Anycast IP Addresses
====================

Cloudflare Magic Transit provides globally-routed Anycast IP addresses that are advertised from all Cloudflare edge locations worldwide.

Overview
--------

Anycast IP addresses are advertised from every Cloudflare edge location, so each client's packets are carried to the topologically closest edge as chosen by BGP (usually, but not always, the geographically nearest one). This gives low latency and built-in redundancy with no client-side configuration. All protected services are assigned Anycast IPs that Cloudflare advertises on your behalf.

How Anycast Works
-----------------

**Traditional Unicast Routing**:

- Single IP → Single physical location
- No automatic failover
- Performance depends on distance to origin

**Anycast Routing**:

- Single IP → Multiple global locations (Cloudflare edge)
- BGP steers each client to the closest advertising edge automatically
- Built-in redundancy and failover: if one edge withdraws the prefix, traffic converges on the next closest edge
- DDoS traffic is spread across, and mitigated at, the edge locations instead of converging on one site

Benefits
--------

**Performance**:

- Traffic routes to the nearest Cloudflare location
- Reduced latency for global users
- Optimal edge location selection

**Reliability**:

- No single point of failure
- Automatic failover between edges
- 99.99%+ uptime SLA

**Security**:

- DDoS attacks are mitigated at the edge
- Only traffic that passes edge mitigation is forwarded to the origin
- Distributed mitigation across the global network

**Scalability**:

- Handle massive traffic spikes
- Cloudflare's capacity vs. origin capacity
- No need to overprovision origin infrastructure

Protected IP Ranges
-------------------

The following Anycast IP ranges are allocated to this Magic Transit deployment:

**IPv6 Prefix**:

- **Range**: ``2001:db8::/41`` (reserved documentation prefix, shown at the deployment's /41 size)
- **Total Addresses**: 2^87 (about 1.55 × 10^26, roughly 155 septillion) IPv6 addresses
- **Purpose**: All IPv6 services and infrastructure
- **Provider**: Cloudflare Magic Transit

**IPv4 Prefix**:

- **Range**: ``198.51.100.164/31`` (example)
- **Usable IPs**: 198.51.100.164 - 198.51.100.165 (example; a /31 has no separate network or broadcast address, so both addresses are usable hosts per RFC 3021)
- **Purpose**: Primary public-facing services
- **Provider**: Cloudflare Magic Transit

Note that a /31 is not routable on the public Internet by itself: most networks filter IPv4 BGP announcements longer than /24, so this pair is a sub-allocation carved from a /24 or larger prefix that Cloudflare actually announces. Those parent prefixes are announced globally from all Cloudflare edge locations, providing DDoS protection and optimal routing for all traffic.

**IP Allocation Process**:

1. A /24 or larger IPv4 prefix (and a correspondingly announceable IPv6 prefix) is either brought by the customer or leased from Cloudflare; longer prefixes cannot be announced on their own
2. Cloudflare announces the prefix from all edge locations
3. Traffic is attracted to the nearest edge and inspected
4. Clean traffic is forwarded to the origin through Magic Transit GRE tunnels

Configuration
-------------

**Cloudflare Dashboard Configuration**:

1. Navigate to Magic Transit settings
2. Configure IP prefixes to advertise
3. Set up traffic steering policies
4. Define health check parameters

**pfSense Configuration**:

- A GRE interface terminating the tunnel from Cloudflare, with the interface MTU set to 1476 and TCP MSS clamped to 1436 to absorb the GRE encapsulation overhead
- Routes (or interface addresses) that place the Anycast prefixes behind the GRE interface
- NAT policies for inbound traffic where protected services sit on private addresses
- Firewall rules: allow GRE (IP protocol 47) on the WAN only from Cloudflare's tunnel endpoint address, and allow protected service ports only on the GRE interface, never on the WAN
- Load balancing across multiple origins (if applicable)

Traffic Steering
----------------

Cloudflare intelligently steers traffic based on:

- **Geographic Proximity**: Route to the nearest edge
- **Network Performance**: Fastest path selection
- **Health Checks**: Avoid unhealthy routes
- **Custom Policies**: Business-defined routing rules

Use Cases
---------

**Public-Facing Services**:

- Web servers and applications
- API endpoints
- Game servers
- Streaming services

**Site-to-Site Connectivity**:

- Branch office VPNs
- Multi-site WAN
- Disaster recovery sites
- Cloud interconnects

**Hybrid Cloud**:

- On-premises to cloud connectivity
- Multi-cloud networking
- Edge computing integration

Monitoring
----------

**Anycast Performance Metrics**:

- Traffic volume by edge location
- Latency by geographic region
- Attack traffic statistics
- Origin health status

**Cloudflare Analytics**:

- Real-time traffic graphs
- Geographic distribution
- Attack mitigation reports
- Origin connection health

Best Practices
--------------

**IP Management**:

- Document all allocated Anycast ranges
- Maintain IP assignment records
- Coordinate changes with Cloudflare support
- Plan for future IP needs

**Security**:

- Only advertise actively used IPs
- Implement least-privilege firewall rules
- Make sure the origin accepts protected-service traffic only through the GRE tunnel; an origin that also answers on its directly-routed ISP address can be attacked around Cloudflare entirely
- Remember that GRE itself carries no authentication or encryption: restrict it by source address at the firewall and treat decapsulated traffic as untrusted input
- Monitor for unauthorized access attempts, including packets for protected services arriving on the WAN rather than on the tunnel interface
- Regular security audits

**Performance**:

- Monitor latency from key locations
- Optimize origin infrastructure
- Load test protected services
- Plan capacity for traffic growth

Integration with Magic Transit
-------------------------------

Anycast IPs are the foundation of the Magic Transit service:

1. **Announcement**: Cloudflare advertises the Anycast prefixes globally
2. **Attraction**: Traffic routes to the nearest Cloudflare edge
3. **Inspection**: Security filters and DDoS mitigation are applied
4. **Forwarding**: Clean traffic is sent through the GRE tunnel to the origin
5. **Response**: Return traffic is sent back over the tunnel so that it also transits Cloudflare (in Magic Transit's ingress-only mode the origin instead replies directly to the client)

This architecture ensures all traffic benefits from Cloudflare's protection and performance, while the origin infrastructure remains secure behind the GRE tunnels, provided the origin does not also answer on an address that bypasses Cloudflare.
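The following is an added worked example for the Protected IP Ranges and IP Allocation Process sections above; it is not Cloudflare's code and not part of this deployment's configuration. It uses Python's standard ``ipaddress`` module to check the page's two prefixes: that they are well-formed, how many addresses they cover, and whether a sub-allocation such as the example /31 is actually reachable, i.e. sits inside an announced parent that is itself short enough to be accepted by the global routing table. The /24 (IPv4) and /48 (IPv6) limits are the commonly applied BGP prefix-length filters and are an assumption about Cloudflare's requirements; the parent prefix ``198.51.100.0/24`` is assumed for illustration.

```python
"""Prefix sanity checks for a Magic Transit allocation (added example).

The announceability limits and the parent /24 are assumptions made for
illustration, not values taken from Cloudflare or from this deployment.
"""
import ipaddress
from typing import Dict, List, Optional

# Longest prefix length (narrowest block) that will be accepted into the
# global routing table. Longer prefixes are filtered by most transit
# providers, so they cannot be advertised on their own. (Assumption.)
MAX_ANNOUNCEABLE = {4: 24, 6: 48}


def validate_prefix(prefix: str) -> Optional[str]:
    """Return None when the prefix is well-formed, else the parser's error.

    strict=True rejects prefixes with host bits set, which catches typos
    such as writing 198.51.100.165/31 instead of 198.51.100.164/31.
    """
    try:
        ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return str(exc)
    return None


def address_count(prefix: str) -> int:
    """Number of addresses covered by the prefix: 2 ** (bits - prefixlen)."""
    return ipaddress.ip_network(prefix, strict=True).num_addresses


def is_announceable(prefix: str) -> bool:
    """True when the prefix is short enough to be advertised by itself."""
    net = ipaddress.ip_network(prefix, strict=True)
    return net.prefixlen <= MAX_ANNOUNCEABLE[net.version]


def check_allocation(service_prefix: str, announced_prefixes: List[str]) -> Dict:
    """Report how a service prefix relates to what is actually announced.

    A sub-allocation like a /31 is only reachable if it lies inside an
    announced parent, and that parent must itself be announceable.
    """
    svc = ipaddress.ip_network(service_prefix, strict=True)
    parents = [ipaddress.ip_network(p, strict=True) for p in announced_prefixes]
    covering = [p for p in parents if p.version == svc.version and svc.subnet_of(p)]
    return {
        "prefix": str(svc),
        "addresses": svc.num_addresses,
        "self_announceable": is_announceable(service_prefix),
        "covered_by": [str(p) for p in covering],
        # Reachable only if some covering parent is short enough to be announced.
        "routable": any(is_announceable(str(p)) for p in covering),
    }


if __name__ == "__main__":
    # The page's two prefixes plus an assumed announced parent for the /31.
    announced = ["198.51.100.0/24", "2001:db8::/41"]
    for prefix in ("198.51.100.164/31", "2001:db8::/41", "198.51.100.165/31"):
        err = validate_prefix(prefix)
        if err:
            print(f"{prefix}: invalid ({err})")
            continue
        print(prefix, check_allocation(prefix, announced))
```

Running the script shows the /31 as not announceable by itself but routable through the assumed /24 parent, the /41 as both, and the mistyped ``198.51.100.165/31`` as rejected. Feeding ``check_allocation`` a covering ``/25`` instead of the ``/24`` reports ``routable: False``, which is the case to catch before assuming a sub-allocation is reachable.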
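The following is an added example for the Integration with Magic Transit flow and the Security best practices above; it is not Cloudflare's code and not pfSense's. It implements the monitoring check a practitioner would want on the origin firewall: anything that reaches the origin other than GRE from Cloudflare's tunnel endpoint on the WAN, and decapsulated protected-service traffic on the tunnel interface, is a sign that the tunnel is being bypassed or spoofed. The log format, the interface names ``wan`` and ``gre0``, the tunnel endpoint ``203.0.113.10``, the origin WAN address ``192.0.2.1`` and the protected ports are all constructed assumptions for illustration (the real pfSense filterlog format is different).

```python
"""Detect traffic that bypasses or spoofs the Magic Transit GRE tunnel (added example).

Log lines, addresses, interface names and ports below are constructed
assumptions, not values from Cloudflare, pfSense or this deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed deployment facts (documentation ranges, not real Cloudflare values).
CLOUDFLARE_TUNNEL_ENDPOINTS = {ipaddress.ip_address("203.0.113.10")}
PROTECTED_PREFIXES = [ipaddress.ip_network("198.51.100.164/31"),
                      ipaddress.ip_network("2001:db8::/41")]
PROTECTED_PORTS = {80, 443}   # services that must only be reachable via the tunnel
TUNNEL_IFACE = "gre0"
WAN_IFACE = "wan"
GRE_PROTO = "47"              # IP protocol number for GRE


@dataclass
class Event:
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_line(line: str) -> Event:
    """Parse the constructed 'iface=.. proto=.. src=.. dst=.. [dport=..]' format."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    dport = int(fields["dport"]) if "dport" in fields else None
    return Event(fields["iface"], fields["proto"], fields["src"], fields["dst"], dport)


def is_protected(addr: str) -> bool:
    """True when the address belongs to one of the Anycast prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED_PREFIXES if net.version == ip.version)


def classify(ev: Event) -> Optional[str]:
    """Return a finding name, or None when the event matches the expected flow."""
    if ev.iface == WAN_IFACE:
        if ev.proto == GRE_PROTO:
            # Outer GRE packets must come from Cloudflare's tunnel endpoint only;
            # GRE has no authentication, so source filtering is the whole control.
            if ipaddress.ip_address(ev.src) not in CLOUDFLARE_TUNNEL_ENDPOINTS:
                return "gre_from_unexpected_source"
            return None
        # Any protected address or protected service port hit directly on the
        # WAN means a client (or attacker) reached the origin around Cloudflare.
        if is_protected(ev.dst) or ev.dport in PROTECTED_PORTS:
            return "service_traffic_bypassed_tunnel"
        return None
    if ev.iface == TUNNEL_IFACE and not is_protected(ev.dst):
        # Decapsulated traffic should only ever be for the advertised prefixes.
        return "tunnel_traffic_for_unprotected_dst"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, finding) for every line that is not the expected flow."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = classify(parse_line(line))
        if finding is not None:
            findings.append((number, finding))
    return findings


# Constructed sample log: lines 1 and 2 are the normal flow, the rest are not.
SAMPLE_LOG = [
    "iface=wan proto=47 src=203.0.113.10 dst=192.0.2.1",
    "iface=gre0 proto=tcp src=192.0.2.50 dst=198.51.100.164 dport=443",
    "iface=wan proto=47 src=192.0.2.77 dst=192.0.2.1",
    "iface=wan proto=tcp src=192.0.2.77 dst=198.51.100.165 dport=443",
    "iface=gre0 proto=tcp src=192.0.2.50 dst=10.0.0.5 dport=22",
    "iface=wan proto=tcp src=192.0.2.77 dst=192.0.2.1 dport=443",
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

Lines 3 to 6 of the constructed log are flagged: a GRE packet from a non-Cloudflare source, a direct hit on an Anycast address, tunnel traffic for an address outside the protected prefixes, and a direct hit on the origin's own WAN address on a protected port. The last case is the one that matters most in practice, because it shows the origin is answering for the service outside the tunnel and the Anycast protection is being sidestepped.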