Configure routes
Magic Networking uses a routing table to steer your traffic via next-hop from Cloudflare's global network to your connected networks. Entries can be added to the Magic routing table via static route configuration or via routes learned through BGP peering (only available over Direct CNI).
Refer to Traffic Steering for more information about all the technical aspects related to:
- Routes' priorities and weights
- Regional scoping of traffic to reduce latency
- BGP peering
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic WAN > Configuration.
- From the Routes tab, select Create to add a new route.
- Enter a descriptive name for your route in Description.
- In Prefix, enter your range of IP addresses. For example,
10.10.10.100/24. - In Tunnel/Next hop select which tunnel you want your route to go through. Choose from the tunnels you have created in Configure tunnel endpoints.
- Choose the Priority for your route. Lower numbers have higher priorities.
- (Optional) Choose a Weight for your route. Refer to Set priority and weights for static routes for examples.
- (Optional) If you need to scope your route to a specific region, you can do it in Region code.
- (Optional) We highly recommend testing your route before adding it by selecting Test routes.
- Select Add routes when you are done.
Create a POST request using the API to create one or more static routes.
Example:
Required API token permissions
At least one of the following token permissions
is required:
Magic WAN WriteMagic Transit Write
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/routes \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "nexthop": "<IP_NEXT_HOP>", "prefix": "<YOUR_IP_PREFIX>", "priority": 0, "id": "023e105f4ecef8ad9ca31a8372d0c353", "description": "<ROUTE_DESCRIPTION>", "scope": { "colo_names": [ "den01" ], "colo_regions": [ "APAC" ] }, "weight": 0 }'{ "errors": [ { "code": 1000, "message": "message" } ], "messages": [ { "code": 1000, "message": "message" } ], "result": { "routes": [ { "nexthop": "203.0.113.1", "prefix": "192.0.2.0/24", "priority": 0, "id": "023e105f4ecef8ad9ca31a8372d0c353", "description": "New route for new prefix 203.0.113.1", "scope": { "colo_names": [ "den01" ], "colo_regions": [ "APAC" ] }, "weight": 0 } ] }, "success": true}- In Routes, select Edit next to the route you want to modify.
- Enter the updated route information.
- (Optional) We highly recommend testing your route before adding it by selecting Test routes.
- Select Edit routes to save the new information when you are done.
Create a PUT request using the API to update one or more static routes.
Example:
Required API token permissions
At least one of the following token permissions
is required:
Magic WAN WriteMagic Transit Write
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/routes/$ROUTE_ID \ --request PUT \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "nexthop": "<IP_NEXT_HOP>", "prefix": "<YOUR_IP_PREFIX>", "priority": 0, "id": "023e105f4ecef8ad9ca31a8372d0c353", "description": "<ROUTE_DESCRIPTION>", "scope": { "colo_names": [ "den01" ], "colo_regions": [ "APAC" ] }, "weight": 0 }'{ "errors": [ { "code": 1000, "message": "message" } ], "messages": [ { "code": 1000, "message": "message" } ], "result": { "modified": true, "modified_route": { "nexthop": "203.0.113.1", "prefix": "192.0.2.0/24", "priority": 0, "id": "023e105f4ecef8ad9ca31a8372d0c353", "description": "New route for new prefix 203.0.113.1", "scope": { "colo_names": [ "den01" ], "colo_regions": [ "APAC" ] }, "weight": 0 } }, "success": true}- In Routes, locate the static route you want to modify and select Delete.
- Confirm the action by selecting the checkbox and select Delete.
Create a DELETE request using the API to delete a static route.
Example:
Required API token permissions
At least one of the following token permissions
is required:
Magic WAN WriteMagic Transit Write
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/magic/routes/$ROUTE_ID \ --request DELETE \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"{ "errors": [ { "code": 1000, "message": "message" } ], "messages": [ { "code": 1000, "message": "message" } ], "result": { "deleted": true, "deleted_route": { "nexthop": "203.0.113.1", "prefix": "192.0.2.0/24", "priority": 0, "id": "023e105f4ecef8ad9ca31a8372d0c353", "description": "New route for new prefix 203.0.113.1", "scope": { "colo_names": [ "den01" ], "colo_regions": [ "APAC" ] }, "weight": 0 } }, "success": true}BGP peering is available when using a Direct CNI as an on-ramp.
The Magic routing table is managed by the customer, who can select both the Cloudflare-side ASN and the ASN for their customer device. The customer device ASN can be 2-byte or 4-byte.
By default, each BGP peering session will use the same Cloudflare-side ASN to represent peering with the Magic WAN routing table. This ASN is called the CF Account ASN and is set to 13335. This can be configured to a private 2-byte ASN (for example, any values between 64512 and 65534). To set this ASN:
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic WAN > Configuration > BGP.
- In CF Account ASN, enter Cloudflare's ASN.
- Select Update.
Magic WAN customers should also be aware of the following:
- The Cloudflare side ASN will be included in the
AS_PATHof announced routes to any BGP enabled interconnect. - The customer chooses their device ASN, which should be different to the Cloudflare-side ASN.
You need to configure two ASNs:
- The Cloudflare account-scoped ASN named CF Account ASN.
- One ASN for each interconnect you want to configure with BGP.
If you already have set up your Cloudflare account ASN, you can skip steps two and three below.
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic WAN > Configuration > BGP.
- In CF Account ASN, enter Cloudflare's ASN.
- Go to Interconnects.
- Find the Direct CNI interconnect you want to configure with BGP > select the three dots next to it > Configure BGP.
- In Customer device ASN, enter the ASN for your network.
- In MD5 key, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism.
- (Optional) In Advertised prefix list, input the additional prefixes automatically assigned by Cloudflare during the creation of the CNI interconnect, to advertise alongside your existing routes. Leave blank if you do not want to advertise extra routes.
Typical prefixes to configure here include:- A route to
0.0.0.0/0, the default route — to attract all Internet-bound traffic if using Magic WAN with Gateway. - A route to
100.96.0.0/12, the portion of CGNAT space used by default with WARP clients.
- A route to
- Select Enable BGP.
Now that you have configured your tunnels and routes, the next step is to create a site.
Sites represent the local network of a data center, office, or other physical location, and combine all on-ramps available there. Sites also allow you to check, at a glance, the state of your on-ramps and set up health alert settings so that you get notified when there are issues with the site's on-ramps.
Refer to Set up a site for more information.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark