👤 Owner: Customer (with IM guidance)
Phase 4: GRE Tunnel Setup
Generic Routing Encapsulation - creates a virtual point-to-point link over the internet
🔍 Understanding Asymmetric Routing
Magic Transit uses asymmetric routing by default. This means traffic takes different paths in each direction:
| Direction | Path | Why |
|---|---|---|
| Ingress (Internet → Customer) | Internet → Cloudflare PoP → GRE Tunnel → Customer | DDoS protection applied at edge |
| Egress (Customer → Internet) | Customer → Internet (Direct Server Return) | Faster path, no backhaul to Cloudflare |
See the Glossary for detailed definitions of GRE, IPsec, DSR, and routing concepts.
Customer Configuration Requirements:
- Create 2 GRE tunnels (for redundancy)
- Use Cloudflare Anycast IPs as destinations
- Use customer's public IPs as sources
- Apply private /31 IPs inside tunnel (point-to-point subnet)
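The four requirements above, worked through as an added example (not Cloudflare's own code or part of the original runbook). It assumes the customer edge is a Linux router using iproute2; the tunnel names and every address are constructed placeholders, and the script only prints the commands so they can be reviewed before use.

```shell
#!/bin/sh
# Added example: prints (does not execute) iproute2 commands for a Linux router.
# Constructed values: 203.0.113.10 = customer public IP; 192.0.2.1 and
# 192.0.2.2 stand in for the Cloudflare anycast IPs; cf-gre1/2 are made-up names.

# Succeeds if $1 is RFC 1918 space (the "private /31" requirement).
is_private() {
  case $1 in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# The two hosts of a /31 differ only in the lowest bit of the last octet.
peer_in_31() {
  echo "${1%.*}.$(( ${1##*.} ^ 1 ))"
}

# gre_tunnel_cmds NAME CUSTOMER_PUBLIC_IP ANYCAST_IP INNER_LOCAL_IP
gre_tunnel_cmds() {
  is_private "$4" || { echo "inner IP $4 is not private" >&2; return 1; }
  [ "$2" != "$3" ] || { echo "source equals destination" >&2; return 1; }
  cat <<EOF
# $1: far end of the /31 is $(peer_in_31 "$4")
ip tunnel add $1 mode gre local $2 remote $3 ttl 255
ip addr add $4/31 dev $1
ip link set $1 up
# Ingress arrives on $1 while replies leave via the WAN (DSR); strict
# reverse-path filtering would drop that traffic, so use loose mode (2).
sysctl -w net.ipv4.conf.$1.rp_filter=2
EOF
}

# Two tunnels for redundancy, each with its own /31.
magic_transit_plan() {
  gre_tunnel_cmds cf-gre1 203.0.113.10 192.0.2.1 10.255.0.1 &&
  gre_tunnel_cmds cf-gre2 203.0.113.10 192.0.2.2 10.255.0.3
}

magic_transit_plan
```

The `rp_filter` line is the one place where the asymmetric routing described earlier changes host configuration: with strict filtering, packets received on the tunnel are discarded when the route back to the sender is the WAN default route.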
Alternative: Customers can also use IPsec tunnels (GRE over IPsec) for encrypted transport. This requires additional configuration.