With Magic Transit On Demand, you can use Network Flow to analyze your network traffic and detect Distributed Denial of Service (DDoS) attacks while Magic Transit is disabled, that is, while Cloudflare is not advertising your IP prefixes. If an attack is detected, you can enable Magic Transit automatically or manually to mitigate it.

You can create Network Flow rules that monitor specific Internet Protocol (IP) prefixes for DDoS attacks. When a rule detects an attack, Cloudflare notifies you by email, webhook, or PagerDuty with information about the attack. Cloudflare can then automatically advertise the targeted IP prefixes, which enables Magic Transit and pulls their traffic through Cloudflare for mitigation. This feature is referred to as auto-advertisement, and you can enable it for individual Network Flow rules through the dashboard or the API.

After Magic Transit is activated and your traffic is flowing through Cloudflare, Cloudflare blocks malicious DDoS traffic, and your origin servers receive only clean network traffic through IPsec or Generic Routing Encapsulation (GRE) tunnels. Because a rule can trigger advertisement without anyone on your side intervening, those tunnels must already be configured before you enable auto-advertisement; otherwise the advertised prefixes have no return path to your network.

The following diagrams illustrate this process:

Activate IP auto-advertisement

Network Flow rules with auto-advertisement require IP auto-advertisement (dynamic advertisement) to be enabled for the prefixes they monitor. You can activate IP auto-advertisement through the dashboard or the API.

Dashboard

To activate IP advertisement through the Cloudflare dashboard, refer to Configure dynamic advertisement.

API

To activate IP advertisement through the API, refer to the IP Address Management Dynamic Advertisement API.

Network Flow rules

To create Network Flow rules with auto-advertisement, refer to Rule Auto-Advertisement.
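The two API steps this page links to (enabling dynamic advertisement for an onboarded prefix, then creating a Network Flow rule with auto-advertisement) are shown below as an added example. This is not Cloudflare's own code or a page from its API reference: the endpoint paths, request fields and the duration format are assumptions based on the public v4 API and must be checked against the IP Address Management and Magic Network Monitoring reference before use. The prefix check (every monitored prefix must fall inside an onboarded prefix of /24 or larger for IPv4, /48 or larger for IPv6) is also an assumption added here, and the account, prefix and rule values are constructed placeholders.

```python
"""Build and send the Cloudflare API calls for Magic Transit On Demand
auto-advertisement. Added example; endpoint paths and field names are
assumptions, not copied from the original page."""
import ipaddress
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Assumed endpoint paths (verify against the Cloudflare API reference).
PREFIX_BGP_STATUS = "/accounts/{account_id}/addressing/prefixes/{prefix_id}/bgp/status"
MNM_RULES = "/accounts/{account_id}/mnm/rules"

# Assumed Magic Transit minimum prefix sizes by IP version.
MIN_ONBOARDED_PREFIXLEN = {4: 24, 6: 48}


def validate_rule_prefixes(rule_prefixes, onboarded_prefixes):
    """Return the rule prefixes as normalised CIDR strings, or raise ValueError.

    Check added here (not from the page): a prefix a rule monitors must sit inside
    a prefix that is already onboarded to Magic Transit, otherwise there is nothing
    to advertise when the rule fires.
    """
    onboarded = [ipaddress.ip_network(p, strict=True) for p in onboarded_prefixes]
    for net in onboarded:
        if net.prefixlen > MIN_ONBOARDED_PREFIXLEN[net.version]:
            raise ValueError(f"onboarded prefix {net} is smaller than Magic Transit allows")
    out = []
    for p in rule_prefixes:
        net = ipaddress.ip_network(p, strict=True)  # strict=True rejects host bits set
        if not any(net.subnet_of(o) for o in onboarded if o.version == net.version):
            raise ValueError(f"{net} is not covered by an onboarded Magic Transit prefix")
        out.append(str(net))
    return out


def build_enable_advertisement(account_id, prefix_id, advertised=True):
    """Request that toggles dynamic advertisement for one onboarded prefix."""
    return {
        "method": "PATCH",
        "url": API_BASE + PREFIX_BGP_STATUS.format(account_id=account_id, prefix_id=prefix_id),
        "body": {"advertised": bool(advertised)},
    }


def build_flow_rule(account_id, name, rule_prefixes, onboarded_prefixes,
                    bandwidth_threshold_bps=0, packet_threshold_pps=0,
                    duration="1m0s", automatic_advertisement=True):
    """Request that creates a Network Flow rule with auto-advertisement.

    At least one threshold must be set, or the rule can never trigger. `duration`
    is the window the threshold must be exceeded for (assumed Go-style string).
    """
    if bandwidth_threshold_bps <= 0 and packet_threshold_pps <= 0:
        raise ValueError("set a bandwidth or packet threshold, otherwise the rule never fires")
    body = {
        "name": name,
        "prefixes": validate_rule_prefixes(rule_prefixes, onboarded_prefixes),
        "automatic_advertisement": bool(automatic_advertisement),
        "duration": duration,
    }
    if bandwidth_threshold_bps > 0:
        body["bandwidth_threshold"] = int(bandwidth_threshold_bps)
    if packet_threshold_pps > 0:
        body["packet_threshold"] = int(packet_threshold_pps)
    return {"method": "POST", "url": API_BASE + MNM_RULES.format(account_id=account_id), "body": body}


def parse_response(raw):
    """Unwrap the v4 envelope: return `result`, or raise with the API's error list."""
    doc = json.loads(raw)
    if not doc.get("success"):
        raise RuntimeError("Cloudflare API error: " + json.dumps(doc.get("errors", [])))
    return doc.get("result")


def send(request, api_token):
    """Perform a built request with an API token (network call; not used offline)."""
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["body"]).encode(),
        method=request["method"],
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    # Constructed placeholders: RFC 5737 documentation prefix, fake IDs.
    enable = build_enable_advertisement("<account_id>", "<prefix_id>")
    rule = build_flow_rule("<account_id>", "dns-edge-udp", ["203.0.113.0/25"],
                           ["203.0.113.0/24"], packet_threshold_pps=100_000)
    print(json.dumps(enable, indent=2))
    print(json.dumps(rule, indent=2))
```

Run the two builders in that order: enable dynamic advertisement for the onboarded prefix first, then create the rule, since a rule whose prefixes cannot be advertised will notify you but never mitigate. Keep the rule's thresholds well above the prefix's normal peak so that a routine traffic spike does not flip advertisement on and shift your routing unexpectedly.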