cloudflare · RebeccaTamachiro · Aug 2, 2024 · Aug 2, 2024 · Aug 5, 2024 · Aug 6, 2024
@@ -10,9 +10,7 @@ meta:
 
 {{<plan type="enterprise">}}
 
-With **Bringing Your Own IPs** (BYOIP), Cloudflare announces your IPs in all our locations. Use your IPs with Magic Transit, Spectrum, or CDN services.
-
-BYOIP is compatible with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), and [CDN services](/cache/).
+With **Bringing Your Own IPs** (BYOIP), Cloudflare announces your IPs in all our locations. Use your IPs with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), or [CDN services](/cache/).
 
 {{<button-group>}}
   {{<button type="primary" href="/byoip/get-started/">}}Get started{{</button>}}

@@ -16,6 +16,8 @@ BYOIP is ingress only.
 
 Cloudflare requires a service-specific configuration for your prefixes, as well as some requirements common to all BYOIP customers regardless of service type. These requirements are common to all products compatible with BYOIP, such as [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), and [CDN services](/cache/).
 
+Traditionally, BYOIP prefixes can only be bound to one of these services (Magic Transit, Spectrum, or CDN) at a time. To enable a second service on individual IP addresses or on a subnet, refer to [IP address service bindings](/byoip/service-bindings/).
+
 ## Prerequisites
 
 There are two major prerequisites before Cloudflare can begin onboarding your IP space.
@@ -29,7 +31,7 @@ After onboarding, [Border Gateway Protocol (BGP)](https://www.cloudflare.com/lea
 
 ## Cloudflare IPs
 
-If you are unable to bring your own IP to Cloudflare, you can use an IP address issued by Cloudflare. 
+If you are unable to bring your own IP to Cloudflare, you can use an IP address issued by Cloudflare.
 
 Using a Cloudflare IP may be a good option if you:
 
@@ -40,7 +42,7 @@ Using a Cloudflare IP may be a good option if you:
 - Maintain a large number of locations with a combination of connectivity methods.
 - Own an IP space with a /24 prefix length but do not advertise prefixes from every location.
 
-To protect your network using a Cloudflare IP address, contact your account manager. 
+To protect your network using a Cloudflare IP address, contact your account manager.
 
 {{<Aside type="note">}}
 When you use a Cloudflare-managed IP space, you do not need to provide a Letter of Agency (LOA) and advertise your prefixes that are associated with bringing your own IP.

@@ -1,7 +1,7 @@
 ---
 title: Route Leak Detection
 pcx_content_type: how-to
-weight: 6
+weight: 7
 ---
 
 # Route Leak Detection

@@ -0,0 +1,33 @@
+---
+title: Service bindings
+pcx_content_type: concept
+weight: 6
+---
+
+# IP address service bindings
+
+Within IP address management, service binding refers to the association of an IP (or a range of IPs) to specific Cloudflare services.
+
+## Scope
+
+Currently, if you have BYOIP configured with [Magic Transit](/magic-transit/), you can use the [service binding](/api/operations/ip-address-management-service-bindings-list-service-bindings) endpoints to add CDN or Spectrum capabilities on top of Magic Transit.
+
+### CDN (Cache)
+
+Adding the CDN service binding ensures that any HTTP requests received via designated IPs are directed into the CDN pipeline for [Layer 7 processing](/fundamentals/concepts/how-cloudflare-works/#how-cloudflare-works-as-a-reverse-proxy) as they land on the Cloudflare network.
+
+Refer to [Use BYOIP with Magic Transit and CDN](/byoip/service-bindings/magic-transit-with-cdn/) to learn how to set this up.
+
+### Spectrum
+
+Adding [Spectrum](/spectrum/) allows you benefit from Cloudflare security and performance for Layer 4 traffic.
+
+## API
+
+Service binding operations are currently only available via API. You can find all endpoints and their specifications in the [Cloudflare API documentation](/api/operations/ip-address-management-service-bindings-list-service-bindings).
+
+## Limitations
+
+* It is currently not possible to use both Spectrum and CDN together with the Magic Transit service. You must choose one or the other when upgrading your IPs.
+* You must keep Magic Transit as a common base service, spanning all addresses in your prefix.
+* Once a service binding is created, its propagation across the Cloudflare network will take four to six hours to complete.
@@ -0,0 +1,203 @@
+---
+title: Magic Transit with CDN
+pcx_content_type: how-to
+weight: 3
+---
+
+# Use BYOIP with Magic Transit and CDN
+
+[Magic Transit](/magic-transit/) customers using [BYOIP](/byoip/) can also benefit from the performance, reliability, and security that Cloudflare offers for HTTP-based applications.
+
+This configuration will use the [IP address management service bindings](/byoip/service-bindings/) to enable Cloudflare [CDN services (Cache)](/cache/) on top of Magic Transit, on individual IP addresses or on a subnet.
+
+## Before you begin
+
+* Consider the service bindings [scope and limitations](/byoip/service-bindings/).
+* Plan for what IP addresses you want to configure. If you want to add CDN to multiple contiguous IP addresses, specifying a CIDR block that incorporates all IPs is more efficient.
+    {{<details header="Example" >}}
+
+**Magic Transit protected prefix:** `203.0.113.100/24`
+
+**IPs to upgrade to the CDN:**
+
+`203.0.113.16`
+`203.0.113.17`
+`203.0.113.18`
+`203.0.113.19`
+`203.0.113.20`
+`203.0.113.21`
+`203.0.113.22`
+`203.0.113.23`
+
+**Best practice:** Add one discrete CDN Service Binding for `203.0.113.16` with a `/29` netmask.
+
+{{</details>}}
+
+* Note that a transitional state will take place for four to six hours after you create the service binding. During this time, traffic destined to your origins will slowly transition from the Magic Transit pipeline to the CDN pipeline.
+
+## 1. Get account information
+
+1. Log in to your Cloudflare account and get your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and [API token](/fundamentals/api/get-started/create-token/). The token permissions should include `Account` - `IP Prefixes` - `Edit`.
+2. Make a `GET` request to the [List Services](/api/operations/ip-address-management-service-bindings-list-services) endpoint and take note of the `id` associated with the CDN service.
+3. Use the [List Prefixes](/api/operations/ip-address-management-prefixes-list-prefixes) endpoint and take note of the `id` associated with the prefix (`cidr`) you will configure.
+
+{{<example>}}
+
+At this point, continuing the example mentioned above, you should have a mapping similar to the following:
+
+| Variables  | Description                                        |
+|-------------------------------|----------------------------------------------------|
+| `{service_id}`                  | The ID of the CDN service within Cloudflare. <br /><br /> Example: `969xxxxxxxx000xxx0000000x00001bf`           |
+| `{prefix_id}`                   | The ID of the Magic Transit protected prefix (`203.0.113.100/24`) you want to configure <br /><br /> Example: `6b25xxxxxxx000xxx0000000x0000cfc` |
+
+{{</example>}}
+
+4. To confirm you currently only have a Magic Transit service binding and that it spans across your entire prefix, make a `GET` request to the  [List Service Bindings](/api/operations/ip-address-management-service-bindings-list-service-bindings) endpoint. Replace the `{prefix_id}` in the URI path by the actual prefix ID you got from the previous step.
+
+{{<example>}}
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings \
+--header "Authorization: Bearer <API_TOKEN>"
+```
+
+{{</example>}}
+
+## 2. Create service binding
+
+{{<Aside type="warning">}}
+Once this step is completed, a four to six-hour propagation state will initiate. Only after the service binding reaches an **active** state, all traffic will be processed through the CDN pipeline.
+{{</Aside>}}
+
+1. Make a `POST` request to the [Create Service Binding](/api/operations/ip-address-management-service-bindings-create-service-binding/) endpoint, indicating the IP address you want to bind to the CDN. Don't forget to specify the **corresponding network mask**.
+
+{{<example>}}
+
+Continuing the example, `203.0.113.100/32` designates an IP address that is within the Magic Transit protected prefix `203.0.113.0/24`.
+
+Replace the `{prefix_id}` in the URI with your prefix ID from previous steps. Within the request body, the `cidr` value should correspond to the IP address or subnet that you are configuring for use with CDN.
+
+```bash
+
+# Replace the cidr value by the IP address you are configuring.
+
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings \
+--header "Authorization: Bearer <API_TOKEN>" \
+--header "Content-Type: application/json" \
+--data '{
+  "cidr": "203.0.113.100/32",
+  "service_id": <SERVICE_ID>
+}'
+```
+
+In the response body, the initial provisioning state should be `provisioning`.
+
+```json
+{
+  "errors": [],
+  "messages": [],
+  "success": true,
+  "result": {
+    "cidr": "203.0.113.100/32",
+    "id": <CDN_SERVICE_BINDING_ID>,
+    "provisioning": {
+      "state": "provisioning"
+      },
+    "service_id": <SERVICE_ID>,
+    "service_name": "CDN"
+  }
+}
+```
+{{</example>}}
+
+2.(Optional) Through the four to six hours that your change will take to propagate, you can use the [List Service Bindings](/api/operations/ip-address-management-service-bindings-list-service-bindings) endpoint to programmatically check for the `active` provisioning state.
+
+## 3. Create address maps
+
+Once you have configured your IPs to have CDN service, you can use {{<glossary-tooltip term_id="address map" link="/byoip/address-maps/">}}address maps{{</glossary-tooltip>}} to specify which IPs should be used by Cloudflare in DNS responses when a record is [proxied](/dns/manage-dns-records/reference/proxied-dns-records/#proxied-records).
+
+You can choose between two different scopes:
+
+* Account-level: uses the address map for all proxied DNS records across all of the zones within an account.
+
+* Zone-level: uses the address map for all proxied DNS records within a zone.
+
+{{<Aside type="note">}}
+If you need to map only specific subdomains to specific IP addresses - and not all proxied DNS records -, you can use a [Subdomain setup](/dns/zone-setups/subdomain-setup/).
+{{</Aside>}}
+
+{{<tabs labels="Dashboard | API">}}
+{{<tab label="dashboard" no-code="true">}}
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Go to **IP Addresses** > **Address Maps**.
+3. Select **Create an address map**.
+4. Choose the scope of the address map.
+5. Add the zones and IP addresses that you want to map.
+6. Name your address map.
+7. Review the information and select **Save and Deploy**.
+
+{{</tab>}}
+{{<tab label="api" no-code="true">}}
+
+Use the [Create Address Map](/api/operations/ip-address-management-address-maps-create-address-map) endpoint.
+
+Make sure you have the correct Key/Token and permissions.
+
+{{</tab>}}
+{{</tabs>}}
+
+## 4. Create DNS records
+
+{{<tabs labels="Dashboard | API">}}
+{{<tab label="dashboard" no-code="true">}}
+
+To create a DNS record in the dashboard:
+
+1.  Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select an account and domain.
+2.  Go to **DNS** > **Records**.
+3.  Select **Add record**.
+4.  Choose an address (`A`/`AAAA`) record [**Type**](/dns/manage-dns-records/reference/dns-record-types/).
+5.  Complete the required fields, indicating an IP address that has CDN service binding and setting the proxy status to **proxied**.
+6.  Select **Save**.
+
+{{</tab>}}
+
+{{<tab label="api" no-code="true">}}
+
+To create records with the API, use a [POST request](/api/operations/dns-records-for-a-zone-create-dns-record). For field definitions, select a record type under the request body specification.
+
+{{</tab>}}
+{{</tabs>}}
+
+{{<Aside type="note">}}
+As you create the necessary DNS records, [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) can help making sure that you have SSL/TLS certificates in place for all your hostnames.
+{{</Aside>}}
+
+While the DNS record proxy status and address map will determine how Cloudflare's authoritative DNS responds to requests for your hostnames, the IP addresses specified in `A`/`AAAA` records will determine [how Cloudflare reaches the configured origin](/fundamentals/concepts/how-cloudflare-works/#how-cloudflare-works-as-a-reverse-proxy).
+
+{{<details header="Example" >}}
+
+| Type | Name | IP address | Proxy status | TTL |
+| --- | --- | --- | --- | --- |
+| `A` | `www` | `203.0.113.150` | `Proxied` | `Auto` |
+
+At this point, if an address map for a zone `example.com` specifies that Cloudflare should use `203.0.113.100` for proxied records and the above record exists in the same zone, you can expect the following:
+
+1. Cloudflare responds to DNS requests with `203.0.113.100`.
+2. Cloudflare proxies requests through the CDN and then routes the requests via [GRE](/magic-transit/reference/tunnels/#gre-and-ipsec-tunnels) or [CNI](/magic-transit/network-interconnect/) to the origin server `203.0.113.150` (Magic Transit protected prefix).
+3. Depending on whether Magic Transit is implemented with [direct server return model or with Magic Transit egress](/magic-transit/how-to/configure-tunnels/#bidirectional-vs-unidirectional-health-checks), the origin server responds back to Cloudflare either:
+
+    * Directly over the Internet in a Magic Transit in a direct server return model
+    * Back through the Magic GRE tunnel(s) in a Magic Transit egress model
+4. As the HTTP response egresses the Cloudflare network back to the client side, the source IP address of the response becomes `203.0.113.100` (the IP address that the HTTP request originally landed on).
+
+{{</details>}}
+
+## 5.(Optional) Add layer 7 functionality
+
+Leverage other features according to your needs:
+
+* [Cache](/cache/)
+* [WAF custom rules](/waf/custom-rules/#custom-rules)
+* [Security analytics](/waf/analytics/security-analytics/#security-analytics)