Cloudflare Magic Transit
Cloudflare Magic Transit provides DDoS protection and enhances network performance and security.
| Category | Network Security |
|---|---|
| Last page update | 19 days ago |
| Pricing Details | Contact Cloudflare for pricing details. |
| Target Audience | Businesses and organizations seeking enhanced network security and performance. |
Cloudflare Magic Transit protects networks from DDoS attacks and improves overall network performance and security. Here is a breakdown of its technical architecture and operational considerations:
Magic Transit leverages Cloudflare’s global anycast network, which spans hundreds of cities worldwide, to ingest and process traffic. It uses Border Gateway Protocol (BGP) to announce the customer's IP address space, extending their network presence globally. Traffic is routed through anycast Generic Routing Encapsulation (GRE) tunnels or IPsec tunnels, ensuring secure and reliable connectivity between Cloudflare’s network and the customer’s origin infrastructure.
The setup involves several key steps, including verifying router compatibility to support anycast tunneling, configuring maximum segment size (MSS) clamping to account for header overhead, and setting up static routes to direct traffic through Cloudflare’s network. Pre-flight checks are conducted to validate tunnel connectivity, endpoint health, and other configurations before prefixes are advertised.
Operational considerations include the option for either ingress-only or ingress and egress traffic flow. In the default configuration, only ingress traffic is processed through Cloudflare, while egress traffic is routed directly by the customer's edge router. Enabling the egress option requires policy-based routing or default routing to forward traffic through Cloudflare’s tunnels, providing symmetric traffic flow and added security.
When using Cloudflare Network Interconnect (CNI), customers can connect their network infrastructure directly to Cloudflare, bypassing the public Internet. This setup supports higher throughput and additional security measures, such as GRE tunnels over CNI, which require specific MTU and MSS configurations to accommodate header overhead.
Technical details include the need to set MSS clamping to 1,360 bytes for IPsec tunnels and 1,436 bytes for GRE tunnels over CNI. The MTU of GRE tunnel interfaces should be set to 1,476 bytes to ensure proper packet transmission. MSS clamping compensates for the tunnel header overhead so that full-size TCP segments still fit within the tunnel MTU; these settings are therefore crucial to maintain network performance and avoid packet fragmentation.
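The MTU and MSS values above are the kind of thing the pre-flight checks described earlier should verify before prefixes are advertised. The following Python script is an added example of such a check; it is not Cloudflare's tooling and not code from the page. It assumes a 1,500-byte outer MTU, a 20-byte IPv4 header, a 4-byte GRE header and a 20-byte TCP header (none of which the page states) to derive the GRE figures, takes the IPsec MSS value from the page as given because ESP overhead depends on the cipher suite, and runs the check over a constructed tunnel inventory.

```python
# Added example: a pre-flight check for Magic Transit tunnel MTU/MSS settings.
# Illustrative code, not Cloudflare's own tooling. Assumed values (not from the
# page): 1500-byte outer MTU, 20-byte IPv4 header, 4-byte GRE header, 20-byte TCP
# header. The IPsec MSS target is taken from the page rather than derived, because
# ESP overhead depends on the cipher suite and encapsulation in use.

OUTER_MTU = 1500      # assumed path MTU between the edge router and Cloudflare
IPV4_HEADER = 20
GRE_HEADER = 4        # GRE header without optional key/checksum/sequence fields
TCP_HEADER = 20

# Documented settings from the page, used as the values a config must match.
DOCUMENTED = {
    "gre":   {"mtu": 1476, "mss": 1436},
    "ipsec": {"mss": 1360},
}


def gre_tunnel_mtu(outer_mtu=OUTER_MTU):
    """Inner MTU of a GRE-over-IPv4 tunnel: outer MTU minus outer IP and GRE headers."""
    return outer_mtu - IPV4_HEADER - GRE_HEADER


def tcp_mss_for_mtu(mtu):
    """Largest TCP payload that fits one packet at this MTU (IPv4 + TCP headers removed)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def check_tunnel(cfg):
    """Return a list of findings (empty when the tunnel config is consistent).

    cfg is a dict: {"name": str, "type": "gre"|"ipsec", "mtu": int|None, "mss": int}
    """
    findings = []
    name, ttype = cfg["name"], cfg["type"]
    target = DOCUMENTED.get(ttype)
    if target is None:
        return [f"{name}: unknown tunnel type {ttype!r}"]

    # Interface MTU must match the documented tunnel MTU when one is documented.
    if "mtu" in target and cfg.get("mtu") != target["mtu"]:
        findings.append(f"{name}: MTU {cfg.get('mtu')} should be {target['mtu']}")

    # MSS clamp must match the documented value for this tunnel type.
    if cfg["mss"] != target["mss"]:
        findings.append(f"{name}: MSS clamp {cfg['mss']} should be {target['mss']}")

    # Internal consistency: a clamp larger than MTU minus IPv4/TCP headers lets
    # full-size TCP segments exceed the tunnel MTU, i.e. the fragmentation the
    # clamp exists to prevent.
    if cfg.get("mtu") is not None and cfg["mss"] > tcp_mss_for_mtu(cfg["mtu"]):
        findings.append(
            f"{name}: MSS {cfg['mss']} exceeds MTU {cfg['mtu']} minus headers "
            f"({tcp_mss_for_mtu(cfg['mtu'])})"
        )
    return findings


def preflight(tunnels):
    """Run check_tunnel over every tunnel; return {name: findings} for failing ones only."""
    report = {}
    for cfg in tunnels:
        findings = check_tunnel(cfg)
        if findings:
            report[cfg["name"]] = findings
    return report


# Constructed sample inventory: two GRE tunnels and two IPsec tunnels, one of each misconfigured.
SAMPLE_TUNNELS = [
    {"name": "gre-cni-1", "type": "gre",   "mtu": 1476, "mss": 1436},
    {"name": "gre-cni-2", "type": "gre",   "mtu": 1500, "mss": 1460},  # left at Ethernet defaults
    {"name": "ipsec-1",   "type": "ipsec", "mtu": None, "mss": 1360},
    {"name": "ipsec-2",   "type": "ipsec", "mtu": None, "mss": 1436},  # GRE value applied to IPsec
]

if __name__ == "__main__":
    print(f"derived GRE MTU: {gre_tunnel_mtu()}  derived GRE MSS: {tcp_mss_for_mtu(gre_tunnel_mtu())}")
    for name, findings in preflight(SAMPLE_TUNNELS).items():
        for finding in findings:
            print("FAIL", finding)
```

Under the assumed 1,500-byte outer MTU the derivation reproduces the page's GRE figures (1500 - 20 - 4 = 1476 for the tunnel MTU, 1476 - 40 = 1436 for the MSS clamp). In the sample inventory the GRE tunnel left at Ethernet defaults fails both the MTU and MSS comparisons, and the IPsec tunnel that received the GRE clamp value fails the MSS comparison.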