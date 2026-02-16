Refer to this page for details about how Cloudflare orchestrates VPN connectivity to your cloud networks.

Cloud on-ramps

AWS

When using Cloudflare One Multi-Cloud Networking (formerly Magic Cloud Networking) (beta) to automatically create on-ramps to your AWS account, you should be aware of the following configuration changes Cloudflare will make on your behalf:

Cloudflare will create a new customer-managed prefix list named Cloudflare WAN and Cloudflare Edge populated with your Cloudflare WAN Address Space prefixes and the IPv4 address ranges for Cloudflare's global network servers (the latter prefixes are necessary if you use any Cloudflare L7 processing features). You must create rules in your Network Security Groups (NSGs) allowing traffic to/from this prefix list in order to have connectivity with Cloudflare WAN (formerly Magic WAN). (The prefix list will contain around 15 to 25 entries, which each count against the rules-per-security-group quota for NSGs in your AWS account.)

Cloudflare will create a Virtual Private Gateway and attach it to your Virtual Private Cloud (VPC). If an existing Virtual Private Gateway is already attached to the VPC, on-ramp creation will fail.

Cloudflare will enable route propagation from the Virtual Private Gateway into all route tables in your VPC. This will result in a route for each prefix in your Cloudflare WAN Address Space targeting the gateway.

Cloudflare will add a route in Cloudflare WAN for each IPv4 CIDR (Classless Inter-Domain Routing) block in your VPC.

Azure

When using Multi-Cloud Networking (beta) to automatically create on-ramps to your Azure account, you should be aware of the following configuration changes Cloudflare will make on your behalf:

Cloudflare will create a Virtual Network Gateway in your Virtual Network (VNet). Virtual Network Gateways in Azure require a subnet named GatewaySubnet . Cloudflare will create a GatewaySubnet if one does not already exist in your VNet. If there is not enough unused address space left in your VNet to create a /27 subnet for the GatewaySubnet , or if a GatewaySubnet exists but does not have enough address space left for a Virtual Network Gateway, on-ramp creation will fail.

. Cloudflare will create a if one does not already exist in your VNet. If there is not enough unused address space left in your VNet to create a subnet for the , or if a exists but does not have enough address space left for a Virtual Network Gateway, on-ramp creation will fail. Cloudflare will enable gateway route propagation on all route tables in your VNet. This will result in a route for each prefix in your Cloudflare WAN Address Space pointing to the gateway. If your VNet has other Virtual Network Gateways, their routes will also propagate to your route tables. If you delete the on-ramp, route propagation will not be disabled.

By default, Network Security Groups in Azure contain Allow rules for outbound/inbound traffic to/from the VirtualNetwork service tag, which includes Virtual Network Gateway address space (and therefore your Cloudflare WAN Address Space). If you do not want all resources in your VNet to be accessible from Cloudflare WAN, add the appropriate Deny rules to your Network Security Groups (NSGs).

service tag, which includes Virtual Network Gateway address space (and therefore your Cloudflare WAN Address Space). If you do not want all resources in your VNet to be accessible from Cloudflare WAN, add the appropriate Deny rules to your Network Security Groups (NSGs). Cloudflare will add a route in Cloudflare WAN for each IPv4 address range in your VNet.

GCP

When using Multi-Cloud Networking (beta) to automatically create on-ramps to your Google Cloud Platform (GCP) account, you should be aware of the following configuration changes Cloudflare will make on your behalf:

Cloudflare will reserve a public Internet routable IP address from GCP.

Cloudflare will create a VPN Gateway and two VPN Tunnels in the region you specify.

Cloudflare will create routes for each prefix in your Cloudflare WAN Address Space within your VPC pointing to the VPN Tunnels.

Cloudflare will add routes in Cloudflare WAN for all subnet CIDR prefixes in your VPC. This includes all regions within the VPC. Traffic bound for a region other than the VPN Gateway's region will be subject to GCP's Inter-region Pricing ↗ .

. Traffic sent to and from your VM instances through the VPN Tunnels is still subject to VPC firewall rules, and may require further configuration ↗ .

Supported resources

Multi-Cloud Networking (beta) discovers the following resource types in your cloud environments. These resources are used to build a comprehensive view of your cloud network topology and connectivity.

AWS

AWS Customer Gateway

AWS EC2 Managed Prefix List

AWS EC2 Transit Gateway

AWS EC2 Transit Gateway Prefix List

AWS EC2 Transit Gateway VPC Attachment

AWS Egress Only Internet Gateway

AWS Internet Gateway

AWS Instance

AWS Network Interface

AWS Route Table

AWS Route Table Association

AWS Security Group

AWS Subnet

AWS VPC

AWS VPC IPv4 CIDR Block Association

AWS VPC Security Group Egress Rule

AWS VPC Security Group Ingress Rule

AWS VPN Connection

AWS VPN Connection Route

AWS VPN Gateway

Azure

Azure Application Security Group

Azure Load Balancer

Azure Load Balancer Backend Address Pool

Azure Load Balancer NAT Pool

Azure Load Balancer NAT Rule

Azure Load Balancer Rule

Azure Local Network Gateway

Azure Network Interface

Azure Network Interface Application Security Group Association

Azure Network Interface Backend Address Pool Association

Azure Network Interface Security Group Association

Azure Network Security Group

Azure Public IP

Azure Route

Azure Route Table

Azure Subnet

Azure Subnet Route Table Association

Azure Virtual Machine

Azure Virtual Machine Gateway Connection

Azure Virtual Network

Azure Virtual Network Gateway

Azure Virtual Network Gateway Connection

GCP