Date: 2026-02-17

Network Flow (formerly Magic Network Monitoring) includes an onboarding workflow that guides you step-by-step through the product configuration process. If you are unable to complete the configuration in one session, you can exit the workflow and resume it at any time.

To begin using Network Flow for network and/or cloud traffic visibility, complete the list of tasks below.

If you are an Enterprise customer, Cloudflare can significantly accelerate the onboarding timeline during active-attack scenarios.

Enterprise customers that would like to use Network Flow and Magic Transit On Demand together can begin by configuring Magic Transit.

NetFlow and sFlow guide

1. Verify NetFlow or sFlow capabilities

Verify your routers are capable of exporting NetFlow or sFlow to an IP address on Cloudflare's network. Network Flow supports NetFlow v5, NetFlow v9, IPFIX, and sFlow.

Refer to Supported routers to view a list of supported routers. The list is not exhaustive.

2. Register your router with Cloudflare

When you register your router with Cloudflare, your router links your NetFlow or sFlow data to your Cloudflare account.

Go to the Network flow page.

In Network flow, select Configure Network flow.

Select the Configure routers tab.

(Optional) Under IP Address, enter your router's public IP address.

Under Default router sampling rate, enter a value for the sampling rate. The value should match the sampling rate of your NetFlow or sFlow configuration.

Select Next.
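To check steps 1 and 2 against what the router actually emits, the added example below (not Cloudflare's code) classifies one captured export datagram as NetFlow v5, NetFlow v9, IPFIX or sFlow, and for NetFlow v5 reads the sampling interval from the header so it can be compared with the dashboard value. The function names and sample datagrams are constructed for illustration, and "sFlow" is assumed to mean sFlow version 5.

```python
import struct

# Header version numbers of the export formats the page lists as supported.
NETFLOW_FAMILY = {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX"}

def identify_export(datagram: bytes) -> dict:
    """Classify one UDP payload captured from a router's flow export."""
    if len(datagram) < 4:
        raise ValueError("too short to carry a flow export header")
    result = {"format": "unknown", "supported": False, "sampling_rate": None}
    (version16,) = struct.unpack_from("!H", datagram, 0)
    if version16 == 0:
        # sFlow uses a 32-bit version field, so its first two bytes are zero.
        (version32,) = struct.unpack_from("!I", datagram, 0)
        if version32 == 5:
            # sFlow reports the sampling rate per flow sample, not in the header.
            result.update(format="sFlow v5", supported=True)
        return result
    if version16 not in NETFLOW_FAMILY:
        return result
    result.update(format=NETFLOW_FAMILY[version16], supported=True)
    if version16 == 5:
        if len(datagram) < 24:
            raise ValueError("truncated NetFlow v5 header")
        # Bytes 22-23 of the v5 header: 2-bit sampling mode, 14-bit interval.
        (sampling,) = struct.unpack_from("!H", datagram, 22)
        result["sampling_rate"] = sampling & 0x3FFF
    # NetFlow v9 and IPFIX announce sampling in options records, not the header.
    return result

def rate_matches_dashboard(datagram: bytes, dashboard_rate: int):
    """True/False when the header states a rate; None when it cannot tell."""
    rate = identify_export(datagram)["sampling_rate"]
    if not rate:  # None, or 0 (v5 exporter did not report an interval)
        return None
    return rate == dashboard_rate

# Constructed samples (headers only, no flow records): v5 with sampling
# mode 1 and interval 1000, an IPFIX message header, an sFlow v5 header start.
SAMPLE_V5 = struct.pack("!HHIIIIBBH", 5, 0, 123456, 1700000000, 0, 1, 0, 0, (1 << 14) | 1000)
SAMPLE_IPFIX = struct.pack("!HHIII", 10, 16, 1700000000, 1, 0)
SAMPLE_SFLOW = struct.pack("!II", 5, 1) + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    for name, pkt in [("v5", SAMPLE_V5), ("ipfix", SAMPLE_IPFIX), ("sflow", SAMPLE_SFLOW)]:
        print(name, identify_export(pkt), rate_matches_dashboard(pkt, 1000))
```

A `None` result means the rate has to be read from the router's own configuration, since only the NetFlow v5 header carries it.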

3. Configure your router

Next, configure your router to send NetFlow or sFlow data to Cloudflare. For this step, you will also need to have your router's configuration menu open to input the values shown in the Cloudflare dashboard.

Refer to the NetFlow and IPFIX configuration guide or the sFlow configuration guide for more information.

From Configure routers in the dashboard, select either NetFlow Configuration or sFlow configuration.

Follow the configuration steps for the selected configuration type.

Enter the values shown in the dashboard into your router's configuration.

Select Next.

4. Check your router configuration

After setting up your router, confirm the configuration was successfully set up.

From the Check routers page on the dashboard, you can view the status of your routers. Router data typically takes five to ten minutes to appear in the Cloudflare dashboard.

Refer to Router status description to confirm whether data is successfully being sent.

When you are done with router configuration, select Finish onboarding.

Note: This will only be visible during the onboarding process. When you are finished onboarding, this page will no longer be visible.

5. Create rules

Create rules to analyze data for a specific set of destinations or to implement thresholds. Refer to Rules for more information.

VPC flow log guide (Beta)

1. Verify cloud flow log capabilities

Verify that your Amazon Web Services (AWS) account is capable of exporting AWS Virtual Private Cloud (VPC) flow logs through AWS Firehose. Currently, Network Flow only supports VPC flow log ingestion for AWS.

2. Set up AWS Firehose to export VPC flow logs to Cloudflare

Note: AWS VPC flow logs can only be configured through the Cloudflare API for Network Flow. There are no inputs in the dashboard for configuring AWS VPC flow logs.

Create an authorization token using Cloudflare's API for Network Flow. This authorization token allows Cloudflare to identify and verify the account sending VPC flow logs to our endpoint.

Required API token permissions: at least one of the following token permissions is required:

Magic Network Monitoring Admin

Generate authentication token for VPC flow logs export:

    curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/mnm/vpc-flows/token" \
      --request POST \
      --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
      --header "X-Auth-Key: $CLOUDFLARE_API_KEY"

In your AWS Firehose stream configuration, set the HTTP Headers - X-Amz-Firehose-Access-Key to the authorization token generated in the previous step.

Send your AWS Firehose VPC flow log stream towards https://aws-flow-logs.cloudflare.com/.

Select all of the AWS VPC flow log data fields that you want to send to Cloudflare. You should select the highest-numbered AWS VPC flow log version that supports all the fields you want to export to Cloudflare (refer to AWS flow log documentation for more information). For example, if you need a version 8 field like reject-reason, you must export all fields from versions 1 through 8. Cloudflare supports all seven templates for AWS VPC Flow logs.

3. Verify your cloud traffic via analytics

After setting up AWS Firehose to send VPC flow logs to Network Flow, you can confirm that Cloudflare is receiving the logs as expected by searching for your cloud traffic data in the analytics page of the Network Flow dashboard.

Go to the Network flow page.