Magic Transit | Extending Cloudflare to On-Prem Networks

Network Transit with :DDoS protection,IP firewall,Traffic acceleration:

Cloudflare protects and accelerates over 20 million Internet properties. Extend the same benefits and more to your on-premise and data center networks.

Introducing Cloudflare Magic Transit.

Magic Transit is a software-defined networking product that offers IP transit with DDoS protection, next-gen firewall, traffic acceleration and more for your on-premise and data center networks from a single, easy-to-use interface.

icon cf cloud solid white

Move your network perimeter hardware to the cloud

Provision virtual network functions on the fly: DDoS protection with over 30 Tbps of network capacity and near-instant mitigation, next-gen firewall, traffic acceleration, and much more.

icon global white

Connect to the Cloudflare global network

Our security, performance, and reliability functions are delivered from a physical presence in over 194 cities across 90 countries. This means threats are mitigated close to where they originate, not in your data center.

icon cost white

Drive down your Total Cost of Ownership (TCO)

Get operational agility with reduced capital expenditure. Replace on-premise hardware with network functions delivered and billed as a service.

Thomson Reuters operates on-premise and cloud networks around the world. I’m excited about Cloudflare Magic Transit — the potential to unify our IP transit, DDoS mitigation, and traffic steering solutions into something we can manage with a single pane of glass will be game-changing. Cloudflare continues to impress me with its network’s scale, in terms of geography, capacity, and product breadth.
Jesse Haraldson
Principal Software Architect
How it Works Diagram 3x 5

The next step in infrastructure architecture

Cloudflare Magic Transit protects entire IP subnets from DDoS attacks, while also accelerating network traffic. It uses Cloudflare’s global network to mitigate attacks, employing two fundamental networking protocols, BGP and GRE, for routing and encapsulation.

All your network assets, whether on-premise or in private or public hosted cloud environments are safeguarded.

icon routing blue


Using Border Gateway Protocol (BGP) route announcements to the Internet, and Cloudflare’s anycast network, customer traffic is ingested at a Cloudflare data center closest to the source.

icon ddos blue

Protect and Process

All customer traffic is inspected for attacks. Advanced and automated mitigation techniques can be applied immediately upon detecting an attack. Additional functions such as, load balancing, next-gen firewall, content caching and serverless compute are also delivered as a service.

icon rocket loader blue


Clean traffic is routed over Cloudflare’s network for optimal latency and throughput and can be handed-off over GRE tunnels, private network interconnects (PNI) or other forms or peering to the origin network.

illustration network map animation

The Cloudflare global network

Cloudflare delivers DDoS mitigation using our entire network. This network has a capacity of over 30 Tbps and spans more than 194 cities in 90 countries. Our network allows us to be within 100ms of 93% of the Internet-connected population globally. This is especially important for latency-sensitive applications such as Voice over IP (VoIP) and custom gaming protocols.

10 sec Illustration 3x

Ultra-low Time to Mitigate (TTM)

With a heritage in DDoS mitigation and a vast library of known attacks, malicious traffic is identified at a Cloudflare data center closest to the source within seconds. Automatic mitigation techniques are applied immediately and most malicious traffic is blocked in less than 10 seconds.

IP Firewall Illustration 3x

Pick your network function

Cloudflare Magic Transit comes integrated with our best-in-class network firewall, allowing you to configure granular allow/deny rules for IP ranges and propagate changes in seconds. Want application level firewalling? Configure optional TLS termination and start inspecting payloads. Want a load balancer? You got it. Want to write a serverless Cloudflare Worker to modify traffic on the fly? You can do that, too.

Magic Transit comes natively integrated with all of Cloudflare’s L4 and L7 products.

MRK 9376 CF Magic Transit Speedometer v02 FINAL

Traffic acceleration

More than 1 billion unique IP addresses pass through Cloudflare’s network every day. With every bit we move, our network gets smarter and faster.

When integrated with Argo Smart Routing, Cloudflare Magic Transit will deliver clean traffic back to your network using the fastest, most reliable links in real-time.

Key Features

Over 30 Tbps of network capacity

Over 30 Tbps of network capacity

Mitigate most attacks in under 10 seconds

Mitigate most attacks in under 10 seconds

Sub-second threat detection

Sub-second threat detection

Integrate via BGP routing and GRE encapsulation

Integrate via BGP routing and GRE encapsulation

Native integration with L7 services (CDN, WAF, Bot Management, etc.)

Native integration with L7 services (CDN, WAF, Bot Management, etc.)

Always-on and on-demand options

Always-on and on-demand options

24x7 SOC

24x7 SOC

Support for all IP services (TCP, UDP, IPSec, VoIP, custom protocols)

Support for all IP services (TCP, UDP, IPSec, VoIP, custom protocols)

Advanced analytics

Advanced analytics

As the lines between corporate infrastructure and cloud services continue to converge, Cloudflare's modern approach to protecting infrastructure is a much-needed solution for the industry. The ability for Magic Transit to leverage the power and scale of cloud services to protect infrastructure, while maintaining per IP configuration and optionality, all while routing traffic performantly across Cloudflare's global network, makes it a no-brainer.
Aaron Edwards
Field CTO

Trusted By

Over 20,000,000 Internet properties

trustedby crunchbase black
trustedby ao com black
trustedby zendesk black
trustedby mapbox black
trustedby log me in black
trustedby digital ocean black
trustedby okcupid black
trustedby montecito black
trustedby discord black
trustedby library of congress black
trustedby udacity black
trustedby marketo black