Configure BGP peering
Magic WAN customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.
Using BGP peering with a CNI allows customers to:
- Automate the process of adding or removing networks and subnets.
- Take advantage of failure detection and session recovery features.
With this functionality, customers can:
- Establish an eBGP session between their devices and the Magic WAN service when connected via CNI.
- Secure the session by MD5 authentication to prevent misconfigurations.
- Exchange routes dynamically between their devices and their Magic routing table.
Routes received from the customer device will be redistributed into the Magic routing table, which is used by both Magic WAN and Magic Transit.
All routes in the Magic routing table are advertised to BGP peers. Each BGP peer will receive each prefix route along with the full AS_PATH
, with the selected Cloudflare side ASN ↗ prepended. This is so that the peer can accurately perform loop prevention ↗.
BGP peering sessions can advertise reachable prefixes to a peer and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate.
BGP multipath is supported. If the same prefix is learned on two different interconnects then traffic destined for that prefix will be distributed across each interconnect according to the usual ECMP behavior.
BGP support currently has the following limitations:
- The Cloudflare account ASN and the customer device ASN must be different. Only eBGP is supported.
- Routes are always injected with a priority of
100
. - Bidirectional Forwarding Detection (BFD) is not supported.
- 4-byte ASNs are not supported.
Magic WAN customers need to enable legacy health checks alongside BGP. This is essential to determine if a specific Cloudflare data center is reachable from a customer device or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes.
The Magic routing table is managed by the customer, who can select both the Cloudflare-side ASN and the ASN for their customer device.
By default, each BGP peering session will use the same Cloudflare-side ASN to represent peering with the Magic WAN routing table. This default ASN is called the CF Account ASN and should be configured to a private 2-byte ASN (for example, any values between 64512
and 65534
). To set this ASN:
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic WAN > Configuration > BGP.
- In CF Account ASN, enter Cloudflare's ASN.
- Select Update.
Magic WAN customers should also be aware of the following:
- The Cloudflare side ASN will be included in the
AS_PATH
of announced routes to any BGP enabled interconnect. - The customer chooses their device ASN, which should be different to the Cloudflare-side ASN.
You need to configure two ASNs:
- The Cloudflare account-scoped ASN named CF Account ASN.
- One ASN for each interconnect you want to configure with BGP.
If you already have set up your Cloudflare account ASN, you can skip steps two and three below.
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic WAN > Configuration > BGP.
- In CF Account ASN, enter Cloudflare's ASN.
- Go to Interconnects.
- Find the Direct CNI interconnect you want to configure with BGP > select the three dots next to it > Configure BGP.
- In Customer device ASN, enter the ASN for your network.
- In MD5 key, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism.
- (Optional) In Advertised prefix list, input the additional static prefixes automatically assigned by Cloudflare during the creation of the CNI interconnect, to advertise alongside your existing routes. Leave blank if you do not want to advertise extra routes.
- Select Enable BGP.