cloudflare · RebeccaTamachiro · Jun 3, 2025 · May 19, 2025 · May 19, 2025 · May 20, 2025
@@ -44,4 +44,12 @@ Some customers may only proxy zones through BYOIP addresses, and are prohibited
 
 It is still possible to create more specific zone-level address maps with specific BYOIPs, but DNS will fall back to the account-wide address map without one.
 
-To specify different addresses for certain zones, [create a new address map](/byoip/address-maps/setup/).
+To specify different addresses for certain zones, [create a new address map](/byoip/address-maps/setup/).
+
+---
+
+## Spectrum compatibility
+
+You can use address maps to set up [non-SNI support](/byoip/address-maps/setup/#spectrum-https-applications) for Spectrum HTTPS applications.
+
+However, to control what IP address Cloudflare will use when responding to requests for your Spectrum applications, you should first refer to their respective configuration and set the `edge_ips` field as `static`. For details, refer to the [Spectrum API](/api/resources/spectrum/models/edge_ips/).
@@ -0,0 +1,203 @@
+---
+title: Use BYOIP with CDN and Spectrum
+pcx_content_type: tutorial
+sidebar:
+  order: 4
+  label: CDN and Spectrum
+---
+
+import { Render, APIRequest, Details, Example, TabItem, Tabs, GlossaryTooltip } from  "~/components";
+
+ With [service bindings](/byoip/service-bindings/), CDN[^1] customers using BYOIP can take the same prefix they have onboarded to Cloudflare and use it to selectively route traffic on a per-IP address basis to [Spectrum](/spectrum/)[^2], or vice versa. This means:
+
+- You can upgrade individual IPs within a CDN prefix to a Spectrum IP. For example, if you have a CDN prefix 203.0.113.0/24, you can upgrade 203.0.113.1 to Spectrum.
+
+- You can upgrade individual IPs within a Spectrum prefix to a CDN IP. For example, if you have a Spectrum prefix 203.0.113.0/24, you can upgrade 203.0.113.1 to CDN.
+
+This guide will use the first example, considering a prefix that was onboarded to the CDN and will have a few IPs upgraded to Spectrum.
+
+## Before you begin
+
+<Render
+file="service-bindings-prereqs"
+params={{
+	pre_existing_product: "CDN",
+	added_product: "Spectrum"
+}}
+/>
+
+---
+
+## Prepare your IPs
+
+### 1. Get account information
+
+<Render
+file="service-bindings-account-info"
+params={{
+	pre_existing_product: "CDN",
+	added_product: "Spectrum"
+}}
+/>
+
+### 2. Create service bindings
+
+<Render
+file="service-bindings-create-binding"
+params={{
+	pre_existing_product: "CDN",
+	added_product: "Spectrum"
+}}
+/>
+
+### 3. Verify all service bindings
+
+After the propagation time (four to six hours), the [List Service Bindings](/api/resources/addressing/subresources/prefixes/subresources/service_bindings/methods/get/) endpoint should return all service bindings that are part of the prefix - in this case, CDN and Spectrum.
+
+<APIRequest
+path="/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings"
+method="GET"
+/>
+
+---
+
+## Set up your Cloudflare services
+
+### CDN
+
+If you already use BYOIP with CDN, you might be able to skip this step. However, if you are using this guide to upgrade a few IPs from a Spectrum prefix to the CDN, consider the following sections on [address maps](#address-maps) and [DNS records](#dns-records).
+
+:::note
+As described below, address maps and DNS records do not apply to Spectrum. To set up your Spectrum application with BYOIP, refer to [Spectrum](#spectrum).
+:::
+
+#### Address maps
+
+Use <GlossaryTooltip term="address map" link="/byoip/address-maps/">address maps</GlossaryTooltip> to specify which IPs should be used by Cloudflare in DNS responses when a record is <GlossaryTooltip term="proxy status" link="/dns/proxy-status/">proxied</GlossaryTooltip>.
+
+You can choose between two different scopes:
+
+- Account-level: uses the address map for all proxied DNS records across all of the zones within an account.
+- Zone-level: uses the address map for all proxied DNS records within a zone.
+
+:::note
+If you need to map only specific subdomains (and not all proxied DNS records) to specific IP addresses, you can use a [Subdomain setup](/dns/zone-setups/subdomain-setup/).
+:::
+
+<Tabs syncKey="dashPlusAPI">
+<TabItem label="Dashboard" no-code="true">
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Go to **IP Addresses** > **Address Maps**.
+3. Select **Create an address map**.
+4. Choose the scope of the address map.
+5. Add the zones and IP addresses that you want to map.
+6. Name your address map.
+7. Review the information and select **Save and Deploy**.
+
+</TabItem>
+<TabItem label="API" no-code="true">
+
+Use the [Create Address Map](/api/resources/addressing/subresources/address_maps/methods/create/) endpoint.
+
+Make sure you have the correct Key/Token and permissions.
+
+</TabItem>
+</Tabs>
+
+#### DNS records
+
+While the DNS record proxy status and address map will determine how Cloudflare's authoritative DNS responds to requests for your hostnames, the IP addresses specified in `A`/`AAAA` records will determine [how Cloudflare reaches the configured origin](/fundamentals/concepts/how-cloudflare-works/#how-cloudflare-works-as-a-reverse-proxy).
+
+:::note
+As you create the necessary DNS records, [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) can help making sure that you have SSL/TLS certificates in place for all your hostnames.
+:::
+
+<Tabs syncKey="dashPlusAPI">
+<TabItem label="Dashboard" no-code="true">
+
+To create a DNS record in the dashboard:
+
+1.  Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select an account and domain.
+2.  Go to **DNS** > **Records**.
+3.  Select **Add record**.
+4.  Choose an address (`A`/`AAAA`) [record type](/dns/manage-dns-records/reference/dns-record-types/).
+5.  Complete the required fields, setting the **Proxy status** to **proxied**.
+6.  Select **Save**.
+
+</TabItem>
+<TabItem label="API" no-code="true">
+
+To create records with the API, use a [POST request](/api/resources/dns/subresources/records/methods/create/). For field definitions, select a record type under the request body specification.
+
+</TabItem>
+</Tabs>
+
+<Details header="Example">
+
+| Type | Name  | IP address      | Proxy status | TTL    |
+| ---- | ----- | --------------- | ------------ | ------ |
+| `A`  | `www` | `203.0.113.150` | `Proxied`    | `Auto` |
+
+At this point, if an address map for a zone `example.com` specifies that Cloudflare should use `203.0.113.100` for proxied records and the above record exists in the same zone, you can expect the following:
+
+1. Cloudflare responds to DNS requests for `www.example.com` with `203.0.113.100`.
+2. Cloudflare proxies requests through the CDN and then routes the requests to the origin server `203.0.113.150`.
+3. As the HTTP response egresses the Cloudflare network back to the client side, the source IP address of the response becomes `203.0.113.100` (the IP address that the HTTP request originally landed on).
+
+</Details>
+
+:::note
+Having the same IP address as ingress IP (defined in the address map) and origin IP (listed in the DNS record) will not cause any loops.
+:::
+
+<Details header="Example">
+
+Assuming `203.0.113.100` was also the origin IP, the DNS record would look like the following:
+
+| Type | Name  | IP address      | Proxy status | TTL    |
+| ---- | ----- | --------------- | ------------ | ------ |
+| `A`  | `www` | `203.0.113.100` | `Proxied`    | `Auto` |
+
+</Details>
+
+### Spectrum
+
+Configuring Spectrum to use your own IP address is only possible via the [Cloudflare API](/api/resources/spectrum/).
+
+The `origin_direct` field takes the origin IP address, while `edge_ips` allows you to define which IP address from your BYOIP prefix Cloudflare should use to process requests for your Spectrum application.
+
+<APIRequest
+path="/zones/{zone_id}/spectrum/apps"
+method="POST"
+json={[
+    {
+			"protocol":"tcp/22",
+			"dns":{
+				"type":"CNAME",
+				"name":"ssh.example.com"
+				},
+			"origin_direct":["tcp://192.0.2.1:22"],
+			"proxy_protocol":"off",
+			"ip_firewall":true,
+			"tls":"full",
+			"edge_ips":{
+				"type":"static",
+				"ips":["203.0.113.18"]
+				},
+			"traffic_type":"direct",
+			}
+  ]}
+	  code={{
+    mark: [17, 18, 19, 20, 21, "203.0.113.18"]
+  }}
+/>
+
+---
+
+## (Optional) Add layer 7 functionality
+
+<Render file="service-bindings-related-products" />
+
+[^1]: Layer 7 HTTP-based
+[^2]: Layer 4 or Layer 7 HTTP with custom ports
@@ -23,6 +23,8 @@ Customers using BYOIP with Magic Transit, [CDN services](/cache/), or [Spectrum]
 - You can upgrade individual IPs within a CDN prefix to a Spectrum IP. For example, if you have a CDN prefix `203.0.113.0/24`, you can upgrade `203.0.113.1` to Spectrum.
 - You can upgrade individual IPs within a Spectrum prefix to a CDN IP. For example, if you have a Spectrum prefix `203.0.113.0/24`, you can upgrade `203.0.113.1` to CDN.
 
+Refer to [Magic Trasit with CDN](/byoip/service-bindings/magic-transit-with-cdn/) or [CDN and Spectrum](/byoip/service-bindings/cdn-and-spectrum/) for detailed guidance.
+
 :::caution
 Magic Transit customers must ensure that their contract includes CDN and/or Spectrum according to their needs.
 :::
@@ -31,8 +33,6 @@ Magic Transit customers must ensure that their contract includes CDN and/or Spec
 
 When a service binding of type `CDN` is applied, once the change has propagated across Cloudflare's global network (four to six hours), any HTTP requests are directed into the CDN pipeline for Layer 7 processing.
 
-Refer to [Use BYOIP with Magic Transit and CDN](/byoip/service-bindings/magic-transit-with-cdn/) for detailed guidance.
-
 ### Spectrum
 
 When a service binding of type `Spectrum` is applied, once the change has propagated across Cloudflare's global network (four to six hours), any TCP/UDP/HTTP requests are directed into the Spectrum pipeline for Layer 4 or Layer 7 processing.

@@ -8,11 +8,9 @@ sidebar:
 
 import { Details, Example, TabItem, Tabs, GlossaryTooltip, APIRequest } from "~/components";
 
-[Magic Transit](/magic-transit/) customers using BYOIP can also benefit from the performance, reliability, and security that Cloudflare offers for HTTP-based applications.
+[Magic Transit](/magic-transit/) customers using BYOIP can also benefit from the performance, reliability, and security that Cloudflare offers for HTTP-based applications. [Service bindings](/byoip/service-bindings/) allow BYOIP customers to selectively route traffic on a per-IP address basis to the CDN pipeline (which includes [Cache](/cache/), [Web Application Firewall (WAF)](/waf/), and more).
 
-This documentation covers using the Cloudflare API to configure [service bindings](/byoip/service-bindings/) within Cloudflare's IP Address Management framework. Service bindings allow BYOIP customers to selectively route traffic on a per-IP address basis to the CDN pipeline (which includes [Cache](/cache/), [Web Application Firewall (WAF)](/waf/), and more).
-
-It is also possible to define service bindings to route traffic to the Spectrum pipeline selectively. However, this is not in the scope of this guide.
+This guide covers using the Cloudflare API to configure Magic Transit with CDN. It is also possible to define service bindings to route traffic to the Spectrum pipeline selectively. Refer to [scope](/byoip/service-bindings/#scope) for the full list of possible configurations and other available guides.
 
 It is important to note that traffic routed to the CDN pipeline is protected at Layers 3 and 4 by the inherent DDoS protection capabilities native to the CDN pipeline.
 
@@ -62,7 +60,7 @@ At this point, continuing the [example](#before-you-begin), you should have a ma
 
 </Example>
 
-4. To confirm you currently only have a Magic Transit service binding and that it spans across your entire prefix, make a `GET` request to the [List Service Bindings](/api/resources/addressing/subresources/prefixes/subresources/service_bindings/methods/list/) endpoint. Replace the `{prefix_id}` in the URI path by the actual prefix ID you got from the previous step.
+4. To confirm you currently have a Magic Transit service binding and that it spans across your entire prefix, make a `GET` request to the [List Service Bindings](/api/resources/addressing/subresources/prefixes/subresources/service_bindings/methods/list/) endpoint. Replace the `{prefix_id}` in the URI path by the actual prefix ID you got from the previous step.
 
 <Example>
 

@@ -0,0 +1,33 @@
+---
+params:
+ - pre_existing_product
+ - added_product
+---
+
+import { Example, APIRequest } from "~/components";
+
+1. Log in to your Cloudflare account and get your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and [authentication key or token](/fundamentals/api/get-started/). If using an [API token](/fundamentals/api/get-started/create-token/), the permissions should include `Account` - `IP Prefixes` - `Edit`.
+2. Make a `GET` request to the [List Services](/api/resources/addressing/subresources/services/methods/list/) endpoint and take note of the `id` associated with the {props.added_product} service.
+3. Use the [List Prefixes](/api/resources/addressing/subresources/prefixes/methods/list/) endpoint and take note of the `id` associated with the prefix (`cidr`) you will configure.
+
+<Example>
+
+At this point, continuing the [example](#before-you-begin), you should have a mapping similar to the following:
+
+| Variables      | Description                                                                                                                                       |
+| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `{service_id}` | The ID of the {props.added_product} service within Cloudflare. <br /><br /> Example: `969xxxxxxxx000xxx0000000x00001bf`                                             |
+| `{prefix_id}`  | The ID of the {props.pre_existing_product} prefix (`203.0.113.0/24`) you want to configure. <br /><br /> Example: `6b25xxxxxxx000xxx0000000x0000cfc` |
+
+</Example>
+
+4. To confirm you currently have a {props.pre_existing_product} service binding and that it spans across your entire prefix, make a `GET` request to the [List Service Bindings](/api/resources/addressing/subresources/prefixes/subresources/service_bindings/methods/list/) endpoint. Replace the `{prefix_id}` in the URI path by the actual prefix ID you got from the previous step.
+
+<Example>
+
+<APIRequest
+path="/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings"
+method="GET"
+/>
+
+</Example>
@@ -0,0 +1,54 @@
+---
+params:
+ - pre_existing_product
+ - added_product
+---
+
+import { Example, APIRequest } from "~/components";
+
+:::caution[Caution]
+Once a service binding is created (or deleted), it will take four to six hours to propagate across Cloudflare's global network. Services for the IP addresses in scope will likely be disrupted during this window.
+:::
+
+1. Make a `POST` request to the [Create service binding](/api/resources/addressing/subresources/prefixes/subresources/service_bindings/methods/create/) endpoint, indicating the IP address you want to bind to {props.added_product}. Specify the **corresponding network mask** as needed.
+
+<Example>
+
+Continuing the example, `203.0.113.100/32` designates an IP address that is within the {props.pre_existing_product} prefix `203.0.113.0/24`.
+
+Replace the `{prefix_id}` in the URI with your prefix ID from previous steps. Within the request body, the `cidr` value should correspond to the IP address or subnet that you are configuring for use with {props.added_product}.
+
+<APIRequest
+	path="/accounts/{account_id}/addressing/prefixes/{prefix_id}/bindings"
+	method="POST"
+	json={{
+		  "cidr": "203.0.113.100/32",
+			"service_id": "<SERVICE_ID>"
+	}}
+  code={{
+    mark: [6, 7]
+  }}
+/>
+
+In the response body, the initial provisioning state should be `provisioning`.
+
+```json output {9}
+{
+  "errors": [],
+  "messages": [],
+  "success": true,
+  "result": {
+    "cidr": "203.0.113.100/32",
+    "id": "<SERVICE_BINDING_ID>",
+    "provisioning": {
+      "state": "provisioning"
+      },
+    "service_id": "<SERVICE_ID>",
+    "service_name": "<SERVICE_NAME>"
+  }
+}
+```
+
+</Example>
+
+You can periodically check the service binding status using the [List Service Bindings](/api/resources/addressing/subresources/prefixes/subresources/service_bindings/methods/list/) endpoint.
@@ -0,0 +1,34 @@
+---
+params:
+ - pre_existing_product
+ - added_product
+---
+
+import { Details } from "~/components";
+
+Although it is possible to add discrete bindings for non-contiguous CIDR blocks, implementing service bindings through an **aggregated** CIDR block is **strongly** recommended as it is more efficient.
+
+<Details header="Example">
+
+**{props.pre_existing_product} protected prefix:** `203.0.113.0/24`
+
+**IPs to upgrade to {props.added_product}:**
+
+`203.0.113.16`<br />
+`203.0.113.17`<br />
+`203.0.113.18`<br />
+`203.0.113.19`<br />
+`203.0.113.20`<br />
+`203.0.113.21`<br />
+`203.0.113.22`<br />
+`203.0.113.23`
+
+Add one discrete {props.added_product} service binding for `203.0.113.16` with a `/29` netmask.
+
+</Details>
+
+Once a service binding is created (or deleted), it will take **four** to **six** hours to propagate across Cloudflare's global network. Services for the IP addresses in scope will likely be disrupted during this window.
+
+:::note
+This guide assumes that the prefix is tied to a single Cloudflare account that has both {props.pre_existing_product} and {props.added_product} properties. If you are using [prefix delegations](/byoip/concepts/prefix-delegations/), the service bindings must be [created](#2-create-service-binding) on the parent account.
+:::
@@ -0,0 +1,11 @@
+---
+{}
+---
+
+import { Details } from "~/components";
+
+Leverage other features according to your needs. For example:
+
+- [Cache](/cache/)
+- [WAF custom rules](/waf/custom-rules/)
+- [Security analytics](/waf/analytics/security-analytics/)