Configure BGP peering
Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.
Using BGP peering with a CNI allows customers to:
- Automate the process of adding or removing networks and subnets.
- Take advantage of failure detection and session recovery features.
With this functionality, customers can:
- Establish an eBGP session between their devices and the Magic Transit service when connected via CNI.
- Secure the session by MD5 authentication to prevent misconfigurations.
- Exchange routes dynamically between their devices and their Magic routing table.
Routes received from the customer device will be redistributed into the Magic routing table, which is used by both Magic WAN and Magic Transit.
All routes in the Magic routing table are advertised to BGP peers. Each BGP peer will receive each prefix route along with the full AS_PATH, with the selected Cloudflare side ASN prepended. This is so that the peer can accurately perform loop prevention.
BGP peering sessions can advertise reachable prefixes to a peer and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate.
BGP multipath is supported. If the same prefix is learned on two different interconnects then traffic destined for that prefix will be distributed across each interconnect according to the usual ECMP behavior.
BGP support currently has the following limitations:
- The Cloudflare account ASN and the customer device ASN must be different. Only eBGP is supported.
- Routes are always injected with a priority of 100.
- Bidirectional Forwarding Detection (BFD) is not supported.
- 4-byte ASNs are not supported.
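The advertisement rule and the ASN limits described above, modelled in Python as an added example (not Cloudflare code). The function names are hypothetical, and every ASN and prefix is a constructed sample value.

```python
# Added illustration: models the advertisement rules described on this page.
# All ASNs and prefixes below are constructed sample values.

MAX_2BYTE_ASN = 65535  # 4-byte ASNs are not supported


def check_peering(cf_asn, device_asn):
    """Return a list of problems with a planned session, per the limits above."""
    problems = []
    for name, asn in (("CF Account ASN", cf_asn), ("customer device ASN", device_asn)):
        if not 1 <= asn <= MAX_2BYTE_ASN:
            problems.append(f"{name} {asn} is not a 2-byte ASN")
    if cf_asn == device_asn:
        problems.append("ASNs are equal: only eBGP is supported")
    return problems


def advertise(routing_table, cf_asn):
    """What every peer is sent: each route with cf_asn prepended to the full AS_PATH."""
    return {prefix: [cf_asn] + path for prefix, path in routing_table.items()}


def accepted_by(device_asn, advertised):
    """Standard eBGP loop prevention: drop routes whose AS_PATH contains our own ASN."""
    return sorted(p for p, path in advertised.items() if device_asn not in path)


# Constructed sample: two sites peer over separate interconnects.
CF_ASN = 64512
MAGIC_ROUTES = {
    "10.1.0.0/24": [65001],  # learned from site A (AS 65001)
    "10.2.0.0/24": [65002],  # learned from site B (AS 65002)
}

if __name__ == "__main__":
    print(check_peering(CF_ASN, 65001))       # no problems
    print(check_peering(CF_ASN, 4200000000))  # 4-byte ASN is flagged
    sent = advertise(MAGIC_ROUTES, CF_ASN)
    print(sent)
    print("site A accepts:", accepted_by(65001, sent))
    print("site B accepts:", accepted_by(65002, sent))
```

In this model each site discards its own prefix when it is advertised back and keeps the other site's. Two sites configured with the same customer device ASN would each discard the other's prefixes under the same rule.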
Magic Transit customers need to enable legacy health checks alongside BGP. This is essential to determine if a specific Cloudflare data center is reachable from a customer device or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes.
The Magic routing table is managed by the customer, who can select both the Cloudflare-side ASN and the ASN for their customer device.
By default, each BGP peering session will use the same Cloudflare-side ASN to represent peering with the Magic Transit routing table. This default ASN is called the CF Account ASN and should be configured to a private 2-byte ASN (for example, any values between 64512 and 65534). To set this ASN:
- Log in to the Cloudflare dashboard, and select your account.
- Go to Magic Transit > Configuration > BGP.
- In CF Account ASN, enter Cloudflare's ASN.
- Select Update.
Magic Transit customers should also be aware of the following:
- The Cloudflare side ASN will never be exposed in AS_PATH of anycast announcements from the Cloudflare edge. In those announcements, Cloudflare will always use the Cloudflare ASN of 13335 optionally prepended with a bring-your-own ASN as described in Cloudflare ASN vs. your own ASN.
- The customer device ASN can be a private ASN or the ASN they are using for Magic Transit anycast announcements at the edge: this has no impact on the ASN for the anycast announced prefix at the edge of the Cloudflare global network.
You need to configure two ASNs:
- The Cloudflare account-scoped ASN named CF Account ASN.
- One ASN for each interconnect you want to configure with BGP.
If you have already set up your Cloudflare account ASN, you can skip steps two and three below.
- Log in to the Cloudflare dashboard, and select your account.
- Go to Magic Transit > Configuration > BGP.
- In CF Account ASN, enter Cloudflare's ASN.
- Go to Interconnects.
- Find the Direct CNI interconnect you want to configure with BGP > select the three dots next to it > Configure BGP.
- In Customer device ASN, enter the ASN for your network.
- In MD5 key, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism.
- (Optional) In Advertised prefix list, input the additional static prefixes automatically assigned by Cloudflare during the creation of the CNI interconnect, to advertise alongside your existing routes. Leave blank if you do not want to advertise extra routes.
- Select Enable BGP.