src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx
9 additions & 7 deletions
@@ -25,18 +25,18 @@ But these firewalls and security appliances are often expensive, complex to conf
-[Magic Transit](https://www.cloudflare.com/network-services/products/magic-transit/) provides instant detection and mitigation against network-layer DDoS attacks on your public, Internet-facing networks.
-[Magic WAN](https://www.cloudflare.com/network-services/products/magic-wan/) provides any-to-any, hybrid/multi-cloud secure connectivity between your private, enterprise networks.
-[Magic Firewall](/magic-firewall/) is a cloud-native network firewall service that can be used to filter traffic that is routed to and from your networks that are protected by Magic Transit. It also supports functionalities such as [Intrusion Detection](/magic-firewall/about/ids/) (IDS) and [packet capture](/magic-firewall/packet-captures/).
-
-[Gateway](https://www.cloudflare.com/zero-trust/products/gateway/) is a secure web gateway (SWG) service that allows you to inspect and control both Internetbound traffic that is originated from your networks, as well as private network-to-private network traffic (that is, east-west), by proxying such traffic through Cloudflare's global network while applying DNS, network and HTTP based [policies](/cloudflare-one/policies/gateway/).
+
-[Gateway](https://www.cloudflare.com/zero-trust/products/gateway/) is a secure web gateway (SWG) service that allows you to inspect and control both Internet-bound traffic that is originated from your networks, as well as private network-to-private network traffic (that is, east-west), by proxying such traffic through Cloudflare's global network while applying DNS, network and HTTP based [policies](/cloudflare-one/policies/gateway/).
This document focuses specifically on the reference architectures of using Cloudflare Magic Transit, Magic WAN, Magic Firewall and Cloudflare Gateway services to protect both external and internal communications to your data center networks. For details of how Magic Transit, Magic WAN, Magic Firewall and Cloudflare Gateway works and how it can be architected for various use cases, see the linked resources at the end of the document.
To illustrate the architecture and how it works, the following diagrams visualize an example corporation with a set of data center networks that are either public-facing, connecting to users on the Internet or private, internal facing, used for communication within the enterprise. These networks are deployed at two on-premises locations. The prefixes of the public-facing networks are to be protected by Cloudflare Magic Transit.
The edge router(s) at each data center is connected to Cloudflare network via two Direct [Cloudflare Network Interconnect](/network-interconnect/) (CNI) connections, which are direct, private connections between your network and Cloudflare network, one for carrying public-facing network traffic, one for carrying private network traffic. Optionally, you can choose to carry both public and private network traffic over a single CNI connection but many organizations do desire to transport external and internal network traffic over separate connections in their security practice.
+
The edge router(s) at each data center is connected to Cloudflare network via two Direct [Cloudflare Network Interconnect](/network-interconnect/) (CNI) connections, which are direct, private connections between your network and Cloudflare network. One of the Direct CNI connections is for carrying public-facing network traffic, while the other is for carrying private network traffic. Optionally, you can choose to carry both public and private network traffic over a single CNI connection but many organizations do desire to transport external and internal network traffic over separate connections in their security practice.
- For data center 1, CNI connection 1 is used to transport public-facing network traffic and connection 2 is used to transport private network traffic.
- For data center 2, CNI connection 3 is used to transport public-facing network traffic and connection 4 is used to transport private network traffic.
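Review bot: The rewritten CNI sentence (new line 39) still repeats "connected to Cloudflare network" without an article and pairs a plural subject with a singular verb ("The edge router(s) ... is connected"); suggest "Each data center's edge router is connected to the Cloudflare network via two Direct [Cloudflare Network Interconnect](/network-interconnect/) (CNI) connections, which are direct, private connections between your network and the Cloudflare network." The closing clause "many organizations do desire to transport external and internal network traffic over separate connections in their security practice" would read more naturally as "many organizations prefer to keep external and internal traffic on separate connections as a security practice", and since this separation is the security-relevant design choice in the paragraph, it is worth stating the reason for it rather than only that organizations desire it. The "Internetbound" to "Internet-bound" fix on line 28 is good; in the same line, "DNS, network and HTTP based [policies]" should be "DNS-, network- and HTTP-based" for consistency with that hyphenation.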
@@ -74,10 +74,11 @@ The reference architecture diagram below illustrates how Cloudflare services - M
## Protect site-to-site, inter-data center, private network traffic
-
The reference architecture diagrams below illustrate how Cloudflare services \- Magic WAN, Magic Firewall and Cloudflare Gateway, can be used to protect site-to-site, inter-data center traffic between your private networks.
+
The reference architecture diagrams below illustrate how Cloudflare services — Magic WAN, Magic Firewall and Cloudflare Gateway — can be used to protect site-to-site, inter-data center traffic between your private networks.
**Site to Site Private Network Traffic Connectivity**
-
First, let us look at the use case where you do not intend to subject site-to-site private network traffic to Cloudflare Gateway proxy firewall service and simply route it using Magic WAN service.
+
+
First, let us examine the use case where you do not intend to subject site-to-site private network traffic to Cloudflare Gateway proxy firewall service and simply route it using Magic WAN service.

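Review bot: New line 82 calls Gateway a "proxy firewall service" while the first hunk introduces it as "a secure web gateway (SWG) service"; using one term avoids the reader wondering whether two different products are meant, and the sentence also needs articles ("to the Cloudflare Gateway ... service and simply route it using the Magic WAN service"). The escaped hyphen replaced on line 77 is the same change made in the later hunk at new line 105; any other remaining "\-" in this file should be updated in the same commit so the rendering is consistent. In the unchanged context, the bold heading "**Site to Site Private Network Traffic Connectivity**" uses "Site to Site" while the body uses "site-to-site"; suggest "Site-to-Site" in the heading (and in the later heading "**Site to Site Private Network Traffic with Application Level Security Controls**").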
@@ -87,6 +88,7 @@ First, let us look at the use case where you do not intend to subject site-to-si
4. Traffic that clears the Magic Firewall rules and is not intended to be further proxied by Cloudflare Gateway service, is routed back to the destination network via the corresponding CNI.
**Site to Site Private Network Traffic with Application Level Security Controls**
+
For the use case where you do want to apply application level policy for fine-grain control and security on certain private network traffic, you can route and proxy such traffic through Magic WAN and Cloudflare Gateway service. The following diagram illustrates the architecture and packet flow of such use cases.

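Review bot: "fine-grain control" in the paragraph at new line 92 should read "fine-grained control", and "the architecture and packet flow of such use cases" should be singular ("of this use case") since a single diagram follows; the heading above it should be hyphenated as "Application-Level Security Controls". While touching these lines, step 4 ("Traffic that clears the Magic Firewall rules and is not intended to be further proxied by Cloudflare Gateway service, is routed back to the destination network via the corresponding CNI.") should lose the comma before "is routed" and gain "the" before "Cloudflare Gateway service". The added blank line after the bold heading (new line 91) is correct for MDX paragraph separation.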
@@ -100,7 +102,7 @@ For the use case where you do want to apply application level policy for fine-gr
## Protect outbound Internet traffic from private networks
-
The reference architecture diagram below illustrates how Cloudflare services \- Magic WAN, Magic Firewall and Cloudflare Gateway, can be used to protect outbound Internet traffic originating from the data centers' private networks. The use cases and the protection provided to the servers on the private networks are very similar to those described in the previous section about protecting Internet access from public-facing networks. The differences are that the servers have private IP addresses and that Magic WAN service is used in this section, as opposed to the previous section where servers are assigned with public IP addresses and Magic Transit server is used.
+
The reference architecture diagram below illustrates how Cloudflare services — Magic WAN, Magic Firewall and Cloudflare Gateway — can be used to protect outbound Internet traffic originating from the data centers' private networks. The use cases and the protection provided to the servers on the private networks are very similar to those described in the previous section about protecting Internet access from public-facing networks. The differences are that the servers have private IP addresses and that Magic WAN service is used in this section, as opposed to the previous section where servers are assigned with public IP addresses and Magic Transit server is used.

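Review bot: "Magic Transit server is used" at the end of new line 105 looks like a typo for "Magic Transit service is used", parallel to "Magic WAN service is used" earlier in the same sentence; since this line is already being rewritten for the dash, fix it in the same change. In the same sentence, "servers are assigned with public IP addresses" should be "servers are assigned public IP addresses". The sentence also refers to "the previous section about protecting Internet access from public-facing networks", which is not shown in this diff; confirm that wording matches the actual section heading so the cross-reference stays accurate.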