Magic Transit

Extending Cloudflare to all your networks

When organizations need to protect their networks, IT departments typically turn to legacy hardware boxes or cloud ‘scrubbing’ providers. But traditional solutions just aren’t designed to fulfill the Internet’s basic needs: security, performance, and reliability.

Magic Transit is a network security solution that offers DDoS protection, traffic acceleration, and much more from every Cloudflare data center, for on-premise, cloud-hosted, and hybrid networks.

Move your network perimeter hardware to the cloud


Provision virtual network services on the fly: DDoS protection with over 100 Tbps of network capacity and near-instant mitigation, next-gen firewall, traffic acceleration, and much more.

Connect to the Cloudflare global network


Our security, performance, and reliability functions are delivered from a physical presence in 250 cities across over 100 countries. This means threats are mitigated close to where they originate, not in your data center.

Drive down your Total Cost of Ownership (TCO)


Get operational agility with reduced capital expenditure. Replace on-premise hardware with network functions delivered and billed as a service.

Magic Transit: How it works

The next step in infrastructure architecture

Cloudflare Magic Transit protects entire IP subnets from DDoS attacks, while also accelerating network traffic. It uses Cloudflare’s global network to mitigate attacks, employing standards-based networking protocols, like BGP, GRE, and IPsec, for routing and encapsulation.

All your network assets, whether on-premise or in private or public hosted cloud environments, are safeguarded.

Connect


Using Border Gateway Protocol (BGP) route announcements to the Internet and Cloudflare’s anycast network, customer traffic is ingested at the Cloudflare data center closest to the source.

Protect and Process


All customer traffic is inspected for attacks. Advanced and automated mitigation techniques can be applied immediately upon detecting an attack. Additional functions such as load balancing, next-gen firewall, content caching, and serverless compute are also delivered as a service.

Accelerate


Clean traffic is routed over Cloudflare’s network for optimal latency and throughput and can be handed off to the customer network over GRE tunnels, private network interconnects (PNI), or other forms of peering.


The Cloudflare global network

Cloudflare delivers DDoS mitigation using our entire network. This network has a capacity of over 100 Tbps and spans more than 250 cities in 100 countries. Our network allows us to be within 50ms of 95% of the Internet-connected population globally. This is especially important for latency-sensitive applications such as Voice over IP (VoIP) and custom gaming protocols.

Instant mitigation

Ultra-low Time to Mitigate (TTM)

Cloudflare draws on its heritage in DDoS mitigation and a vast library of known attacks to identify malicious traffic within seconds at the Cloudflare data center closest to the source. Automatic mitigation techniques are applied immediately, and most malicious traffic is blocked in less than 3 seconds.


Pick your network function

Cloudflare Magic Transit comes integrated with our best-in-class network firewall, allowing you to configure granular allow/deny rules for IP ranges and propagate changes in seconds. Want application-level firewalling? Configure optional TLS termination and start inspecting payloads. Want a load balancer? You got it. Want to write a serverless Cloudflare Worker to modify traffic on the fly? You can do that, too.

Magic Transit comes natively integrated with all of Cloudflare’s L4 and L7 products.


Traffic acceleration

Cloudflare's network serves 25 million HTTP requests per second on average. With every bit we move, the network gets smarter and faster.

When integrated with Argo Smart Routing, Cloudflare Magic Transit will deliver clean traffic back to your network using the fastest, most reliable links in real time.

Key Features

Over 100 Tbps of network capacity


Mitigate most attacks in under 3 seconds


Sub-second threat detection


Integrate via BGP routing and GRE encapsulation


Native integration with L7 services (CDN, WAF, Bot Management, etc.)


Always-on and on-demand options


Support for all IP services (TCP, UDP, IPsec, VoIP, custom protocols)


Advanced analytics



Cloudflare network services

Magic Transit is just one part of the Cloudflare network security and solutions family. Cloudflare offers built-in services — like DDoS mitigation, branch connectivity, software-defined Zero-Trust functionality, and network firewalling — on a single global network that replaces patchwork appliances. Connect, secure, and accelerate your corporate network with Cloudflare.

Trusted by millions of Internet properties
