From f0ecd4cc825bb9a8db8a84d2066d3b2a0c72c41c Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:38:40 +0000 Subject: [PATCH 01/25] added bgp peering ingo --- .../docs/magic-transit/how-to/advertise-prefixes.mdx | 6 +++++- src/content/docs/magic-transit/how-to/bgp-peering.mdx | 10 ++++++++++ .../docs/magic-transit/network-interconnect.mdx | 2 +- 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 src/content/docs/magic-transit/how-to/bgp-peering.mdx diff --git a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx index 40794657f3984d2..f33bc751036b5fe 100644 --- a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx +++ b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: Advertise prefixes sidebar: order: 3 - --- import { Details, GlossaryTooltip } from "~/components" @@ -86,6 +85,11 @@ After receiving your information, Cloudflare will update firewall filters to est When you withdraw a prefix using BGP, you must ensure the prefix is withdrawn across all BGP sessions on all route reflectors. Otherwise, your prefix will not be withdrawn from Cloudflare's global network. ::: +### BGP peering + +If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, refer to the how to section to learn how to configure BGP peering. + + ### Regional settings Magic Transit requires static routing to steer traffic from Cloudflare's network over one of your configured tunnel off-ramps (GRE, IPsec or CNI). Currently, advertisement of routes for traffic engineering purposes is not supported. As a best practice to reduce last-hop latency, you should consider scoping your routes regionally. The default setting for static route regions is **All Regions**. Refer to [Configure static routes](/magic-transit/how-to/configure-static-routes/) for more information. 
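Review bot: The sentence added under `### BGP peering` sends readers to "the how to section" without a link, so the new page cannot be reached from this paragraph. Link it to the page this patch creates, for example `[BGP peering](/magic-transit/how-to/bgp-peering)`, and drop the second blank line added before `### Regional settings`.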
diff --git a/src/content/docs/magic-transit/how-to/bgp-peering.mdx b/src/content/docs/magic-transit/how-to/bgp-peering.mdx new file mode 100644 index 000000000000000..49f248fcce062b2 --- /dev/null +++ b/src/content/docs/magic-transit/how-to/bgp-peering.mdx @@ -0,0 +1,10 @@ +--- +pcx_content_type: how-to +title: Advertise prefixes with BGP +sidebar: + order: 4 +--- + +import { Render } from "~/components" + + diff --git a/src/content/docs/magic-transit/network-interconnect.mdx b/src/content/docs/magic-transit/network-interconnect.mdx index 4146857c2fd5db3..b2e533fc978bd17 100644 --- a/src/content/docs/magic-transit/network-interconnect.mdx +++ b/src/content/docs/magic-transit/network-interconnect.mdx @@ -22,7 +22,7 @@ When working with Magic Transit and CNI, there are a few guidelines you should f With [Direct CNI](/network-interconnect/express-cni/) you can use the Cloudflare dashboard to provision a connection to Cloudflare in three minutes or less. This type of connection supports IP packets with 1,500 bytes, both for ingress and egress traffic. -For the time being, Direct CNI does not support BGP. If your use case calls for BGP anycast prefix withdrawal or BGP based connection failover, you need to use [Classic CNI](/network-interconnect/classic-cni/) with a Magic Transit GRE tunnel. +With Direct CNI you can also setup BGP peering between your network and Cloudflare. ### Classic CNI From 4308395b8a963ca7e82a70a2cf2b35768a4db11c Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:45:13 +0000 Subject: [PATCH 02/25] created bgp partial --- .../network-interconnect/bgp-peering.mdx | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 src/content/partials/network-interconnect/bgp-peering.mdx diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx new file mode 100644 index 000000000000000..fb1b7a4f57ab01b --- /dev/null 
+++ b/src/content/partials/network-interconnect/bgp-peering.mdx 
@@ -0,0 +1,40 @@ +--- +params: + - productName + - tunnelHcPath + - productPath +--- + +import { Markdown } from "~/components"; + +{props.productName} customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and Cloudflare when using a Direct CNI on-ramp. Using BGP peering with a CNI allows customers to: +- Exchange routes dynamically +- Automate the process of adding or removing networks and subnets +- Take advantage of failure detection and session recovery features +- Establish an eBGP session between their routers and Cloudflare in a single-hop link, secured by MD5 authentication to prevent misconfigurations. +- Established sessions both with dedicated ports using Direct CNI, as well as Cloud CNI dedicated and virtual circuits. + +## Route distribution and convergence + +All {props.productName} routes are distributed into BGP announcements. Each BGP peer will receive each prefix route along with the full `AS_PATH`, with the selected overlay ASN prepended. This is so that the peer can accurately perform [loop prevention](https://datatracker.ietf.org/doc/html/rfc4271#section-9.1.2). + +BGP peering sessions can advertise reachable prefixes to a peer, and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate. + +## Tunnel health checks + +You need to enable [tunnel health checks]({props.tunnelHcPath}) alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes, like what happens for static routes. + +{props.productName} customers should configure unidirectional health checks. + +## How to set up BGP peering + +BGP peering if available to Magic WAN/Transit customers with Direct CNI as an on-ramp. If your network is set up with GRE or IPsec tunnels, you cannot use BGP peering + +1. 
Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. +2. Go to **Interconnects**. +3. Find the Direct CNI interconnect you want to configure with BGP > select the **three dots** next to it > **Configure BGP**. +4. In **Customer device ASN**, enter the ASN for your network. +5. In **MD5 key**, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism. +6. In **Advertised prefix list**, input the inside IP tunnel addresses automatically assigned by Cloudflare during the creation of the CNI interconnect. +7. Select **Enable BPG**. + From 52a7d4dd0ada4eedcc864d381387654354d3ac9c Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:46:51 +0000 Subject: [PATCH 03/25] added vars --- src/content/docs/magic-transit/how-to/bgp-peering.mdx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/content/docs/magic-transit/how-to/bgp-peering.mdx b/src/content/docs/magic-transit/how-to/bgp-peering.mdx index 49f248fcce062b2..94bf28bd5609d15 100644 --- a/src/content/docs/magic-transit/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-transit/how-to/bgp-peering.mdx @@ -7,4 +7,11 @@ sidebar: import { Render } from "~/components" - + From c61d69af14383b3ca0a110a2f2174ec7082e8025 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:46:58 +0000 Subject: [PATCH 04/25] corrected var --- src/content/partials/network-interconnect/bgp-peering.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index fb1b7a4f57ab01b..f6e0f67b9f16846 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx @@ -1,7 +1,6 @@ --- params: - productName - - tunnelHcPath - productPath --- 
@@ -22,7 +21,7 @@ BGP peering sessions can advertise reachable prefixes to a peer, and withdraw pr ## Tunnel health checks -You need to enable [tunnel health checks]({props.tunnelHcPath}) alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes, like what happens for static routes. +You need to enable [tunnel health checks]({props.productPath}) alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes, like what happens for static routes. {props.productName} customers should configure unidirectional health checks. From f4870a4561dd9ebfe5dcb795d0adef0b27495301 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:48:06 +0000 Subject: [PATCH 05/25] added bgp mwan --- .../manually/how-to/bgp-peering.mdx | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx new file mode 100644 index 000000000000000..1c7ada0c311b42f --- /dev/null +++ b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx @@ -0,0 +1,17 @@ +--- +pcx_content_type: how-to +title: Advertise prefixes with BGP +sidebar: + order: 3 +--- + +import { Render } from "~/components" + + From 313da895976bd56f807dd1a26f540605fa49b4dd Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:49:45 +0000 Subject: [PATCH 06/25] corrected vars --- .../magic-wan/configuration/manually/how-to/bgp-peering.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx index 1c7ada0c311b42f..38f14f4c9e52d4c 100644 --- a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx @@ -11,7 +11,7 @@ import { Render } from "~/components" file="bgp-peering" product="network-interconnect" params={{ - productName: "Magic Transit", - backgroundInfoPath: "/magic-transit/reference/tunnel-health-checks/", + productName: "Magic WAN", + backgroundInfoPath: "/magic-wan/reference/tunnel-health-checks/", }} /> From 0ad15cece9b924ed47e2ec056c4fcc22eeee79e9 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:51:14 +0000 Subject: [PATCH 07/25] refined direct cni text --- src/content/docs/magic-wan/network-interconnect.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-wan/network-interconnect.mdx b/src/content/docs/magic-wan/network-interconnect.mdx index a80a60c34c21466..12ffa7253cebeab 100644 --- a/src/content/docs/magic-wan/network-interconnect.mdx +++ b/src/content/docs/magic-wan/network-interconnect.mdx @@ -18,7 +18,7 @@ When working with Magic WAN and Cloudflare Network Interconnect (CNI), there are With [Direct CNI](/network-interconnect/express-cni/) you can use the Cloudflare dashboard to provision a connection to Cloudflare in three minutes or less. This type of connection supports IP packets with 1,500 bytes, both for ingress and egress traffic. -For the time being, Direct CNI does not support BGP. You need to create policy-based routes to ensure traffic is routed correctly. You also need to implement tracking of network traffic to ensure that the CNI and Cloudflare data center is functioning properly. +With Direct CNI you can also setup BGP peering between your network and Cloudflare. ### Bidirectional health checks 
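Review bot: The replacement sentence in the Direct CNI paragraph removes the guidance that you "need to create policy-based routes" and "implement tracking of network traffic" without saying what still applies to Direct CNI customers who do not enable BGP. If that routing and monitoring is still required without BGP, keep it in a sentence scoped to that case. The new sentence should also link "BGP peering" to the new how-to page, and "setup" should be the verb "set up".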
From aa83fb8efd176d51863492e344403f0c10e56a42 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:52:29 +0000 Subject: [PATCH 08/25] added link --- src/content/docs/magic-transit/how-to/advertise-prefixes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx index f33bc751036b5fe..9da7b0cfd1443ba 100644 --- a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx +++ b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx @@ -87,7 +87,7 @@ When you withdraw a prefix using BGP, you must ensure the prefix is withdrawn ac ### BGP peering -If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, refer to the how to section to learn how to configure BGP peering. +If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, refer to [BGP peering](/magic-transit/how-to/bgp-peering) to learn how to configure BGP peering. ### Regional settings From deaf0e102423ea4b11e08008e9594a6819b9db4f Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:56:18 +0000 Subject: [PATCH 09/25] corrected title --- src/content/docs/magic-transit/how-to/bgp-peering.mdx | 2 +- .../magic-wan/configuration/manually/how-to/bgp-peering.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/magic-transit/how-to/bgp-peering.mdx b/src/content/docs/magic-transit/how-to/bgp-peering.mdx index 94bf28bd5609d15..6cb132f8f93c3fb 100644 --- a/src/content/docs/magic-transit/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-transit/how-to/bgp-peering.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: how-to -title: Advertise prefixes with BGP +title: BGP peering sidebar: order: 4 --- 
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx index 38f14f4c9e52d4c..6a1b30dc1c1e6fc 100644 --- a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: how-to -title: Advertise prefixes with BGP +title: BGP peering sidebar: order: 3 --- From f9f197dadd9c4938ea6b9778a14775a71a6022f8 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:56:25 +0000 Subject: [PATCH 10/25] corrected page order --- .../docs/magic-transit/how-to/run-endpoint-health-checks.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx b/src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx index f6abb438e51ffef..a5c90bf181696ae 100644 --- a/src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx +++ b/src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Run endpoint health checks sidebar: - order: 4 + order: 5 --- From 56b4b364e85fc8e167120d6adaddccf585dcf4a6 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 16:58:39 +0000 Subject: [PATCH 11/25] corrected url code --- src/content/partials/network-interconnect/bgp-peering.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index f6e0f67b9f16846..7215f9d938c9775 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx 
@@ -21,7 +21,7 @@ BGP peering sessions can advertise reachable prefixes to a peer, and withdraw pr ## Tunnel health checks -You need to enable [tunnel health checks]({props.productPath}) alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes, like what happens for static routes. +You need to enable tunnel health checks alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes, like what happens for static routes. {props.productName} customers should configure unidirectional health checks. From 470ace78bc0933e583063de34500ebcc90242683 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Mon, 9 Dec 2024 17:00:55 +0000 Subject: [PATCH 12/25] corrected var name --- src/content/docs/magic-transit/how-to/bgp-peering.mdx | 2 +- .../magic-wan/configuration/manually/how-to/bgp-peering.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/magic-transit/how-to/bgp-peering.mdx b/src/content/docs/magic-transit/how-to/bgp-peering.mdx index 6cb132f8f93c3fb..4c09f587840c6de 100644 --- a/src/content/docs/magic-transit/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-transit/how-to/bgp-peering.mdx @@ -12,6 +12,6 @@ import { Render } from "~/components" product="network-interconnect" params={{ productName: "Magic Transit", - backgroundInfoPath: "/magic-transit/reference/tunnel-health-checks/", + productPath: "/magic-transit/reference/tunnel-health-checks/", }} /> diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx index 6a1b30dc1c1e6fc..a55b5b1430b3075 100644 
--- a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx @@ -12,6 +12,6 @@ import { Render } from "~/components" product="network-interconnect" params={{ productName: "Magic WAN", - backgroundInfoPath: "/magic-wan/reference/tunnel-health-checks/", + productPath: "/magic-wan/reference/tunnel-health-checks/", }} /> From 45b97b1fb23d7c745397904bbdb7973a229118f8 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Tue, 10 Dec 2024 10:09:34 +0000 Subject: [PATCH 13/25] typo --- src/content/partials/network-interconnect/bgp-peering.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index 7215f9d938c9775..59a70ff4901ec05 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx @@ -35,5 +35,5 @@ BGP peering if available to Magic WAN/Transit customers with Direct CNI as an on 4. In **Customer device ASN**, enter the ASN for your network. 5. In **MD5 key**, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism. 6. In **Advertised prefix list**, input the inside IP tunnel addresses automatically assigned by Cloudflare during the creation of the CNI interconnect. -7. Select **Enable BPG**. +7. Select **Enable BGP**. From 092deae15cb953ae1723f949db41763e9a880387 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Thu, 12 Dec 2024 14:27:05 +0000 Subject: [PATCH 14/25] changed from static routes to routes --- .../partials/magic-transit/static-routes/static-routes3.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/content/partials/magic-transit/static-routes/static-routes3.mdx b/src/content/partials/magic-transit/static-routes/static-routes3.mdx index 47d9cfccbbdb7eb..b77ad1c9db631d5 100644 --- a/src/content/partials/magic-transit/static-routes/static-routes3.mdx +++ b/src/content/partials/magic-transit/static-routes/static-routes3.mdx @@ -64,7 +64,7 @@ customer service manager. 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. 2. Go to **{props.createPath}**. -3. From the **Static Routes** tab, select **Create** to add a new route. +3. From the **Routes** tab, select **Create** to add a new route. 4. Enter a descriptive name for your route in **Description**. 5. In **Prefix**, enter your range of IP addresses. For example, `10.10.10.100/24`. 6. In **Tunnel/Next hop** select which tunnel you want your route to go through. Choose from the tunnels you have created in Configure tunnel endpoints. @@ -114,7 +114,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/routes \ -1. In **Static routes**, select **Edit** next to the route you want to modify. +1. In **Routes**, select **Edit** next to the route you want to modify. 2. Enter the updated route information. 3. (Optional) We highly recommend testing your route before adding it by selecting **Test routes**. 4. Select **Edit routes** to save the new information when you are done. @@ -160,7 +160,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/routes \ -1. In **Static routes**, locate the static route you want to modify and select **Delete**. +1. In **Routes**, locate the static route you want to modify and select **Delete**. 2. Confirm the action by selecting the checkbox and select **Delete**. From 5820a84d48f2172621f19883e5ba50003bd1f8a9 Mon Sep 17 00:00:00 2001 
From: marciocloudflare Date: Fri, 13 Dec 2024 11:44:31 +0000 Subject: [PATCH 15/25] refined language --- src/content/partials/network-interconnect/bgp-peering.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index 59a70ff4901ec05..0837eeafbedcb61 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx @@ -21,13 +21,15 @@ BGP peering sessions can advertise reachable prefixes to a peer, and withdraw pr ## Tunnel health checks -You need to enable tunnel health checks alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes, like what happens for static routes. +You need to enable tunnel health checks alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes. {props.productName} customers should configure unidirectional health checks. ## How to set up BGP peering -BGP peering if available to Magic WAN/Transit customers with Direct CNI as an on-ramp. If your network is set up with GRE or IPsec tunnels, you cannot use BGP peering +:::caution +BGP peering is only available to Magic WAN/Transit customers with Direct CNI as an on-ramp. If your network is set up with GRE or IPsec tunnels, you cannot use BGP peering. +::: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. 2. Go to **Interconnects**. From e9ec77d4db49aa0e621b773f3a5e1487ecbd7a71 Mon Sep 17 00:00:00 2001 
From: marciocloudflare Date: Fri, 13 Dec 2024 16:36:05 +0000 Subject: [PATCH 16/25] updated config steps --- .../partials/network-interconnect/bgp-peering.mdx | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index 0837eeafbedcb61..05576264f1c912c 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx @@ -32,10 +32,12 @@ BGP peering is only available to Magic WAN/Transit customers with Direct CNI as ::: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. -2. Go to **Interconnects**. -3. Find the Direct CNI interconnect you want to configure with BGP > select the **three dots** next to it > **Configure BGP**. -4. In **Customer device ASN**, enter the ASN for your network. -5. In **MD5 key**, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism. -6. In **Advertised prefix list**, input the inside IP tunnel addresses automatically assigned by Cloudflare during the creation of the CNI interconnect. -7. Select **Enable BGP**. +2. Go to **{props.productName}** > **Configuration** > **BGP**. +3. In **CF Account ASN**, enter Cloudflare's ASN. +4. Go to **Interconnects**. +5. Find the Direct CNI interconnect you want to configure with BGP > select the **three dots** next to it > **Configure BGP**. +6. In **Customer device ASN**, enter the ASN for your network. +7. In **MD5 key**, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism. +8. In **Advertised prefix list**, input the inside IP tunnel addresses automatically assigned by Cloudflare during the creation of the CNI interconnect. +9. Select **Enable BGP**. 
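Review bot: The new step 3 tells the reader to "enter Cloudflare's ASN" in **CF Account ASN** but gives no value, allowed range or place to look it up, so the step cannot be completed from this page alone. State the ASN or the accepted range in that step. Step 7 is also at odds with the overview list earlier in this file, which describes the session as "secured by MD5 authentication" while this step says the key "is not a security mechanism"; use one description in both places so readers do not treat the MD5 key as peer authentication.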
From 3a65722f1218cd9f265efb7d65e3ad89a663d013 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Fri, 13 Dec 2024 16:37:02 +0000 Subject: [PATCH 17/25] updated titles --- src/content/docs/magic-transit/how-to/bgp-peering.mdx | 2 +- .../magic-wan/configuration/manually/how-to/bgp-peering.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/magic-transit/how-to/bgp-peering.mdx b/src/content/docs/magic-transit/how-to/bgp-peering.mdx index 4c09f587840c6de..a0b394d59261a43 100644 --- a/src/content/docs/magic-transit/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-transit/how-to/bgp-peering.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: how-to -title: BGP peering +title: Configure BGP peering sidebar: order: 4 --- diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx index a55b5b1430b3075..3ea55d4a71acd85 100644 --- a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: how-to -title: BGP peering +title: Configure BGP peering sidebar: order: 3 --- From 0109d7b52c535b858d3b01b6d9c686c6a6d57ca0 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Fri, 13 Dec 2024 16:40:41 +0000 Subject: [PATCH 18/25] refined text --- src/content/partials/network-interconnect/bgp-peering.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index 05576264f1c912c..18dedcdaa069b0d 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx 
@@ -31,6 +31,13 @@ You need to enable tunnel health checks alongsid BGP peering is only available to Magic WAN/Transit customers with Direct CNI as an on-ramp. If your network is set up with GRE or IPsec tunnels, you cannot use BGP peering. ::: +You need to configure two ASNs: +- The Cloudflare global account one. +- One ASN for each Interconnect you want to configure with BGP. + +If you already have set up your Cloudflare account ASN, you can skip steps two and three below. + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. 2. Go to **{props.productName}** > **Configuration** > **BGP**. 3. In **CF Account ASN**, enter Cloudflare's ASN. From ad685733b1c3ebf63bd3e2894cbac458c3d71979 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Fri, 13 Dec 2024 16:49:52 +0000 Subject: [PATCH 19/25] refined language --- src/content/partials/network-interconnect/bgp-peering.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index 18dedcdaa069b0d..deca2891aa41bdf 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx 
@@ -45,6 +45,6 @@ If you already have set up your Cloudflare account ASN, you can skip steps two a 5. Find the Direct CNI interconnect you want to configure with BGP > select the **three dots** next to it > **Configure BGP**. 6. In **Customer device ASN**, enter the ASN for your network. 7. In **MD5 key**, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism. -8. In **Advertised prefix list**, input the inside IP tunnel addresses automatically assigned by Cloudflare during the creation of the CNI interconnect. +8. (Optional) In **Advertised prefix list**, input the additional static prefixes automatically assigned by Cloudflare during the creation of the CNI interconnect, to advertise alongside your existing routes. Leave blank if you do not want to advertise extra routes. 9. Select **Enable BGP**. From 746714454987607ce6cffcdc5a40464fc9f2d8d1 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Tue, 17 Dec 2024 10:57:40 +0000 Subject: [PATCH 20/25] added changelog --- src/content/changelogs/magic-transit.yaml | 4 ++++ src/content/changelogs/magic-wan.yaml | 4 ++++ src/content/changelogs/network-interconnect.yaml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/src/content/changelogs/magic-transit.yaml b/src/content/changelogs/magic-transit.yaml index d4775557e51b555..74a48137711cfaa 100644 --- a/src/content/changelogs/magic-transit.yaml +++ b/src/content/changelogs/magic-transit.yaml 
@@ -5,6 +5,10 @@ productLink: "/magic-wan/" productArea: Cloudflare One productAreaLink: /cloudflare-one/changelog/ entries: + - publish_date: "2024-12-17" + title: BGP support for Cloudflare Network Interconnect (CNI) + description: |- + Magic Transit customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic Transit routing table. - publish_date: "2024-10-01" title: Early access testing for BGP on CNI 2.0 circuits description: |- diff --git a/src/content/changelogs/magic-wan.yaml b/src/content/changelogs/magic-wan.yaml index c28580002b594ac..8e35b1784209c12 100644 --- a/src/content/changelogs/magic-wan.yaml +++ b/src/content/changelogs/magic-wan.yaml @@ -5,6 +5,10 @@ productLink: "/magic-wan/" productArea: Cloudflare One productAreaLink: /cloudflare-one/changelog/ entries: + - publish_date: "2024-12-17" + title: BGP support for Cloudflare Network Interconnect (CNI) + description: |- + Magic WAN customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic WAN table. - publish_date: "2024-10-01" title: Early access testing for BGP on CNI 2.0 circuits description: |- diff --git a/src/content/changelogs/network-interconnect.yaml b/src/content/changelogs/network-interconnect.yaml index 7922b44f0945d4f..00c886e196f91b3 100644 --- a/src/content/changelogs/network-interconnect.yaml +++ b/src/content/changelogs/network-interconnect.yaml 
@@ -5,6 +5,10 @@ productLink: "/network-interconnect/" productArea: Cloudflare One productAreaLink: /cloudflare-one/changelog/ entries: + - publish_date: "2024-12-17" + title: BGP support for Cloudflare Network Interconnect (CNI) + description: |- + Magic WAN and Magic Transit customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic WAN or Magic Transit routing table. - publish_date: "2024-10-01" title: Early access testing for BGP on CNI 2.0 circuits description: |- From d8d30da9e494253c2133deb10d06fb5d9ba8b676 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Tue, 17 Dec 2024 18:45:55 +0000 Subject: [PATCH 21/25] added edits from steve --- .../network-interconnect/bgp-peering.mdx | 57 +++++++++++++++---- 1 file changed, 46 insertions(+), 11 deletions(-) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index deca2891aa41bdf..767ab181e3bcbba 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx 
@@ -2,42 +2,78 @@ params: - productName - productPath + - legacyHCs --- import { Markdown } from "~/components"; -{props.productName} customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and Cloudflare when using a Direct CNI on-ramp. Using BGP peering with a CNI allows customers to: -- Exchange routes dynamically +{props.productName} customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp. + +Using BGP peering with a CNI allows customers to: - Automate the process of adding or removing networks and subnets - Take advantage of failure detection and session recovery features -- Establish an eBGP session between their routers and Cloudflare in a single-hop link, secured by MD5 authentication to prevent misconfigurations. -- Established sessions both with dedicated ports using Direct CNI, as well as Cloud CNI dedicated and virtual circuits. + +With this functionality, customers can: +- Establish an eBGP session between their devices and the {props.productName} service when connected via CNI +- Secure the session by MD5 authentication to prevent misconfigurations. +- Exchange routes dynamically between their devices and their Magic routing table. + ## Route distribution and convergence -All {props.productName} routes are distributed into BGP announcements. Each BGP peer will receive each prefix route along with the full `AS_PATH`, with the selected overlay ASN prepended. This is so that the peer can accurately perform [loop prevention](https://datatracker.ietf.org/doc/html/rfc4271#section-9.1.2). +Routes received from the customer device will be redistributed into the Magic routing table, which is used by both Magic WAN and Magic Transit. + +All routes in the Magic routing table are advertised to BGP peers. 
Each BGP peer will receive each prefix route along with the full `AS_PATH`, with the selected Cloudflare side ASN prepended. This is so that the peer can accurately perform loop prevention. -BGP peering sessions can advertise reachable prefixes to a peer, and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate. +BGP peering sessions can advertise reachable prefixes to a peer and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate. + +## Limitations + +BGP multipath is supported. If the same prefix is learned on two different interconnects then traffic destined for that prefix will be distributed across each interconnect according to the usual ECMP behavior. + +BGP support currently has the following limitations: +- The Cloudflare account ASN and the customer device ASN must be different. Only eBGP is supported. +- Routes are always injected with a priority of 100 +- Bidirectional Forwarding Detection (BFD) is not supported +- 4-byte ASNs are not supported ## Tunnel health checks You need to enable tunnel health checks alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes. -{props.productName} customers should configure unidirectional health checks. +{props.productName} customers should configure legacy bidirectional health checks. + +## How to choose an ASN for BGP peering + +The Magic routing table is under the control of the customer, and the customer is able to choose both the Cloudflare side ASN and their customer device side ASN. + +By default each BGP peering session will use the same Cloudflare side ASN to represent peering with the Magic WAN/Transit routing table. This default ASN is called the **CF Account ASN** and should be configured to a private 2-byte ASN (64512 and 65534). To set this ASN: + +1. 
Log in to the Cloudflare dashboard, and select your account. +2. Go to Magic WAN / Transit > Configuration > BGP. +3. In CF Account ASN, enter Cloudflare's ASN. + +### For Magic WAN customers +- The Cloudflare side ASN will be included in the `AS PATH` of announced routes to any BGP enabled interconnect. +- The customer device ASN can be chosen by the customer, and should be different to the Cloudflare side ASN. + +### For Magic Transit customers +- The Cloudflare side ASN will never be exposed in `AS PATH` of anycast announcements from the Cloudflare edge. In those announcements, Cloudflare will always use the Cloudflare ASN of `13335` optionally prepended with a bring-your-own ASN as described in [Cloudflare ASN vs. your own ASN](/magic-transit/how-to/advertise-prefixes/#cloudflare-asn-vs-your-own-asn) +- The customer device ASN can be a private ASN, or the ASN they are using for Magic Transit anycast announcements at the edge: this has no impact on the ASN for the Anycast announced prefix at the edge of the Cloudflare global network. + ## How to set up BGP peering :::caution -BGP peering is only available to Magic WAN/Transit customers with Direct CNI as an on-ramp. If your network is set up with GRE or IPsec tunnels, you cannot use BGP peering. +BGP peering is only available to {props.productName} customers with Direct CNI as an on-ramp. If your network is set up with GRE or IPsec tunnels, you cannot use BGP peering. ::: You need to configure two ASNs: -- The Cloudflare global account one. +- The Cloudflare [account-scoped ASN](#how-to-choose-an-asn-for-bgp-peering). - One ASN for each Interconnect you want to configure with BGP. If you already have set up your Cloudflare account ASN, you can skip steps two and three below. - 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account. 2. Go to **{props.productName}** > **Configuration** > **BGP**. 3. In **CF Account ASN**, enter Cloudflare's ASN. 
@@ -47,4 +83,3 @@ If you already have set up your Cloudflare account ASN, you can skip steps two a 7. In **MD5 key**, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism. 8. (Optional) In **Advertised prefix list**, input the additional static prefixes automatically assigned by Cloudflare during the creation of the CNI interconnect, to advertise alongside your existing routes. Leave blank if you do not want to advertise extra routes. 9. Select **Enable BGP**. - From df3d5bc79614a10846a38bd044eb098e125b7b3f Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Tue, 17 Dec 2024 18:48:32 +0000 Subject: [PATCH 22/25] added legacy hc --- src/content/docs/magic-transit/how-to/bgp-peering.mdx | 1 + .../docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx | 1 + src/content/partials/network-interconnect/bgp-peering.mdx | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/content/docs/magic-transit/how-to/bgp-peering.mdx b/src/content/docs/magic-transit/how-to/bgp-peering.mdx index a0b394d59261a43..57ff2901132834d 100644 --- a/src/content/docs/magic-transit/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-transit/how-to/bgp-peering.mdx @@ -13,5 +13,6 @@ import { Render } from "~/components" params={{ productName: "Magic Transit", productPath: "/magic-transit/reference/tunnel-health-checks/", + legacyHCs: "/magic-transit/reference/tunnel-health-checks/#legacy-health-checks-system" }} /> diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx index 3ea55d4a71acd85..6cad26c796a8935 100644 --- a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx 
@@ -13,5 +13,6 @@ import { Render } from "~/components" params={{ productName: "Magic WAN", productPath: "/magic-wan/reference/tunnel-health-checks/", + legacyHCs: "/magic-wan/reference/tunnel-health-checks/#legacy-health-checks-system" }} /> diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index 767ab181e3bcbba..6368deb2cde4532 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx @@ -18,7 +18,6 @@ With this functionality, customers can: - Secure the session by MD5 authentication to prevent misconfigurations. - Exchange routes dynamically between their devices and their Magic routing table. - ## Route distribution and convergence Routes received from the customer device will be redistributed into the Magic routing table, which is used by both Magic WAN and Magic Transit. From b980c2f90d9539b842b6321d266b5e724103023b Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Tue, 17 Dec 2024 19:05:26 +0000 Subject: [PATCH 23/25] refined code --- src/content/docs/magic-transit/how-to/bgp-peering.mdx | 2 +- .../magic-wan/configuration/manually/how-to/bgp-peering.mdx | 2 +- src/content/partials/network-interconnect/bgp-peering.mdx | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/content/docs/magic-transit/how-to/bgp-peering.mdx b/src/content/docs/magic-transit/how-to/bgp-peering.mdx index 57ff2901132834d..6ce3ac97b4e835e 100644 --- a/src/content/docs/magic-transit/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-transit/how-to/bgp-peering.mdx @@ -13,6 +13,6 @@ import { Render } from "~/components" params={{ productName: "Magic Transit", productPath: "/magic-transit/reference/tunnel-health-checks/", - legacyHCs: "/magic-transit/reference/tunnel-health-checks/#legacy-health-checks-system" + legacyHCs: "/magic-transit/reference/tunnel-health-checks/#legacy-health-checks-system", }} /> 
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx index 6cad26c796a8935..4b4e73e0d5f0220 100644 --- a/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx +++ b/src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx @@ -13,6 +13,6 @@ import { Render } from "~/components" params={{ productName: "Magic WAN", productPath: "/magic-wan/reference/tunnel-health-checks/", - legacyHCs: "/magic-wan/reference/tunnel-health-checks/#legacy-health-checks-system" + legacyHCs: "/magic-wan/reference/tunnel-health-checks/#legacy-health-checks-system", }} /> diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index 6368deb2cde4532..85abbd701d0e1b7 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx @@ -22,7 +22,7 @@ With this functionality, customers can: Routes received from the customer device will be redistributed into the Magic routing table, which is used by both Magic WAN and Magic Transit. -All routes in the Magic routing table are advertised to BGP peers. Each BGP peer will receive each prefix route along with the full `AS_PATH`, with the selected Cloudflare side ASN prepended. This is so that the peer can accurately perform loop prevention. +All routes in the Magic routing table are advertised to BGP peers. Each BGP peer will receive each prefix route along with the full `AS_PATH`, with the selected Cloudflare side ASN prepended. This is so that the peer can accurately perform [loop prevention](https://datatracker.ietf.org/doc/html/rfc4271#section-9.1.2). BGP peering sessions can advertise reachable prefixes to a peer and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate. 
@@ -60,7 +60,6 @@ By default each BGP peering session will use the same Cloudflare side ASN to rep - The Cloudflare side ASN will never be exposed in `AS PATH` of anycast announcements from the Cloudflare edge. In those announcements, Cloudflare will always use the Cloudflare ASN of `13335` optionally prepended with a bring-your-own ASN as described in [Cloudflare ASN vs. your own ASN](/magic-transit/how-to/advertise-prefixes/#cloudflare-asn-vs-your-own-asn) - The customer device ASN can be a private ASN, or the ASN they are using for Magic Transit anycast announcements at the edge: this has no impact on the ASN for the Anycast announced prefix at the edge of the Cloudflare global network. - ## How to set up BGP peering :::caution From 73edf14ce67a5a06f50984b2da38a2473ca25522 Mon Sep 17 00:00:00 2001 From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Date: Tue, 17 Dec 2024 19:09:17 +0000 Subject: [PATCH 24/25] Update src/content/partials/network-interconnect/bgp-peering.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- src/content/partials/network-interconnect/bgp-peering.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index 85abbd701d0e1b7..a7e01376f49fb7a 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx 
@@ -58,7 +58,7 @@ By default each BGP peering session will use the same Cloudflare side ASN to rep ### For Magic Transit customers - The Cloudflare side ASN will never be exposed in `AS PATH` of anycast announcements from the Cloudflare edge. In those announcements, Cloudflare will always use the Cloudflare ASN of `13335` optionally prepended with a bring-your-own ASN as described in [Cloudflare ASN vs. your own ASN](/magic-transit/how-to/advertise-prefixes/#cloudflare-asn-vs-your-own-asn) -- The customer device ASN can be a private ASN, or the ASN they are using for Magic Transit anycast announcements at the edge: this has no impact on the ASN for the Anycast announced prefix at the edge of the Cloudflare global network. +- The customer device ASN can be a private ASN, or the ASN they are using for Magic Transit anycast announcements at the edge: this has no impact on the ASN for the anycast announced prefix at the edge of the Cloudflare global network. ## How to set up BGP peering From efa136e4804ac9d8c746a8490e438792839571e0 Mon Sep 17 00:00:00 2001 From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Date: Tue, 17 Dec 2024 19:25:52 +0000 Subject: [PATCH 25/25] Apply suggestions from code review Co-authored-by: Kian Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- .../magic-transit/how-to/advertise-prefixes.mdx | 2 +- .../network-interconnect/bgp-peering.mdx | 16 +++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx index 29418cb5514d746..52a822580c5857b 100644 --- a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx +++ b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx 
@@ -90,7 +90,7 @@ When you withdraw a prefix using BGP, you must ensure the prefix is withdrawn ac ### BGP peering -If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, refer to [BGP peering](/magic-transit/how-to/bgp-peering) to learn how to configure BGP peering. +If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, refer to [BGP peering](/magic-transit/how-to/bgp-peering/) to learn how to configure BGP peering. ### Regional settings diff --git a/src/content/partials/network-interconnect/bgp-peering.mdx b/src/content/partials/network-interconnect/bgp-peering.mdx index a7e01376f49fb7a..644d580d075ad90 100644 --- a/src/content/partials/network-interconnect/bgp-peering.mdx +++ b/src/content/partials/network-interconnect/bgp-peering.mdx @@ -10,8 +10,8 @@ import { Markdown } from "~/components"; {props.productName} customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp. Using BGP peering with a CNI allows customers to: -- Automate the process of adding or removing networks and subnets -- Take advantage of failure detection and session recovery features +- Automate the process of adding or removing networks and subnets. +- Take advantage of failure detection and session recovery features. With this functionality, customers can: - Establish an eBGP session between their devices and the {props.productName} service when connected via CNI 
@@ -32,9 +32,9 @@ BGP multipath is supported. If the same prefix is learned on two different inter BGP support currently has the following limitations: - The Cloudflare account ASN and the customer device ASN must be different. Only eBGP is supported. -- Routes are always injected with a priority of 100 -- Bidirectional Forwarding Detection (BFD) is not supported -- 4-byte ASNs are not supported +- Routes are always injected with a priority of 100. +- Bidirectional Forwarding Detection (BFD) is not supported. +- 4-byte ASNs are not supported. ## Tunnel health checks 
@@ -48,15 +48,17 @@ The Magic routing table is under the control of the customer, and the customer i By default each BGP peering session will use the same Cloudflare side ASN to represent peering with the Magic WAN/Transit routing table. This default ASN is called the **CF Account ASN** and should be configured to a private 2-byte ASN (64512 and 65534). To set this ASN: -1. Log in to the Cloudflare dashboard, and select your account. -2. Go to Magic WAN / Transit > Configuration > BGP. +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account. +2. Go to **Magic WAN / Transit** > **Configuration** > **BGP**. 3. In CF Account ASN, enter Cloudflare's ASN. ### For Magic WAN customers + - The Cloudflare side ASN will be included in the `AS PATH` of announced routes to any BGP enabled interconnect. - The customer device ASN can be chosen by the customer, and should be different to the Cloudflare side ASN. ### For Magic Transit customers + - The Cloudflare side ASN will never be exposed in `AS PATH` of anycast announcements from the Cloudflare edge. In those announcements, Cloudflare will always use the Cloudflare ASN of `13335` optionally prepended with a bring-your-own ASN as described in [Cloudflare ASN vs. your own ASN](/magic-transit/how-to/advertise-prefixes/#cloudflare-asn-vs-your-own-asn) - The customer device ASN can be a private ASN, or the ASN they are using for Magic Transit anycast announcements at the edge: this has no impact on the ASN for the anycast announced prefix at the edge of the Cloudflare global network.
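Review bot: in the `src/content/changelogs/magic-wan.yaml` hunk (`@@ -5,6 +5,10 @@`), the new description ends with "the Magic WAN table", dropping the word "routing" that the Magic Transit and Network Interconnect entries both use ("routing table"). Suggest "the Magic WAN routing table" so the three changelog entries name the same object. The two consecutive sentences starting "Customers can now" could also be merged into one.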
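Review bot: in the `@@ -2,42 +2,78 @@` hunk of `partials/network-interconnect/bgp-peering.mdx` (PATCH 21/25), the added bullet "Secure the session by MD5 authentication to prevent misconfigurations." tells readers the session is secured, while step 7 of the setup procedure in the same file says the MD5 key "is meant to prevent accidental misconfigurations, and is not a security mechanism". The two statements should agree; suggest rewording the bullet along the lines of "Optionally set an MD5 key on the session to guard against accidental misconfiguration" so it is not read as peer authentication. Separately, "BGP multipath is supported." sits directly under the new "## Limitations" heading although it describes a capability; consider moving it above the heading or into "Route distribution and convergence".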
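Review bot: in PATCH 22/25, `legacyHCs` is passed in the `params` of both `bgp-peering.mdx` pages, but the only change this commit makes to the partial is deleting a blank line, so the new value is never rendered. The sentence added in PATCH 21/25, "{props.productName} customers should configure legacy bidirectional health checks.", is the obvious place to link it; suggest turning "legacy bidirectional health checks" into a link built from `props.legacyHCs`, otherwise the param is dead weight.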
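Review bot: in the `@@ -10,8 +10,8 @@` hunk of the partial (PATCH 25/25), the two bullets under "Using BGP peering with a CNI allows customers to:" gain a trailing period, but the first bullet of the next list, "Establish an eBGP session between their devices and the {props.productName} service when connected via CNI", is still left without one while its two siblings already end in a period. Suggest adding the period in the same change so the lists are punctuated consistently.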
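Review bot: in the `@@ -48,15 +48,17 @@` hunk of the partial (PATCH 25/25), the context line "a private 2-byte ASN (64512 and 65534)" reads as two allowed values rather than a range; suggest "(between 64512 and 65534)" while this paragraph is being touched. In the same list, steps 1 and 2 now get a link and bold UI labels but step 3 still reads "In CF Account ASN, enter Cloudflare's ASN." with no bold, and step 2 hard-codes "Magic WAN / Transit" where the later setup procedure uses `{props.productName}`. The first Magic Transit bullet also ends at the closing link parenthesis with no period.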