;
neighbor 162.158.160.22 {
description "CF RR#1 SIN";
}
neighbor 173.245.63.66 {
description "CF RR#2 IAD";
}
neighbor 141.101.67.22 {
description "CF RR#3 CDG";
}