Configure BGP peering
Magic WAN customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.
Using BGP peering with a CNI allows customers to:
- Automate the process of adding or removing networks and subnets.
- Take advantage of failure detection and session recovery features.
With this functionality, customers can:
- Establish an eBGP session between their devices and the Magic WAN service when connected via CNI.
- Secure the session by MD5 authentication to prevent misconfigurations.
- Exchange routes dynamically between their devices and their Magic routing table.
For both Magic WAN and Magic Transit use cases, BGP peering is with the Magic networking routing table (as opposed to peering with the Cloudflare Internet global network).
The Magic networking routing table is a virtual network overlay, private to your account, that spans all Cloudflare data centers globally. This overlay network provides:
- Magic Transit packet delivery for DoS and Magic Firewall filtered Internet traffic, from the entry data center where the traffic ingressed, to your publicly addressed edge/border network via tunnels (GRE/IPsec) or interconnect (CNI).
- Magic WAN packet transport between Magic tunnels, interconnects, Cloudflare Load Balancer, and Zero Trust connections such as WARP Client, Remote Browser Isolation, Access, and Gateway.
The Magic routing table supports IPv4 routes to:
- RFC 1918 ↗ address space
- BYOIP public address space which you have onboarded to Cloudflare Magic Transit
BGP peers configured by following this guide will receive advertisements for all prefixes in the Magic routing table plus any additional prefixes configured in the per-interconnect Advertised prefix list.
If instead you are seeking to do public peering with the Cloudflare ASN 13335 at one of the Cloudflare data centers, refer to PNI and peering setup. Note that it is not currently possible to share Magic network BGP peering and PNI on the same physical interconnect port.
Routes received from the customer device will be redistributed into the Magic routing table, which is used by both Magic WAN and Magic Transit.
All routes in the Magic routing table are advertised to BGP peers. Each BGP peer will receive each prefix route along with the full AS_PATH, with the selected Cloudflare side ASN ↗ prepended. This is so that the peer can accurately perform loop prevention ↗.
BGP peering sessions can advertise reachable prefixes to a peer and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate.
When BGP and static routes have the same prefix and priority, Cloudflare enforces priority by preferring static routes over BGP routes. This ensures that manually configured static routes take precedence unless explicitly deprioritized.
When BGP advertises a route, it is automatically added to the Magic routing table with a default priority of 100 which applies to all regions. However, if a static route exists with the same prefix and priority, the static route will always take precedence over the BGP route. You will have to set a different priority for static routes, to be more or less than 100, depending on which you want to prioritize. Lower values have greater priority.
Additionally, when multiple BGP routes exist with the same prefix length and priority, traffic is distributed across them using equal-cost multi-path (ECMP) routing.
Cloudflare supports traffic engineering via BGP communities and AS prepending. You can use these traffic routing techniques to set route priorities and perform traffic engineering across multiple interconnects.
The default BGP route priority is 100. This base priority can be adjusted using communities. For example, when a route is tagged with the community 13335:60010 its priority is set to 10. This makes it a higher priority than the default of 100 because lower numeric priorities are preferred.
The community values supported for setting base route priority are:
- 13335:60010: Set base Magic route priority to- 10
- 13335:60050: Set base Magic route priority to- 50
- UNSET: Set base Magic route priority to- 100
- 13335:60150: Set base Magic route priority to- 150
- 13335:60200: Set base Magic route priority to- 200
- 13335:60901: Set base Magic route priority to- 501000
- 13335:60902: Set baseMagic route priority to- 1001000
It is considered a misconfiguration to set multiple base priority communities in the same prefix update message. In this situation the highest priority (lowest integer value) is preferred.
For each additional mention of the customer ASN in the received AS path an additional 10 is added to the route's base priority. By increasing the priority number, the route is less preferred.
For example, if your ASN is 65000 then the BGP UPDATE to Cloudflare will be:
# No change to base priority.AS_PATH: 65000 65200
# Add 10 to base priority for 1 prepend of 65000AS_PATH: 65000 65000 65200
# Add 20 to base priority for 2 prepend of 65000AS_PATH: 65000 65000 65000 65200Cloudflare adjusts route priority when using AS prepending with communities. For example, if a route is tagged with 13335:60150, the base priority is set to 150. If you prepend your ASN twice, Cloudflare adds 10 for each prepend, increasing the route priority to 180.
Cloudflare uses the timers as described below. These are not configurable:
| Setting | Description | 
|---|---|
| Hold timer | 240 seconds (To establish a session, Cloudflare will compare our hold timer and the peer's hold timer, and use the smaller of the two values to establish the BGP session.) | 
| Keepalive timer | One third of the hold time. | 
| Graceful restart | 120 seconds | 
- Hold timer: Specifies the maximum amount of time that a BGP peer will wait to receive a keepalive, update, or notification message before declaring the BGP session down. Cloudflare will use the smaller of this default hold time and that received from the peer in the open message.
- Keepalive timer: BGP systems exchange keepalive messages to determine whether the peer router is reachable. If keepalive messages are not received within the Hold Timer, the session is assumed to be down, indicating that the peer is no longer reachable at the BGP protocol level.
- Graceful restart timer: Tracks how long a router will wait for a peer to re-establish a BGP session after the peer initiates a graceful restart. If the peer does not reconnect within this time, the router declares the session down and removes stale routes.
BGP multipath is supported. If the same prefix is learned on two different interconnects then traffic destined for that prefix will be distributed across each interconnect according to the usual ECMP behavior.
BGP support currently has the following limitations:
- The Cloudflare account ASN and the customer device ASN must be different. Only eBGP is supported.
- Routes are always injected with a priority of 100.
- Bidirectional Forwarding Detection (BFD) is not supported.
Magic WAN customers need to enable legacy health checks alongside BGP. This is essential to determine if a specific Cloudflare data center is reachable from a customer device or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes.
The Magic routing table is managed by the customer, who can select both the Cloudflare-side ASN and the ASN for their customer device. The customer device ASN can be 2-byte or 4-byte. Public ASNs used for Magic Transit are verified during the onboarding process.
By default, each BGP peering session will use the same Cloudflare-side ASN to represent peering with the Magic WAN routing table. This ASN is called the CF Account ASN and is set to 13335. This can be configured to a private 2-byte ASN (for example, any values between 64512 and 65534). To set this ASN:
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic WAN > Configuration > BGP.
- In CF Account ASN, enter Cloudflare's ASN.
- Select Update.
Magic WAN customers should also be aware of the following:
- The Cloudflare side ASN will be included in the AS_PATHof announced routes to any BGP enabled interconnect.
- The customer chooses their device ASN, which should be different to the Cloudflare-side ASN.
You need to configure two ASNs:
- The Cloudflare account-scoped ASN named CF Account ASN.
- One ASN for each interconnect you want to configure with BGP.
If you already have set up your Cloudflare account ASN, you can skip steps two and three below.
- Log in to the Cloudflare dashboard ↗, and select your account.
- Go to Magic WAN > Configuration > BGP.
- In CF Account ASN, enter Cloudflare's ASN.
- Go to Interconnects.
- Find the Direct CNI interconnect you want to configure with BGP > select the three dots next to it > Configure BGP.
- In Customer device ASN, enter the ASN for your network.
- In MD5 key, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism.
- (Optional) In Advertised prefix list, input the additional prefixes automatically assigned by Cloudflare during the creation of the CNI interconnect, to advertise alongside your existing routes. Leave blank if you do not want to advertise extra routes. 
 Typical prefixes to configure here include:- A route to 0.0.0.0/0, the default route — to attract all Internet-bound traffic if using Magic WAN with Gateway.
- A route to 100.96.0.0/12, the portion of CGNAT space used by default with WARP clients.
 
- A route to 
- Select Enable BGP.
Now that you have configured your tunnels and BGP peering, the next step is to create a site.
Sites represent the local network of a data center, office, or other physical location, and combine all on-ramps available there. Sites also allow you to check, at a glance, the state of your on-ramps and set up health alert settings so that you get notified when there are issues with the site's on-ramps.
Refer to Set up a site for more information.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark