
Cloudflare Magic Transit — On-Ramp & DDoS Protection for Network Infrastructure

DodaTech Updated 2026-06-23 4 min read

In this tutorial, you'll learn about Cloudflare Magic Transit. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloudflare Magic Transit protects on-premise network infrastructure by routing traffic through Cloudflare's global Anycast network, filtering DDoS attacks at the edge before they reach your data center. This tutorial explains Magic Transit architecture, configuration steps, and best practices for on-ramping your IP space.

Why Magic Transit Matters

Traditional DDoS protection requires dedicated hardware appliances that sit in your data center and cost millions of dollars. Cloudflare Magic Transit moves DDoS scrubbing to the cloud, absorbing attacks at edge data centers that have multi-terabit capacity. Your origin infrastructure sees only clean traffic.

Real-world use: Durga Antivirus Pro uses Magic Transit to protect its update servers and API infrastructure. A 1.2 Tbps DDoS attack targeting the API Gateway was absorbed entirely at Cloudflare's edge, and the origin servers received zero attack traffic.

Magic Transit Architecture

flowchart TD
  ATT[Attacker DDoS] --> CLOUD[Cloudflare Edge]
  LEG[Legitimate User] --> CLOUD
  CLOUD --> FILT[Traffic Filtering]
  FILT -->|Clean| TUN["GRE/IPIP Tunnel"]
  FILT -->|Attack| DROP[Discarded at Edge]
  TUN --> RTR[Customer Router]
  RTR --> ORIG[Origin Infrastructure]
  style ATT fill:#c00,color:#fff
  style LEG fill:#09c,color:#fff
  style CLOUD fill:#f90,color:#fff
  style DROP fill:#c00,color:#fff
  style ORIG fill:#090,color:#fff

How Magic Transit Works

Magic Transit advertises your IP prefixes through Cloudflare's network using BGP. Cloudflare announces your prefixes, attracts traffic, scrubs it, and forwards clean traffic through a tunnel to your infrastructure.

# Step 1: Onboard your IP prefixes
# Cloudflare must verify you own the IP space (ARIN/RIPE/RIR validation)
# Submit via dashboard: Magic Transit > Static Configuration
# Provide your prefix: 203.0.113.0/24
# Step 2: Configure a GRE tunnel from Cloudflare to your edge router
# On your router (Cisco IOS example):
interface Tunnel0
  description GRE tunnel to Cloudflare
  ip address 10.0.0.1 255.255.255.252
  tunnel source 203.0.113.1
  tunnel destination 173.245.48.1
  tunnel mode gre ip
  ip mtu 1400
  ip tcp adjust-mss 1360

# This tunnel carries clean traffic from Cloudflare to your data center
# Step 3: Configure BGP with Cloudflare
# Advertise your prefix to Cloudflare and accept their routes
router bgp 65001
  neighbor 10.0.0.2 remote-as 13335
  neighbor 10.0.0.2 description Cloudflare Magic Transit
  address-family ipv4 unicast
    neighbor 10.0.0.2 activate
    network 203.0.113.0 mask 255.255.255.0
  exit-address-family

# Cloudflare ASN is 13335
# Your ASN can be private (shown here) or public depending on your setup
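The values in the router and BGP configuration above interact (tunnel MTU against MSS clamping, the tunnel endpoint against the advertised prefix, the neighbor address against the tunnel subnet), so it is worth checking them before the change window. The following Python pre-flight checker is an added example, not part of this page and not Cloudflare tooling. It encodes the GRE and TCP header arithmetic behind the `ip mtu` and `ip tcp adjust-mss` lines, verifies that the prefix and both tunnel endpoints are publicly routable and that the BGP neighbor shares the tunnel's point-to-point subnet, and flags a tunnel endpoint that sits inside the protected prefix. That last check is an assumed design rule (the GRE packets Cloudflare sends to the endpoint would be addressed into a prefix Cloudflare itself announces), so confirm the requirement with your onboarding guidance; the 1500-byte underlay MTU and the /24 minimum prefix length are also assumptions of this example.

```python
"""Pre-flight checks for a Magic Transit on-ramp design.

Added example (not from the page or from Cloudflare): it encodes the IPv4/GRE
arithmetic behind the router settings above plus a few design rules, which are
labelled as assumptions in the comments where they are not plain protocol facts.
"""
import ipaddress

GRE_OVERHEAD = 24       # outer IPv4 header (20 bytes) + basic GRE header (4 bytes)
IP_TCP_HEADERS = 40     # IPv4 header (20 bytes) + TCP header (20 bytes), no options
UNDERLAY_MTU = 1500     # assumed MTU of the Internet-facing interface

# Address space that is never routed on the public Internet (RFC 1918, loopback,
# link-local, CGNAT, multicast, reserved). Documentation ranges are deliberately
# not listed so that the page's placeholder addresses can be checked.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_routable(addr_or_net):
    """True if the address/network does not fall inside a non-routable range."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    return not any(net.subnet_of(blocked) for blocked in NOT_ROUTABLE)


def check_onramp(design):
    """Return a list of (severity, message) findings for an on-ramp design.

    design keys: prefix, tunnel_source, tunnel_destination, tunnel_mtu,
    tcp_mss, interface_address (CIDR), bgp_neighbor.
    """
    findings = []
    prefix = ipaddress.ip_network(design["prefix"], strict=True)
    src = ipaddress.ip_address(design["tunnel_source"])
    dst = ipaddress.ip_address(design["tunnel_destination"])

    # 1. The prefix must be routable and no longer than /24 (assumed minimum:
    #    most Internet routers filter anything more specific, so nobody could
    #    attract traffic for it).
    if not is_routable(prefix):
        findings.append(("error", f"{prefix} is not a publicly routable prefix"))
    if prefix.prefixlen > 24:
        findings.append(("error", f"{prefix} is longer than /24 and will not be accepted"))

    # 2. Both tunnel endpoints must be public addresses.
    for name, addr in (("tunnel_source", src), ("tunnel_destination", dst)):
        if not is_routable(addr):
            findings.append(("error", f"{name} {addr} is not a public address"))

    # 3. Assumed design rule: the customer endpoint should sit outside the
    #    protected prefix, otherwise the GRE packets Cloudflare sends to it are
    #    addressed into a prefix Cloudflare itself announces. Reported as a
    #    warning; confirm the rule with your onboarding guidance.
    if src in prefix:
        findings.append(("warning", f"tunnel_source {src} lies inside protected prefix {prefix}"))

    # 4. GRE encapsulation adds 24 bytes, so the tunnel MTU must leave room for
    #    it on the underlay, and the clamped MSS should be the tunnel MTU minus
    #    the 40 bytes of IPv4 and TCP headers.
    max_tunnel_mtu = UNDERLAY_MTU - GRE_OVERHEAD
    if design["tunnel_mtu"] > max_tunnel_mtu:
        findings.append(("error", f"tunnel MTU {design['tunnel_mtu']} exceeds {max_tunnel_mtu}"))
    expected_mss = design["tunnel_mtu"] - IP_TCP_HEADERS
    if design["tcp_mss"] != expected_mss:
        findings.append(("warning", f"tcp_mss {design['tcp_mss']} should be {expected_mss}"))

    # 5. The BGP neighbor must be the other address on the tunnel's subnet.
    iface = ipaddress.ip_interface(design["interface_address"])
    neighbor = ipaddress.ip_address(design["bgp_neighbor"])
    if neighbor not in iface.network or neighbor == iface.ip:
        findings.append(("error", f"bgp_neighbor {neighbor} is not on {iface.network}"))

    return findings


# Values taken from the router configuration above
PAGE_DESIGN = {
    "prefix": "203.0.113.0/24",
    "tunnel_source": "203.0.113.1",
    "tunnel_destination": "173.245.48.1",
    "tunnel_mtu": 1400,
    "tcp_mss": 1360,
    "interface_address": "10.0.0.1/30",
    "bgp_neighbor": "10.0.0.2",
}

if __name__ == "__main__":
    for severity, message in check_onramp(PAGE_DESIGN) or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

Run against the page's own values the checker reports only the endpoint-inside-prefix warning; moving the tunnel source to an address outside the advertised /24 clears it, while an MTU of 1500 on the tunnel or a mismatched MSS produces the corresponding error and warning.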

DDoS Protection Layers

Magic Transit applies multiple layers of filtering to incoming traffic.

Layer   Protection     Description
L3      Network        Volumetric attacks, packet floods
L4      Transport      SYN floods, UDP floods, amplification
L7      Application    HTTP floods, bot mitigation
BGP     Routing        Route hijack detection, BGP flow spec

# Configure packet filtering rules (Magic Firewall)
# Dashboard: Magic Transit > Firewall > Packet rules
# Example: block all inbound UDP except DNS on port 53
# Magic Firewall rules are managed through the Rulesets API in the "magic_transit"
# phase; the expression carries the port-53 exception so the rule matches its description
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Magic Transit packet rules",
    "kind": "root",
    "phase": "magic_transit",
    "rules": [
      {
        "action": "block",
        "expression": "ip.proto == \"udp\" and not udp.dstport == 53",
        "description": "Block all inbound UDP except DNS on port 53"
      }
    ]
  }'

# View attack analytics
curl -s https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/analytics/attack_events \
  -H "Authorization: Bearer {api_token}" | jq '.result[] | {timestamp, attack_type, bits_rate, packets_rate}'

# Shows recent attack events with type, volume in bps, and pps
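A packet rule that is one clause too broad takes down a legitimate service just as surely as the flood it targets, so it pays to dry-run a rule set against representative packets before pushing it. The following Python simulator is an added example, not Cloudflare code and not the Magic Firewall engine: rules are plain Python predicates standing in for expressions, they are evaluated in list order with the first match deciding the verdict (an assumption of this simulator), and the packets are constructed five-tuples rather than captured traffic. It shows that a bare "block all UDP" rule also drops DNS queries to the protected prefix, while the rule with a port-53 exception keeps DNS reachable and still discards a reflected UDP flood.

```python
"""Dry-run Magic Transit packet rules against constructed packets.

Added example, not Cloudflare code. Rules are Python predicates standing in for
Magic Firewall expressions and are evaluated in list order with the first
matching rule deciding the verdict (an assumption of this simulator); packets
are constructed samples, not captured traffic.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    note: str = ""              # label for the constructed sample


@dataclass(frozen=True)
class Rule:
    description: str
    action: str                 # "block" or "allow"
    matches: Callable[[Packet], bool]


def evaluate(rules: List[Rule], packet: Packet, default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule description) for the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.description
    return default, "default policy"


# A bare "block all UDP" rule: no exception for DNS
NAIVE_RULES = [Rule("Block all UDP", "block", lambda p: p.proto == "udp")]

# The same intent with the DNS exception, equivalent to the expression
# ip.proto == "udp" and not udp.dstport == 53
CORRECTED_RULES = [Rule("Block UDP except DNS on 53", "block",
                        lambda p: p.proto == "udp" and p.dport != 53)]

# Constructed sample packets arriving at the protected prefix
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.53", "udp", 53, "DNS query to authoritative server"),
    Packet("192.0.2.77", "203.0.113.10", "udp", 40123, "reflected amplification flood"),
    Packet("192.0.2.20", "203.0.113.10", "tcp", 443, "HTTPS session"),
    Packet("192.0.2.30", "203.0.113.10", "icmp", None, "ICMP echo to the service address"),
]


def simulate(rules: List[Rule], packets: List[Packet]) -> Dict[str, str]:
    """Map each sample packet's label to its verdict under the rule set."""
    return {p.note: evaluate(rules, p)[0] for p in packets}


def blocked_notes(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Sorted labels of the packets the rule set would discard."""
    return sorted(note for note, action in simulate(rules, packets).items() if action == "block")


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_RULES), ("corrected", CORRECTED_RULES)):
        print(f"{name}: blocked = {blocked_notes(rules, SAMPLE_PACKETS)}")
```

The same harness extends to any rule you are about to deploy: add the packets your own services depend on (DNS, NTP, your VPN ports) to the sample list and confirm none of them land in the blocked set before the change goes live.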

Tunnel Health Monitoring

Monitor tunnel status to ensure connectivity is healthy.

# List configured GRE tunnels with their health-check settings
curl -s https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/gre_tunnels \
  -H "Authorization: Bearer {api_token}" | jq '.result.gre_tunnels[] | {name, interface_address, customer_gre_endpoint, health_check}'

# health_check returns each tunnel's probe configuration; the per-probe pass/fail
# results are reported in the Magic Transit tunnel health analytics
# Configure health check for GRE tunnel
# Magic Transit automatically pings tunnel endpoints every 10 seconds
# Configure your router to respond to ICMP echo on the tunnel interface
# Router ACL should permit ICMP from Cloudflare tunnel source IPs
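Probe results only help if something evaluates them and raises an alert, and a tunnel whose health checks are disabled fails silently. The following Python check is an added example, not Cloudflare's code: the tunnel list mirrors the name, interface_address and health_check fields queried above, the probe records and their (timestamp, tunnel, result) shape are constructed samples, and the thresholds (three consecutive failures is critical, a 50% failure ratio is a warning) are assumptions to tune for your own network. Intermittent failures with no long streak are reported separately, since on a GRE tunnel they usually mean packet loss or an ACL that is dropping some of the ICMP probes rather than a dead link.

```python
"""Evaluate GRE tunnel health from probe results and tunnel configuration.

Added example, not Cloudflare code. The tunnel list mirrors the fields queried
above; the probe records have an assumed (timestamp, tunnel, result) shape and
are constructed samples; the alert thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed tunnel configuration, in the shape of the listing above
SAMPLE_TUNNELS = [
    {"name": "cf-gre-primary", "interface_address": "10.0.0.1/30", "health_check": {"enabled": True}},
    {"name": "cf-gre-secondary", "interface_address": "10.0.0.5/30", "health_check": {"enabled": False}},
    {"name": "cf-gre-tertiary", "interface_address": "10.0.0.9/30", "health_check": {"enabled": True}},
]

# Constructed probe results (ISO-8601 timestamp, tunnel name, pass/fail)
SAMPLE_PROBES = [
    ("2026-06-23T10:00:00Z", "cf-gre-primary", "pass"),
    ("2026-06-23T10:00:10Z", "cf-gre-primary", "pass"),
    ("2026-06-23T10:00:20Z", "cf-gre-primary", "fail"),
    ("2026-06-23T10:00:30Z", "cf-gre-primary", "pass"),
    ("2026-06-23T10:00:40Z", "cf-gre-primary", "fail"),
    ("2026-06-23T10:00:50Z", "cf-gre-primary", "fail"),
    ("2026-06-23T10:01:00Z", "cf-gre-primary", "fail"),
    ("2026-06-23T10:00:00Z", "cf-gre-secondary", "pass"),
    ("2026-06-23T10:00:00Z", "cf-gre-tertiary", "fail"),
    ("2026-06-23T10:00:10Z", "cf-gre-tertiary", "pass"),
    ("2026-06-23T10:00:20Z", "cf-gre-tertiary", "fail"),
    ("2026-06-23T10:00:30Z", "cf-gre-tertiary", "pass"),
]


def parse_ts(ts):
    """Parse the constructed UTC timestamp format into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trailing_failures(results):
    """Number of consecutive failures at the end of a chronologically ordered list."""
    n = 0
    for r in reversed(results):
        if r != "fail":
            break
        n += 1
    return n


def assess_tunnels(tunnels, probes, consecutive_fail_threshold=3, fail_ratio_threshold=0.5):
    """Return a list of (tunnel, severity, message) findings."""
    by_tunnel = defaultdict(list)
    for _, name, result in sorted(probes, key=lambda p: parse_ts(p[0])):
        by_tunnel[name].append(result)

    findings = []
    for tunnel in tunnels:
        name = tunnel["name"]
        # A tunnel nobody probes cannot page anyone when it breaks
        if not tunnel.get("health_check", {}).get("enabled", False):
            findings.append((name, "warning", "health checks disabled; a tunnel failure would go unnoticed"))
            continue
        results = by_tunnel.get(name, [])
        if not results:
            findings.append((name, "warning", "no probe results in window"))
            continue
        streak = trailing_failures(results)
        ratio = results.count("fail") / len(results)
        if streak >= consecutive_fail_threshold:
            findings.append((name, "critical", f"{streak} consecutive probe failures, tunnel likely down"))
        elif ratio >= fail_ratio_threshold:
            findings.append((name, "warning",
                             f"{ratio:.0%} of probes failed, possible packet loss or ICMP filtering on the tunnel interface"))
    return findings


if __name__ == "__main__":
    for name, severity, message in assess_tunnels(SAMPLE_TUNNELS, SAMPLE_PROBES):
        print(f"{severity:8} {name}: {message}")
```

On the constructed samples the primary tunnel ends in three straight failures and is reported as critical, the secondary is flagged because its health checks are switched off, and the tertiary, which alternates pass and fail, is reported as a loss warning rather than an outage.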

FAQ

What is the difference between Magic Transit and Spectrum?

Magic Transit protects entire IP prefixes at the network layer (BGP/GRE), forwarding all protocols through tunnels. Spectrum protects individual TCP/UDP applications by proxying traffic to specific origin IPs. Magic Transit is for full network infrastructure; Spectrum is for specific services.

Do I need my own ASN to use Magic Transit?

You need either your own public ASN and IP prefix or a private ASN with a prefix provided by a contracted LIR. Cloudflare will help validate your prefix ownership before activation.

Can I use Magic Transit with other Cloudflare services like CDN and WAF?

Yes. You can selectively enable application-layer services (CDN, WAF, Argo) for HTTP traffic while Magic Transit handles all other protocols. This hybrid approach gives you both network-layer protection and application-layer optimization.

Practice Questions

  1. How does Magic Transit differ from traditional on-premise DDoS mitigation appliances?
  2. What is the role of GRE tunnels in the Magic Transit architecture?
  3. How does BGP advertising enable Cloudflare to attract and filter traffic for your IP prefixes?

Summary

Cloudflare Magic Transit protects on-premise network infrastructure by advertising your IP prefixes via BGP, attracting all traffic to Cloudflare's network, filtering DDoS attacks at the edge, and forwarding clean traffic through GRE or IPIP tunnels to your data center. It replaces expensive hardware appliances with cloud-based multi-terabit capacity.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.