[MWAN/MT/CNI] BGP

src/content/changelogs/magic-transit.yaml

@@ -5,6 +5,10 @@ productLink: "/magic-wan/"
 productArea: Cloudflare One
 productAreaLink: /cloudflare-one/changelog/
 entries:
+  - publish_date: "2024-12-17"
+    title: BGP support for Cloudflare Network Interconnect (CNI)
+    description: |-
+      Magic Transit customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic Transit routing table.
   - publish_date: "2024-10-01"
     title: Early access testing for BGP on CNI 2.0 circuits
     description: |-

src/content/changelogs/magic-wan.yaml

@@ -5,6 +5,10 @@ productLink: "/magic-wan/"
 productArea: Cloudflare One
 productAreaLink: /cloudflare-one/changelog/
 entries:
+  - publish_date: "2024-12-17"
+    title: BGP support for Cloudflare Network Interconnect (CNI)
+    description: |-
+      Magic WAN customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic WAN table.
   - publish_date: "2024-10-01"
     title: Early access testing for BGP on CNI 2.0 circuits
     description: |-

src/content/changelogs/network-interconnect.yaml

@@ -5,6 +5,10 @@ productLink: "/network-interconnect/"
 productArea: Cloudflare One
 productAreaLink: /cloudflare-one/changelog/
 entries:
+  - publish_date: "2024-12-17"
+    title: BGP support for Cloudflare Network Interconnect (CNI)
+    description: |-
+      Magic WAN and Magic Transit customers can now establish BGP peering over CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic WAN or Magic Transit routing table.
   - publish_date: "2024-10-01"
     title: Early access testing for BGP on CNI 2.0 circuits
     description: |-

src/content/docs/magic-transit/how-to/advertise-prefixes.mdx

@@ -3,7 +3,6 @@ pcx_content_type: how-to
 title: Advertise prefixes
 sidebar:
   order: 3
-
 ---
 
 import { Details, GlossaryTooltip } from "~/components"
@@ -89,6 +88,11 @@ After receiving your information, Cloudflare will update firewall filters to est
 When you withdraw a prefix using BGP, you must ensure the prefix is withdrawn across all BGP sessions on all route reflectors. Otherwise, your prefix will not be withdrawn from Cloudflare's global network.
 :::
 
+### BGP peering
+
+If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, refer to [BGP peering](/magic-transit/how-to/bgp-peering) to learn how to configure BGP peering.
+
+
 ### Regional settings
 
 Magic Transit requires static routing to steer traffic from Cloudflare's network over one of your configured tunnel off-ramps (GRE, IPsec or CNI). Currently, advertisement of routes for traffic engineering purposes is not supported. As a best practice to reduce last-hop latency, you should consider scoping your routes regionally. The default setting for static route regions is **All Regions**. Refer to [Configure static routes](/magic-transit/how-to/configure-static-routes/) for more information.

src/content/docs/magic-transit/how-to/bgp-peering.mdx

@@ -0,0 +1,18 @@
+---
+pcx_content_type: how-to
+title: Configure BGP peering
+sidebar:
+  order: 4
+---
+
+import { Render } from "~/components"
+
+<Render
+	file="bgp-peering"
+	product="network-interconnect"
+	params={{
+		productName: "Magic Transit",
+		productPath: "/magic-transit/reference/tunnel-health-checks/",
+		legacyHCs: "/magic-transit/reference/tunnel-health-checks/#legacy-health-checks-system",
+	}}
+/>

src/content/docs/magic-transit/how-to/run-endpoint-health-checks.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: Run endpoint health checks
 sidebar:
-  order: 4
+  order: 5
 
 ---
 

src/content/docs/magic-transit/network-interconnect.mdx

@@ -22,7 +22,7 @@ When working with Magic Transit and CNI, there are a few guidelines you should f
 
 With [Direct CNI](/network-interconnect/express-cni/) you can use the Cloudflare dashboard to provision a connection to Cloudflare in three minutes or less. This type of connection supports IP packets with 1,500 bytes, both for ingress and egress traffic.
 
-For the time being, Direct CNI does not support BGP. If your use case calls for BGP anycast prefix withdrawal or BGP based connection failover, you need to use [Classic CNI](/network-interconnect/classic-cni/) with a Magic Transit GRE tunnel.
+With Direct CNI you can also setup BGP peering between your network and Cloudflare.
 
 ### Classic CNI
 

src/content/docs/magic-wan/configuration/manually/how-to/bgp-peering.mdx

@@ -0,0 +1,18 @@
+---
+pcx_content_type: how-to
+title: Configure BGP peering
+sidebar:
+  order: 3
+---
+
+import { Render } from "~/components"
+
+<Render
+	file="bgp-peering"
+	product="network-interconnect"
+	params={{
+		productName: "Magic WAN",
+		productPath: "/magic-wan/reference/tunnel-health-checks/",
+		legacyHCs: "/magic-wan/reference/tunnel-health-checks/#legacy-health-checks-system",
+	}}
+/>

src/content/docs/magic-wan/network-interconnect.mdx

@@ -18,7 +18,7 @@ When working with Magic WAN and Cloudflare Network Interconnect (CNI), there are
 
 With [Direct CNI](/network-interconnect/express-cni/) you can use the Cloudflare dashboard to provision a connection to Cloudflare in three minutes or less. This type of connection supports IP packets with 1,500 bytes, both for ingress and egress traffic.
 
-For the time being, Direct CNI does not support BGP. You need to create policy-based routes to ensure traffic is routed correctly. You also need to implement tracking of network traffic to ensure that the CNI and Cloudflare data center is functioning properly.
+With Direct CNI you can also setup BGP peering between your network and Cloudflare.
 
 ### Bidirectional health checks
 

src/content/partials/magic-transit/static-routes/static-routes3.mdx

@@ -64,7 +64,7 @@ customer service manager.
 
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
 2. Go to **{props.createPath}**.
-3. From the **Static Routes** tab, select **Create** to add a new route.
+3. From the **Routes** tab, select **Create** to add a new route.
 4. Enter a descriptive name for your route in **Description**.
 5. In **Prefix**, enter your range of IP addresses. For example, `10.10.10.100/24`.
 6. In **Tunnel/Next hop** select which tunnel you want your route to go through. Choose from the tunnels you have created in <a href={props.tunnelEndpoints}>Configure tunnel endpoints</a>.
@@ -114,7 +114,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/routes \
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
-1. In **Static routes**, select **Edit** next to the route you want to modify.
+1. In **Routes**, select **Edit** next to the route you want to modify.
 2. Enter the updated route information.
 3. (Optional) We highly recommend testing your route before adding it by selecting **Test routes**.
 4. Select **Edit routes** to save the new information when you are done.
@@ -160,7 +160,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/routes \
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
-1. In **Static routes**, locate the static route you want to modify and select **Delete**.
+1. In **Routes**, locate the static route you want to modify and select **Delete**.
 2. Confirm the action by selecting the checkbox and select **Delete**.
 
 </TabItem> <TabItem label="API">

src/content/partials/network-interconnect/bgp-peering.mdx

@@ -0,0 +1,83 @@
+---
+params:
+  - productName
+  - productPath
+  - legacyHCs
+---
+
+import { Markdown } from "~/components";
+
+{props.productName} customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.
+
+Using BGP peering with a CNI allows customers to:
+- Automate the process of adding or removing networks and subnets
+- Take advantage of failure detection and session recovery features
+
+With this functionality, customers can:
+- Establish an eBGP session between their devices and the {props.productName} service when connected via CNI
+- Secure the session by MD5 authentication to prevent misconfigurations.
+- Exchange routes dynamically between their devices and their Magic routing table.
+
+## Route distribution and convergence
+
+Routes received from the customer device will be redistributed into the Magic routing table, which is used by both Magic WAN and Magic Transit.
+
+All routes in the Magic routing table are advertised to BGP peers. Each BGP peer will receive each prefix route along with the full `AS_PATH`, with the selected Cloudflare side ASN prepended. This is so that the peer can accurately perform [loop prevention](https://datatracker.ietf.org/doc/html/rfc4271#section-9.1.2).
+
+BGP peering sessions can advertise reachable prefixes to a peer and withdraw previously advertised prefixes. This should not take more than a few minutes to propagate.
+
+## Limitations
+
+BGP multipath is supported. If the same prefix is learned on two different interconnects then traffic destined for that prefix will be distributed across each interconnect according to the usual ECMP behavior.
+
+BGP support currently has the following limitations:
+- The Cloudflare account ASN and the customer device ASN must be different. Only eBGP is supported.
+- Routes are always injected with a priority of 100
+- Bidirectional Forwarding Detection (BFD) is not supported
+- 4-byte ASNs are not supported
+
+## Tunnel health checks
+
+You need to enable <a href={props.productPath}>tunnel health checks</a> alongside BGP. This is essential to determine if a specific Cloudflare datacenter is reachable from a customer router or not. Tunnel health checks will modify the route's priorities for dynamically learned BGP routes.
+
+{props.productName} customers should configure legacy <a href={props.legacyHCs}>bidirectional health checks</a>.
+
+## How to choose an ASN for BGP peering
+
+The Magic routing table is under the control of the customer, and the customer is able to choose both the Cloudflare side ASN and their customer device side ASN.
+
+By default each BGP peering session will use the same Cloudflare side ASN to represent peering with the Magic WAN/Transit routing table. This default ASN is called the **CF Account ASN** and should be configured to a private 2-byte ASN (64512 and 65534). To set this ASN:
+
+1. Log in to the Cloudflare dashboard, and select your account.
+2. Go to Magic WAN / Transit > Configuration > BGP.
+3. In CF Account ASN, enter Cloudflare's ASN.
+
+### For Magic WAN customers
+- The Cloudflare side ASN will be included in the `AS PATH` of announced routes to any BGP enabled interconnect.
+- The customer device ASN can be chosen by the customer, and should be different to the Cloudflare side ASN.
+
+### For Magic Transit customers
+- The Cloudflare side ASN will never be exposed in `AS PATH` of anycast announcements from the Cloudflare edge. In those announcements, Cloudflare will always use the Cloudflare ASN of `13335` optionally prepended with a bring-your-own ASN as described in [Cloudflare ASN vs. your own ASN](/magic-transit/how-to/advertise-prefixes/#cloudflare-asn-vs-your-own-asn)
+- The customer device ASN can be a private ASN, or the ASN they are using for Magic Transit anycast announcements at the edge: this has no impact on the ASN for the Anycast announced prefix at the edge of the Cloudflare global network.
+
+## How to set up BGP peering
+
+:::caution
+BGP peering is only available to {props.productName} customers with Direct CNI as an on-ramp. If your network is set up with GRE or IPsec tunnels, you cannot use BGP peering.
+:::
+
+You need to configure two ASNs:
+- The Cloudflare [account-scoped ASN](#how-to-choose-an-asn-for-bgp-peering).
+- One ASN for each Interconnect you want to configure with BGP.
+
+If you already have set up your Cloudflare account ASN, you can skip steps two and three below.
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
+2. Go to **{props.productName}** > **Configuration** > **BGP**.
+3. In **CF Account ASN**, enter Cloudflare's ASN.
+4. Go to **Interconnects**.
+5. Find the Direct CNI interconnect you want to configure with BGP > select the **three dots** next to it > **Configure BGP**.
+6. In **Customer device ASN**, enter the ASN for your network.
+7. In **MD5 key**, you can optionally enter the key for your network. Note that this is meant to prevent accidental misconfigurations, and is not a security mechanism.
+8. (Optional) In **Advertised prefix list**, input the additional static prefixes automatically assigned by Cloudflare during the creation of the CNI interconnect, to advertise alongside your existing routes. Leave blank if you do not want to advertise extra routes.
+9. Select **Enable BGP**.