diff --git a/src/content/changelogs/magic-transit.yaml b/src/content/changelogs/magic-transit.yaml
index d4775557e51b555..74a48137711cfaa 100644
--- a/src/content/changelogs/magic-transit.yaml
+++ b/src/content/changelogs/magic-transit.yaml
@@ -5,6 +5,10 @@ productLink: "/magic-wan/"
productArea: Cloudflare One
productAreaLink: /cloudflare-one/changelog/
entries:
+ - publish_date: "2024-12-17"
+ title: BGP support for Cloudflare Network Interconnect (CNI)
+ description: |-
+ Magic Transit customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic Transit routing table.
- publish_date: "2024-10-01"
title: Early access testing for BGP on CNI 2.0 circuits
description: |-
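Review bot: the added description starts two consecutive sentences with "Customers can now", and it gives readers no pointer to the new how-to page. Consider merging them into one sentence ("... can now establish BGP peering over CNI circuits and dynamically exchange routes ...") and linking to `/magic-transit/how-to/bgp-peering/`. Separately, the hunk header context for this Magic Transit file shows `productLink: "/magic-wan/"`, which is worth checking while the file is open.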
diff --git a/src/content/changelogs/magic-wan.yaml b/src/content/changelogs/magic-wan.yaml
index c28580002b594ac..8e35b1784209c12 100644
--- a/src/content/changelogs/magic-wan.yaml
+++ b/src/content/changelogs/magic-wan.yaml
@@ -5,6 +5,10 @@ productLink: "/magic-wan/"
productArea: Cloudflare One
productAreaLink: /cloudflare-one/changelog/
entries:
+ - publish_date: "2024-12-17"
+ title: BGP support for Cloudflare Network Interconnect (CNI)
+ description: |-
+ Magic WAN customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic WAN table.
- publish_date: "2024-10-01"
title: Early access testing for BGP on CNI 2.0 circuits
description: |-
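Review bot: the last sentence of the added description ends with "the Magic WAN table", while the matching entries in the other two changelog files say "routing table". Use "the Magic WAN routing table" so the three entries read the same.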
diff --git a/src/content/changelogs/network-interconnect.yaml b/src/content/changelogs/network-interconnect.yaml
index 7922b44f0945d4f..00c886e196f91b3 100644
--- a/src/content/changelogs/network-interconnect.yaml
+++ b/src/content/changelogs/network-interconnect.yaml
@@ -5,6 +5,10 @@ productLink: "/network-interconnect/"
productArea: Cloudflare One
productAreaLink: /cloudflare-one/changelog/
entries:
+ - publish_date: "2024-12-17"
+ title: BGP support for Cloudflare Network Interconnect (CNI)
+ description: |-
+ Magic WAN and Magic Transit customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic WAN or Magic Transit routing table.
- publish_date: "2024-10-01"
title: Early access testing for BGP on CNI 2.0 circuits
description: |-
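Review bot: the title and description say BGP peering works "over CNI circuits" without qualification, but the caution block in the `bgp-peering.mdx` partial added by this patch limits it to Direct CNI on-ramps. Name Direct CNI in this entry (and in the two product changelogs) so Classic CNI customers do not read it as applying to them.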
diff --git a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx
index 663299c43dd66be..52a822580c5857b 100644
--- a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx
+++ b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx
@@ -3,7 +3,6 @@ pcx_content_type: how-to
title: Advertise prefixes
sidebar:
order: 3
-
---
import { Details, GlossaryTooltip } from "~/components"
@@ -89,6 +88,11 @@ After receiving your information, Cloudflare will update firewall filters to est
When you withdraw a prefix using BGP, you must ensure the prefix is withdrawn across all BGP sessions on all route reflectors. Otherwise, your prefix will not be withdrawn from Cloudflare's global network.
:::
+### BGP peering
+
+If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, refer to [BGP peering](/magic-transit/how-to/bgp-peering/) to learn how to configure BGP peering.
+
+
### Regional settings
Magic Transit requires static routing to steer traffic from Cloudflare's network over one of your configured tunnel off-ramps (GRE, IPsec or CNI). Currently, advertisement of routes for traffic engineering purposes is not supported. As a best practice to reduce last-hop latency, you should consider scoping your routes regionally. The default setting for static route regions is **All Regions**. Refer to [Configure static routes](/magic-transit/how-to/configure-static-routes/) for more information.
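Review bot: the new "BGP peering" section lands directly above an unchanged paragraph that opens with "Magic Transit requires static routing to steer traffic ... over one of your configured tunnel off-ramps (GRE, IPsec or CNI)". With dynamic route exchange now available on Direct CNI, that sentence needs a qualifier or a cross-reference, otherwise the two adjacent sections contradict each other. Minor: the section adds two consecutive blank lines before "### Regional settings"; one is enough.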
diff --git a/src/content/docs/magic-transit/how-to/bgp-peering.mdx b/src/content/docs/magic-transit/how-to/bgp-peering.mdx
new file mode 100644
index 000000000000000..6ce3ac97b4e835e
--- /dev/null
+++ b/src/content/docs/magic-transit/how-to/bgp-peering.mdx
@@ -0,0 +1,18 @@
+---
+pcx_content_type: how-to
+title: Configure BGP peering
+sidebar:
+ order: 4
+---
+
+import { Render } from "~/components"
+
+
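Review bot: the hunk header declares 18 added lines, but after `import { Render } from "~/components"` the body shown here is empty, so the `<Render>` call cannot be reviewed. Please confirm it passes all three params the partial declares (`productName`, `productPath`, `legacyHCs`), since the partial interpolates `{props.productName}` into headings, dashboard paths and the caution block.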
diff --git a/src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx b/src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx
index b772eec6796e99e..d286ff7b77230d8 100644
--- a/src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx
+++ b/src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx
@@ -2,7 +2,7 @@
pcx_content_type: how-to
title: Run endpoint health checks
sidebar:
- order: 4
+ order: 5
---
diff --git a/src/content/docs/magic-transit/network-interconnect.mdx b/src/content/docs/magic-transit/network-interconnect.mdx
index 4146857c2fd5db3..b2e533fc978bd17 100644
--- a/src/content/docs/magic-transit/network-interconnect.mdx
+++ b/src/content/docs/magic-transit/network-interconnect.mdx
@@ -22,7 +22,7 @@ When working with Magic Transit and CNI, there are a few guidelines you should f
With [Direct CNI](/network-interconnect/express-cni/) you can use the Cloudflare dashboard to provision a connection to Cloudflare in three minutes or less. This type of connection supports IP packets with 1,500 bytes, both for ingress and egress traffic.
-For the time being, Direct CNI does not support BGP. If your use case calls for BGP anycast prefix withdrawal or BGP based connection failover, you need to use [Classic CNI](/network-interconnect/classic-cni/) with a Magic Transit GRE tunnel.
+With Direct CNI you can also setup BGP peering between your network and Cloudflare.
### Classic CNI
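Review bot: in the added line, "setup" is used as a verb and should be "set up". The line also replaces guidance that named concrete use cases (BGP anycast prefix withdrawal, BGP-based connection failover) with a sentence that links nowhere; link "BGP peering" to `/magic-transit/how-to/bgp-peering/` so readers can find the configuration steps.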
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx
new file mode 100644
index 000000000000000..4b4e73e0d5f0220
--- /dev/null
+++ b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx
@@ -0,0 +1,18 @@
+---
+pcx_content_type: how-to
+title: Configure BGP peering
+sidebar:
+ order: 3
+---
+
+import { Render } from "~/components"
+
+
diff --git a/src/content/docs/magic-wan/network-interconnect.mdx b/src/content/docs/magic-wan/network-interconnect.mdx
index a80a60c34c21466..12ffa7253cebeab 100644
--- a/src/content/docs/magic-wan/network-interconnect.mdx
+++ b/src/content/docs/magic-wan/network-interconnect.mdx
@@ -18,7 +18,7 @@ When working with Magic WAN and Cloudflare Network Interconnect (CNI), there are
With [Direct CNI](/network-interconnect/express-cni/) you can use the Cloudflare dashboard to provision a connection to Cloudflare in three minutes or less. This type of connection supports IP packets with 1,500 bytes, both for ingress and egress traffic.
-For the time being, Direct CNI does not support BGP. You need to create policy-based routes to ensure traffic is routed correctly. You also need to implement tracking of network traffic to ensure that the CNI and Cloudflare data center is functioning properly.
+With Direct CNI you can also setup BGP peering between your network and Cloudflare.
### Bidirectional health checks
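Review bot: the removed sentence told readers to track that the CNI and the Cloudflare data center are functioning, and the replacement drops that point entirely, even though the new partial states that tunnel health checks must be enabled alongside BGP. Keep one sentence here saying health checks are still required with BGP, and link "BGP peering" to the new Magic WAN how-to page. Also "setup" should be "set up".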
diff --git a/src/content/partials/magic-transit/static-routes/static-routes3.mdx b/src/content/partials/magic-transit/static-routes/static-routes3.mdx
index 1edd550f098a886..b2cf97c0e7515d8 100644
--- a/src/content/partials/magic-transit/static-routes/static-routes3.mdx
+++ b/src/content/partials/magic-transit/static-routes/static-routes3.mdx
@@ -64,7 +64,7 @@ customer service manager.
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
2. Go to **{props.createPath}**.
-3. From the **Static Routes** tab, select **Create** to add a new route.
+3. From the **Routes** tab, select **Create** to add a new route.
4. Enter a descriptive name for your route in **Description**.
5. In **Prefix**, enter your range of IP addresses. For example, `10.10.10.100/24`.
6. In **Tunnel/Next hop** select which tunnel you want your route to go through. Choose from the tunnels you have created in Configure tunnel endpoints.
@@ -114,7 +114,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/routes \
-1. In **Static routes**, select **Edit** next to the route you want to modify.
+1. In **Routes**, select **Edit** next to the route you want to modify.
2. Enter the updated route information.
3. (Optional) We highly recommend testing your route before adding it by selecting **Test routes**.
4. Select **Edit routes** to save the new information when you are done.
@@ -160,7 +160,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/routes \
-1. In **Static routes**, locate the static route you want to modify and select **Delete**.
+1. In **Routes**, locate the static route you want to modify and select **Delete**.
2. Confirm the action by selecting the checkbox and select **Delete**.
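Review bot: the updated delete step still reads "locate the static route you want to modify and select **Delete**". "modify" should be "delete", and now that the tab is named **Routes** the step could say "the route" unless deletion is intentionally limited to static routes. If BGP-learned routes also appear in this tab, say whether they can be edited or deleted from here.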
diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx
new file mode 100644
index 000000000000000..644d580d075ad90
--- /dev/null
+++ b/src/content/partials/network-interconnect/bgp-peering.mdx
@@ -0,0 +1,85 @@
+---
+params:
+ - productName
+ - productPath
+ - legacyHCs
+---
+
+import { Markdown } from "~/components";
+
+{props.productName} customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.
+
+Using BGP peering with a CNI allows customers to:
+- Automate the process of adding or removing networks and subnets.
+- Take advantage of failure detection and session recovery features.
+
+With this functionality, customers can:
+- Establish an eBGP session between their devices and the {props.productName} service when connected via CNI
+- Secure the session by MD5 authentication to prevent misconfigurations.
+- Exchange routes dynamically between their devices and their Magic routing table.
+
+## Route distribution and convergence
+
+Routes received from the customer device will be redistributed into the Magic routing table, which is used by both Magic WAN and Magic Transit.
+
+All routes in the Magic routing table are advertised to BGP peers. Each BGP peer will receive each prefix route along with the full `AS_PATH`, with the selected Cloudflare side ASN prepended. This is so that the peer can accurately perform [loop prevention](https://datatracker.ietf.org/doc/html/rfc4271#section-9.1.2).
+
+BGP peering sessions can advertise reachable prefixes to a peer and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate.
+
+## Limitations
+
+BGP multipath is supported. If the same prefix is learned on two different interconnects then traffic destined for that prefix will be distributed across each interconnect according to the usual ECMP behavior.
+
+BGP support currently has the following limitations:
+- The Cloudflare account ASN and the customer device ASN must be different. Only eBGP is supported.
+- Routes are always injected with a priority of 100.
+- Bidirectional Forwarding Detection (BFD) is not supported.
+- 4-byte ASNs are not supported.
+
+## Tunnel health checks
+
+You need to enable tunnel health checks alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes.
+
+{props.productName} customers should configure legacy bidirectional health checks.
+
+## How to choose an ASN for BGP peering
+
+The Magic routing table is under the control of the customer, and the customer is able to choose both the Cloudflare side ASN and their customer device side ASN.
+
+By default each BGP peering session will use the same Cloudflare side ASN to represent peering with the Magic WAN/Transit routing table. This default ASN is called the **CF Account ASN** and should be configured to a private 2-byte ASN (64512 and 65534). To set this ASN:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account.
+2. Go to **Magic WAN / Transit** > **Configuration** > **BGP**.
+3. In CF Account ASN, enter Cloudflare's ASN.
+
+### For Magic WAN customers
+
+- The Cloudflare side ASN will be included in the `AS PATH` of announced routes to any BGP enabled interconnect.
+- The customer device ASN can be chosen by the customer, and should be different to the Cloudflare side ASN.
+
+### For Magic Transit customers
+
+- The Cloudflare side ASN will never be exposed in `AS PATH` of anycast announcements from the Cloudflare edge. In those announcements, Cloudflare will always use the Cloudflare ASN of `13335` optionally prepended with a bring-your-own ASN as described in [Cloudflare ASN vs. your own ASN](/magic-transit/how-to/advertise-prefixes/#cloudflare-asn-vs-your-own-asn)
+- The customer device ASN can be a private ASN, or the ASN they are using for Magic Transit anycast announcements at the edge: this has no impact on the ASN for the anycast announced prefix at the edge of the Cloudflare global network.
+
+## How to set up BGP peering
+
+:::caution
+BGP peering is only available to {props.productName} customers with Direct CNI as an on-ramp. If your network is set up with GRE or IPsec tunnels, you cannot use BGP peering.
+:::
+
+You need to configure two ASNs:
+- The Cloudflare [account-scoped ASN](#how-to-choose-an-asn-for-bgp-peering).
+- One ASN for each Interconnect you want to configure with BGP.
+
+If you already have set up your Cloudflare account ASN, you can skip steps two and three below.
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
+2. Go to **{props.productName}** > **Configuration** > **BGP**.
+3. In **CF Account ASN**, enter Cloudflare's ASN.
+4. Go to **Interconnects**.
+5. Find the Direct CNI interconnect you want to configure with BGP > select the **three dots** next to it > **Configure BGP**.
+6. In **Customer device ASN**, enter the ASN for your network.
+7. In **MD5 key**, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism.
+8. (Optional) In **Advertised prefix list**, input the additional static prefixes automatically assigned by Cloudflare during the creation of the CNI interconnect, to advertise alongside your existing routes. Leave blank if you do not want to advertise extra routes.
+9. Select **Enable BGP**.
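Review bot: the feature bullet "Secure the session by MD5 authentication to prevent misconfigurations" contradicts step 7, which says the MD5 key "is not a security mechanism". Drop "Secure" from the bullet (for example, "Optionally set an MD5 key on the session to guard against accidental misconfiguration") so readers do not treat the key as an authentication control. Other points in this file: "(64512 and 65534)" should read "between 64512 and 65534"; `AS PATH` in the two per-product lists should match the `AS_PATH` used under "Route distribution and convergence"; "enter Cloudflare's ASN" in both procedures is ambiguous next to the mention of `13335` and should say it is the private Cloudflare-side ASN the customer chose; the first procedure hard-codes "Magic WAN / Transit" where the second uses `{props.productName}`; and `productPath` and `legacyHCs` are declared as params but never referenced in the body, while the health-check sentence is unconditional.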