cloudflare · marciocloudflare · May 9, 2025 · May 9, 2025 · May 9, 2025 · May 9, 2025
@@ -9,6 +9,8 @@ head:
 
 ---
 
+import { Render } from "~/components"
+
 A Letter of Agency (LOA) - sometimes referred to as a Letter of Authorization - is a document that authorizes Cloudflare to announce a prefix(es) on behalf of another entity. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on behalf of another entity.
 
 The letter must contain both the prefixes you are authorizing Cloudflare to announce and which ASN they will be announced under. Cloudflare can announce a prefix under your ASN or you can use Cloudflare's ASN, which is AS13335.
@@ -25,37 +27,4 @@ An LOA is a formal document which should be on company letterhead and contain a
 
 You can use the below template when creating an LOA document.
 
-```txt title="Letter of Agency template"
-[COMPANY LETTERHEAD]
-
-LETTER OF AGENCY ("LOA")
-
-[DATE]
-
-
-To whom it may concern:
-
-[COMPANY NAME] (the "Company") authorizes Cloudflare, Inc. with AS13335 to advertise the following IP address blocks / originating ASNs:
-
-- - - - - - - - - - - - - - - - - - -
-[Subnet & Originating ASN]
-[Subnet & Originating ASN]
-[Subnet & Originating ASN]
-- - - - - - - - - - - - - - - - - - -
-
-As a representative of the Company that is the owner of the aforementioned IP address blocks / originating ASNs, I hereby declare that I am authorized to sign this LOA on the Company’s behalf.
-
-Should you have any questions please email me at [E-MAIL ADDRESS], or call: [TELEPHONE NUMBER]
-
-Regards,
-
-
-[SIGNATURE]
-
-
-[NAME TYPED]
-[TITLE]
-[COMPANY NAME]
-[COMPANY ADDRESS]
-[COMPANY STAMP]
-```
+<Render file="loa" />
@@ -11,9 +11,9 @@ head:
 
 import { Render } from "~/components"
 
-Cloudflare's Advanced DNS Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as [random prefix attacks](/dns/dns-firewall/random-prefix-attacks/about/).
+<Render file="advanced-ddos/dns-protection-intro" />
 
-<Render file="mt-advanced-ddos-systems-onboarding" />
+<Render file="advanced-ddos/mt-advanced-ddos-systems-onboarding" />
 
 ## How it works
 
@@ -27,7 +27,7 @@ The [Network Analytics dashboard](/analytics/network-analytics/) will display sy
 
 ## Setup
 
-[Create a rule](/ddos-protection/advanced-ddos-systems/how-to/create-rule/#create-an-advanced-dns-protection-rule) to enable Advanced DNS Protection.
+<Render file="advanced-ddos/dns-setup" />
 
 
 ---

@@ -11,9 +11,9 @@ head:
 
 import { Render } from "~/components"
 
-Cloudflare's Advanced TCP Protection, powered by [`flowtrackd`](https://blog.cloudflare.com/announcing-flowtrackd/), is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.
+<Render file="advanced-ddos/tcp-protection-intro" />
 
-<Render file="mt-advanced-ddos-systems-onboarding" />
+<Render file="advanced-ddos/mt-advanced-ddos-systems-onboarding" />
 
 ## How it works
 
@@ -51,4 +51,4 @@ For more information on the configuration settings of out-of-state TCP rules, re
 
 ## Setup
 
-[Create a global configuration](/ddos-protection/advanced-ddos-systems/overview/#rules) to set up SYN Flood and Out-of-state TCP rules and filters for Advanced TCP Protection.
+<Render file="advanced-ddos/tcp-setup" />
@@ -9,7 +9,7 @@ head:
 
 ---
 
-import { Details, Render } from "~/components"
+import { Render } from "~/components"
 
 Configure the Network-layer DDoS Attack Protection managed ruleset by defining [overrides](/ruleset-engine/managed-rulesets/override-managed-ruleset/) in the Cloudflare dashboard. DDoS overrides allow you to customize the **action** and **sensitivity** of one or more rules in the managed ruleset.
 
@@ -19,35 +19,6 @@ For more information on the available parameters and allowed values, refer to [R
 
 ## Create a DDoS override
 
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
-2. Go to Account Home > **L3/4 DDoS** > **Network-layer DDoS Protection**.
-3. Select **Deploy a DDoS override**.
-4. In **Set scope**, specify if you wish to apply the override to all incoming packets or to a subset of the packets.
-5. If you are creating an override for a subset of the incoming packets, define the [custom expression](/ddos-protection/managed-rulesets/network/override-expressions/) that matches the incoming packets you wish to target in the override, using either the Rule Builder or the Expression Editor.
-6. Select **Next**.
-7. Depending on what you wish to override, refer to the following sections (you can perform both configurations on the same override):
-  <Details header="Configure all the rules in the ruleset (ruleset override)">
-  8. Select **Next**.
-  9. Enter a name for your override in **Execution name**.
-  10. To always apply a given action for all the rules in the ruleset, select an action in **Ruleset action**.
-  11. To set the sensitivity level for all the rules in the ruleset, select a value in **Ruleset sensitivity**.
-  </Details>
-
-  <Details header="Configure one or more rules">
-  12. Search for the rules you wish to override using the available filters. You can search for tags.
-  13. To override a single rule, select the desired value for a field in the displayed dropdowns next to the rule.
-
-      To configure more than one rule, select the rules using the row checkboxes and update the fields for the selected rules using the dropdowns displayed before the table. You can also configure all the rules with a given tag. For more information, refer to [Configure rules in bulk in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-rules-in-bulk-in-a-managed-ruleset).
-  14. Select **Next**.
-  15. Enter a name for your override in **Execution name**.
-  </Details>
-
-  :::note[Notes]
-
-  - Tag and rule overrides have priority over ruleset overrides.
-  - <Render file="managed-rulesets/read-only-rules-note" />
-  :::
-
-8. To save and deploy the override, select **Deploy**. If you are not ready to deploy your override, select **Save as Draft**.
+<Render file="managed-rulesets/create-override" />
 
 <Render file="managed-rulesets/delete-override" params={{ one: "select your account", two: "Account Home > L3/4 DDoS > Network-layer DDoS Protection" }} />
@@ -0,0 +1,10 @@
+---
+title: Advertise prefixes
+pcx_content_type: learning-unit
+sidebar:
+  order: 8
+---
+
+import { Render } from "~/components";
+
+<Render file="magic-transit/advertise-prefixes"	product="networking-services" />
@@ -0,0 +1,21 @@
+---
+title: Benefits of using Magic Transit
+pcx_content_type: learning-unit
+sidebar:
+  order: 3
+---
+
+import { PublicStats } from "~/components";
+
+Magic Transit leverages Cloudflare's global anycast network. As of writing this guide, Cloudflare's global network spans <PublicStats id="data_center_cities" />, and has <PublicStats id="total_bandwidth" />. This bandwidth allows it to absorb all manners of attack that otherwise would overwhelm a typical data center or on-premise hardware Distributed Denial-of-Service (DDoS) appliances.
+
+The number of DDoS attacks has been steadily increasing in recent years. In the first quarter of 2025, Cloudflared [mitigated 16.8 million network-layer DDoS attacks](https://blog.cloudflare.com/ddos-threat-report-for-2025-q1/#ddos-attacks-in-numbers). This represents a 397% increase quarter over quarter and a 509% increase year over year.
+
+Other advantages of choosing Magic Transit:
+
+- **Scalability**: As Cloudflare's global network expands, so does Magic Transit ability to absorb ever bigger DDoS attacks.
+- **Ease of management**: Magic Transit offers centralized, cloud-based management tools that simplify configuration and monitoring of your network security.
+- **Improvement of network performance**: Magic Transit steers traffic along tunnel routes based on priorities you define and uses equal-cost multi-path routing to provide load-balancing across tunnels with the same prefix and priority.
+- **Integration with zero-trust services**: Magic Transit integrates with other Cloudflare products, including Cloudflare One's SASE offerings, Magic Firewall, and more.
+- **Integration with CNI**: Directly connect your infrastructure to Cloudflare with CNI and bypass the Internet. Beyond a more reliable and secure experience, using CNI is an alternative to anycast GRE tunnels for getting traffic delivered to your infrastructure with a 1500-byte maximum transmission unit (MTU) handoff.
+- **Real-time traffic visibility and alerting**: Monitor and analyze traffic patterns, threat activity, and mitigation actions in real time through Cloudflare's analytics and logging tools. Set up customized alerts to notify you of potential threats, enabling faster incident response and better-informed network decisions.
@@ -0,0 +1,15 @@
+---
+title: Concepts
+pcx_content_type: overview
+sidebar:
+  order: 1
+---
+
+Learn core concepts about Magic Transit and its functionality, in order to protect your data centers from distributed denial-of-service (DDoS) attacks.
+
+## Objectives
+
+By the end of this module you will be able to:
+- Understand what Magic Transit is
+- Why you should use it to protect your IP network
+
@@ -0,0 +1,18 @@
+---
+title: What is Magic Transit?
+pcx_content_type: learning-unit
+sidebar:
+  order: 2
+---
+
+Magic Transit is a network security and performance solution that offers Distributed Denial-of-Service (DDoS) protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks.
+
+Magic Transit works at Layer 3 of the OSI model, protecting entire IP networks from DDoS attacks. Instead of relying on local infrastructure that can be overwhelmed by large DDoS attacks, Magic Transit uses the [global Cloudflare Network](https://www.cloudflare.com/network/) to ingest and mitigate attacks close to their source.
+
+Magic Transit delivers its connectivity, security, and performance benefits by serving as the front door to your IP network. This means it accepts IP packets destined for your network, processes them, and then forwards them to your origin infrastructure.
+
+The Cloudflare network uses Border Gateway Protocol (BGP) to announce your company's IP address space, extending your network presence globally, and [anycast](/magic-transit/reference/tunnels/#anycast) to to absorb and distribute attack traffic.
+
+Once packets hit Cloudflare's network, traffic is inspected for attacks, filtered, steered, accelerated, and sent onward to your origin. Magic Transit users have two options for their implementation: ingress traffic or ingress and egress traffic. Users with an egress implementation will need to set up policy-based routing (PBR) or ensure default routing on their end forwards traffic to Cloudflare via tunnels.
+
+For an in-depth explanation of Magic Transit, refer to [Magic Transit Reference Architecture](/reference-architecture/architectures/magic-transit/).
@@ -0,0 +1,39 @@
+---
+title: Configure DDoS protection
+pcx_content_type: learning-unit
+sidebar:
+  order: 4
+---
+
+import { Render } from "~/components"
+
+Cloudflare DDoS protection automatically detects and mitigates Distributed Denial of Service (DDoS) attacks using its Autonomous Edge. Magic Transit customers have access to additional features, such as:
+
+- [Advanced TCP protection](/ddos-protection/advanced-ddos-systems/overview/advanced-tcp-protection/) (disabled by default)
+- [Advanced DNS protection (beta)](/ddos-protection/advanced-ddos-systems/overview/advanced-dns-protection/)
+
+## Create a DDoS override
+
+<Render file="managed-rulesets/create-override" product="ddos-protection" />
+
+## DDoS advanced protection
+
+### Advanced TCP Protection
+
+<Render file="advanced-ddos/tcp-protection-intro" product="ddos-protection" />
+
+<Render file="advanced-ddos/mt-advanced-ddos-systems-onboarding" product="ddos-protection" />
+
+#### Setup
+
+<Render file="advanced-ddos/tcp-setup" product="ddos-protection" />
+
+### Advanced DNS Protection
+
+<Render file="advanced-ddos/dns-protection-intro" product="ddos-protection" />
+
+<Render file="advanced-ddos/mt-advanced-ddos-systems-onboarding" product="ddos-protection" />
+
+#### Setup
+
+<Render file="advanced-ddos/dns-setup" product="ddos-protection" />
@@ -0,0 +1,22 @@
+---
+title: Configure routes
+pcx_content_type: learning-unit
+sidebar:
+  order: 2
+---
+
+import { Render } from "~/components"
+
+<Render
+	file="routing/configure-routes"
+	product="networking-services"
+	params={{
+		magicWord: "Magic Transit",
+		trafficSteeringPage: "/magic-transit/reference/traffic-steering/",
+		productName: "Magic Transit",
+		tunnelEndpoints: "/magic-transit/how-to/configure-tunnels/",
+		chooseWeights: "/magic-transit/reference/traffic-steering/#set-priority-and-weights-for-static-routes",
+		publicAsnMT: "[Public ASNs used for Magic Transit](/magic-transit/how-to/advertise-prefixes/#cloudflare-asn-vs-your-own-asn) are verified during the onboarding process.",
+		productGatewayOrEgress: "Magic Transit with Egress"
+	}}
+/>
@@ -0,0 +1,26 @@
+---
+title: Configure tunnels
+pcx_content_type: learning-unit
+sidebar:
+  order: 1
+---
+
+import { GlossaryTooltip, Render } from "~/components";
+
+<Render file="routing/configure-tunnels"
+	product="networking-services"
+	params={{
+		magicWord: "Magic Transit",
+		productName: "Magic Transit",
+		tunnelsAndEncapsulationPagePath: "/magic-transit/reference/tunnels/",
+		ciphersPagePath: "/magic-transit/reference/tunnels/#supported-configuration-parameters",
+		antiReplayPagePath: "/magic-transit/reference/anti-replay-protection/",
+		cniLink: "/magic-transit/network-interconnect/",
+		productPathDash: "Magic Transit > Configuration",
+		updateHCFrequencyPage: "/magic-transit/network-health/update-tunnel-health-checks/",
+		tunnelHealthChecksPage: "/magic-transit/reference/tunnel-health-checks/",
+		antiReplayPagePath: "/magic-transit/reference/anti-replay-protection/",
+		biVsUniHealthCheck: "unidirectional",
+		tunnelHealthDash: "/magic-transit/network-health/check-tunnel-health-dashboard/",
+		biVsUniHealthCheckDefaults: "For Magic Transit this option defaults to unidirectional"
+	}} />
@@ -0,0 +1,15 @@
+---
+title: Configure tunnels and routes
+pcx_content_type: overview
+sidebar:
+  order: 3
+---
+
+In this unit you will learn how to set up tunnels and routes to steer traffic.
+
+## Objectives
+
+By the end of this module you will be able to:
+- Create tunnels on both the Cloudflare side and your router side to connect to your infrastructure.
+- Configure static routes or dynamic routes with BGP peering to steer your traffic via next-hop from Cloudflare's global network to your connected networks.
+
@@ -0,0 +1,15 @@
+---
+title: Enable Magic Firewall
+pcx_content_type: learning-unit
+sidebar:
+  order: 5
+---
+
+
+Magic Transit customers are automatically provided with the [standard features](/magic-firewall/plans/#standard-features) of Magic Firewall, Cloudflare's firewall-as-a-service product.
+
+Cloudflare recommends creating a ruleset customized to your environment and needs. Without any rules configured, Magic Firewall will pass on all traffic after mitigations are applied to your tunnels.
+
+The [Extended ruleset](/magic-firewall/best-practices/extended-ruleset/) is the best practice for reducing your attack surface by adopting a positive security model. If possible, use your current Edge Firewall policies to help you decide what ports to permit/block.
+
+If you cannot use the extended ruleset, then use the [minimal ruleset guidance](/magic-firewall/best-practices/minimal-ruleset/) to create a customized ruleset to block known unwanted traffic and common vectors for attack.
@@ -0,0 +1,31 @@
+---
+title: Enable Notifications
+pcx_content_type: learning-unit
+sidebar:
+  order: 6
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="tunnel-health/magic-tunnel-health-alerts"
+	product="networking-services"
+	params={{
+		magicWord: "Magic Transit",
+		productName: "Magic Transit",
+		magicTunnelHealthCheckCalculation: "/magic-transit/reference/magic-tunnels/",
+		networkAnalyticsPath: "/magic-transit/analytics/network-analytics/",
+		healthChecks: "/magic-transit/reference/tunnel-health-checks/",
+	}}
+/>
+
+## Other notifications
+
+Cloudflare also recommends that you enable the following account notifications for your Magic Transit service:
+
+- Layer 3/4 DDoS Attack Alert
+- Route Leak Detection Alert (to detect BGP Hijacks)
+- (Optional) Advanced Layer 3/4 DDoS Attack Alert
+- (Optional) Cloudflare status - Maintenance Notification (in case you want to be alerted regarding maintenance in specific Cloudflare data centers).
+
+Refer to [Cloudflare Notifications](/notifications/) for more information on how to enable these notifications.
@@ -0,0 +1,10 @@
+---
+title: Get started
+pcx_content_type: learning-unit
+sidebar:
+  order: 2
+---
+
+import { Render } from "~/components"
+
+<Render file="magic-transit/get-started" product="networking-services" params={{ magicWord: "Learning Path" }} />