To get started with Cloudflare One Multi-Cloud Networking (formerly Magic Cloud Networking) (beta), you need to give Cloudflare permission to interact with cloud providers on your behalf. You might have multiple provider accounts for the same cloud provider — for example, you might want Cloudflare to manage virtual private clouds (VPCs) belonging to two different AWS accounts.

Once Cloudflare has the credentials required to access your cloud environments, Multi-Cloud Networking will automatically begin discovering your cloud resources — like routing tables and virtual private networks. Discovered resources appear in your Cloud resource catalog.

Set up Amazon AWS

1. Create integration

1. Go to the Cloud integrations (beta) page.
2. Select Add > AWS integration.
3. Give a descriptive name to your integration. Optionally, you can also add a description for it.
4. Select Create integration.
5. Select Authorize access to start the process of connecting your Cloudflare account to Amazon AWS.

2. Create IAM policy

Create a custom IAM policy in your AWS account, and take note of the name you entered. Then, paste the following JSON code in the JSON tab:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AcceptTransitGatewayPeeringAttachment",
        "ec2:CreateTransitGatewayPeeringAttachment",
        "ec2:DeleteTransitGatewayPeeringAttachment",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGatewayPeeringAttachments",
        "ec2:RejectTransitGatewayPeeringAttachment",
        "ec2:GetManagedPrefixListEntries",
        "ec2:CreateManagedPrefixList",
        "ec2:ModifyManagedPrefixList",
        "ec2:DeleteManagedPrefixList",
        "ec2:CreateTransitGatewayPrefixListReference",
        "ec2:DeleteTransitGatewayPrefixListReference",
        "ec2:GetTransitGatewayPrefixListReferences",
        "ec2:ModifyTransitGatewayPrefixListReference"
      ],
      "Resource": "*"
    }
  ]
}
```
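Before attaching the policy above to a role that a third party will assume, it helps to see which of its actions change state and whether the policy later drifts from the documented version. The following Python review is an added example, not Cloudflare's code; the read-only prefix list is a naming heuristic and the function names are hypothetical.

```python
import json

# Custom policy from step 2 of this page, embedded so the review runs offline.
DOCUMENTED = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "ec2:AcceptTransitGatewayPeeringAttachment", "ec2:CreateTransitGatewayPeeringAttachment",
  "ec2:DeleteTransitGatewayPeeringAttachment", "ec2:DescribeRegions",
  "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:RejectTransitGatewayPeeringAttachment",
  "ec2:GetManagedPrefixListEntries", "ec2:CreateManagedPrefixList",
  "ec2:ModifyManagedPrefixList", "ec2:DeleteManagedPrefixList",
  "ec2:CreateTransitGatewayPrefixListReference", "ec2:DeleteTransitGatewayPrefixListReference",
  "ec2:GetTransitGatewayPrefixListReferences", "ec2:ModifyTransitGatewayPrefixListReference"
], "Resource": "*"}]}
""")

READ_PREFIXES = ("Describe", "Get", "List")  # assumption: naming heuristic only

def as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return list(value) if isinstance(value, list) else [value]

def allowed_actions(policy):
    """Yield (action, resources) for every action in an Allow statement."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in as_list(stmt.get("Action", [])):
                yield action, as_list(stmt.get("Resource", []))

def review(policy):
    """Split granted actions into read-only and mutating, and list the
    mutating ones whose statement uses Resource "*"."""
    report = {"read_only": [], "mutating": [], "mutating_on_any_resource": []}
    for action, resources in allowed_actions(policy):
        name = action.split(":", 1)[-1]
        if name.startswith(READ_PREFIXES):
            report["read_only"].append(action)
            continue
        report["mutating"].append(action)
        if "*" in resources:
            report["mutating_on_any_resource"].append(action)
    return report

def drift(deployed, documented=DOCUMENTED):
    """Actions the deployed policy grants beyond, or short of, the documented one.
    Wildcard actions such as "ec2:*" are compared literally, so they show as extra."""
    have = {action for action, _ in allowed_actions(deployed)}
    want = {action for action, _ in allowed_actions(documented)}
    return {"extra": sorted(have - want), "missing": sorted(want - have)}

if __name__ == "__main__":
    print(json.dumps(review(DOCUMENTED), indent=2))
```

To check a live policy, pass `drift` the policy document exported from your AWS account as a parsed dict.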

3. Authorize access to your AWS account

1. Create an AWS role with the following settings:
   - Trusted entity type: Select Custom trust policy, and paste the custom trust policy returned by the Cloudflare dashboard.
   - Permissions: Add the IAM policy you created in the previous step, along with these AWS-managed policies:
     - NetworkAdministrator
     - AmazonEC2ReadOnlyAccess
     - AmazonVPCReadOnlyAccess
     - IAMReadOnlyAccess
2. ARN: Copy the ARN for your newly created user.

   Note: The trust policy may take several minutes to propagate to all regions. It usually takes less than four minutes, but can sometimes take longer. You may have to retry the Authorize button while the propagation takes effect.
3. Select I authorize Cloudflare to access my AWS account.
4. Select Authorize.

Note: The first discovery of resources may not succeed in all regions while the IAM policy is propagating. If you do not see all resources after creating your cloud integration, try re-discovering.

Set up Microsoft Azure

1. Create integration

1. In the Cloudflare dashboard, go to Cloud integrations (beta).
2. Select Add > Azure integration.
3. Give a descriptive name to your integration. Optionally, you can also add a description for it.
4. Select Create integration.
5. Select Authorize access to start the process of connecting your Cloudflare account to Microsoft Azure.

2. Authorize access to your Azure account

Warning: Multi-Cloud Networking does not support personal Microsoft accounts. Sign in using a work or school account that is part of an Azure Entra Tenant.

1. Select Create service principal. You will be redirected to Microsoft's login page.
2. Enter your Azure credentials. If your account does not have administrator privileges, you may need to pass this link to an account that has administrator privileges.
3. The next screen lists Cloudflare required permissions to access your account. Select Accept.
4. Add a role assignment. The purpose of this step is to give the app that you registered in step 1 permission to access your Azure Subscription.
   - In step 3 of the linked document, select the Contributor role from the Privileged administrator roles tab.
   - In step 4 of the linked document, search for mcn-provider-integrations-bot-prod when selecting members.
5. In Provide account information, enter your Tenant ID and Subscription ID.
6. In Verify account ownership, add the tags displayed in the Cloudflare dashboard.

   Note: The tags may take several minutes to propagate and become readable to Cloudflare. It usually takes less than four minutes, but can sometimes take longer. You may have to retry the Authorize button while the propagation takes effect.
7. Select I authorize Cloudflare to access my Azure account. If your account does not have administrator privileges, you may need to pass this link to an account that has administrator privileges.
8. Select Authorize.

Note: The first discovery of resources may not succeed in all regions while the IAM policy is propagating. If you do not see all resources after creating your cloud integration, try re-discovering.

Set up Google Cloud

1. Create integration

1. In the Cloudflare dashboard, go to Cloud integrations (beta).
2. Select Add > Google integration.
3. Give a descriptive name to your integration. Optionally, you can also add a description for it.
4. Select Create integration.
5. Select Authorize access to start the process of connecting your Cloudflare account to Google Cloud.

2. Authorize access to your Google account

1. Create a new GCP service account in your Google account > GCP Console > IAM & Admin > Service Accounts.
2. Grant the new service account these roles:
   - Compute Network Admin
   - Compute Viewer
3. Under IAM & Admin > Service Accounts, select the service account you just created, and navigate to the Permissions tab.
4. Grant the Service Account Token Creator role to our bot account to allow it to impersonate this service account. Learn how to grant a specific role in Google's documentation:

   mcn-integrations-bot-prod@mcn-gcp-01.iam.gserviceaccount.com
5. In the service account email field, enter the email account that you used to create the GCP service account.
6. In the Project ID field, enter the project ID associated with your project.
7. Add the label displayed in the dashboard of your project.
8. Select I authorize Cloudflare to access my GCP account. If your account does not have administrator privileges, you may need to pass this link to an account that has administrator privileges.
9. Select Authorize.

You have successfully connected your cloud provider to Multi-Cloud Networking. Cloud resources found by Multi-Cloud Networking are available in the Cloud resource catalog.

Note: The first discovery of resources may not succeed in all regions while the IAM policy is propagating. If you do not see all resources after creating your cloud integration, try re-discovering.
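The Google Cloud steps above let the bot account impersonate your service account, so it is worth confirming afterwards that only that account holds Service Account Token Creator on it. The following Python audit is an added example, not Cloudflare's code; the sample policy is constructed, and the function and result key names are hypothetical.

```python
import json

# Values taken from this page.
BOT = "serviceAccount:mcn-integrations-bot-prod@mcn-gcp-01.iam.gserviceaccount.com"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"  # Service Account Token Creator

# Constructed sample in the shape printed by
# `gcloud iam service-accounts get-iam-policy <SA_EMAIL> --format=json`.
SAMPLE_POLICY = json.loads("""
{"version": 1, "etag": "BwConstructed=", "bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator", "members": [
    "serviceAccount:mcn-integrations-bot-prod@mcn-gcp-01.iam.gserviceaccount.com",
    "user:alice@example.com"]},
  {"role": "roles/iam.serviceAccountUser", "members": [
    "serviceAccount:mcn-integrations-bot-prod@mcn-gcp-01.iam.gserviceaccount.com"]}
]}
""")

def audit_impersonation(policy, expected=BOT):
    """Report who can mint tokens for the service account and whether the
    expected bot holds any role beyond Service Account Token Creator."""
    result = {"bot_granted": False,
              "unexpected_token_creators": [],
              "extra_bot_roles": []}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        members = binding.get("members", [])
        if role != TOKEN_CREATOR:
            # The page only asks for Token Creator; anything else is surplus.
            if expected in members:
                result["extra_bot_roles"].append(role)
            continue
        for member in members:
            if member == expected:
                result["bot_granted"] = True
            else:
                result["unexpected_token_creators"].append(member)
    result["unexpected_token_creators"].sort()
    result["extra_bot_roles"].sort()
    return result

if __name__ == "__main__":
    print(json.dumps(audit_impersonation(SAMPLE_POLICY), indent=2))
```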