Cloudflare Docs
Magic Transit
Edit this page on GitHub
Set theme to dark (⇧+D)

Configure static routes

Magic Transit uses a static configuration to route your traffic through Anycast tunnels from Cloudflare’s global network to your locations.

You must assign a route priority to each tunnel–subnet pair in your configuration, as follows:

  • Lower values have greater priority.
  • When the priority values for prefix entries match, Cloudflare uses equal-cost multi-path (ECMP) packet forwarding to route traffic. For more on how Cloudflare uses ECMP packet forwarding, refer to Traffic steering.

You can also create and edit static routes using the Magic Transit Static Routes API.

​​ Edge routing configuration example

PrefixNextHopPriority
10.10.10.100/24TUNNEL_1_IAD100
10.10.10.100/24TUNNEL_2_IAD100
10.10.10.100/24TUNNEL_3_ATL100
10.10.10.100/24TUNNEL_4_ATL100
10.10.10.100/24TUNNEL_1_IAD200
10.10.10.100/24TUNNEL_2_IAD200
10.10.10.100/24TUNNEL_3_ATL100
10.10.10.100/24TUNNEL_4_ATL100

Optionally, weights can also be added to better distribute traffic amongst multiple tunnels. In the below example, TUNNEL_2_IAD is likely to receive twice as much traffic as TUNNEL_1_IAD.

PrefixNextHopPriorityWeight
10.10.10.100/24TUNNEL_1_IAD100100
10.10.10.100/24TUNNEL_2_IAD100200
10.10.10.100/24TUNNEL_3_ATL100300
10.10.10.100/24TUNNEL_4_ATL100400

​​ ​​Map route prefixes smaller than /24

You must provide your prefixes and the tunnels that should be mapped to for Cloudflare to route your traffic from our global network to your data centers via Anycast tunnels. Use the table below as reference.

PrefixNextHop
103.21.244.0/29TUNNEL_1_IAD
103.21.244.8/29TUNNEL_2_ATL

The minimum advertising prefix is /24, but because Cloudflare uses Anycast tunnels as an outer wrapper for your traffic, we can route prefixes within that /24 to different tunnel endpoints. For example, you can send x.x.x.0/29 to Data Center 1 and x.x.x.8/29 to Data Center 2. This is helpful when you operate in an environment with constrained IP resources.

​​ Scoped routes for Anycast GRE or IPsec tunnels

To reduce latency for your Anycast GRE or IPsec tunnel configurations, especially if you operate your own Anycast network, Cloudflare can steer your traffic by scoping it to specific Cloudflare data center regions. Equal cost routes maintain an equal cost on a global scale so long as the routes are not scoped to specific regions. For example, if you use region-scoped routes, traffic from end users in New York will always land at their Ashburn network unless that tunnel is unhealthy.

When you scope static routes to specific regions, the routes will only exist in the specified regions, and traffic that lands outside the specified regions will not have anywhere to go.

To configure scoping for your traffic, you must provide static routes to Cloudflare with Anycast GRE or IPsec tunnel data such that all Cloudflare regions have a route for your prefixes.

​​ Scoping configuration data example

PrefixNextHopPriorityRegion code
10.10.10.100/24TUNNEL_1_IAD100AFR
10.10.10.100/24TUNNEL_2_IAD100EEUR
10.10.10.100/24TUNNEL_3_ATL100ENAM
10.10.10.100/24TUNNEL_4_ATL100ME

Region codes and associated regions

Cloudflare has nine geographic regions across the world which are listed below.

Region codeRegion
AFRAfrica
APACAsia Pacific
EEUREastern Europe
ENAMEastern North America
MEMiddle East
OCOceania
SAMSouth America
WEURWestern Europe
WNAMWestern North America

Configure scoping for your traffic in the Region code section when adding or editing a static route. Refer to Create a static route and Edit a static route more information.

​​ Allowed IP ranges

By default, you can only add static routes with RFC 1918 IP prefixes like:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

If your use case requires IP prefixes outside RFC 1918, contact your Cloudflare customer service manager.

​​ ​​Create a static route

  1. Log in to the Cloudflare dashboard, and select your account.
  2. Go to Magic Transit > Configuration.
  3. From the Static Routes tab, select Create to add a new route.
  4. Enter a descriptive name for your route in Description.
  5. In Prefix, enter your range of IP addresses. For example, 10.10.10.100/24.
  6. In Tunnel/Next hop select which tunnel you want your route to go through. Choose from the tunnels you have created in Configure tunnel endpoints.
  7. Choose the Priority for your route. Lower numbers have higher priorities.
  8. (Optional) Choose a Weight for your route. Refer to Edge routing configuration example for examples.
  9. (Optional) If you need to scope your route to a specific region, you can do it in Region code.
  10. (Optional) We highly recommend testing your route before adding it by selecting Test routes.
  11. Select Add routes when you are done.

​​ ​​Edit a static route

  1. In Static routes, select Edit next to the route you want to modify.
  2. Enter the updated route information.
  3. (Optional) We highly recommend testing your route before adding it by selecting Test routes.
  4. Select Edit routes to save the new information when you are done.

​​ ​​Delete static route

  1. In Static routes, locate the static route you want to modify and select Delete.
  2. Confirm the action by selecting the checkbox and select Delete.