[Learning paths] Magic Transit learning path for (#22330)

* added mt lp and concepts

* added what is mt

* refined content type

* added benefits of mt

* refined text

* added mt lp json

* added mt lp icon

* refined text

* moved get started to partial

* get started scope config

* moved cf ips to partial

* refined text

* refined text

* added JSX to cf ips partial

* added render to gstarted cf ips

* corrected cf ips params

* added lp param get started

* added router get started partial

* corrected loa text

* moved byoip loa to partial

* added loa partial

* refined headers

* refined mss partial text

* corrected ipsec mss value

* corrected get started headers

* added mt jsx for get started

* added Lpath jsx to get started

* corrected content type

* added get started to lPath

* added config tunnels folder and overview

* removed unnecessary import

* corrected title

* added config tunnels to lPath

* config routes lPath

* added ddos page

* moved ddos override partial file

* added import

* removed details from import

* added ddos partial

* move mt-advanced-ddos to advanced folder

* corrected links mt-advanced-ddos

* added tcp

* created tcp intro and setup partials

* corrected links

* adv dns protection intro partial

* replaced intro with partial

* created adv dns setup partial

* replaced setup with partial

* added adv dns partials

* added mfirewall

* added notifications

* added more details notifications

* added preflight checks

* refined preflight

* created adv prefixes partial

* added render

* added troubleshooting content

* replaced check with potential solutions

* corrected titles

* fine tuning page

* removed fine tuning from troubleshooting

* updated links for lPath

* added publicstats component

* refined language

* moved intro to jsx

* changed content type

* refined text

* added bgp link

* Apply suggestions from code review

Co-authored-by: Maddy <[email protected]>

---------

Co-authored-by: Maddy <[email protected]>

Author: 2 people

src/content/docs/byoip/concepts/loa.mdx

@@ -9,6 +9,8 @@ head:
 
 ---
 
+import { Render } from "~/components"
+
 A Letter of Agency (LOA) - sometimes referred to as a Letter of Authorization - is a document that authorizes Cloudflare to announce a prefix(es) on behalf of another entity. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on behalf of another entity.
 
 The letter must contain both the prefixes you are authorizing Cloudflare to announce and which ASN they will be announced under. Cloudflare can announce a prefix under your ASN or you can use Cloudflare's ASN, which is AS13335.
@@ -25,37 +27,4 @@ An LOA is a formal document which should be on company letterhead and contain a
 
 You can use the below template when creating an LOA document.
 
-```txt title="Letter of Agency template"
-[COMPANY LETTERHEAD]
-
-LETTER OF AGENCY ("LOA")
-
-[DATE]
-
-
-To whom it may concern:
-
-[COMPANY NAME] (the "Company") authorizes Cloudflare, Inc. with AS13335 to advertise the following IP address blocks / originating ASNs:
-
-- - - - - - - - - - - - - - - - - - -
-[Subnet & Originating ASN]
-[Subnet & Originating ASN]
-[Subnet & Originating ASN]
-- - - - - - - - - - - - - - - - - - -
-
-As a representative of the Company that is the owner of the aforementioned IP address blocks / originating ASNs, I hereby declare that I am authorized to sign this LOA on the Company’s behalf.
-
-Should you have any questions please email me at [E-MAIL ADDRESS], or call: [TELEPHONE NUMBER]
-
-Regards,
-
-
-[SIGNATURE]
-
-
-[NAME TYPED]
-[TITLE]
-[COMPANY NAME]
-[COMPANY ADDRESS]
-[COMPANY STAMP]
-```
+<Render file="loa" />

src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection.mdx

@@ -11,9 +11,9 @@ head:
 
 import { Render } from "~/components"
 
-Cloudflare's Advanced DNS Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as [random prefix attacks](/dns/dns-firewall/random-prefix-attacks/about/).
+<Render file="advanced-ddos/dns-protection-intro" />
 
-<Render file="mt-advanced-ddos-systems-onboarding" />
+<Render file="advanced-ddos/mt-advanced-ddos-systems-onboarding" />
 
 ## How it works
 
@@ -27,7 +27,7 @@ The [Network Analytics dashboard](/analytics/network-analytics/) will display sy
 
 ## Setup
 
-[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/#create-an-advanced-dns-protection-rule) to enable Advanced DNS Protection.
+<Render file="advanced-ddos/dns-setup" />
 
 
 ---

src/content/docs/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection.mdx

@@ -11,9 +11,9 @@ head:
 
 import { Render } from "~/components"
 
-Cloudflare's Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
+<Render file="advanced-ddos/tcp-protection-intro" />
 
-<Render file="mt-advanced-ddos-systems-onboarding" />
+<Render file="advanced-ddos/mt-advanced-ddos-systems-onboarding" />
 
 ## How it works
 
@@ -51,4 +51,4 @@ For more information on the configuration settings of out-of-state TCP rules, re
 
 ## Setup
 
-[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection.
+<Render file="advanced-ddos/tcp-setup" />

src/content/docs/ddos-protection/managed-rulesets/network/configure-dashboard.mdx

@@ -9,7 +9,7 @@ head:
 
 ---
 
-import { Details, Render } from "~/components"
+import { Render } from "~/components"
 
 Configure the Network-layer DDoS Attack Protection managed ruleset by defining [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) in the Cloudflare dashboard. DDoS overrides allow you to customize the **action** and **sensitivity** of one or more rules in the managed ruleset.
 
@@ -19,35 +19,6 @@ For more information on the available parameters and allowed values, refer to [R
 
 ## Create a DDoS override
 
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
-2. Go to Account Home > **L3/4 DDoS** > **Network-layer DDoS Protection**.
-3. Select **Deploy a DDoS override**.
-4. In **Set scope**, specify if you wish to apply the override to all incoming packets or to a subset of the packets.
-5. If you are creating an override for a subset of the incoming packets, define the [custom expression](/ddos-protection/managed-rulesets/network/override-expressions/) that matches the incoming packets you wish to target in the override, using either the Rule Builder or the Expression Editor.
-6. Select **Next**.
-7. Depending on what you wish to override, refer to the following sections (you can perform both configurations on the same override):
-  <Details header="Configure all the rules in the ruleset (ruleset override)">
-  8. Select **Next**.
-  9. Enter a name for your override in **Execution name**.
-  10. To always apply a given action for all the rules in the ruleset, select an action in **Ruleset action**.
-  11. To set the sensitivity level for all the rules in the ruleset, select a value in **Ruleset sensitivity**.
-  </Details>
-
-  <Details header="Configure one or more rules">
-  12. Search for the rules you wish to override using the available filters. You can search for tags.
-  13. To override a single rule, select the desired value for a field in the displayed dropdowns next to the rule.
-
-      To configure more than one rule, select the rules using the row checkboxes and update the fields for the selected rules using the dropdowns displayed before the table. You can also configure all the rules with a given tag. For more information, refer to [Configure rules in bulk in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-rules-in-bulk-in-a-managed-ruleset).
-  14. Select **Next**.
-  15. Enter a name for your override in **Execution name**.
-  </Details>
-
-  :::note[Notes]
-
-  - Tag and rule overrides have priority over ruleset overrides.
-  - <Render file="managed-rulesets/read-only-rules-note" />
-  :::
-
-8. To save and deploy the override, select **Deploy**. If you are not ready to deploy your override, select **Save as Draft**.
+<Render file="managed-rulesets/create-override" />
 
 <Render file="managed-rulesets/delete-override" params={{ one: "select your account", two: "Account Home > L3/4 DDoS > Network-layer DDoS Protection" }} />

src/content/docs/learning-paths/data-center-protection/advertise-prefixes.mdx

@@ -0,0 +1,10 @@
+---
+title: Advertise prefixes
+pcx_content_type: learning-unit
+sidebar:
+  order: 8
+---
+
+import { Render } from "~/components";
+
+<Render file="magic-transit/advertise-prefixes"	product="networking-services" />

src/content/docs/learning-paths/data-center-protection/concepts/benefits-magic-transit.mdx

@@ -0,0 +1,21 @@
+---
+title: Benefits of using Magic Transit
+pcx_content_type: learning-unit
+sidebar:
+  order: 3
+---
+
+import { PublicStats } from "~/components";
+
+Magic Transit leverages Cloudflare's global anycast network. As of writing this guide, Cloudflare's global network spans <PublicStats id="data_center_cities" />, and has <PublicStats id="total_bandwidth" />. This bandwidth allows it to absorb all manners of attack that otherwise would overwhelm a typical data center or on-premise hardware Distributed Denial-of-Service (DDoS) appliances.
+
+The number of DDoS attacks has been steadily increasing in recent years. In the first quarter of 2025, Cloudflared [mitigated 16.8 million network-layer DDoS attacks](https://blog.cloudflare.com/ddos-threat-report-for-2025-q1/#ddos-attacks-in-numbers). This represents a 397% increase quarter over quarter and a 509% increase year over year.
+
+Other advantages of choosing Magic Transit:
+
+- **Scalability**: As Cloudflare's global network expands, so does Magic Transit ability to absorb ever bigger DDoS attacks.
+- **Ease of management**: Magic Transit offers centralized, cloud-based management tools that simplify configuration and monitoring of your network security.
+- **Improvement of network performance**: Magic Transit steers traffic along tunnel routes based on priorities you define and uses equal-cost multi-path routing to provide load-balancing across tunnels with the same prefix and priority.
+- **Integration with zero-trust services**: Magic Transit integrates with other Cloudflare products, including Cloudflare One's SASE offerings, Magic Firewall, and more.
+- **Integration with CNI**: Directly connect your infrastructure to Cloudflare with CNI and bypass the Internet. Beyond a more reliable and secure experience, using CNI is an alternative to anycast GRE tunnels for getting traffic delivered to your infrastructure with a 1500-byte maximum transmission unit (MTU) handoff.
+- **Real-time traffic visibility and alerting**: Monitor and analyze traffic patterns, threat activity, and mitigation actions in real time through Cloudflare's analytics and logging tools. Set up customized alerts to notify you of potential threats, enabling faster incident response and better-informed network decisions.

src/content/docs/learning-paths/data-center-protection/concepts/index.mdx

@@ -0,0 +1,15 @@
+---
+title: Concepts
+pcx_content_type: overview
+sidebar:
+  order: 1
+---
+
+Learn core concepts about Magic Transit and its functionality, in order to protect your data centers from distributed denial-of-service (DDoS) attacks.
+
+## Objectives
+
+By the end of this module you will be able to:
+- Understand what Magic Transit is
+- Why you should use it to protect your IP network
+

src/content/docs/learning-paths/data-center-protection/concepts/what-is-magic-transit.mdx

@@ -0,0 +1,18 @@
+---
+title: What is Magic Transit?
+pcx_content_type: learning-unit
+sidebar:
+  order: 2
+---
+
+Magic Transit is a network security and performance solution that offers Distributed Denial-of-Service (DDoS) protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks.
+
+Magic Transit works at Layer 3 of the [OSI model](https://www.cloudflare.com/en-gb/learning/ddos/glossary/open-systems-interconnection-model-osi/), protecting entire IP networks from DDoS attacks. Instead of relying on local infrastructure that can be overwhelmed by large DDoS attacks, Magic Transit uses the [global Cloudflare Network](https://www.cloudflare.com/network/) to ingest and mitigate attacks close to their source.
+
+Magic Transit delivers its connectivity, security, and performance benefits by serving as the front door to your IP network. This means it accepts IP packets destined for your network, processes them, and then forwards them to your origin infrastructure.
+
+The Cloudflare network uses Border Gateway Protocol (BGP) to announce your company's IP address space, extending your network presence globally, and [anycast](/magic-transit/reference/tunnels/#anycast) to absorb and distribute attack traffic.
+
+Once packets hit Cloudflare's network, traffic is inspected for attacks, filtered, steered, accelerated, and sent onward to your origin. Magic Transit users have two options for their implementation: ingress traffic or ingress and egress traffic. Users with an egress implementation will need to set up policy-based routing (PBR) or ensure default routing on their end forwards traffic to Cloudflare via tunnels.
+
+For an in-depth explanation of Magic Transit, refer to [Magic Transit Reference Architecture](/reference-architecture/architectures/magic-transit/).

src/content/docs/learning-paths/data-center-protection/configure-ddos.mdx

@@ -0,0 +1,39 @@
+---
+title: Configure DDoS protection
+pcx_content_type: learning-unit
+sidebar:
+  order: 4
+---
+
+import { Render } from "~/components"
+
+Cloudflare DDoS protection automatically detects and mitigates Distributed Denial of Service (DDoS) attacks using its Autonomous Edge. Magic Transit customers have access to additional features, such as:
+
+- [Advanced TCP protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) (disabled by default)
+- [Advanced DNS protection (beta)](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/)
+
+## Create a DDoS override
+
+<Render file="managed-rulesets/create-override" product="ddos-protection" />
+
+## DDoS advanced protection
+
+### Advanced TCP Protection
+
+<Render file="advanced-ddos/tcp-protection-intro" product="ddos-protection" />
+
+<Render file="advanced-ddos/mt-advanced-ddos-systems-onboarding" product="ddos-protection" />
+
+#### Setup
+
+<Render file="advanced-ddos/tcp-setup" product="ddos-protection" />
+
+### Advanced DNS Protection
+
+<Render file="advanced-ddos/dns-protection-intro" product="ddos-protection" />
+
+<Render file="advanced-ddos/mt-advanced-ddos-systems-onboarding" product="ddos-protection" />
+
+#### Setup
+
+<Render file="advanced-ddos/dns-setup" product="ddos-protection" />

src/content/docs/learning-paths/data-center-protection/configure-tunnels-routes/configure-routes.mdx

@@ -0,0 +1,22 @@
+---
+title: Configure routes
+pcx_content_type: learning-unit
+sidebar:
+  order: 2
+---
+
+import { Render } from "~/components"
+
+<Render
+	file="routing/configure-routes"
+	product="networking-services"
+	params={{
+		magicWord: "Magic Transit",
+		trafficSteeringPage: "/magic-transit/reference/traffic-steering/",
+		productName: "Magic Transit",
+		tunnelEndpoints: "/magic-transit/how-to/configure-tunnels/",
+		chooseWeights: "/magic-transit/reference/traffic-steering/#set-priority-and-weights-for-static-routes",
+		publicAsnMT: "[Public ASNs used for Magic Transit](/magic-transit/how-to/advertise-prefixes/#cloudflare-asn-vs-your-own-asn) are verified during the onboarding process.",
+		productGatewayOrEgress: "Magic Transit with Egress"
+	}}
+/>