Magic Transit
What is it?
Magic Transit extends Cloudflare's DDoS protection and network security to entire IP networks — not just websites. While standard Cloudflare DDoS protection secures individual domains (Layer 7), Magic Transit protects at the network layer (Layer 3/4), making it ideal for protecting data centers, cloud infrastructure, and enterprise networks.
What problem does it solve?
Large organizations don't just have websites — they have entire IP address ranges that need protection:
- Data center DDoS attacks: Volumetric attacks targeting IP ranges can overwhelm routers and bring down entire networks.
- Legacy hardware costs: Traditional DDoS scrubbing centers are expensive, require dedicated hardware, and introduce latency because traffic must be rerouted to a scrubbing location.
- Performance tradeoffs: Legacy DDoS protection often forces traffic through a distant scrubbing center, adding latency. Magic Transit doesn't have this problem because protection runs in every Cloudflare data center.
How does it work?
- The customer advertises their IP address space through Cloudflare using BGP (Border Gateway Protocol). This means all traffic destined for those IPs arrives at Cloudflare first.
- Cloudflare inspects traffic across all 300+ data centers simultaneously using anycast.
- DDoS attacks are absorbed and dropped at the edge — closest to the source of the attack.
- Clean traffic is forwarded to the customer's origin via GRE/IPsec tunnels or Cloudflare Network Interconnect (CNI).
- The Cloudflare Network Firewall (previously Magic Firewall) can be applied on top for additional packet-level filtering.
Magic Transit can be deployed as:
- Always-on: All traffic always flows through Cloudflare.
- On-demand: Traffic only flows through Cloudflare during an active attack (lower cost but slower mitigation start).
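The GRE forwarding step described above, as an added example (not Cloudflare's code): it wraps a clean inner IPv4 packet in an outer IPv4 header plus a basic RFC 2784 GRE header, validates and unwraps it as a customer router would, and computes the per-packet overhead that origin MTU/MSS settings must account for. The addresses are constructed documentation-range values, and the 1500-byte link MTU and the flag-free GRE header are assumptions.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
LINK_MTU = 1500           # assumed MTU of the path carrying the tunnel

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, TTL 64, DF set."""
    fmt = "!BBHHHBBH4s4s"
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(fmt, *fields))
    return struct.pack(fmt, *fields)

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Edge side: outer IPv4 + 4-byte GRE header (no flags) + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(outer: bytes) -> bytes:
    """Customer side: validate the outer headers, return the inner packet."""
    if len(outer) < 24 or outer[0] >> 4 != 4 or outer[9] != GRE_PROTO:
        raise ValueError("not an IPv4/GRE packet")
    ihl = (outer[0] & 0x0F) * 4
    if ihl < 20 or len(outer) < ihl + 4 or ip_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer[ihl + 4:]

# Constructed sample: a clean TCP packet header for a protected IP,
# carried from an edge tunnel endpoint to the customer's router.
INNER = ipv4_header("198.51.100.7", "203.0.113.10", 6, 0)
OUTER = gre_encapsulate(INNER, "192.0.2.1", "192.0.2.2")
TUNNEL_OVERHEAD = len(OUTER) - len(INNER)   # 20 outer IPv4 + 4 GRE
INNER_MTU = LINK_MTU - TUNNEL_OVERHEAD      # room left for inner packets
```

With these assumptions, inner packets larger than `INNER_MTU` do not fit in the tunnel without fragmentation, which is why tunnel MTU and TCP MSS need to be set to match on the origin side.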
Why it matters strategically
Magic Transit is a key product for large enterprise and infrastructure customers — ISPs, financial institutions, gaming companies, and government agencies with their own IP space. It's a higher-ACV (annual contract value) product that competes with Akamai's Prolexic, AWS Shield Advanced, and traditional DDoS scrubbing vendors. It also serves as the entry point to the broader network services portfolio (Cloudflare WAN, Network Firewall), creating a path to a full SASE deployment.