Glossary: Key Terms & Definitions

Understanding the technical concepts in Magic Transit

🔐 GRE (Generic Routing Encapsulation)

A tunneling protocol that encapsulates one network protocol within another. GRE creates a virtual point-to-point link between two network endpoints, allowing traffic to travel through an intermediate network (like the internet) as if it were on a direct connection. GRE adds 24 bytes of overhead (20 bytes IP + 4 bytes GRE header).

In Magic Transit: Used to tunnel customer traffic from Cloudflare's edge to the customer's network infrastructure.
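To make the 24-byte figure concrete, here is an added example (not Cloudflare's code) that builds a GRE-encapsulated IPv4 packet, parses it back, and derives the tunnel MTU and TCP MSS that follow from the overhead. The sample inner packet and the outer addresses are constructed; 162.159.64.1 is just a placeholder inside the anycast range listed later in this glossary, not a real endpoint assignment.

```python
import ipaddress
import struct

# Figures from the glossary entry above
GRE_OVERHEAD = 24        # 20-byte outer IPv4 header + 4-byte basic GRE header
IPPROTO_GRE = 47         # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an inner IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (zero-padded if odd length)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,              # version 4, IHL 5 (20 bytes)
        0,                 # DSCP/ECN
        20 + payload_len,  # total length
        0,                 # identification
        0x4000,            # flags: Don't Fragment
        ttl,
        proto,
        0,                 # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Wrap an inner IPv4 packet: outer IPv4 (proto 47) + 4-byte GRE header + inner packet."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no C/K/S bits, version 0
    outer = build_ipv4_header(outer_src, outer_dst, len(gre_header) + len(inner_packet), IPPROTO_GRE)
    return outer + gre_header + inner_packet


def gre_decapsulate(packet: bytes) -> tuple:
    """Strip the outer IPv4 + GRE headers; returns (protocol_type, inner_packet).

    Rejects packets that are not GRE, have a corrupt outer header, or use the
    optional checksum/key/sequence fields that this minimal parser does not handle.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (protocol %d)" % packet[9])
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    flags, protocol_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:  # C (0x8000), K (0x2000) or S (0x1000) set: header is longer than 4 bytes
        raise ValueError("GRE optional fields present; not a basic 4-byte header")
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 0x0007))
    return protocol_type, packet[ihl + 4:]


def effective_mtu(link_mtu: int) -> int:
    """Largest inner packet that fits the tunnel without fragmentation."""
    return link_mtu - GRE_OVERHEAD


def tcp_mss(link_mtu: int) -> int:
    """TCP MSS to clamp inside the tunnel: inner IPv4 (20) + TCP (20) headers also count."""
    return effective_mtu(link_mtu) - 40


# Constructed sample inner packet: a UDP datagram between documentation addresses
_udp_payload = b"magic-transit-sample"
_udp_header = struct.pack("!HHHH", 40000, 53, 8 + len(_udp_payload), 0)
SAMPLE_INNER = (build_ipv4_header("198.51.100.10", "203.0.113.5", 8 + len(_udp_payload), 17)
                + _udp_header + _udp_payload)

if __name__ == "__main__":
    # Outer addresses are placeholders: customer tunnel endpoint -> anycast endpoint
    tunneled = gre_encapsulate("192.0.2.1", "162.159.64.1", SAMPLE_INNER)
    print("overhead:", len(tunneled) - len(SAMPLE_INNER), "bytes")
    print("inner protocol type: 0x%04x" % gre_decapsulate(tunneled)[0])
    print("MTU 1500 ->", effective_mtu(1500), "inner MTU, MSS", tcp_mss(1500))
```

The decapsulation path is deliberately strict: a packet whose outer protocol is not 47, whose outer header checksum fails, or whose GRE header carries the optional key/sequence/checksum fields is rejected rather than guessed at, which is the behaviour you want on a tunnel endpoint exposed to the internet.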

🔒 IPsec (Internet Protocol Security)

A secure network protocol suite that authenticates and encrypts IP packets. IPsec works at Layer 3 (the Network Layer) and has two modes:

  • Transport Mode: Only the payload is encrypted
  • Tunnel Mode: The entire packet is encrypted and encapsulated

In Magic Transit: Alternative to GRE for customers requiring encrypted tunnels (GRE over IPsec).

↔️ Asymmetric Routing

A network routing scenario where traffic takes different paths in each direction. In Magic Transit:

  • Ingress (Internet → Customer): Flows through Cloudflare's GRE tunnel
  • Egress (Customer → Internet): Goes directly from customer to internet (Direct Server Return)

Benefit: Reduces latency and avoids unnecessary hops for outbound traffic.

Contrast with Symmetric Routing where both directions use the same path through Cloudflare.

🔄 Symmetric Routing

Traffic flows through the same path in both directions. In the Magic Transit context, this means:

  • Ingress: Internet → Cloudflare → Customer
  • Egress: Customer → Cloudflare → Internet

Also called Edge Server Return (ESR). Useful when customers need Cloudflare services (like Magic Firewall) to apply to outbound traffic.

🌐 IP Prefix / Subnet

A range of IP addresses defined by a network address and a prefix length (CIDR notation). Examples:

  • 198.51.100.0/24 = 256 IP addresses (198.51.100.0 - 198.51.100.255)
  • 203.0.113.0/24 = TEST-NET-3 (documentation/examples)
  • /31 = 2 IPs (point-to-point links)
  • /30 = 4 IPs

Magic Transit minimum: /24 (256 addresses) for BYOIP

🏢 ASN (Autonomous System Number)

A unique identifier assigned to a network operator (ISP, enterprise, cloud provider) that controls a set of IP prefixes. Used in BGP routing to identify network boundaries.

  • Cloudflare ASN: AS13335
  • Public ASN range: 1-64511
  • Private ASN range: 64512-65535

In Magic Transit: Customer's ASN must match their IP prefix registrations in IRR databases.
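The CIDR arithmetic and ASN ranges from the two entries above, worked through in code. This is an added example, not Cloudflare's tooling: it expands a prefix into the address count and range the glossary lists, checks a candidate prefix against the /24 BYOIP minimum, and classifies an ASN as public or private using the 16-bit ranges given above. It also goes slightly beyond the page by recognizing the 4-byte private ASN range (4200000000-4294967294, RFC 6996), which the glossary does not list. The sample prefixes are documentation ranges and AS64500 is a placeholder customer ASN.

```python
import ipaddress

# Figures from the glossary entries above
BYOIP_MAX_PREFIXLEN = 24                      # Magic Transit minimum block: /24 = 256 addresses
PUBLIC_ASN_16BIT = range(1, 64512)            # 1-64511
PRIVATE_ASN_16BIT = range(64512, 65536)       # 64512-65535
CLOUDFLARE_ASN = 13335
# Not on the page: 4-byte private ASN range from RFC 6996
PRIVATE_ASN_32BIT = range(4200000000, 4294967295)


def describe_prefix(cidr: str) -> dict:
    """Expand CIDR notation into the network, address count and first/last address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net),
        "prefixlen": net.prefixlen,
        "num_addresses": net.num_addresses,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),   # for /31 and /32 this is simply the last address
    }


def byoip_eligible(cidr: str) -> tuple:
    """Check a prefix against the Magic Transit BYOIP minimum; returns (ok, reason)."""
    try:
        net = ipaddress.ip_network(cidr)  # strict: host bits set usually means a typo in the request
    except ValueError as exc:
        return False, "invalid prefix: %s" % exc
    if net.version != 4:
        return False, "only IPv4 is handled in this example"
    if net.prefixlen > BYOIP_MAX_PREFIXLEN:
        return False, "/%d is smaller than the /%d minimum (%d addresses, need at least %d)" % (
            net.prefixlen, BYOIP_MAX_PREFIXLEN, net.num_addresses, 2 ** (32 - BYOIP_MAX_PREFIXLEN))
    return True, "%s covers %d addresses" % (net, net.num_addresses)


def asn_class(asn: int) -> str:
    """'public', 'private' or 'reserved' for a 16-bit or 4-byte ASN."""
    if asn in PRIVATE_ASN_16BIT or asn in PRIVATE_ASN_32BIT:
        return "private"                      # must not appear in a public IRR/LOA
    if asn in PUBLIC_ASN_16BIT or 65536 <= asn < 4200000000:
        return "public"
    return "reserved"                         # 0, 65535, 4294967295


if __name__ == "__main__":
    for cidr in ("198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/31", "192.0.2.0/30"):
        print(describe_prefix(cidr))
    for cidr in ("198.51.100.0/24", "198.51.100.0/25", "198.51.100.5/24"):
        print(cidr, byoip_eligible(cidr))
    for asn in (CLOUDFLARE_ASN, 64500, 65000, 4200000001):
        print("AS%d" % asn, asn_class(asn))
```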

📄 LOA (Letter of Authorization)

A formal document authorizing Cloudflare to announce a customer's IP prefixes on their behalf. Requirements:

  • Must be on company letterhead
  • Must be signed (wet signature or digital signature)
  • Authorizes AS13335 (Cloudflare) to announce prefixes
  • PDF format only
  • Sent to upstream transit providers

Purpose: Proves to the internet community that Cloudflare is authorized to route the customer's IPs.

📊 IRR (Internet Routing Registry)

A public database system used by network operators to publish their routing policies and authoritative route information. Major registries:

  • RADB (North America)
  • RIPE (Europe)
  • APNIC (Asia-Pacific)
  • ARIN (North America)
  • AFRINIC (Africa)
  • LACNIC (Latin America)

Validation: Check at irrexplorer.nlnog.net

Purpose: Ensures the customer legitimately owns their IP space and authorizes their ASN to announce it.

🔏 RPKI (Resource Public Key Infrastructure)

A security framework that uses cryptographic signatures to verify the legitimacy of IP prefix announcements. Components:

  • ROA (Route Origin Authorization): Digitally signed record specifying which ASN can announce which IP prefix
  • ROV (Route Origin Validation): The process of validating BGP announcements against ROAs

Status: Optional but recommended - prevents route hijacking

Validation: Check at rpki.cloudflare.com
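An added example (not Cloudflare's validator) of the ROV step described above: given a set of ROAs, each BGP announcement is classified as valid, invalid or not-found per RFC 6811, and a typical operator policy drops only the invalid ones. The ROAs and announcements are constructed; AS13335 is Cloudflare's ASN from this glossary, AS64500 is a placeholder customer ASN, and AS65000 plays an unauthorized origin.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: asn may originate prefix and any more-specific down to max_length."""
    prefix: str
    max_length: int
    asn: int

    def network(self):
        return ipaddress.ip_network(self.prefix)


def route_origin_validation(announced: str, origin_asn: int, roas) -> str:
    """RFC 6811 outcome for one BGP announcement: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced)
    covering = [r for r in roas
                if r.network().version == net.version and net.subnet_of(r.network())]
    if not covering:
        return "not-found"   # no ROA covers this prefix, so RPKI says nothing either way
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin ASN or more specific than max_length


def apply_rov_policy(announcements, roas):
    """Common operator policy: accept 'valid' and 'not-found', drop 'invalid'. Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = route_origin_validation(prefix, asn, roas)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped


# Constructed ROAs: the customer authorizes both Cloudflare and its own ASN for 198.51.100.0/24
SAMPLE_ROAS = [
    ROA("198.51.100.0/24", 24, 13335),   # Cloudflare (AS13335) may originate the /24 only
    ROA("198.51.100.0/24", 24, 64500),   # placeholder customer ASN
    ROA("192.0.2.0/24", 25, 64500),      # max_length 25 also permits the two /25 halves
]

# Constructed announcements as a router running ROV would see them
SAMPLE_ANNOUNCEMENTS = [
    ("198.51.100.0/24", 13335),  # valid: Magic Transit announcing the customer prefix
    ("198.51.100.0/24", 65000),  # invalid: unauthorized origin (hijack or misconfiguration)
    ("198.51.100.0/25", 13335),  # invalid: more specific than max_length 24
    ("192.0.2.0/25", 64500),     # valid: within max_length 25
    ("192.0.2.0/26", 64500),     # invalid: too specific
    ("203.0.113.0/24", 64500),   # not-found: no ROA at all
]

if __name__ == "__main__":
    accepted, dropped = apply_rov_policy(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for entry in accepted:
        print("ACCEPT", entry)
    for entry in dropped:
        print("DROP  ", entry)
```

Note the third case: even the authorized ASN is rejected when it announces a more-specific prefix than the ROA's max_length allows. Setting max_length no larger than what you actually announce is what stops a more-specific hijack from validating, so a ROA for a Magic Transit /24 should not carry a loose max_length.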

📡 Anycast

A network addressing and routing method where the same IP address is assigned to multiple servers/locations. Traffic is routed to the nearest (best path) location.

  • Cloudflare Anycast ranges: 162.159.64.0/20, 172.64.240.0/20
  • Benefit: Global DDoS absorption, low latency worldwide

In Magic Transit: GRE tunnel destinations use Anycast IPs that route to the nearest Cloudflare PoP.

🎯 DSR (Direct Server Return) / Direct Egress

A traffic pattern where response traffic bypasses Cloudflare and goes directly from the origin server to the client. Also called Asymmetric Routing.

  • Pros: Lower latency, reduced bandwidth through Cloudflare
  • Cons: Outbound traffic doesn't benefit from Cloudflare's security/filtering

🌐 PoP (Point of Presence)

A physical data center location where Cloudflare has deployed its infrastructure. Cloudflare has 300+ PoPs globally. Traffic is routed to the nearest PoP using Anycast.