Configure tunnel endpoints
Cloudflare recommends two GRE tunnels for each ISP and data center router combination, one per Cloudflare GRE endpoint. Cloudflare will assign two Cloudflare GRE endpoint addresses shortly after your onboarding kickoff call that you can use as the GRE tunnel destinations on your data center routers/endpoints.
To configure the GRE tunnel(s) between Cloudflare and your data centers, you must provide the following data for each tunnel:
- GRE tunnel name — A valid Linux interface name with 15 or less characters. The tunnel name cannot contain spaces or special characters, and the name cannot be shared with other GRE tunnels.
- Customer GRE endpoint — A public Internet routable IP address outside of the prefixes Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection like Cloudflare Network Interconnect , you do not need to provide GRE endpoints because Cloudflare will provide them.
- Interface address — A 31-bit subnet (/31 in CIDR notation) supporting 2 hosts, one for each side of the tunnel. Select the subnet from the following private IP space:
- 10.0.0.0–10.255.255.255
- 172.16.0.0–172.31.255.255
- 192.168.0.0–192.168.255.255
- TTL — Time to Live (TTL) in number of hops for the GRE tunnel. The default value is 64.
- MTU — Maximum Transmission Unit (MTU) in bytes for the GRE tunnel. The default value is 1476.
Edge routing configuration example
GRE tunnel | Customer GRE endpoint | Interface address |
---|---|---|
GRE_1_IAD | 104.18.112.75 | 10.10.10.100/31 |
GRE_2_IAD | 104.18.112.75 | 10.10.10.102/31 |
GRE_3_ATL | 104.40.112.125 | 10.10.10.104/31 |
GRE_4_ATL | 104.40.112.125 | 10.10.10.106/31 |
Add GRE tunnels
- Log in to your Cloudflare dashboard and select Magic Transit.
- Next to GRE tunnels and static routes configuration, click Configure.
- From GRE tunnels, click Create.
- On the Add GRE tunnels page, fill out the information for your GRE tunnel.
- (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, click Test tunnels.
- To add multiple tunnels, click Add GRE tunnel for each new tunnel.
- After adding your tunnel information, click Add tunnels to save your changes.
Edit GRE tunnels
- From GRE tunnels, locate the GRE tunnel you want to modify and click Edit. To edit multiple tunnels, select the checkboxes for each tunnel and then click Edit selected tunnels.
- On the Edit GRE tunnels page, fill out the fields you want to modify.
- (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, click Test tunnels.
- After adding your information, click Edit tunnels to save your changes.
Note that you cannot edit the Cloudflare GRE endpoint associated with your GRE tunnel.
Delete GRE tunnels
- From GRE tunnels, locate the GRE tunnel you want to modify and click Delete.
- Confirm the action by selecting the checkbox and clicking Delete.
Network Address Translation
After adding your GRE tunnels, you can use Network Address Translation (NAT) to translate your private IP to your server’s IP address. NAT works by modifying network address information in a packet’s IP header as it moves across a router, which can help with load balancing and connecting private IP networks with non-registered IP addresses to the Internet.
Configure Network Address Translation
- On the router, configure NAT from your private IP address to your server’s current IP address.
Router(config)# ip nat inside source static <LOCAL_IP> <GLOBAL_IP>
- On the router, specify which interfaces connect inside and outside of the network.
Router(config)# interface Tunnel A
Router(config)# ip nat outside
Router(config)# interface 0/0 /* WAN interface */
Router(config)# ip nat outside
Router(config)# interface 0/0 /* LAN interface - to the server */
Router(config)# ip nat inside
- When you are finished, end the configuration.
Router(config)# end
Scoped routes for Anycast GRE or IPsec tunnels
To reduce latency for your Anycast GRE or IPsec tunnel configurations, especially if you operate your own Anycast network, Cloudflare can steer your traffic by scoping it to specific Cloudflare data center regions.
Valid Cloudflare regions include AFR, APAC, EEUR, ENAM, ME, OC, SAM, WEUR, and WNAM.
To configure scoping for your traffic, you must provide Cloudflare with Anycast GRE or IPsec tunnel data for each Cloudflare region.
Scoping configuration data example
GRE tunnel | Region code |
---|---|
GRE_1_IAD | AFR |
GRE_2_IAD | EEUR |
GRE_3_ATL | ENAM |
GRE_4_ATL | ME |
Cloudflare has nine geographic regions across the world which are listed below.
Region codes and associated regions
Region Code | Region |
---|---|
AFR | Africa |
APAC | Asia Pacific |
EEUR | Eastern Europe |
ENAM | Eastern North America |
ME | Middle East |
OC | Oceania |
SAM | South America |
WEUR | Western Europe |
WNAM | Western North America |