Merged
23 changes: 12 additions & 11 deletions src/content/docs/network-interconnect/get-started.mdx
Expand Up @@ -53,6 +53,7 @@ Consider the following service levels when planning your deployment:
- **Observability**: There is no visibility of the interconnect config/status within the Cloudflare dashboard.
- **Availability**: While network-resilient locations are designed to maintain connectivity during maintenance, single-homed locations can experience full service disruption.
- **Backup Connectivity**: You are required to maintain alternative Internet connectivity as a backup for all CNI implementations.
- **BGP**: Customers must have a BGP session established for Dataplane 1.0/1.1 to be operational.

## Location Alignment

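Review bot: The new **BGP** bullet names "Dataplane 1.0/1.1" without defining it or linking to where the dataplane versions are described, so a reader of this list cannot tell whether the requirement applies to their interconnect. Link the term or add a short qualifier, and consider "You must have a BGP session established" to match the second-person voice of the **Backup Connectivity** bullet just above it.
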
Expand All @@ -66,7 +67,7 @@ Cloudflare partners with leading global providers, including: Console Connect, C

## End-to-End Implementation Workflow

The process of provisioning a CNI can take several weeks, depending on the complexity and third-party provider timelines. The most common delays occur during the physical connection phase, which is outside of Cloudflare's direct control.
The process of provisioning a CNI typically takes two to four weeks, depending on the complexity of implementation and third-party provider timelines. The most common delays occur during the physical connection phase, which is outside of Cloudflare's direct control.

1. **Submit Request**: Work with your account team to create a CNI request ticket, providing your desired CNI type, location, use case, and technical details. An Implementation Manager will be assigned to guide the process.
2. **Review Configuration**: The Implementation Manager will provide a detailed configuration document covering IP addressing, VLANs, and other technical specifications. You must review and approve this document.
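Review bot: The new "two to four weeks" estimate in the workflow intro should be checked against the durations given further down this page: the cross-connect step says "one to two weeks or more" and BGP configuration "about one week", which already comes to two to three weeks or more before the request and configuration review steps are counted. Either state what the two to four weeks covers or keep a hedge such as "or longer", so the intro does not promise less than the individual steps add up to.
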
Expand All @@ -79,7 +80,7 @@ The process of provisioning a CNI can take several weeks, depending on the compl
7. [Add maintenance notifications](/network-interconnect/monitoring-and-alerts/#enable-cloudflare-status-maintenance-notification).
8. Enable tunnel health checks for Magic [Transit](/magic-transit/how-to/configure-tunnel-endpoints/#add-tunnels) / [WAN](/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/#add-tunnels).

## How-To Guides
## How-To guides

### How-To: Provision a Direct Interconnect

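Review bot: Only this heading is moved to sentence case; "### How-To: Provision a Direct Interconnect" two lines below and "## End-to-End Implementation Workflow" in the previous hunk stay in title case, and "How-To" keeps its capital T. Apply the same casing to the sibling headings in this change or leave this one alone, so the page does not end up with mixed heading styles.
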
Expand All @@ -88,41 +89,41 @@ The process of provisioning a CNI can take several weeks, depending on the compl
- required port speeds (10G or 100G)
- BGP ASN for Peering/Magic Transit
- BGP password (optional)
2. **Order Cross-Connect**: Cloudflare will issue a Letter of Authorization (LOA). This document grants you permission to order a physical cross-connect between your equipment and a specific port on Cloudflare's hardware within the data center. This process can take one to two weeks or more, depending on the facility provider. Cloudflare's demarcation is the port that is specified in the LOA: you are responsible for the deployment, provisioning and ongoing support and operation of this connection and the commercial relationships with the facility provider and any third-party connectivity providers.
2. **Order Cross-Connect**: Cloudflare will issue a Letter of Authorization (LOA). This document grants you permission to order a physical cross-connect between your equipment and a specific port on Cloudflare's hardware within the data center. The end-to-end process for ordering a cross-connect can take one to two weeks or more, depending on the facility provider. Cloudflare's demarcation is the port that is specified in the LOA: you are responsible for the deployment, provisioning and ongoing support and operation of this connection, and the commercial relationships with the facility provider and any third-party connectivity providers.

### How-To: Provision a Partner Interconnect

Cloudflare partners with leading connectivity providers globally. To provision a Partner Interconnect, you will initiate a connection request from your chosen provider's administrative portal. Cloudflare will then review and accept the request to activate the virtual circuit.

### How-To: Configure BGP and Routing
### How-To: Configure BGP and routing

Once your physical cross-connect or virtual circuit is provisioned, the next phase is to configure IP routing using Border Gateway Protocol (BGP). This process typically takes about one week to complete.

#### Step 1: IP Address Provisioning
#### Step 1: IP Address provisioning

1. Cloudflare will send you a set of IPv4 and IPv6 addresses for your connection.
2. Assign the provided IPs to your router's interface that connects to Cloudflare.
3. Perform ping tests between your router and Cloudflare's router to confirm that the physical or virtual link is active and passing packets correctly.
- **For Partner Interconnects**: If you are using a partner like Megaport, ensure you have configured the correct VLAN provided by your Customer Success Manager, as an incorrect VLAN can cause IP provisioning to fail.

#### Step 2: BGP Session Establishment
#### Step 2: BGP session establishment

After you confirm connectivity with successful ping tests, the next step is to establish the BGP session.

1. Cloudflare will configure its side of the BGP session, and notify you once ready.
2. You will configure your side of the BGP session and accept the routes.
2. You will configure your side of the BGP session and accept the routes you need.
3. Once the session is established, traffic will begin to flow over the CNI. Contact your solutions engineer to verify that traffic is routing as expected.

#### BGP Configuration Options and Use Cases
#### BGP configuration options and use cases

Depending on the Cloudflare services you use, your BGP configuration may vary:

- **Standard Peering**: This is the most common scenario, where BGP is used to exchange routes between your network and Cloudflare. Cloudflare learns your network routes, which is useful for services like CDN-only deployments or on-demand Magic Transit. It is important to note that prefixes Cloudflare learns via CNI remain local to that specific data center and are not propagated to other Cloudflare locations.
- **Standard Peering**: This is the most common scenario, where BGP is used to exchange routes between your network and Cloudflare. Cloudflare learns your network routes, which is useful for services like CDN-only deployments or on-demand Magic Transit. It is important to note that this is not peering with the Magic Transit routing table, which is global. Instead, this is peering with the specific data center's Internet edge network. This means that prefixes Cloudflare learns via CNI remain local to that specific data center and are not propagated to other Cloudflare locations.
- **Magic Transit with Controlled Advertisement**: Magic Transit customers can use a second BGP session to control which prefixes are advertised to the Internet. In this setup, Cloudflare advertises no prefixes to you, and you advertise only the specific prefixes you want Cloudflare to announce on your behalf.

#### Important Note on Accepting Routes from Cloudflare
#### Important note on accepting routes from Cloudflare

If you wish to use the CNI for egress traffic from your network to Cloudflare-advertised prefixes (such as anycast or BYOIP addresses), you can accept the BGP prefixes you receive from Cloudflare (typically there will be around 4,000 routes advertised by Cloudflare). However, be aware that there is a 1 Gbps capacity limitation for traffic you send to Cloudflare over the CNI link.
If you wish to use the CNI for egress traffic from your network to Cloudflare-advertised prefixes (such as anycast or BYOIP addresses), you can accept the BGP prefixes you receive from Cloudflare (typically there will be around 4,000 to 6,000 routes advertised by Cloudflare).

#### Optional: Bidirectional Forwarding Detection (BFD)

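Review bot: In the "Important note on accepting routes from Cloudflare" paragraph, the sentence about the 1 Gbps capacity limitation for traffic sent to Cloudflare over the CNI link is dropped while the route count rises to "4,000 to 6,000", and nothing in the new text says whether the limit was lifted. If it still applies, keep the sentence; if it does not, say so in the PR description so the removal is clearly intentional. The added "accept the routes you need" in Step 2 would also read better with a pointer to that note, since it is the only place that says which routes a customer might want, and "#### Step 1: IP Address provisioning" still has a capital "Address" after the sentence-case pass.
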
Expand Up @@ -10,7 +10,7 @@ CNI provides a private point-to-point IP connection with Cloudflare. There are t
| **Magic Transit Direct Server Return (DSR)** <br /> DDoS protection for all ingress traffic from the Internet to your public network. Send egress traffic via your ISP. | Supported with a GRE tunnel established over the interconnect circuit. | Supported with or without a GRE tunnel established over the interconnect circuit. |
| **Magic Transit with Egress** <br /> DDoS protection for all ingress traffic from the Internet to your public network. Send egress traffic via Cloudflare. | Supported with a GRE tunnel established over the interconnect circuit. | Supported with a GRE tunnel established over the interconnect circuit. |
| **Magic WAN and Zero Trust** <br /> Build a secure, private network backbone connecting your Zero Trust users and applications with all your sites, data centers, and clouds. | Supported with a GRE tunnel established over the interconnect circuit. | Supported with or without a GRE tunnel established over the interconnect circuit. |
| **Peering** <br /> Exchange public routes with a single Cloudflare PoP (Point of Presence). | Supported. All customers connecting with the edge data center will exchange public routes at that PoP with AS13335. Connectivity is established at each individual PoP. Routes for other edge locations in Cloudflare's network may not be available. Routes for customer-advertised prefixes will be available only in the connected PoP. | |
| **Application Security and Performance** <br /> Improve the performance and security of your web applications | **Supported via peering**: Customers can use Argo Smart Routing to direct origin traffic via the edge peering connection when it is determined to be the lowest latency option. Customers must maintain a direct Internet connection which will always be used for a portion of traffic and during failure scenarios. <br /> **Supported Via Magic Transit**: Customers may configure any product with an origin server IP address that is protected by Magic Transit. Magic Transit will direct this traffic via the overlay and customer can control interconnect next-hops using the Magic networking routing table. | |
| **Peering** <br /> Exchange public routes with a single Cloudflare PoP (Point of Presence). | Supported. All customers connecting with the edge data center will exchange public routes at that PoP with AS13335. Connectivity is established at each individual PoP. Routes for other edge locations in Cloudflare's network may not be available. Routes for customer-advertised prefixes will be available only in the connected PoP. | Supported. All customers connecting with the edge data center will exchange public routes at that PoP with AS13335. Connectivity is established at each individual PoP. Routes for other edge locations in Cloudflare's network may not be available. Routes for customer-advertised prefixes will be available only in the connected PoP. |
| **Application Security and Performance** <br /> Improve the performance and security of your web applications | **Supported via peering**: Customers can use Argo Smart Routing to direct origin traffic via the edge peering connection when it is determined to be the lowest latency option. Customers must maintain a direct Internet connection which will always be used for a portion of traffic and during failure scenarios. <br /> **Supported Via Magic Transit**: Customers may configure any product with an origin server IP address that is protected by Magic Transit. Magic Transit will direct this traffic via the overlay and customer can control interconnect next-hops using the Magic networking routing table. | **Supported via peering**: Customers can use Argo Smart Routing to direct origin traffic via the edge peering connection when it is determined to be the lowest latency option. Customers must maintain a direct Internet connection which will always be used for a portion of traffic and during failure scenarios. <br /> **Supported Via Magic Transit**: Customers may configure any product with an origin server IP address that is protected by Magic Transit. Magic Transit will direct this traffic via the overlay and customer can control interconnect next-hops using the Magic networking routing table. |

For more details refer to the [prerequisites section](/network-interconnect/get-started/#prerequisites).
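
Review bot: The third-column cells added to the **Peering** and **Application Security and Performance** rows are verbatim copies of the second-column text, so any later correction has to be made twice in each row. Consider a short cell that refers back to the neighbouring column, or confirm that each statement (exchanging routes with AS13335 at a single PoP, Argo Smart Routing over the edge peering connection) was checked for the third column's interconnect type rather than copied. While touching these rows, "Supported Via Magic Transit" could be lowercased to match "Supported via peering".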