
Commit 378d9e9

Apply suggestions from code review
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
1 parent bc688d6 commit 378d9e9

1 file changed

+6
-6
lines changed


src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx

Lines changed: 6 additions & 6 deletions
@@ -16,7 +16,7 @@ updated: 2024-12-19
1616

1717
## Introduction
1818

19-
Network security teams have traditionally used various network firewalls or security appliances at the perimeter to protect their data center networks against both external and internal threats, e.g. DDoS attacks, malware, ransomware, phishing, leaking of sensitive information, etc. In addition, the same or additional firewall or security appliances are deployed at the [DMZ](<https://en.wikipedia.org/wiki/DMZ_(computing)>) or core layer of the data center networks to control and secure internal private network traffic routed between multiple data center sites across their wide-area network (WAN).
19+
Network security teams have traditionally used various network firewalls or security appliances at the perimeter to protect their data center networks against both external and internal threats, for example, DDoS attacks, malware, ransomware, phishing, leaking of sensitive information, etc. In addition, the same or additional firewall or security appliances are deployed at the [DMZ](<https://en.wikipedia.org/wiki/DMZ_(computing)>) or core layer of the data center networks to control and secure internal private network traffic routed between multiple data center sites across their wide-area network (WAN).
2020

2121
But these firewalls and security appliances are often expensive, complex to configure and manage, difficult to scale to handle large attacks, and require upgrades and patches to defend against newly discovered threats and vulnerabilities.
2222

@@ -25,7 +25,7 @@ But these firewalls and security appliances are often expensive, complex to conf
2525
- [Magic Transit](https://www.cloudflare.com/network-services/products/magic-transit/) provides instant detection and mitigation against network-layer DDoS attacks on your public, Internet-facing networks.
2626
- [Magic WAN](https://www.cloudflare.com/network-services/products/magic-wan/) provides any-to-any, hybrid/multi-cloud secure connectivity between your private, enterprise networks.
2727
- [Magic Firewall](/magic-firewall/) is a cloud-native network firewall service that can be used to filter traffic that is routed to and from your networks that are protected by Magic Transit. It also supports functionalities such as [Intrusion Detection](/magic-firewall/about/ids/) (IDS) and [packet capture](/magic-firewall/packet-captures/).
28-
- [Gateway](https://www.cloudflare.com/zero-trust/products/gateway/) is a secure web gateway (SWG) service that allows you to inspect and control both Internet bound traffic that is originated from your networks, as well as private network-to-private network traffic (i.e. east-west), by proxying such traffic through Cloudflare's global network while applying DNS, network and HTTP based [policies](/cloudflare-one/policies/gateway/).
28+
- [Gateway](https://www.cloudflare.com/zero-trust/products/gateway/) is a secure web gateway (SWG) service that allows you to inspect and control both Internet bound traffic that is originated from your networks, as well as private network-to-private network traffic (that is, east-west), by proxying such traffic through Cloudflare's global network while applying DNS, network and HTTP based [policies](/cloudflare-one/policies/gateway/).
2929

3030
This document focuses specifically on the reference architectures of using Cloudflare Magic Transit, Magic WAN, Magic Firewall and Cloudflare Gateway services to protect both external and internal communications to your data center networks. For details of how Magic Transit, Magic WAN, Magic Firewall and Cloudflare Gateway works and how it can be architected for various use cases, see the linked resources at the end of the document.
3131

@@ -47,7 +47,7 @@ The reference architecture diagram below illustrates how Cloudflare Magic Transi
4747

4848
![Figure 1. Protect Public-facing Networks from Inbound Traffic.](~/assets/images/reference-architecture/protect-data-center-networks/figure1.svg "Figure 1. Protect Public-facing Networks from Inbound Traffic.")
4949

50-
1. Using Border Gateway Protocol ([BGP](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/)) and [IP anycast](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/), Cloudflare advertises the customers protected IP prefixes to the Internet from all of [Cloudflare's global data centers](https://www.cloudflare.com/network/). At the same time, on-premises network(s) would stop advertising the same exact prefixes from their respective on-premises border routers. This ensures that all traffic passes through Cloudflare for Magic Transit DDoS protection and policy enforcement before being delivered to the customer's data center. Internet traffic destined to these protected IP prefixes will always be routed to the Cloudflare data center that is closest to the source of the traffic.
50+
1. Using Border Gateway Protocol ([BGP](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/)) and [IP anycast](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/), Cloudflare advertises the customer's protected IP prefixes to the Internet from all of [Cloudflare's global data centers](https://www.cloudflare.com/network/). At the same time, on-premises network(s) would stop advertising the same exact prefixes from their respective on-premises border routers. This ensures that all traffic passes through Cloudflare for Magic Transit DDoS protection and policy enforcement before being delivered to the customer's data center. Internet traffic destined to these protected IP prefixes will always be routed to the Cloudflare data center that is closest to the source of the traffic.
5151
Optionally, you could advertise less-specific IP prefixes from the border routers to the Internet. This way, in the unlikely event of a Magic Transit service failure, traffic can be quickly re-routed directly to network locations from the Internet.
5252
2. Traffic originating from the Internet and destined to the protected IP prefixes is ingested into the global Cloudflare network.
5353
3. All DDoS attack traffic is mitigated in-line, close to the sources, at every Cloudflare data center using advanced and automated [DDoS mitigation](/ddos-protection/) technologies.
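Review bot: "the customer's protected IP prefixes" fixes the possessive, but two wording problems remain on the same line 50: "the same exact prefixes" should be "the exact same prefixes" (or simply "the same prefixes"), and "the Cloudflare data center that is closest to the source of the traffic" is misleading for anycast, where BGP path selection picks the nearest data center in routing terms rather than geographically; suggest "the Cloudflare data center that is nearest to the source in BGP terms". The unchanged line 51 ("Optionally, you could advertise less-specific IP prefixes from the border routers to the Internet ...") should also state plainly that while the less-specific route is carrying traffic, that traffic bypasses Magic Transit DDoS mitigation and Magic Firewall; the fallback trades protection for availability, and the reader deciding whether to advertise it needs to know that.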
@@ -59,15 +59,15 @@ The reference architecture diagram below illustrates how Cloudflare Magic Transi
5959

6060
## Protect Internet access from public-facing networks
6161

62-
The reference architecture diagram below illustrates how Cloudflare services \- Magic Transit (Egress), Magic Firewall and Cloudflare Gateway, can be used to protect outbound Internet traffic originating from the data centers' public-facing networks (i.e. servers with public IP addresses).
62+
The reference architecture diagram below illustrates how Cloudflare services - Magic Transit (Egress), Magic Firewall, and Cloudflare Gateway can be used to protect outbound Internet traffic originating from the data centers' public-facing networks (that is, servers with public IP addresses).
6363

6464
![Figure 2. Protect outbound traffic from public-facing networks.](~/assets/images/reference-architecture/protect-data-center-networks/figure2.svg "Figure 2. Protect outbound traffic from public-facing networks.")
6565

6666
1. Each site network routes outbound Internet traffic originating from the public-facing networks to Cloudflare, via the same CNIs that inbound traffic traverses. This can be done at your site through routing techniques of your choice, such as policy based routing (PBR).
6767
2. Upon entering the Cloudflare network, outbound Internet traffic is first routed through Magic Firewall where it is subject to any configured network firewall policies.
6868
3. Outbound Internet traffic is subsequently sent to [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our secure web gateway service where various [policies](/cloudflare-one/policies/gateway/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks. For example, Gateway DNS and HTTP policies can both be configured to prevent your servers from connecting to questionable Internet sites and from downloading malware or other malicious content.
6969
4. Once traffic clears inspection, Gateway proxies the outbound traffic to their destinations on the Internet. The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service, which if you want you can purchase and set your [own egress IP](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/)
70-
5. Return traffic from the internet, destined to Cloudflare's IP addresses linked to the Gateway service, is routed into Cloudflare's global network.
70+
5. Return traffic from the Internet, destined to Cloudflare's IP addresses linked to the Gateway service, is routed into Cloudflare's global network.
7171
6. Traffic is inspected against Gateway policies.
7272
7. Return traffic that passes Gateway inspection is routed to Magic Firewall for further packet filtering.
7373
8. Return traffic that passes Magic Firewall filtering is routed from Cloudflare to your network locations via CNIs that transport public-facing network traffic.
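Review bot: the "Internet" capitalisation fix on line 70 is right, but the unchanged line 69 in the same hunk is broken English and has no terminating period: "The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service, which if you want you can purchase and set your [own egress IP](...)". Suggest: "The source IP addresses of the outbound traffic are Cloudflare-owned IP addresses associated with the Gateway service; optionally, you can use your own [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/)." On the same line, "Gateway proxies the outbound traffic to their destinations" should be "to its destinations". Line 62's new text correctly drops the unnecessary backslash before the hyphen, but the sentence still uses a spaced hyphen as a dash; a colon ("Cloudflare services: Magic Transit (Egress), Magic Firewall, and Cloudflare Gateway") would be cleaner.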
@@ -108,7 +108,7 @@ The reference architecture diagram below illustrates how Cloudflare services \-
108108
2. Upon entering the Cloudflare network, outbound Internet traffic is first routed through Magic Firewall where it is subject to any configured network firewall policies.
109109
3. Traffic that clears Magic Firewall is subsequently sent to [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our secure web gateway service where any configured L3-7 [policies](/cloudflare-one/policies/gateway/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks.
110110
4. Once traffic clears inspection, Gateway proxies the outbound traffic to their destinations on the Internet. The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service.
111-
5. Return traffic from the internet, destined to Cloudflare's IP addresses linked to the Gateway service, is routed into Cloudflare's global network.
111+
5. Return traffic from the Internet, destined to Cloudflare's IP addresses linked to the Gateway service, is routed into Cloudflare's global network.
112112
6. Traffic is inspected against Gateway policies.
113113
7. Return traffic that passes Gateway inspection is routed to Magic Firewall for further packet filtering.
114114
8. Return traffic that passes Magic Firewall filtering is routed from Cloudflare to your network locations via CNIs that transport private network traffic.
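Review bot: line 111's capitalisation fix mirrors the one at line 70, and the unchanged line 110 has the same agreement error as line 69 ("Gateway proxies the outbound traffic to their destinations" should be "to its destinations"). Lines 111 to 114 are otherwise a verbatim copy of lines 70 to 73 in the public-facing section; if both sections must repeat the return-path steps, keep them word-for-word identical so that future edits (like this one) do not have to be applied twice, or share the text between the two sections.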
