cloudflare_byoip 24 Q&As

Cloudflare Byoip FAQ & Answers

24 expert Cloudflare Byoip answers researched from official documentation. Every answer cites authoritative sources you can verify.

configuration

5 questions
A

Service Bindings are mappings that control which Cloudflare service processes traffic for each IP address in your prefix. Options include: CDN pipeline (caching, WAF, Workers), Magic Transit (Layer 3/4 DDoS protection), or Spectrum (TCP/UDP proxy). You can bind different IPs within the same prefix to different services - for example, use 203.0.113.1-10 for CDN and 203.0.113.11-20 for Spectrum.

99% confidence
A

Address Maps specify which BYOIP addresses should be used in DNS responses for proxied records. Two scope levels: (1) Account-level: applies to all proxied DNS records across all zones, (2) Zone-level: applies only to a specific zone. Cloudflare may create immutable account-wide address maps if you're required to never use Cloudflare IPs. Address Maps don't change how Cloudflare reaches your origin - they only affect DNS responses to end users.

99% confidence
A

Prefix Delegations allow a prefix owner (Account A) to authorize another account (Account B) to use all or part of their prefix. The original account retains ownership and management, but the delegated account can use those IPs with services like Address Maps or Cloudflare for SaaS. Use case: SaaS provider with BYOIP can delegate IPs to customer accounts for custom hostname validation and traffic serving.

99% confidence
A

Two options: (1) Cloudflare's ASN (AS13335): Simpler setup, Cloudflare appears as origin. Required for self-serve DIY onboarding. (2) Your own ASN: Your organization appears as origin, requires manual LOA process. Note: For new onboardings using Cloudflare's ASN, you must use AS13335. Legacy customers using AS209242 can continue with that ASN.

99% confidence
A

Spectrum supports Proxy Protocol for passing original client IPs to your origin. For TCP: Enable Proxy Protocol v1 (human-readable, compatible with Amazon ELB and NGINX) in your Spectrum application config. For UDP: Cloudflare uses Simple Proxy Protocol, a custom UDP-compatible format. Configure via API when creating the Spectrum application. Your origin must be configured to parse the proxy protocol header to extract the real client IP.

99% confidence
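An origin-side parser for the PROXY protocol v1 header described in the Spectrum answer above, added here as an example (not Cloudflare's code). The sample connection bytes and the trusted-proxy network are constructed; in practice the trusted set is the source ranges Cloudflare publishes.

```python
import ipaddress

# Added example (not Cloudflare's code): parse the PROXY protocol v1 line that
# Spectrum prepends to each TCP connection when Proxy Protocol v1 is enabled.
# Form, per the PROXY protocol spec:
#   "PROXY TCP4 <client-ip> <proxy-ip> <client-port> <proxy-port>\r\n"
# The line is at most 107 bytes including CRLF.  Assumes `data` already holds
# the whole line (read up to the first CRLF before calling).
MAX_V1_HEADER = 107

def parse_proxy_v1(data):
    """Return (client_ip, client_port, payload_after_header).

    Raises ValueError on any malformed header; the origin should then close the
    connection instead of guessing at the client address.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ValueError("PROXY v1 header missing, oversized or not CRLF-terminated")
    header, payload = data[:end], data[end + 2:]
    fields = header.split(b" ")
    if len(fields) < 2 or fields[0] != b"PROXY":
        raise ValueError("not a PROXY v1 header")
    if fields[1] == b"UNKNOWN":
        # The spec allows UNKNOWN when the proxy has no address info: no client IP.
        raise ValueError("PROXY UNKNOWN: client address not available")
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("unexpected PROXY v1 field layout")
    client_ip = ipaddress.ip_address(fields[2].decode("ascii"))
    ipaddress.ip_address(fields[3].decode("ascii"))  # proxy address must parse too
    if (fields[1] == b"TCP4") != (client_ip.version == 4):
        raise ValueError("address family does not match TCP4/TCP6 keyword")
    client_port, proxy_port = int(fields[4]), int(fields[5])
    if not (0 <= client_port <= 65535 and 0 <= proxy_port <= 65535):
        raise ValueError("port out of range")
    return str(client_ip), client_port, payload

def client_ip_for_connection(peer_ip, data, trusted_proxy_nets):
    """Honor the PROXY line only when the TCP peer is one of the expected proxies.

    Any peer that can reach the origin directly could send a forged PROXY line,
    so the origin must restrict which peers may assert a client address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxy_nets):
        return str(peer), data  # untrusted peer: ignore any PROXY line in `data`
    client_ip, _port, payload = parse_proxy_v1(data)
    return client_ip, payload

# Constructed sample: a client at 198.51.100.7 reaching BYOIP address 203.0.113.5
# on port 443; the proxy-to-origin hop comes from the constructed range 192.0.2.0/24.
SAMPLE = b"PROXY TCP4 198.51.100.7 203.0.113.5 40123 443\r\nGET / HTTP/1.1\r\n"
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
```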

operations

4 questions
A

Enabling advertisement typically takes 2-7 minutes for Cloudflare to start announcing the prefix. Full global BGP propagation takes 2-4 hours as the route spreads through the internet's routing tables. Disabling advertisement (withdrawing the route) takes approximately 15 minutes.

99% confidence
A

Use the BGP Prefixes API (preferred over deprecated advertisement_status): PATCH /accounts/{account_id}/addressing/prefixes/{prefix_id}/bgp/status with body {"advertised": true} or {"advertised": false}. The newer BGP Prefixes endpoints also allow advertising specific subnets within your prefix. Ensure users have Administrator or Super Administrator role to manage advertisement status.

99% confidence
A

Service binding changes (creating, modifying, or deleting) take 4-6 hours to propagate across Cloudflare's global network. During this window, incoming packets may be dropped due to inconsistent routing. Cloudflare is working to reduce this to minutes, but currently plan for service disruption during binding changes.

99% confidence
A

To avoid dropped routes during migration: (1) Enable Cloudflare advertisement FIRST, (2) Wait for full BGP propagation (2-4 hours), (3) Verify traffic is flowing through Cloudflare, (4) THEN withdraw advertisement from your original location. This ensures the route is always announced somewhere. Withdrawing first creates a window where the prefix is unreachable.

99% confidence
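A helper for the two answers above (the BGP Prefixes API and the enable-first migration order), added here as an example rather than Cloudflare's own tooling. It uses the PATCH endpoint quoted above; the GET form of the same URL, the response envelope shape, and the names `send`, `max_polls` and `migrate_step_one` are this example's assumptions.

```python
import json
import time
import urllib.request

# Added example (not Cloudflare's tooling) around the BGP Prefixes status API.
API = "https://api.cloudflare.com/client/v4"

def bgp_status_url(account_id, prefix_id):
    return f"{API}/accounts/{account_id}/addressing/prefixes/{prefix_id}/bgp/status"

def http_send(method, url, token, body):
    """Send one request with an API token; returns the decoded JSON envelope."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def set_advertised(account_id, prefix_id, token, advertised, send=http_send):
    """PATCH {"advertised": ...}; returns the flag echoed back in the response.

    Assumed envelope shape: {"success": bool, "result": {"advertised": bool}}.
    """
    env = send("PATCH", bgp_status_url(account_id, prefix_id), token,
               {"advertised": bool(advertised)})
    if not env.get("success"):
        raise RuntimeError(f"Cloudflare API error: {env.get('errors')}")
    return bool(env["result"]["advertised"])

def wait_until_advertised(account_id, prefix_id, token, send=http_send,
                          max_polls=15, interval_s=60, sleep=time.sleep):
    """Poll the status (assumed: GET on the same URL) until advertised is true.

    True only means Cloudflare has started announcing; global BGP propagation
    takes hours, so confirm traffic is really arriving via Cloudflare before
    withdrawing the route from your current location (steps 3 and 4 above).
    """
    for _ in range(max_polls):
        env = send("GET", bgp_status_url(account_id, prefix_id), token, None)
        if env.get("success") and env["result"].get("advertised"):
            return True
        sleep(interval_s)
    return False

def migrate_step_one(account_id, prefix_id, token, send=http_send, **poll_kw):
    """Runbook steps 1-2: enable advertisement, then wait for Cloudflare to confirm."""
    set_advertised(account_id, prefix_id, token, True, send=send)
    return wait_until_advertised(account_id, prefix_id, token, send=send, **poll_kw)
```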

services

4 questions
A

Magic Transit provides DDoS protection and traffic acceleration for on-premises, cloud, and hybrid networks at Layer 3/4. With BYOIP, Cloudflare announces your prefix, traffic flows to the nearest Cloudflare edge for DDoS scrubbing, passes through Magic Firewall, then clean traffic routes to your origin via GRE/IPsec tunnels or Cloudflare Network Interconnect (CNI). BYOIP is required for Magic Transit - you must bring your own IPs.

99% confidence
A

Direct Server Return (DSR) means response traffic from your servers goes directly to end users over the internet, bypassing Cloudflare's network on the return path. Inbound traffic: User -> Cloudflare (DDoS filtering) -> Your origin. Outbound traffic: Your origin -> directly to User (no Cloudflare hop). This reduces latency and Cloudflare egress costs. To use DSR with cloud infrastructure, you must have BYOIP configured with your cloud provider as well.

99% confidence
A

Spectrum provides TCP/UDP proxy for non-HTTP traffic (gaming, SSH, databases). With BYOIP, configure via API by setting origin_direct (your origin IP) and edge_ips (which BYOIP addresses to use). Create A/AAAA DNS records pointing to your BYOIP addresses. Enterprise plans support all TCP/UDP traffic; Pro/Business plans support selected protocols only. BYOIP is not included with Spectrum by default - contact your account team to enable.

99% confidence
A

Cloudflare's DDoS protection for BYOIP prefixes uses the Autonomous Edge system with 321+ Tbps mitigation capacity. When attacks are detected, they're mitigated at the edge closest to the source - typically under 3 seconds globally. The same system that handles Cloudflare's own infrastructure (including stopping a 942 Gbps attack) protects BYOIP customers. All traffic is scrubbed before reaching your origin via tunnels or interconnects.

99% confidence

requirements

3 questions
A

The minimum prefix size is /24 for IPv4 (256 addresses) and /48 for IPv6. You cannot onboard prefixes smaller than these thresholds. This requirement exists because BGP routing tables on the internet generally filter out more specific routes to prevent table bloat.

99% confidence
A

An LOA must be: (1) On company letterhead, (2) In PDF format (not JPG/PNG), (3) Contain a wet signature or clear digital signature, (4) List the specific IP prefixes being authorized, (5) Specify which ASN they will be announced under (Cloudflare AS13335 or your own ASN). Cloudflare shares this LOA with transit partners as evidence of authorization to announce the route.

99% confidence
A

No. You cannot use IPs leased from cloud providers like AWS Elastic IPs or Azure Public IPs with Cloudflare BYOIP. You must own the IP space outright - registered in your name at a Regional Internet Registry (ARIN, RIPE, APNIC, etc.). Cloud provider IPs are owned by the provider and cannot have ROAs/LOAs issued for announcement by third parties.

99% confidence

setup

3 questions
A

Cloudflare's DIY BYOIP uses a two-step automated verification: (1) Verification of intent - Create an RPKI ROA authorizing Cloudflare's AS13335 to originate your prefix, (2) Verification of ownership - Modify IRR route objects or rDNS records to prove you control the prefix. When using the API, set delegate_loa_creation to true and Cloudflare generates the LOA automatically based on cryptographic proof of ownership. This eliminates manual LOA document handling.

99% confidence
A

RPKI ROA (Resource Public Key Infrastructure Route Origin Authorization) is a cryptographically signed object that authorizes an ASN to originate your prefix. To configure: (1) Log into your RIR portal (ARIN, RIPE, APNIC, etc.), (2) Navigate to ROA management, (3) Create a ROA specifying your prefix and AS13335 (Cloudflare) as authorized origin, (4) Set max-length appropriately (usually same as prefix length). Use Cloudflare's RPKI Portal or Routinator to verify ROAs are published correctly.

99% confidence
A

You need route or route6 objects in a Regional Internet Registry database containing: (1) Route field: the exact prefix you're onboarding (e.g., 203.0.113.0/24), (2) Origin field: AS13335 (Cloudflare) or your own ASN. Create entries in your RIR's routing registry (ARIN, RIPE, APNIC, AFRINIC, LACNIC). Cloudflare uses IRR records to prove authorization to transit providers who filter based on IRR.

99% confidence

overview

1 question
A

Cloudflare BYOIP (Bring Your Own IP) allows enterprise customers to use their owned IPv4/IPv6 address blocks with Cloudflare services while maintaining full IP ownership. Cloudflare announces your prefixes via BGP through their anycast network to 330+ global data centers. Traffic destined for your IPs routes to the nearest Cloudflare edge, where it benefits from DDoS protection, caching, WAF, Workers, and other services. Your IPs remain registered in your name at your Regional Internet Registry (ARIN, RIPE, APNIC, AFRINIC, LACNIC).

99% confidence

troubleshooting

1 question
A

Use these diagnostic tools: (1) IRR Explorer (irrexplorer.nlnetlabs.nl): Search by prefix to verify ASN associations and find IRR errors, (2) WHOIS: Run 'whois 203.0.113.0/24' to verify origin ASN and routing data, (3) Cloudflare RPKI Portal: Verify ROA records are published correctly, (4) Routinator: Second source to cross-check RPKI data, (5) BGP looking glasses (e.g., RIPE RIS, RouteViews): Verify Cloudflare is announcing your prefix and it's propagating.

99% confidence

alternatives

1 question
A

Yes. If you don't meet the /24 minimum for BYOIP, you can use Cloudflare-owned IP addresses with Magic Transit. Cloudflare allocates IPs from their pool to protect your network. However, you lose the benefits of BYOIP: your existing IP reputation is not preserved, compliance requirements tied to specific IP ranges cannot be met, and you'll need to update DNS/firewall rules to Cloudflare's IPs.

99% confidence

security

1 question
A

As of September 2024, 53% of IPv4 prefixes have valid ROA records (IPv6 reached this in late 2023), up from only 6% in 2017. 70.3% of internet traffic is exchanged with ROA-protected prefixes. RPKI matters for BYOIP because: (1) Networks using Route Origin Validation (ROV) will reject announcements without valid ROAs, (2) ROAs cryptographically prove authorization, preventing hijacking, (3) Major networks (Cloudflare, Google, Amazon) drop RPKI-invalid routes.

99% confidence
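Route Origin Validation as a ROV-enforcing network applies it, added here as an example (not Cloudflare's code) to make concrete both the ROA setup answer above and why a correctly set max-length matters. The ROAs, the owner ASN AS64500 and the hijacker ASN AS64496 (both documentation ASNs) and the planned announcements are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not Cloudflare's code): Route Origin Validation (RFC 6811)
# run against a constructed set of ROAs for a BYOIP prefix.

@dataclass(frozen=True)
class Roa:
    prefix: str       # prefix the ROA covers, e.g. "203.0.113.0/24"
    max_length: int   # longest announced prefix length this ROA authorizes
    origin_asn: int   # ASN authorized to originate it

def rov_state(announced_prefix, origin_asn, roas):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    ann = ipaddress.ip_network(announced_prefix)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == ann.version and ann.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "not-found"   # no ROA covers it: ROV networks typically still accept
    for roa in covering:
        if roa.origin_asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # wrong origin ASN, or more specific than max-length

def audit_announcements(announcements, roas):
    """Return every planned (prefix, asn) announcement that is not 'valid'."""
    result = {}
    for prefix, asn in announcements:
        state = rov_state(prefix, asn, roas)
        if state != "valid":
            result[(prefix, asn)] = state
    return result

# Constructed ROAs: the BYOIP /24 authorized for both Cloudflare's AS13335 and
# the owner's own ASN (AS64500), plus an IPv6 /32 whose max-length 48 permits
# the /48 that is actually onboarded.
ROAS = [
    Roa("203.0.113.0/24", 24, 13335),
    Roa("203.0.113.0/24", 24, 64500),
    Roa("2001:db8::/32", 48, 13335),
]

PLANNED = [
    ("203.0.113.0/24", 13335),   # Cloudflare announces the whole /24: valid
    ("203.0.113.0/25", 13335),   # a more-specific subnet: invalid, max-length is 24
    ("203.0.113.0/24", 64496),   # another ASN originating it: invalid, dropped by ROV
    ("198.51.100.0/24", 13335),  # no ROA yet: not-found
]
```

The /25 case is the one to check before advertising subnets of a prefix: unless the ROA's max-length allows the longer prefix, the subnet announcement is RPKI-invalid even though the origin ASN is authorized.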

use-cases

1 question
A

Key use cases: (1) IP reputation preservation: Email providers, banks, gaming platforms with years of IP reputation that can't risk IP changes affecting deliverability, fraud prevention, or anti-cheat whitelists. (2) Regulatory compliance: Government, healthcare, financial services requiring specific IP ranges for audit logs and compliance frameworks. (3) Third-party integrations: SaaS platforms with thousands of customer IP whitelists that can't coordinate mass IP changes. (4) Multi-vendor strategy: Route same IP block through different CDN providers via BGP for instant failover capability.

99% confidence