Explore the architecture of Cloudflare One as a SASE platform, including how Cloudflare WAN handles connectivity, routing, and security.
Cloudflare WAN
Connect and secure your entire corporate network through Cloudflare, replacing MPLS circuits and hub-and-spoke routing with cloud-native networking.
Cloudflare WAN (formerly Magic WAN) connects your data centers, offices, and cloud resources through Cloudflare's global network. Instead of backhauling traffic through a central data center or maintaining dedicated MPLS circuits at every site, your traffic routes through the nearest Cloudflare data center where security policies apply inline.
Cloudflare WAN provides secure, performant routing for your entire corporate network. Cloudflare Network Firewall integrates with Cloudflare WAN, enabling you to enforce network firewall policies at Cloudflare's global network, across traffic from any entity within your network.
You connect your sites to Cloudflare through on-ramps — tunnels or direct connections from your network to Cloudflare. Cloudflare WAN supports any device that uses anycast GRE or IPsec tunnels. To make it easier to onboard your cloud resources, you can use Multi-Cloud Networking, which automates creating on-ramps from your cloud networks. Refer to On-ramps for a full list of supported on-ramps.
Refer to WAN transformation to compare approaches and plan your migration, or go straight to get started.
Cloudflare WAN is a standalone WAN-as-a-Service (WANaaS) product. It provides site-to-site connectivity over Cloudflare's global network, with packet-level security through Cloudflare Network Firewall. Cloudflare WAN supports IPsec tunnels, GRE tunnels, Cloudflare Network Interconnect, and the Cloudflare One Appliance for connecting your sites.
Cloudflare One is the full SASE (Secure Access Service Edge) platform. It extends Cloudflare WAN with identity-aware security services:
- Cloudflare One Client (WARP) — deploys on user devices to route traffic through Cloudflare with identity context.
- Cloudflare Tunnel — creates outbound-only connections from your infrastructure to Cloudflare, with no inbound ports required.
- Cloudflare Gateway — applies secure web gateway (SWG) policies to filter and inspect Internet-bound traffic.
- Cloudflare Access — enforces Zero Trust Network Access (ZTNA) policies based on user identity, device posture, and context.
If your requirements are limited to site-to-site connectivity and network-layer security, Cloudflare WAN provides what you need. When you need user-level security policies, identity-based access controls, or secure Internet egress, you can add Cloudflare One capabilities to your existing deployment.
Cloudflare One builds on the same network infrastructure as Cloudflare WAN, so there is no migration required.
For more information about Cloudflare One, refer to the Cloudflare One documentation.
Connect your network automatically
Use Cloudflare One Appliance to automatically connect, steer, and shape any IP traffic.
Connect your network manually
Set up Cloudflare WAN with your existing routers and firewalls. If you do not have Cloudflare One Appliance, start here to configure IPsec or GRE tunnels from a third-party device.
Automatic cloud on-ramps
Zero Trust integration
Learn how you can use Cloudflare WAN with other Cloudflare Zero Trust products.
BGP peering (beta)
Use Border Gateway Protocol (BGP) peering between your networks and Cloudflare to automatically announce and withdraw routes as your network changes, rather than managing static routes manually.
WAN transformation
Replace MPLS circuits and hub-and-spoke routing with cloud-native networking. Compare WAN approaches and plan an incremental migration.
Cloudflare Network Firewall is a firewall-as-a-service (FWaaS) that filters traffic at layers 3 and 4 across Cloudflare's global network. It is included with Cloudflare WAN.
Cloudflare Network Interconnect (CNI) provides a private, dedicated connection between your network and Cloudflare instead of routing over the public Internet. Use CNI when you need lower latency or more consistent performance than tunnel-based connectivity.
Cloudflare Load Balancing distributes traffic across your endpoints, which reduces endpoint strain and latency and improves the experience for end users.