cloudflare · RebeccaTamachiro · Oct 30, 2025 · Sep 8, 2025 · Sep 8, 2025 · Sep 10, 2025
@@ -1,34 +1,19 @@
 ---
-title: Best practices
+title: Manage IRR entries
 pcx_content_type: reference
 sidebar:
   order: 7
-head:
-  - tag: title
-    content: IRR entry updates best practices
-
 ---
 
-import { GlossaryTooltip } from "~/components"
-
-An Internet Routing Registry (IRR) record is what notifies internet service providers (ISPs) of how you are allowing your resources to be used. It is necessary to keep your IRR entries up to date so that it is public information that Cloudflare has permission to advertise your prefix or prefixes and to ensure that your traffic can be properly routed on the internet.
+import { GlossaryTooltip } from "~/components";
 
-The American Registry for Internet Numbers (ARIN) maintains an IRR that allows registrants of AS numbers and IP addresses to publish that information so that ISPs can make appropriate routing decisions. This helps ensure ISPs will recognize your routes as legitimate and enables them to ignore unauthorized routes published by someone else.
+You must keep your <GlossaryTooltip term="Internet Routing Registry (IRR)" link="/byoip/concepts/irr-entries/">Internet Routing Registry (IRR)</GlossaryTooltip> entries up to date so that it is public information that Cloudflare has permission to advertise your prefix or prefixes, and to ensure that your traffic can be properly routed on the internet.
 
 ## Configure an IRR entry
 
-You can add or update an IRR entry by following the directions within any of the recommended internet registries listed in the [Internet Routing Registry](https://www.irr.net/index.html).
-
-If you own your own subnet, use the RIPE and APNIC routing registries. These registries allow you to verify subnet ownership.
-
-If you lease your subnet, follow these guidelines:
-
-* When you do not need ownership verification, use the AFRINIC or NTT routing registry.
-* When you submit a route object via email, use the ARIN registry. Address blocks owned by others do not appear in the ARIN interface.
+You can add or update an IRR entry by following the directions of your routing registry. Each routing registry has its own set of instructions to configure an IRR entry.
 
-The recommended registries are AFRINIC, APNIC, ARIN, NTT, RADB, and RIPE.
-
-Each routing registry has its own set of instructions to configure an IRR entry. Refer to the table below for more information.
+The recommended registries are AFRINIC, APNIC, ARIN, LACNIC, and RIPE. Refer to the table below for more information.
 
 <table>
 <thead>
@@ -50,13 +35,9 @@ Each routing registry has its own set of instructions to configure an IRR entry.
       <td>ARIN</td>
       <td><a href="https://www.arin.net/resources/manage/irr/quickstart/">https://www.arin.net/resources/manage/irr/quickstart/</a></td>
     </tr>
-    <tr>
-      <td>NTT</td>
-      <td><a href="https://www.gin.ntt.net/support-center/policies-procedures/routing-registry/">https://www.gin.ntt.net/support-center/policies-procedures/routing-registry/</a></td>
-    </tr>
-    <tr>
-      <td>RADB</td>
-      <td><a href="https://www.radb.net/support/">https://www.radb.net/support/</a></td>
+		    <tr>
+      <td>LACNIC</td>
+      <td><a href="https://lacnic.zendesk.com/hc/articles/360038667154-What-are-a-route-and-a-route-6-objects">https://lacnic.zendesk.com/hc/articles/360038667154-What-are-a-route-and-a-route-6-objects</a></td>
     </tr>
     <tr>
       <td>RIPE</td>
@@ -72,8 +53,8 @@ Verify your Internet Routing Registry (IRR) entries to ensure that the IP prefix
 Each IRR entry record must include the following information:
 
 * **Route**: Each IP prefix Cloudflare advertises for you.
-* **Origin ASN**: Your ASN, or if you do not have your own ASN, the Cloudflare ASN (AS13335).
-* **Source**: The name of the routing registry, for example, AFRINIC, APNIC, ARIN, RADB, RIPE, or NTT.
+* **Origin ASN**: The Cloudflare ASN (AS13335) or your own ASN.
+* **Source**: The name of the routing registry (for example, ARIN).
 
 Add or update IRR entries when they meet any of these criteria:
 

@@ -1,17 +1,22 @@
 ---
-title: Internet Routing Registry
+title: Internet Routing Registry (IRR)
 pcx_content_type: concept
 sidebar:
   order: 2
-
+  label: Overview
+  group:
+    label: Internet Routing Registry
+head:
+  - tag: title
+    content: IRR Overview
 ---
 
-The [Internet Routing Registry (IRR)](http://www.irr.net/index.html) is a globally distributed database of routing information. The IRR contains announced routes and routing policies in a common format, and network operators use this information to configure their backbone routers.
+import { GlossaryDefinition } from "~/components";
 
-The IRR consists of many individual [routing registries](http://www.irr.net/docs/list.html), and some are managed by regional entities, such as APNIC, ARIN, and RIPE. Each routing registry contains IRR entries that provide information about IP prefixes and the [autonomous systems](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/) authorized to announce them.
+<GlossaryDefinition term="Internet Routing Registry (IRR)" prepend="The [Internet Routing Registry (IRR)](http://www.irr.net/index.html) is " />
 
-To announce your subnet prefixes, Cloudflare requires accurate IRR entries for your prefixes and autonomous system numbers (ASNs).
+The IRR consists of many individual [routing registries](http://www.irr.net/docs/list.html), and some are managed by regional entities - such as the American Registry for Internet Numbers (ARIN), the Regional Internet Registry for Europe, Middle East and Central Asia (RIPE), and so on. Each routing registry contains IRR entries that provide information about IP prefixes and the [autonomous systems](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/) authorized to announce them.
 
-When you configure network infrastructure for services such as [Magic Transit](/magic-transit/about/), [verify your IRR entries](/byoip/concepts/irr-entries/best-practices/#verify-an-irr-entry).
+To announce your subnet prefixes, Cloudflare requires accurate IRR entries for your prefixes and autonomous system numbers (ASNs).
 
-For help with adding missing IRR entries or updating inaccurate entries, refer to the [best practices for IRR entries](/byoip/concepts/irr-entries/best-practices/).
+When you configure network infrastructure for services such as [Magic Transit](/magic-transit/about/), or before onboarding your IP to Cloudflare, [verify your IRR entries](/byoip/concepts/irr-entries/best-practices/#verify-an-irr-entry).
@@ -10,20 +10,26 @@ head:
 
 import { Render } from "~/components";
 
-A Letter of Agency (LOA) - sometimes referred to as a Letter of Authorization - is a document that authorizes Cloudflare to announce a prefix(es) on behalf of another entity. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on behalf of another entity.
+A Letter of Agency (LOA) - sometimes referred to as a Letter of Authorization - is a document that authorizes Cloudflare to announce prefixes on behalf of another entity. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on behalf of another entity.
 
 The letter must contain both the prefixes you are authorizing Cloudflare to announce and which ASN they will be announced under. Cloudflare can announce a prefix under your ASN or you can use Cloudflare's ASN, which is AS13335.
 
-:::note
-For all future onboardings, you must use AS13335. Current customers who are already using Cloudflare's AS209242 do not need to make any changes and can continue using that ASN.
-:::
+## Requirements
 
-Cloudflare accepts digital signatures on an LOA, as long as it is clear who is signing the LOA.
+- For all future onboardings, if using the Cloudflare ASN, you must use AS13335. Current customers who are already using Cloudflare's AS209242 do not need to make any changes and can continue using that ASN.
 
-:::note[Note]
-An LOA is a formal document which should be on company letterhead and contain a wet signature. The Letter of Agency must be a PDF. Transit providers may reject the LOA if it is in a JPG or PNG format.
-:::
+- Cloudflare accepts digital signatures on an LOA, as long as it is clear who is signing the LOA.
 
-You can use the below template when creating an LOA document.
+- An LOA is a formal document which should be on company letterhead and contain a wet signature. The Letter of Agency must be a PDF. Transit providers may reject the LOA if it is in a JPG or PNG format.
+
+## Auto-generated LOA
+
+If you are onboarding your own IPs via the [self-serve flow](/byoip/get-started/), you can set `delegate_loa_creation` (in the [Add Prefix API call](/api/resources/addressing/subresources/prefixes/methods/create/)) to `true` . This will allow Cloudflare to automatically generate the LOA, speeding up the process.
+
+Auto-generated LOAs rely on [RPKI-signed ROAs](/byoip/concepts/route-filtering-rpki/) and [ownership validation](/byoip/get-started/#validate-prefix-ownership) checks.
+
+## Template
+
+If you need to create an LOA document, you can use the template below.
 
 <Render file="loa" product="byoip" />
@@ -0,0 +1,16 @@
+---
+title: Route filtering and RPKI
+pcx_content_type: concept
+sidebar:
+  order: 2
+---
+
+import { GlossaryTooltip } from "~/components";
+
+As referred in the [IRR concept page](/byoip/concepts/irr-entries/), network operators use IRR records to configure backbone routers. In summary, it is the IRR records that provide information about IP prefixes and the <GlossaryTooltip term="autonomous system numbers (ASNs)">autonomous systems (ASN)</GlossaryTooltip> authorized to announce them. Then, network operators will apply filtering policies to avoid invalid announcements.
+
+Considering this important role of IRR records, validation via Resource Public Key Infrastructure (RPKI) was introduced. With RPKI, the IP/ASN association is cryptographically validated before being passed on to the routers.
+
+When registering your prefix under one of the five Regional Internet Registries (RIRs)[^1], you can generate a cryptographically-signed object called Route Origin Authorization (ROA). ROAs are public and you can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator) or other sources, such as [Routinator](https://rpki-validator.ripe.net/ui/), to check your prefixes.
+
+[^1]: AFRINIC, APNIC, ARIN, LACNIC, and RIPE.