Skip to content
Magic Transit
Visit Magic Transit on GitHub
Set theme to dark (⇧+D)

Specify tunnel endpoints

Anycast edge IP addresses

Cloudflare will assign 2 Anycast IP addresses shortly after your onboarding kickoff call. Use these Anycast edge addresses as the GRE tunnel destinations on your data center routers/endpoints.

Generic Routing Encapsulation (GRE)

Cloudflare recommends 2 GRE tunnels for each ISP and data center router combination, one per Anycast IP.

To configure the GRE tunnel(s) between Cloudflare and your data center(s), you must provide the following data for each tunnel:

  • Customer edge IP address—A public Internet routable IP address that is outside of the prefixes Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection (Cloudflare Network Interconnect), you do not need to provide edge addresses—Cloudflare will provide them.
  • Private subnet—A 31-bit subnet (/31 in CIDR notation) supporting 2 hosts, one for each side of the tunnel. Select the subnet from the following private IP space:
    • 10.0.0.0–10.255.255.255
    • 172.16.0.0–172.31.255.255
    • 192.168.0.0–192.168.255.255
  • Private IP addresses—The private IP address assigned to the Cloudflare and customer sides of the tunnel

For an example GRE tunnel configuration, refer to this table:

GRE tunnelCustomer edge IPAnycast IPPrivate subnetCustomer private IPCloudflare private IP
GRE_1_IAD104.18.112.75Anycast IP 110.10.10.100/3110.10.10.10010.10.10.101
GRE_2_IAD104.18.112.75Anycast IP 210.10.10.102/3110.10.10.10210.10.10.103
GRE_3_ATL104.40.112.125Anycast IP 110.10.10.104/3110.10.10.10410.10.10.105
GRE_4_ATL104.40.112.125Anycast IP 210.10.10.106/3110.10.10.10610.10.10.107

Scoped routes for GRE tunnels

To reduce latency for your GRE tunnel configurations, especially if you operate your own Anycast network, Cloudflare can steer your traffic by scoping it to specific Cloudflare data center regions.

Valid Cloudflare regions include AFR, APAC, EEUR, ENAM, ME, OC, SAM, WEUR, and WNAM.

To configure scoping for your traffic, you must provide Cloudflare with GRE tunnel data for each Cloudflare region.

For an example of scoping configuration data, see the table below. It lists GRE tunnels and their associated Cloudflare region codes:

GRE tunnelRegion code
GRE_1_IADAFR
GRE_2_IADEEUR
GRE_3_ATLENAM
GRE_4_ATLME

Cloudflare has 13 geographic regions across the world. This table lists region codes and their associated regions:

Region codeRegion
WNAMWestern North America
ENAMEastern North America
WEUWestern Europe
EEUEastern Europe
NSAMNorthern South America
SSAMSouthern South America
OCOceania
MEMiddle East
NAFNorthern Africa
SAFSouthern Africa
INIndia
SEASSoutheast Asia
NEASNortheast Asia