Anycast IP Addresses

Cloudflare Magic Transit provides globally-routed Anycast IP addresses that are advertised from all Cloudflare edge locations worldwide.

Overview

Anycast IP addresses allow traffic to be routed to the nearest Cloudflare edge location automatically, providing optimal performance and built-in redundancy. All protected services are assigned Anycast IPs that Cloudflare advertises on your behalf.

How Anycast Works

Traditional Unicast Routing:

  • Single IP → Single physical location

  • No automatic failover

  • Performance depends on distance to origin

Anycast Routing:

  • Single IP → Multiple global locations (Cloudflare edge)

  • Automatic routing to nearest edge

  • Built-in redundancy and failover

  • DDoS traffic absorbed at the edge

Benefits

Performance:

  • Traffic routes to nearest Cloudflare location

  • Reduced latency for global users

  • Optimal edge location selection

Reliability:

  • No single point of failure

  • Automatic failover between edges

  • 99.99%+ uptime SLA

Security:

  • DDoS attacks absorbed at the edge

  • Attack traffic never reaches origin

  • Distributed mitigation across global network

Scalability:

  • Handle massive traffic spikes

  • Spikes are absorbed by Cloudflare’s global network capacity rather than by the origin’s

  • No need to overprovision origin infrastructure

Protected IP Ranges

The following Anycast IP ranges are allocated to this Magic Transit deployment:

IPv6 Prefix:

  • Range: 2001:db8::/41 (reserved documentation prefix matching the /41 size)

  • Total Addresses: 2^87 (~154 sextillion) IPv6 addresses

  • Purpose: All IPv6 services and infrastructure

  • Provider: Cloudflare Magic Transit

IPv4 Prefix:

  • Range: 198.51.100.164/31 (example)

  • Usable IPs: 198.51.100.164 - 198.51.100.165 (example)

  • Purpose: Primary public-facing services

  • Provider: Cloudflare Magic Transit

These prefixes are announced globally from all Cloudflare edge locations, providing DDoS protection and optimal routing for all traffic.
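As an added example (not from the page, and not Cloudflare's own tooling), the following Python script checks an inventory of planned service addresses against the two prefixes listed above, using only the standard-library `ipaddress` module. The prefixes are the page's documentation ranges; the service inventory, including the two entries that deliberately fall outside the announced ranges, is constructed for the demonstration. It also reports the address count of each prefix, the usable addresses of the IPv4 /31, and any overlap between allocations.

```python
import ipaddress

# Anycast prefixes Cloudflare announces for this deployment (the page's documentation ranges).
ALLOCATED = [
    ipaddress.ip_network("2001:db8::/41"),
    ipaddress.ip_network("198.51.100.164/31"),
]

# Constructed inventory (assumption, not from the page): service name -> Anycast address
# it should be reachable on. Two entries are deliberately outside the announced prefixes.
SERVICE_ASSIGNMENTS = {
    "web-frontend": "198.51.100.164",
    "api-gateway": "198.51.100.165",
    "web-frontend-v6": "2001:db8:0:10::443",
    "legacy-vpn": "203.0.113.7",     # unrelated range, never announced by Cloudflare
    "staging-v6": "2001:db8:80::1",  # just past the end of 2001:db8::/41 (last address 2001:db8:7f:ffff:ffff:ffff:ffff:ffff)
}


def address_count(net):
    """Total addresses in a prefix: 2**(128-41) for the IPv6 /41, 2 for the IPv4 /31."""
    return net.num_addresses


def usable_addresses(net):
    """Addresses a host may actually use inside the prefix.

    RFC 3021 makes both addresses of an IPv4 /31 usable (a point-to-point link
    has no network/broadcast address); a /32 is a single host. For anything
    shorter, drop the network and broadcast addresses as usual.
    """
    if net.version == 4 and net.prefixlen >= 31:
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


def containing_prefix(addr, allocated=ALLOCATED):
    """Return the allocated prefix that contains addr, or None if no prefix does."""
    ip = ipaddress.ip_address(addr)
    for net in allocated:
        if ip.version == net.version and ip in net:
            return net
    return None


def audit_assignments(assignments, allocated=ALLOCATED):
    """Flag services whose address lies outside every announced prefix, and
    addresses that have been handed to more than one service."""
    report = {"outside": [], "duplicate": []}
    first_owner = {}
    for name, addr in assignments.items():
        if containing_prefix(addr, allocated) is None:
            report["outside"].append(name)
        if addr in first_owner:
            report["duplicate"].append((name, first_owner[addr]))
        else:
            first_owner[addr] = name
    return report


def allocation_overlaps(allocated=ALLOCATED):
    """Pairs of allocated prefixes that overlap each other (same address family
    only; ipaddress refuses to compare IPv4 with IPv6 networks)."""
    pairs = []
    for i, a in enumerate(allocated):
        for b in allocated[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


if __name__ == "__main__":
    for net in ALLOCATED:
        print(f"{net}: {address_count(net)} addresses")
        if net.version == 4:
            print("  usable:", ", ".join(usable_addresses(net)))
    print("overlapping allocations:", allocation_overlaps())
    result = audit_assignments(SERVICE_ASSIGNMENTS)
    print("outside announced prefixes:", result["outside"])
    print("duplicate assignments:", result["duplicate"])
```

Run it before handing a new address to a service or writing a pfSense rule for it: an address outside the announced prefixes is never attracted to Cloudflare's edge, so a service placed on it receives none of the protection described in this document.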

IP Allocation Process:

  1. Cloudflare assigns a dedicated /24 or larger subnet

  2. The IPs are announced from all Cloudflare edge locations

  3. Traffic is routed through Magic Transit tunnels

  4. Clean traffic is forwarded to the origin via GRE

Configuration

Cloudflare Dashboard Configuration:

  1. Navigate to Magic Transit settings

  2. Configure IP prefixes to advertise

  3. Set up traffic steering policies

  4. Define health check parameters

pfSense Configuration:

  • Static routes for Anycast prefixes

  • NAT policies for inbound traffic

  • Firewall rules for protected services

  • Load balancing across multiple origins (if applicable)

Traffic Steering

Cloudflare intelligently steers traffic based on:

  • Geographic Proximity: Route to nearest edge

  • Network Performance: Fastest path selection

  • Health Checks: Avoid unhealthy routes

  • Custom Policies: Business-defined routing rules

Use Cases

Public-Facing Services:

  • Web servers and applications

  • API endpoints

  • Game servers

  • Streaming services

Site-to-Site Connectivity:

  • Branch office VPNs

  • Multi-site WAN

  • Disaster recovery sites

  • Cloud interconnects

Hybrid Cloud:

  • On-premises to cloud connectivity

  • Multi-cloud networking

  • Edge computing integration

Monitoring

Anycast Performance Metrics:

  • Traffic volume by edge location

  • Latency by geographic region

  • Attack traffic statistics

  • Origin health status

Cloudflare Analytics:

  • Real-time traffic graphs

  • Geographic distribution

  • Attack mitigation reports

  • Origin connection health

Best Practices

IP Management:

  • Document all allocated Anycast ranges

  • Maintain IP assignment records

  • Coordinate changes with Cloudflare support

  • Plan for future IP needs

Security:

  • Only advertise actively used IPs

  • Implement least-privilege firewall rules

  • Monitor for unauthorized access attempts

  • Perform regular security audits

Performance:

  • Monitor latency from key locations

  • Optimize origin infrastructure

  • Load test protected services

  • Plan capacity for traffic growth

Integration with Magic Transit

Anycast IPs are the foundation of the Magic Transit service:

  1. Announcement: Cloudflare advertises Anycast IPs globally

  2. Attraction: Traffic routes to nearest Cloudflare edge

  3. Inspection: Security filters and DDoS mitigation applied

  4. Forwarding: Clean traffic sent via GRE tunnel to origin

  5. Response: Return traffic flows back through Cloudflare

This architecture ensures all traffic benefits from Cloudflare’s protection and performance, while the origin infrastructure remains secure behind the GRE tunnels.
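The filtering in step 3 only covers packets that actually entered through the tunnel, so on the origin side Anycast-destined traffic should appear on the GRE interface and nowhere else. The script below is an added example (not the page's or Cloudflare's code) that runs exactly that check over constructed flow records, which is the concrete form of the "Monitor for unauthorized access attempts" item above. The interface names (`gre0` for the Magic Transit tunnel, `em0` for the pfSense WAN), the client addresses, the origin WAN address `203.0.113.10` and the byte counts are assumptions; the Anycast prefixes are the page's documentation ranges. Any record destined for an Anycast address that arrived on a non-tunnel interface is reported as a bypass.

```python
import ipaddress
from collections import Counter

# Anycast prefixes Cloudflare announces for this deployment (the page's documentation ranges).
ANYCAST_PREFIXES = [
    ipaddress.ip_network("198.51.100.164/31"),
    ipaddress.ip_network("2001:db8::/41"),
]

# Assumed interface name of the Magic Transit GRE tunnel on the pfSense box.
TUNNEL_INTERFACES = {"gre0"}

# Constructed flow records (assumption, not real telemetry). Columns:
# ingress_interface,src,dst,proto,dst_port,bytes
# "em0" is the assumed pfSense WAN; 203.0.113.10 is the assumed origin WAN address,
# so the last record (GRE/ICMP to the origin itself) is expected and not an Anycast hit.
SAMPLE_FLOWS = """\
gre0,192.0.2.50,198.51.100.164,tcp,443,5120
gre0,2001:db8:ffff::9,2001:db8:0:10::443,tcp,443,2048
em0,192.0.2.77,198.51.100.165,tcp,22,640
gre0,192.0.2.51,198.51.100.165,udp,53,120
em0,192.0.2.33,198.51.100.164,tcp,443,900
em0,192.0.2.40,203.0.113.10,icmp,0,84
"""


def parse_flows(text):
    """Parse the comma-separated records into dicts with typed addresses and counters."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        iface, src, dst, proto, dport, nbytes = line.split(",")
        flows.append({
            "iface": iface,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_anycast(addr, prefixes=ANYCAST_PREFIXES):
    """True if addr (string or ipaddress object) lies inside an announced Anycast prefix."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr.version == net.version and addr in net for net in prefixes)


def find_bypass(flows, tunnel_ifaces=TUNNEL_INTERFACES):
    """Anycast-destined traffic that did not arrive through the tunnel.

    Such packets skipped Cloudflare's edge entirely, so none of the inspection
    in step 3 applied to them. Causes worth checking: the prefix is still
    announced from somewhere other than Cloudflare, or a WAN firewall rule
    accepts the Anycast range directly.
    """
    alerts = []
    for f in flows:
        if is_anycast(f["dst"]) and f["iface"] not in tunnel_ifaces:
            alerts.append({
                "iface": f["iface"],
                "src": str(f["src"]),
                "dst": str(f["dst"]),
                "proto": f["proto"],
                "dport": f["dport"],
            })
    return alerts


def bytes_by_interface(flows):
    """Ingress volume per interface; in a healthy setup the Anycast traffic is
    concentrated on the tunnel interface(s)."""
    totals = Counter()
    for f in flows:
        totals[f["iface"]] += f["bytes"]
    return totals


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("bytes by ingress interface:", dict(bytes_by_interface(flows)))
    for alert in find_bypass(flows):
        print(f"BYPASS: {alert['src']} -> {alert['dst']}:{alert['dport']}/{alert['proto']} "
              f"arrived on {alert['iface']}, not via the Magic Transit tunnel")
```

In the sample data the two WAN-side hits on 198.51.100.164 and 198.51.100.165 are reported; the GRE-side flows and the packet addressed to the origin's own WAN address are not. Feeding the same logic with exported pfSense or NetFlow records turns the "Attack traffic never reaches origin" claim into something that is verified continuously rather than assumed.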