Cloudflare Magic Transit — On-Ramp & DDoS Protection for Network Infrastructure
In this tutorial, you'll learn about Cloudflare Magic Transit. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloudflare Magic Transit protects on-premise network infrastructure by routing traffic through Cloudflare's global Anycast network, filtering DDoS attacks at the edge before they reach your data center. This tutorial explains Magic Transit architecture, configuration steps, and best practices for on-ramping your IP space.
Why Magic Transit Matters
Traditional DDoS protection requires dedicated hardware appliances that sit in your data center and cost millions of dollars; they are also bounded by your own uplink capacity, so a volumetric attack can saturate the link before the appliance ever sees a packet. Cloudflare Magic Transit moves DDoS scrubbing to the cloud, absorbing attacks at edge data centers that have multi-terabit capacity. Your origin infrastructure sees only clean traffic.
Real-world use: Durga Antivirus Pro uses Magic Transit to protect its update servers and API infrastructure. A 1.2 Tbps DDoS attack targeting the API Gateway was absorbed entirely at Cloudflare's edge, and the origin servers received zero attack traffic.
Magic Transit Architecture
```mermaid
flowchart TD
    ATT[Attacker DDoS] --> CLOUD[Cloudflare Edge]
    LEG[Legitimate User] --> CLOUD
    CLOUD --> FILT[Traffic Filtering]
    FILT -->|Clean| TUN["GRE/IPIP Tunnel"]
    FILT -->|Attack| DROP[Discarded at Edge]
    TUN --> RTR[Customer Router]
    RTR --> ORIG[Origin Infrastructure]
    style ATT fill:#c00,color:#fff
    style LEG fill:#09c,color:#fff
    style CLOUD fill:#f90,color:#fff
    style DROP fill:#c00,color:#fff
    style ORIG fill:#090,color:#fff
```
How Magic Transit Works
Magic Transit advertises your IP prefixes through Cloudflare's network using BGP. Cloudflare announces your prefixes, attracts traffic, scrubs it, and forwards clean traffic through a tunnel to your infrastructure.
```text
# Step 1: Onboard your IP prefixes
# Cloudflare must verify you own the IP space (ARIN/RIPE/RIR validation)
# Submit via dashboard: Magic Transit > Static Configuration
# Provide your prefix: 203.0.113.0/24

# Step 2: Configure a GRE tunnel from Cloudflare to your edge router
# On your router (Cisco IOS example):
interface Tunnel0
 description GRE tunnel to Cloudflare
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 173.245.48.1
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
# GRE adds 24 bytes (outer IPv4 header + GRE header) to every packet, so a 1500-byte
# uplink can carry at most 1476 bytes inside the tunnel; 1400 leaves headroom. The MSS
# clamp is the tunnel MTU minus 40 bytes of IPv4 + TCP headers, so TCP segments are
# never fragmented on the way in.
# This tunnel carries clean traffic from Cloudflare to your data center

# Step 3: Configure BGP with Cloudflare
# Advertise your prefix to Cloudflare and accept their routes
router bgp 65001
 neighbor 10.0.0.2 remote-as 13335
 neighbor 10.0.0.2 description Cloudflare Magic Transit
 address-family ipv4 unicast
  neighbor 10.0.0.2 activate
  network 203.0.113.0 mask 255.255.255.0
 exit-address-family
# IOS only advertises a "network" statement that exactly matches a route in the
# routing table; a discard route anchors the /24 if it is not otherwise present
ip route 203.0.113.0 255.255.255.0 Null0 250
# Cloudflare ASN is 13335
# Your ASN can be private (shown here) or public depending on your setup
```
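The on-ramp values above have to agree with each other: the prefix must be one Cloudflare can announce, the tunnel MTU must fit under the uplink MTU once GRE overhead is added, and the MSS clamp must follow from the MTU. The following Python script is an added example, not Cloudflare's or this tutorial's code. It checks those constraints and renders the same IOS configuration from the tutorial's values (203.0.113.0/24, 10.0.0.0/30 inside the tunnel, 173.245.48.1, AS 65001). The `OnRamp` type, its field names and the wording of the validation messages are this example's own; the 24-byte GRE overhead and the /24 minimum are stated as assumptions in the code.

```python
"""Consistency checks for a Magic Transit GRE on-ramp, plus an IOS config renderer.

Added example (not Cloudflare's or this tutorial's code). The OnRamp type, its
field names and the validation messages are this example's own; the defaults in
TUTORIAL are the values used in the tutorial text.
"""
import ipaddress
from dataclasses import dataclass

GRE_OVERHEAD = 24      # assumption: outer IPv4 header (20 bytes) + GRE header (4 bytes)
TCP_IP_HEADERS = 40    # IPv4 (20) + TCP (20): the MSS clamp is tunnel MTU minus this
CLOUDFLARE_ASN = 13335


@dataclass
class OnRamp:
    prefix: str            # customer prefix that Cloudflare will announce
    tunnel_src: str        # customer router's tunnel endpoint
    tunnel_dst: str        # Cloudflare's anycast tunnel endpoint
    inner_local: str       # tunnel interface address on the router, with prefix length
    inner_peer: str        # Cloudflare's address inside the tunnel, also the BGP peer
    local_asn: int
    mtu: int               # value for "ip mtu" on the tunnel interface
    outer_mtu: int = 1500  # MTU of the uplink that carries the encapsulated packets


def validate(r: OnRamp) -> list:
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    try:
        net = ipaddress.ip_network(r.prefix, strict=True)
        # Assumption: Cloudflare announces IPv4 prefixes of /24 or shorter (longer ones
        # are not globally routable, so nobody would route them to Cloudflare anyway).
        if net.version != 4 or net.prefixlen > 24:
            problems.append(f"{r.prefix}: Magic Transit announces IPv4 prefixes of /24 or shorter")
    except ValueError as exc:
        problems.append(f"{r.prefix}: {exc}")
    if ipaddress.ip_address(r.tunnel_src) == ipaddress.ip_address(r.tunnel_dst):
        problems.append("tunnel source and destination must differ")
    local = ipaddress.ip_interface(r.inner_local)
    peer = ipaddress.ip_interface(r.inner_peer)
    if local.network != peer.network or local.network.prefixlen not in (30, 31):
        problems.append("tunnel interface addresses must share one /30 or /31")
    if local.ip == peer.ip:
        problems.append("local and peer tunnel addresses must differ")
    max_mtu = r.outer_mtu - GRE_OVERHEAD
    if r.mtu > max_mtu:
        problems.append(f"ip mtu {r.mtu} exceeds {max_mtu} "
                        f"(outer MTU {r.outer_mtu} minus {GRE_OVERHEAD} bytes of GRE overhead)")
    if r.local_asn == CLOUDFLARE_ASN:
        problems.append("local ASN must not be Cloudflare's AS13335")
    return problems


def render_ios(r: OnRamp) -> str:
    """Render the tunnel, BGP and discard-route configuration, refusing inconsistent input."""
    problems = validate(r)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(r.prefix)
    local = ipaddress.ip_interface(r.inner_local)
    peer = ipaddress.ip_interface(r.inner_peer)
    mss = r.mtu - TCP_IP_HEADERS  # clamp TCP MSS so segments always fit the tunnel MTU
    lines = [
        "interface Tunnel0",
        " description GRE tunnel to Cloudflare",
        f" ip address {local.ip} {local.netmask}",
        f" tunnel source {r.tunnel_src}",
        f" tunnel destination {r.tunnel_dst}",
        " tunnel mode gre ip",
        f" ip mtu {r.mtu}",
        f" ip tcp adjust-mss {mss}",
        "!",
        f"router bgp {r.local_asn}",
        f" neighbor {peer.ip} remote-as {CLOUDFLARE_ASN}",
        f" neighbor {peer.ip} description Cloudflare Magic Transit",
        " address-family ipv4 unicast",
        f"  neighbor {peer.ip} activate",
        f"  network {net.network_address} mask {net.netmask}",
        " exit-address-family",
        "!",
        # IOS advertises a "network" only if an exact route exists; anchor it with a discard route
        f"ip route {net.network_address} {net.netmask} Null0 250",
    ]
    return "\n".join(lines) + "\n"


# Values from the tutorial text (documentation-range addresses, not a real deployment)
TUTORIAL = OnRamp(prefix="203.0.113.0/24", tunnel_src="203.0.113.1", tunnel_dst="173.245.48.1",
                  inner_local="10.0.0.1/30", inner_peer="10.0.0.2/30", local_asn=65001, mtu=1400)

if __name__ == "__main__":
    print(render_ios(TUTORIAL))
```

Run it as-is to reproduce the tutorial's router configuration; change `mtu` to 1500 or the prefix to a /25 and `validate` reports the problem instead of emitting a configuration that would silently black-hole traffic.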
DDoS Protection Layers
Magic Transit applies multiple layers of filtering to incoming traffic.
| Layer | Protection | Description |
|---|---|---|
| L3 | Network | Volumetric attacks, packet floods |
| L4 | Transport | SYN floods, UDP floods, amplification |
| L7 | Application | HTTP floods, bot mitigation |
| BGP | Routing | Route hijack detection, BGP flow spec |
```text
# Configure packet filtering rules
# Magic Transit > Firewall > Packet rules
# Example: Block all inbound UDP except DNS
curl -X POST https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/firewall/access_rules \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "block",
    "configuration": {
      "target": "protocol",
      "value": "udp"
    },
    "notes": "Block all UDP traffic except on port 53"
  }'
# On its own this rule drops every inbound UDP packet, DNS included; the allow rule
# for UDP port 53 is a separate rule that must be evaluated before this block (not shown)

# View attack analytics
curl -s https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/analytics/attack_events \
  -H "Authorization: Bearer {api_token}" | jq '.result[] | {timestamp, attack_type, bits_rate, packets_rate}'
# Shows recent attack events with type, volume in bps, and pps
```
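The jq filter above flattens the response; the operational step that follows is deciding which events deserve a ticket and which are background noise. The following Python script is an added example, not Cloudflare's or this tutorial's code. It runs over a constructed response in the shape the jq filter expects (the field names `attack_type`, `bits_rate` and `packets_rate` are taken from the filter and assumed to be what the API returns), aggregates peak rates per attack type and flags events above an assumed paging threshold. Replace `SAMPLE_RESPONSE` with the body returned by the curl call to use it on live data.

```python
"""Triage Magic Transit attack events from the analytics response.

Added example (not Cloudflare's or this tutorial's code). SAMPLE_RESPONSE is
constructed; its field names follow the tutorial's jq filter and are assumed to
match the API. The paging thresholds are assumptions, not Cloudflare defaults.
"""
import json

# Constructed sample response (timestamps and rates are made up for the example)
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "result": [
        {"timestamp": "2024-05-01T10:00:00Z", "attack_type": "udp_amplification",
         "bits_rate": 1.2e12, "packets_rate": 9.0e8},
        {"timestamp": "2024-05-01T10:05:00Z", "attack_type": "syn_flood",
         "bits_rate": 4.0e10, "packets_rate": 6.0e7},
        {"timestamp": "2024-05-01T11:30:00Z", "attack_type": "udp_amplification",
         "bits_rate": 3.5e11, "packets_rate": 2.5e8},
        {"timestamp": "2024-05-02T02:15:00Z", "attack_type": "syn_flood",
         "bits_rate": 8.0e9, "packets_rate": 1.5e7},
    ],
})


def parse_events(body: str) -> list:
    """Decode the API envelope and return the event list, failing loudly on an API error."""
    data = json.loads(body)
    if not data.get("success", False):
        raise ValueError("API call failed: " + json.dumps(data.get("errors", [])))
    return data["result"]


def summarize(events: list) -> dict:
    """Aggregate per attack type: number of events and the peak bps / pps seen."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["attack_type"], {"count": 0, "peak_bps": 0.0, "peak_pps": 0.0})
        s["count"] += 1
        s["peak_bps"] = max(s["peak_bps"], float(e["bits_rate"]))
        s["peak_pps"] = max(s["peak_pps"], float(e["packets_rate"]))
    return summary


def above_threshold(events: list, min_bps: float = 1e11, min_pps: float = 1e8) -> list:
    """Events large enough to open an incident; either rate crossing its threshold qualifies.

    The thresholds are assumptions for the example: 100 Gbps or 100 Mpps.
    """
    return [e for e in events
            if float(e["bits_rate"]) >= min_bps or float(e["packets_rate"]) >= min_pps]


def fmt_rate(value: float, unit: str) -> str:
    """Render a rate with an SI prefix, e.g. 1.2e12 bps -> '1.2 Tbps'."""
    for prefix, scale in (("T", 1e12), ("G", 1e9), ("M", 1e6), ("k", 1e3)):
        if value >= scale:
            return f"{value / scale:.1f} {prefix}{unit}"
    return f"{value:.0f} {unit}"


if __name__ == "__main__":
    events = parse_events(SAMPLE_RESPONSE)
    for attack_type, s in sorted(summarize(events).items()):
        print(f"{attack_type:20} events={s['count']} "
              f"peak={fmt_rate(s['peak_bps'], 'bps')} / {fmt_rate(s['peak_pps'], 'pps')}")
    for e in above_threshold(events):
        print(f"INCIDENT {e['timestamp']} {e['attack_type']} {fmt_rate(e['bits_rate'], 'bps')}")
```

The per-type peaks are the numbers worth recording over time: a rising peak for one attack type against the same prefix is the signal that your Magic Firewall rules for that protocol need a look, whereas a one-off spike that Cloudflare absorbed entirely usually needs no origin-side change.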
Tunnel Health Monitoring
Monitor tunnel status to ensure connectivity is healthy.
```text
# Check GRE tunnel health
curl -s https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/tunnels \
  -H "Authorization: Bearer {api_token}" | jq '.result[] | {name, interface_address, health_check}'
# Health check shows "pass" or "fail" for each tunnel endpoint

# Configure health check for GRE tunnel
# Magic Transit automatically pings tunnel endpoints every 10 seconds
# Configure your router to respond to ICMP echo on the tunnel interface
# Router ACL should permit ICMP from Cloudflare tunnel source IPs
```
Practice Questions
- How does Magic Transit differ from traditional on-premise DDoS mitigation appliances?
- What is the role of GRE tunnels in the Magic Transit architecture?
- How does BGP advertising enable Cloudflare to attract and filter traffic for your IP prefixes?
Summary
Cloudflare Magic Transit protects on-premise network infrastructure by advertising your IP prefixes via BGP, attracting all traffic to Cloudflare's network, filtering DDoS attacks at the edge, and forwarding clean traffic through GRE or IPIP tunnels to your data center. It replaces expensive hardware appliances with cloud-based multi-terabit capacity.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.