Use BYOIP with Magic Transit and CDN
Magic Transit customers using BYOIP can also benefit from the performance, reliability, and security that Cloudflare offers for HTTP-based applications.
This configuration uses IP Address Management service bindings to enable Cloudflare CDN services (cache) on top of Magic Transit, for individual IP addresses or for a subnet.
Before you begin
Consider the service bindings scope and limitations.
Plan for what IP addresses you want to configure. If you want to add CDN to multiple contiguous IP addresses, specifying a CIDR block that incorporates all IPs is more efficient.
Example

Magic Transit protected prefix: 203.0.113.0/24

IPs to upgrade to the CDN:
- 203.0.113.16
- 203.0.113.17
- 203.0.113.18
- 203.0.113.19
- 203.0.113.20
- 203.0.113.21
- 203.0.113.22
- 203.0.113.23

Best practice: add one discrete CDN service binding for 203.0.113.16 with a /29 netmask (203.0.113.16/29), which covers exactly these eight addresses.

Note that a transitional state will take place for four to six hours after you create the service binding. During this time, traffic destined to your origins will slowly transition from the Magic Transit pipeline to the CDN pipeline.
1. Get account information

- Log in to your Cloudflare account and get your account ID and API token. The token permissions should include Account - IP Prefixes - Edit.
- Make a GET request to the List Services endpoint and take note of the id associated with the CDN service.
- Use the List Prefixes endpoint and take note of the id associated with the prefix (cidr) you will configure.
At this point, continuing the example above, you should have a mapping similar to the following:

| Variable | Description |
|---|---|
| {service_id} | The ID of the CDN service within Cloudflare. Example: 969xxxxxxxx000xxx0000000x00001bf |
| {prefix_id} | The ID of the Magic Transit protected prefix (203.0.113.0/24) you want to configure. Example: 6b25xxxxxxx000xxx0000000x0000cfc |
- To confirm you currently only have a Magic Transit service binding and that it spans your entire prefix, make a GET request to the List Service Bindings endpoint. Replace {prefix_id} in the URI path with the prefix ID you got from the previous step.

```bash
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings \
  --header "Authorization: Bearer <API_TOKEN>"
```
2. Create service binding
- Make a POST request to the Create Service Binding endpoint, indicating the IP address you want to bind to the CDN. Don't forget to specify the corresponding network mask.
Continuing the example, 203.0.113.100/32 designates a single IP address within the Magic Transit protected prefix 203.0.113.0/24.
Replace {prefix_id} in the URI with your prefix ID from the previous steps. Within the request body, the cidr value should correspond to the IP address or subnet that you are configuring for use with CDN; it must lie inside the Magic Transit protected prefix identified by {prefix_id}.
```bash
# Replace the cidr value with the IP address or subnet you are configuring.
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{ "cidr": "203.0.113.100/32", "service_id": "<SERVICE_ID>" }'
```

In the response body, the initial provisioning state should be provisioning.

```json
{
  "errors": [],
  "messages": [],
  "success": true,
  "result": {
    "cidr": "203.0.113.100/32",
    "id": "<CDN_SERVICE_BINDING_ID>",
    "provisioning": { "state": "provisioning" },
    "service_id": "<SERVICE_ID>",
    "service_name": "CDN"
  }
}
```

- (Optional) During the four to six hours that your change takes to propagate, you can use the List Service Bindings endpoint to programmatically check for the provisioning state to become active.
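The following is an added example, not Cloudflare's code, that scripts the checks a practitioner would want around steps 1 and 2 before and after calling the API: it aggregates a list of contiguous IPs into the single CIDR the best practice asks for (refusing ranges that would drag unintended addresses into the CDN pipeline), verifies that the cidr you are about to bind sits inside the Magic Transit protected prefix (and that the prefix itself is written without host bits), builds the Create Service Binding request, and reads the provisioning state back out of a List Service Bindings response. The sample API responses are constructed here to match the shape shown on this page; the service_name value "Magic Transit" for the pre-existing binding, the ID strings, and the CF_API_TOKEN environment variable are assumptions, not values from the page.

```python
"""Plan and validate a CDN service binding on a Magic Transit BYOIP prefix.
Added example; not Cloudflare's code. Only send() touches the network."""
import ipaddress
import json
import os
import urllib.request
from typing import Iterable

API_BASE = "https://api.cloudflare.com/client/v4"


def aggregate_cidr(ips: Iterable[str]) -> str:
    """Smallest single CIDR that covers exactly the given IPs (the page's
    'one discrete binding with a /29 netmask' best practice). Raises if the
    IPs do not form one aligned block or have gaps, so one binding never
    silently moves addresses you did not list onto the CDN pipeline."""
    addrs = sorted({ipaddress.ip_address(ip) for ip in ips})
    if not addrs:
        raise ValueError("no IPs given")
    nets = list(ipaddress.summarize_address_range(addrs[0], addrs[-1]))
    if len(nets) != 1:
        raise ValueError(f"{addrs[0]}-{addrs[-1]} is not one aligned block: {nets}")
    if nets[0].num_addresses != len(addrs):
        raise ValueError(f"{nets[0]} would also cover IPs not in the list")
    return str(nets[0])


def plan_binding(prefix_cidr: str, bind_cidr: str, service_id: str,
                 account_id: str, prefix_id: str) -> dict:
    """Build the Create Service Binding request without sending it.
    strict=True rejects a prefix written with host bits set (for example
    203.0.113.100/24); subnet_of rejects a cidr outside the protected prefix."""
    prefix = ipaddress.ip_network(prefix_cidr, strict=True)
    target = ipaddress.ip_network(bind_cidr, strict=True)
    if not target.subnet_of(prefix):
        raise ValueError(f"{target} is not inside Magic Transit prefix {prefix}")
    return {
        "method": "POST",
        "url": f"{API_BASE}/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings",
        "body": {"cidr": str(target), "service_id": service_id},
    }


def binding_state(list_response: dict, cidr: str) -> str:
    """Provisioning state ('provisioning' or 'active') of the binding for cidr
    in a List Service Bindings response; raises on API error or missing cidr."""
    if not list_response.get("success"):
        raise RuntimeError(f"API error: {list_response.get('errors')}")
    for binding in list_response["result"]:
        if binding["cidr"] == cidr:
            return binding["provisioning"]["state"]
    raise LookupError(f"no service binding for {cidr}")


def only_magic_transit(list_response: dict, prefix_cidr: str) -> bool:
    """Step 1 pre-check: exactly one binding, spanning the whole prefix, for
    Magic Transit. The service_name 'Magic Transit' is an assumption; the page
    only shows 'CDN' for the new binding."""
    bindings = list_response.get("result", [])
    return (len(bindings) == 1
            and bindings[0]["cidr"] == prefix_cidr
            and bindings[0]["service_name"] == "Magic Transit")


def send(request: dict, token: str) -> dict:
    """Execute a planned request against the live API (needs a real token)."""
    data = json.dumps(request["body"]).encode() if request.get("body") else None
    req = urllib.request.Request(
        request["url"], data=data, method=request["method"],
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses (shape follows the page's example output).
BEFORE = {"success": True, "errors": [], "messages": [], "result": [
    {"cidr": "203.0.113.0/24", "id": "mt-binding-id", "service_name": "Magic Transit",
     "provisioning": {"state": "active"}, "service_id": "mt-service-id"}]}
AFTER = {"success": True, "errors": [], "messages": [], "result": BEFORE["result"] + [
    {"cidr": "203.0.113.16/29", "id": "cdn-binding-id", "service_name": "CDN",
     "provisioning": {"state": "provisioning"}, "service_id": "cdn-service-id"}]}

if __name__ == "__main__":
    cidr = aggregate_cidr(f"203.0.113.{i}" for i in range(16, 24))  # 203.0.113.16/29
    assert only_magic_transit(BEFORE, "203.0.113.0/24")
    req = plan_binding("203.0.113.0/24", cidr, "cdn-service-id", "acct-id", "prefix-id")
    print(json.dumps(req, indent=2))
    print("state after create:", binding_state(AFTER, cidr))
    if os.environ.get("CF_API_TOKEN"):  # assumption: token supplied via environment
        print(send(req, os.environ["CF_API_TOKEN"]))
```

Run it without CF_API_TOKEN to see the request it would send and the state parsed from the sample response; with a token set, it performs the POST from step 2. Polling for the state to become active during the four to six hour transition is a loop over binding_state against a fresh List Service Bindings response.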
3. Create address maps
Once you have configured your IPs to have CDN service, you can use address maps to specify which IPs should be used by Cloudflare in DNS responses when a record is proxied.
You can choose between two different scopes:
Account-level: uses the address map for all proxied DNS records across all of the zones within an account.
Zone-level: uses the address map for all proxied DNS records within a zone.
- Log in to the Cloudflare dashboard and select your account.
- Go to IP Addresses > Address Maps.
- Select Create an address map.
- Choose the scope of the address map.
- Add the zones and IP addresses that you want to map.
- Name your address map.
- Review the information and select Save and Deploy.
Alternatively, use the Create Address Map endpoint via the API. Make sure you have the correct key/token and permissions.
4. Create DNS records
To create a DNS record in the dashboard:
- Log in to the Cloudflare dashboard and select an account and domain.
- Go to DNS > Records.
- Select Add record.
- Choose an address (A/AAAA) record type.
- Complete the required fields, indicating an IP address that has a CDN service binding and setting the proxy status to proxied.
- Select Save.
While the DNS record proxy status and address map will determine how Cloudflare's authoritative DNS responds to requests for your hostnames, the IP addresses specified in A/AAAA records will determine how Cloudflare reaches the configured origin.

Example

| Type | Name | IP address | Proxy status | TTL |
|---|---|---|---|---|
| A | www | 203.0.113.150 | Proxied | Auto |

At this point, if an address map for the zone example.com specifies that Cloudflare should use 203.0.113.100 for proxied records and the above record exists in the same zone, you can expect the following:

- Cloudflare responds to DNS requests with 203.0.113.100.
- Cloudflare proxies requests through the CDN and then routes the requests via GRE or CNI to the origin server 203.0.113.150 (Magic Transit protected prefix).
- Depending on whether Magic Transit is implemented with the direct server return model or with Magic Transit egress, the origin server responds back to Cloudflare either directly (direct server return) or through Magic Transit egress.
- As the HTTP response egresses the Cloudflare network back to the client side, the source IP address of the response becomes 203.0.113.100 (the IP address that the HTTP request originally landed on).
5. (Optional) Add layer 7 functionality
Leverage other features according to your needs: