
Cloudflare Magic Transit: BGP-Advertised DDoS Protection for Your Network

What Is Magic Transit?

Magic Transit is Cloudflare’s network-layer DDoS protection and traffic acceleration service for IP infrastructure. Unlike products that protect web applications, Magic Transit protects entire IP prefixes — your routers, data centers, on-premises infrastructure, anything reachable via those IPs.

It works by advertising your IP prefixes via BGP from Cloudflare’s global network. Traffic destined for your IPs is routed through Cloudflare first, scrubbed of attack traffic, and then forwarded to your infrastructure over a GRE or IPsec tunnel. Your IPs stay yours — Cloudflare just sits in front of them.


What Problems It Solves

Volumetric DDoS at scale. Magic Transit can absorb multi-terabit attacks at the edge before they ever reach your network. Cloudflare’s scrubbing capacity is distributed across their global network rather than concentrated in a single scrubbing center, meaning there’s no single point of congestion.

Always-on protection. Unlike traditional DDoS mitigation that requires diverting traffic during an attack, Magic Transit is always in path. There’s no detection delay, no diversion time, and no window of exposure while mitigation kicks in.

BGP-based routing with no IP changes. Your IP addresses don’t change. Customers, partners, and internal systems all continue using the same IPs. Magic Transit handles the routing changes transparently.

Acceleration in addition to protection. Clean traffic is forwarded to your origin over Cloudflare’s optimized backbone rather than the public internet, which often results in lower latency compared to direct routing.


How It Works

Internet → Cloudflare Edge (BGP attracts traffic)
        → DDoS Scrubbing + Firewall
        → GRE/IPsec Tunnel → Your Router/Firewall → Infrastructure

  1. Cloudflare announces your IP prefixes via BGP (you provide a Letter of Authorization)
  2. Traffic hits Cloudflare’s edge, where volumetric attacks are dropped inline
  3. Clean traffic is forwarded through tunnels to your network
  4. Your router receives clean traffic on the tunnel interface and distributes normally

Key Capabilities

  • Volumetric DDoS mitigation — absorbs L3/L4 attacks: UDP floods, ICMP floods, SYN floods, amplification attacks
  • Magic Firewall integration — apply stateless packet filtering rules to traffic in Cloudflare’s network before it reaches your tunnels
  • Anycast tunnel termination — tunnels terminate across Cloudflare’s entire global network, not a single location
  • ECMP load balancing — distribute traffic across multiple tunnels for redundancy and throughput
  • Network Analytics — full visibility into traffic flowing through Magic Transit including attack events
  • Automatic advertisement control — withdraw or advertise prefixes on-demand via API or dashboard

Best Practices

Plan Your Prefix Advertisement Carefully

Only advertise prefixes you want protected through Magic Transit. Start with a /24 minimum (most upstream providers won’t accept BGP prefixes longer than /24). If you have prefixes you don’t want in Magic Transit, ensure they’re excluded from the LOA.

Deploy Redundant Tunnels

Always configure at least two GRE or IPsec tunnels to different Cloudflare anycast endpoints. If one tunnel degrades, traffic fails over automatically. A single tunnel is a single point of failure.

Primary Tunnel:   Your Router ← → Cloudflare Anycast (162.158.x.x)
Secondary Tunnel: Your Router ← → Cloudflare Anycast (172.64.x.x)

Set Tunnel Health Checks Correctly

Cloudflare sends health check probes through your tunnels. Configure your firewall to allow ICMP from Cloudflare’s health check IPs — blocking these will cause Cloudflare to mark tunnels as unhealthy and potentially stop forwarding traffic.

Use Magic Firewall for Stateless Filtering

Rather than letting all traffic hit your on-premises firewall, push stateless ACLs into Magic Firewall at the Cloudflare layer. Drop traffic that should never reach your network (bogons, unexpected protocols, known bad ASNs) before it consumes tunnel bandwidth.
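A stateless ACL of the kind just described, evaluated offline so each rule's intent can be checked before it is expressed in Magic Firewall. This is an added example, not Cloudflare's code or Magic Firewall's rule syntax; the protected services, the bogon list and the amplification source-port list are assumptions for a prefix that hosts servers only.

```python
"""Ordered stateless drop rules over constructed packet headers (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp", "gre", ...
    sport: int = 0
    dport: int = 0


# Source ranges that must never arrive from the public internet (bogons).
# Documentation ranges are left out because the constructed samples use them.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# Assumed: the protected /24 only serves HTTPS, SSH and DNS; ICMP stays open
# so tunnel health probes are never dropped by this layer.
SERVICES = {"tcp": {22, 443}, "udp": {53}, "icmp": set()}
# UDP source ports typical of reflection/amplification responses (assumed list).
AMP_SPORTS = {19, 123, 1900, 11211}

Rule = tuple[str, Callable[[Packet], bool]]
RULES: list[Rule] = [
    ("bogon source", lambda p: any(ip_address(p.src) in n for n in BOGONS)),
    ("protocol not served", lambda p: p.proto not in SERVICES),
    ("port not served", lambda p: p.proto in ("tcp", "udp")
                                  and p.dport not in SERVICES[p.proto]),
    ("udp amplification source port", lambda p: p.proto == "udp"
                                                 and p.sport in AMP_SPORTS),
]


def evaluate(p: Packet) -> tuple[str, str]:
    """First matching rule drops; anything else is allowed into the tunnel."""
    for name, match in RULES:
        if match(p):
            return "drop", name
    return "allow", "default"


def filter_batch(packets: list[Packet]) -> dict[str, int]:
    """Count verdicts per reason, the figure to compare against Network Analytics."""
    counts: dict[str, int] = {}
    for p in packets:
        verdict, reason = evaluate(p)
        key = f"{verdict}:{reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts
```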

Set Appropriate MSS Clamping

GRE adds overhead to packets. Configure MSS clamping on your tunnel interfaces to prevent fragmentation:

# Cisco IOS example
interface Tunnel0
 ip tcp adjust-mss 1436

For IPsec tunnels the value will differ based on your encryption overhead. Test with large packets and adjust until fragmentation stops.
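The arithmetic behind the clamp, as an added example rather than Cloudflare's tooling: the GRE figure reproduces the 1436 in the IOS snippet above, and the IPsec figures come from ESP tunnel-mode overhead under assumed cipher parameters (IV and ICV sizes, padding alignment, NAT-T), so measure your own tunnel before trusting them.

```python
"""MSS clamp calculator for GRE and ESP tunnel-mode encapsulation (added example)."""
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20
GRE_HEADER = 4        # plain GRE: no key, sequence or checksum fields
ESP_SPI_SEQ = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
UDP_NAT_T = 8         # UDP/4500 encapsulation when NAT traversal is on


def gre_mss(path_mtu: int = 1500) -> int:
    """Largest TCP segment whose GRE-encapsulated packet still fits path_mtu."""
    # outer IPv4 + GRE + inner IPv4 + TCP must all fit alongside the segment
    return path_mtu - IPV4_HEADER - GRE_HEADER - IPV4_HEADER - TCP_HEADER


@dataclass(frozen=True)
class EspProfile:
    iv_len: int       # per-packet IV carried at the start of the ESP payload
    icv_len: int      # integrity check value appended after the trailer
    block: int        # alignment of the encrypted part (4 for GCM, 16 for CBC)
    nat_t: bool       # True when ESP rides inside UDP/4500


def _outer(profile: EspProfile) -> int:
    return IPV4_HEADER + (UDP_NAT_T if profile.nat_t else 0)


def ipsec_mss(profile: EspProfile, path_mtu: int = 1500) -> int:
    """Largest TCP segment whose ESP tunnel-mode packet still fits path_mtu."""
    fixed = ESP_SPI_SEQ + profile.iv_len + profile.icv_len
    room = path_mtu - _outer(profile) - fixed
    # the encrypted unit (inner IP + TCP + data + pad + trailer) is padded to a
    # multiple of `block`; take the largest multiple that fits, minus the trailer
    inner_max = room // profile.block * profile.block - ESP_TRAILER
    return inner_max - IPV4_HEADER - TCP_HEADER


def encapsulated_size(mss: int, profile: EspProfile) -> int:
    """Wire size of a full-MSS segment after ESP encapsulation (sanity check)."""
    unit = IPV4_HEADER + TCP_HEADER + mss + ESP_TRAILER
    unit += (-unit) % profile.block            # ESP padding bytes
    return _outer(profile) + ESP_SPI_SEQ + profile.iv_len + unit + profile.icv_len


# Assumed profiles (constructed): AES-GCM and AES-CBC+HMAC-SHA256, both with NAT-T
AES_GCM_NAT_T = EspProfile(iv_len=8, icv_len=16, block=4, nat_t=True)
AES_CBC_NAT_T = EspProfile(iv_len=16, icv_len=16, block=16, nat_t=True)

if __name__ == "__main__":
    print("GRE mss:", gre_mss())
    for name, prof in (("AES-GCM", AES_GCM_NAT_T), ("AES-CBC", AES_CBC_NAT_T)):
        m = ipsec_mss(prof)
        print(f"IPsec {name}: mss={m} wire={encapsulated_size(m, prof)}")
```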

Monitor Tunnel State Proactively

Set up alerts for tunnel state changes in the Cloudflare dashboard. A tunnel going down silently is how an outage starts. Cloudflare’s API can be polled for tunnel health, or use their webhook notifications to feed your NOC alerting system.

Test Failover Before You Need It

Schedule a maintenance window and deliberately take down your primary tunnel. Verify traffic fails over to the secondary cleanly and that your team’s runbook for re-establishing tunnels is accurate. Don’t find out your failover is broken during an actual attack.

Keep an Emergency Contact at Cloudflare

For Magic Transit customers, Cloudflare provides a dedicated onboarding team and emergency support. Make sure your NOC knows the emergency contact path — not just the support portal — for attack response situations.
