Get started
Before you can begin using Magic Transit, be sure to complete the onboarding steps below. Cloudflare can significantly accelerate this timeline during active-attack scenarios.
The onboarding process begins with an initial kickoff call where Cloudflare engages with your organization to confirm the scope and timeline for setting up Magic Transit.
After your call with Cloudflare, complete the prerequisites step.
Before you can begin using Magic Transit, verify that you meet Cloudflare’s onboarding requirements.
Magic Transit relies on anycast tunnels to transmit packets from Cloudflare’s global network to your origin network.
The routers at your tunnel endpoints must meet the following requirements to ensure compatibility with Magic Transit.
- Support anycast tunneling.
- Allow configuration of at least one tunnel per Internet service provider (ISP).
- Support maximum segment size (MSS) clamping.
Draft a Letter of Agency (LOA) - sometimes referred to as a Letter of Authorization - that identifies the prefixes you want to advertise and gives Cloudflare permission to announce them. The LOA is required by Cloudflare’s transit providers so they can accept the routes Cloudflare advertises on your behalf. See this LOA template for an example.
If you are an Internet service provider (ISP) and advertising prefixes on behalf of a customer, an LOA is required for the ISP and for the customer.
If you are using a Cloudflare IP address, you do not need to submit an LOA.
Verify your Internet Routing Registry (IRR) entries match corresponding origin autonomous system numbers (ASNs) to ensure Magic Transit routes traffic to the correct autonomous systems (AS). For guidance, refer to Verify IRR entries.
If you are using a Cloudflare IP, you do not need to verify your IRR entries.
You can also use the Resource Public Key Infrastructure (RPKI) as an additional option to validate your prefixes. RPKI is a security framework method that associates a route with an autonomous system. It uses cryptography to validate the information before being passed onto the routers.
To check your prefixes, you can use Cloudflare’s RPKI Portal.
sequenceDiagram accTitle: Magic WAN accDescr: Maximum segment size participant A as Client machine participant B as Cloudflare Magic WAN/Transit participant C as Origin router A->>B: MSS = 1460 bytes <br> Protocol (20 bytes) <br> IP header (20 bytes) Note left of A: SYN B->>C: MSS = 1436 bytes <br> Protocol (20 bytes) <br> IP header (20 bytes) <br> GRE header (4 bytes) <br> IP header (20 bytes) C->>A: MSS = 1436 bytes <br> IP <br> Protocol Note right of C: SYN-ACK A->>B: MSS = 1436 bytes <br> Protocol <br> IP Note left of A: ACK B->>C: Protocol <br> IP <br> GRE <br> IP
The SYN-ACK packet sent to the client during TCP handshake encodes the value for maximum segment size (MSS). Egress packets are routed via your ISP interface, and each packet must comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.
Cloudflare Magic Transit uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets adding new headers.
To accommodate the additional header data, you must set the MSS value to 1436 bytes at your physical egress interfaces — not the tunnel interfaces. For Magic Transit egress traffic, the MSS should be set via the tunnel’s interface for egress traffic.Standard Internet Routable MTU | 1500 bytes |
---|---|
- Original IP header | 20 bytes |
- Original protocol header (TCP) | 20 bytes |
- New IP header | 20 bytes |
- New protocol header (GRE) | 4 bytes |
= Maximum segment size (MSS) | 1436 bytes |
Unless you apply these MSS settings at the origin, client machines do not know that they must use an MSS of 1436 bytes when sending packets to your origin.
If you are unable to set the MSS on your physical interfaces to a value lower than 1500 bytes, you can choose to clear the don't-fragment
bit in the IP header. When this option is enabled, Cloudflare fragments packets greater than 1500 bytes, and the packets are reassembled on your infrastructure after decapsulation. In most environments, enabling this option does not have significant impact on traffic throughput.
To enable this option for your network, contact your account team.
Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.
The following table lists several commonly used router vendors with links to MSS clamping instructions:
Router device | URL |
---|---|
Cisco | TCP IP Adjust MSS |
Juniper | TCP MSS – Edit System |
Configure the tunnels on both the Cloudflare side and your router side to connect to your origin infrastructure.
Configure static routes to route traffic from Cloudflare’s global network to your locations.
After setting up your tunnels and static routes, Cloudflare validates tunnel connectivity, tunnel and endpoint health checks, Letter of Agency (LOA), Internet Routing Registry (IRR), and maximum segment size (MSS) configurations. Configurations for Cloudflare global network are applied and take around one day to rollout.
Once pre-flight checks are completed, Cloudflare will unlock your prefixes for you to advertise via the dashboard, API or BGP at a time of your choosing. Refer to Dynamic advertisement best practices to learn more about advertising prefixes.
If you are using a Cloudflare IP, you do not need to advertise your prefixes.