The attack surface has outgrown the hardware era
The largest DDoS attack Cloudflare has ever seen clocked in at 7.3 Tbps. A top-of-the-line enterprise firewall handles roughly 25 Gbps. To match that single attack with hardware, an organization would need to purchase 292 firewalls at $7.3 million — before installation, maintenance, or the next refresh cycle.
This is not a hypothetical edge case. It is the new normal. In Q1 2025 alone, Cloudflare mitigated 16.8 million network-layer DDoS attacks — a 509% increase year-over-year. The attack volume is growing faster than any organization can scale physical infrastructure to match it.
Magic Transit and Magic Firewall are Cloudflare's answer: a cloud-native, always-on network protection architecture that moves the defensive perimeter from your data center to Cloudflare's global edge. Traffic is inspected and scrubbed in 330+ cities before it ever reaches your infrastructure. You get the full capacity of Cloudflare's network — not just what a rack of hardware can absorb.
"A volumetric attack doesn't care how many firewalls you bought. It saturates your ISP link before your appliance ever sees a packet. The only effective defense is stopping the attack upstream — at the edge of the Internet, not the edge of your data center."
— Cloudflare Network Protection Architecture Guide
The Modern DDoS Threat Landscape
DDoS attacks are no longer the domain of unsophisticated actors with a single tool. Modern attacks are multi-vector, globally distributed, and increasingly automated — launched by botnets spanning hundreds of countries simultaneously to maximize the chance of saturating any single defensive choke point.
Attack Volume Is Growing Exponentially
Source: Cloudflare DDoS Threat Report, Q1 2025. Q1 2025 represents a 397% QoQ and 509% YoY increase.
Attack Size Has Crossed the Hardware Threshold
The critical inflection point happened when attack sizes began routinely exceeding the capacity of enterprise-grade hardware appliances. Hardware-based DDoS protection is fundamentally capped by the speed of your ISP uplink — and modern volumetric attacks are designed specifically to saturate that link before any appliance can respond.
Hardware capacity based on Fortinet enterprise-class appliance (25 Gbps). Attack sizes based on publicly reported incidents and Cloudflare threat data.
Hardware DDoS appliances sit inside your data center, behind your ISP connection. By the time a 1+ Tbps volumetric attack reaches your appliance, your entire ISP uplink is already saturated. Legitimate traffic cannot get through regardless of how capable your hardware is. The attack wins before your defense fires a single packet.
Attack Categories: What You're Defending Against
| Attack Type | Layer | Mechanism | Hardware Defense | Magic Transit |
|---|---|---|---|---|
| Volumetric Flood | L3/L4 | Saturate bandwidth with junk traffic | ✗ ISP link saturated first | ✓ Absorbed at edge |
| SYN/ACK Flood | L4 | Exhaust connection state tables | ~ Limited capacity | ✓ Stateless mitigation at edge |
| UDP Reflection | L3 | Amplify traffic via open resolvers/NTP | ✗ Amplification overwhelms uplink | ✓ Scrubbed before ISP uplink |
| Protocol Exploit | L3/L4 | Exploit fragmentation, TTL, IP options | ~ Requires manual rule updates | ✓ Magic Firewall rules + IDS |
| Multi-Vector | L3–L7 | Simultaneous attack on multiple layers | ✗ Requires multiple appliances | ✓ Single unified protection layer |
Why On-Premise Hardware Is No Longer Sufficient
On-premise DDoS appliances were the right answer for a threat landscape that no longer exists. The attacks of 2025 are categorically different — in scale, sophistication, and geographic distribution — from the attacks these appliances were designed to absorb.
The Three Unsolvable Problems with Hardware
The ISP Choke Point
Hardware lives downstream of your ISP link. A volumetric attack saturates that link first. Your appliance never gets a chance to act — your network is offline before the hardware can respond. No amount of scrubbing capacity inside your data center solves this problem.
Capacity Ceiling
A top enterprise appliance handles ~25 Gbps. Cloudflare has seen attacks at 7,300 Gbps. To match that attack with hardware, you would need 292 appliances — at every location you need to protect. Hardware capacity is a fixed ceiling; attack sizes are not.
CapEx, Maintenance, and Refresh Cycles
Hardware requires upfront capital, ongoing power and cooling costs, manual patching, and forced 3–5 year refresh cycles. Threat intelligence must be manually updated. Every upgrade window is a window of vulnerability. The total cost of ownership is consistently underestimated.
The Existing Alternatives Also Fall Short
| Approach | Strengths | Critical Weaknesses |
|---|---|---|
| On-Prem Hardware (Radware, Arbor, Fortinet) | Full control; low latency for local traffic | ISP link saturated before defense activates; capacity ceiling; manual patching |
| Cloud Scrubbing Centers (Akamai/Prolexic, Imperva, Vercara) | Better capacity than on-prem | Usually manually activated — requires a human to "press the button"; adds latency via backhaul; centralized = single point of congestion |
| ISP-Provided Protection (Verizon, Lumen, AT&T) | Low cost; upstream from customer | Slow to activate (manual); if attack threatens other ISP customers, they black-hole your traffic — including legitimate users |
| Magic Transit (Cloudflare) | Always-on; 405+ Tbps capacity; 330+ PoPs; sub-3s detection; zero hardware | Requires BGP advertisement of IP prefixes (/24 minimum); enterprise-only |
Magic Transit — DDoS Protection at Cloudflare Scale
Magic Transit is Cloudflare's network security and performance solution for enterprises with their own IP space. It uses Cloudflare's global anycast network to absorb and scrub all traffic before it reaches your data center — protecting on-premises, cloud-hosted, and hybrid networks without adding latency.
How It Works
BGP Advertisement — Traffic Enters Cloudflare's Network
Cloudflare advertises your IP prefixes via BGP from all 330+ global locations simultaneously. All Internet traffic destined for your IPs is routed to the nearest Cloudflare data center — before it touches your ISP link.
Edge Scrubbing — Attack Traffic Dropped at the Source
Cloudflare's automated DDoS protection system analyzes all inbound traffic in real time. Attack patterns are detected within seconds and mitigation rules are deployed across the entire global network simultaneously. Bad traffic is dropped at the edge — never forwarded.
Tunnel Forwarding — Only Clean Traffic Reaches You
Scrubbed, legitimate traffic is forwarded to your data center over encrypted GRE or IPsec tunnels. Your infrastructure only ever sees clean traffic. Direct Server Return (DSR) means outbound traffic doesn't need to pass through Cloudflare, preserving performance.
Anycast Resilience — Automatic Failover, No Redundant Hardware
Because Cloudflare uses anycast addressing, your tunnel endpoint connects to all Cloudflare data centers simultaneously. If any location experiences an issue, traffic automatically reroutes — with zero impact to performance and no manual intervention required.
Key Capabilities
Always-On DDoS Protection
No manual activation. Protection is active 24/7 from the moment traffic is routed through Cloudflare. Sub-3 second detection and mitigation for new attack vectors.
Traffic Acceleration
Magic Transit steers traffic along optimized tunnel routes using equal-cost multi-path routing. The closest Cloudflare PoP handles every request — reducing latency, not adding it.
Anycast Global Network
A single tunnel configuration connects your network to all 330+ Cloudflare data centers. No per-location configuration. Automatic global failover built in.
BGP Peering & Prefix Control
Use BGP to dynamically advertise and withdraw prefixes, automate failover, and maintain full control over which traffic flows through Magic Transit at any given time.
Real-Time Visibility
Monitor traffic patterns, attack activity, and mitigation actions in real time via Cloudflare's analytics dashboard. Set custom alerts for any threshold — no SIEM required.
Cloudflare Network Interconnect
Connect directly to Cloudflare via CNI, bypassing the public Internet entirely for the most sensitive workloads. 1500-byte MTU handoff, maximum reliability.
Network Performance: The Counter-Intuitive Truth
Traditional security thinking assumes that routing traffic through a third party adds latency. Magic Transit inverts this assumption. Because Cloudflare's network spans 330+ cities and peers directly with ISPs, CDNs, and cloud providers globally, traffic is often faster through Cloudflare than around it — optimized routes replace suboptimal public Internet paths.
Magic Transit uses equal-cost multi-path (ECMP) routing to load-balance across tunnels with the same prefix and priority — providing both resilience and throughput optimization simultaneously. Security does not have to mean a latency tradeoff.
Magic Firewall — Firewall-as-a-Service at the Edge
Magic Firewall (now Cloudflare Network Firewall) is a cloud-delivered firewall that runs on Cloudflare's global network, complementing Magic Transit's DDoS protection with deep packet filtering, protocol-level controls, and active intrusion detection. It replaces the need for physical firewall appliances at each network location.
Rules are written using the Cloudflare Rules language — a syntax inspired by Wireshark, familiar to any network engineer — allowing precise allow/deny decisions on any traffic attribute: protocol, port, packet length, IP range, bit flags, and more.
Core Capabilities
Advanced Packet Filtering
Apply rules based on protocol, source/destination IP, port, packet length, TCP flags, ICMP type, and more. Craft precise policies that block exactly what you need to block without touching legitimate traffic.
Intrusion Detection System (IDS)
Actively monitor traffic for thousands of known threat signatures — ransomware, data exfiltration, network scanning, lateral movement. Go beyond packet filtering to detect sophisticated multi-stage attacks.
Wireshark-Inspired Rule Syntax
Write firewall rules in a syntax your network engineers already know. The Cloudflare Rules language is expressive, well-documented, and consistent with the syntax used across all Cloudflare security products.
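To make the rule model concrete, here is an added example (not Cloudflare's code and not the product's own parser) that evaluates rules written in a small Wireshark-style subset, `and`-joined clauses of `field op value` with optional `not`, against constructed packet metadata, and runs the policy in log-only mode and then in enforce mode, mirroring the practice of testing rules before enforcing them. Field names such as `ip.src`, `ip.len`, `udp.dstport`, `tcp.flags.syn` and `icmp.type` are assumed Wireshark-style names, and the sample policy and packets are constructed for the demonstration.

```python
import ipaddress
import re

def packet(src, dst, proto, length, dport=0, flags=(), icmp_type=None):
    # Constructed packet metadata keyed by Wireshark-style field names; the exact
    # Magic Firewall field list is an assumption here. None means "field absent".
    tcp, udp, icmp = proto == 6, proto == 17, proto == 1
    return {"ip.src": ipaddress.ip_address(src), "ip.dst": ipaddress.ip_address(dst),
            "ip.proto": proto, "ip.len": length,
            "tcp.dstport": dport if tcp else None, "udp.dstport": dport if udp else None,
            "tcp.flags.syn": tcp and "syn" in flags, "tcp.flags.ack": tcp and "ack" in flags,
            "icmp.type": icmp_type if icmp else None}

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}
CLAUSE = re.compile(r"^(not\s+)?([\w.]+)(?:\s*(==|!=|>|<)\s*([\w.:/]+))?$")

def compare(val, op, ref):
    if val is None:                                   # field absent for this protocol
        return False
    if ref.isdigit():
        return OPS[op](val, int(ref))
    net = ipaddress.ip_network(ref, strict=False)     # a bare address becomes a /32
    if op not in ("==", "!="):
        raise ValueError(f"operator {op} is not valid for an address or prefix")
    return (val in net) == (op == "==")

class Rule:  # 'and'-joined clauses of the form [not] field [op value]; no 'or', no parentheses
    def __init__(self, expr):
        parts = [CLAUSE.match(p.strip()) for p in expr.split(" and ")]
        if not all(parts):
            raise ValueError(f"cannot parse rule {expr!r}")
        self.clauses = [m.groups() for m in parts]

    def matches(self, pkt):
        for negate, field, op, ref in self.clauses:
            hit = compare(pkt[field], op, ref) if op else bool(pkt[field])  # KeyError if unknown
            if hit == bool(negate):        # fails when matched-but-negated, or simply unmatched
                return False
        return True

def apply_policy(rules, packets, enforce=False):
    # First match wins. Log-only (enforce=False): every packet is allowed and each match
    # is only logged for review. Enforce: the matching rule's action is applied.
    verdicts, log = [], []
    for pkt in packets:
        action = "allow"
        for name, rule, act in rules:
            if rule.matches(pkt):
                log.append(f"{name}: {pkt['ip.src']} -> {pkt['ip.dst']} proto {pkt['ip.proto']}: {act}")
                action = act if enforce else "allow"
                break
        verdicts.append(action)
    return verdicts, log

# Constructed sample policy and traffic (RFC 5737 documentation addresses).
RULES = [("allow-dns", Rule("udp.dstport == 53"), "allow"),
         ("block-range-syn", Rule("ip.src == 203.0.113.0/24 and tcp.flags.syn and not tcp.flags.ack"), "block"),
         ("block-icmp-redirect", Rule("ip.proto == 1 and icmp.type == 5"), "block"),
         ("block-large-udp", Rule("ip.proto == 17 and ip.len > 1400"), "block")]
PACKETS = [packet("203.0.113.9", "198.51.100.1", 6, 60, 443, ("syn",)),
           packet("192.0.2.4", "198.51.100.1", 6, 60, 443, ("syn",)),
           packet("192.0.2.4", "198.51.100.53", 17, 1480, 53),
           packet("192.0.2.7", "198.51.100.1", 1, 84, icmp_type=5)]
```

Running `apply_policy(RULES, PACKETS)` logs three matches while allowing everything, and the enforce run then blocks the first and last packets. The oversized DNS packet is allowed because `allow-dns` precedes `block-large-udp`, which is exactly the ordering question a log-only pass is meant to surface before enforcement.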
Globally Enforced, Centrally Managed
A single rule set enforced across every Cloudflare data center simultaneously. No appliance-by-appliance configuration. No drift between locations. Changes deploy globally in seconds.
Office Network Protection
Protect branch offices and corporate networks — not just data centers. Magic Firewall extends network security to every location connected to Cloudflare, including those connected via Cloudflare WAN.
Zero Trust Integration
Magic Firewall is a building block of Cloudflare's broader Zero Trust and SASE architecture. Network-layer firewall policies integrate natively with identity, device posture, and application-layer controls.
Intrusion Detection: Beyond Packet Filtering
The IDS capability in Magic Firewall extends protection from "block known-bad packets" to "detect known attack patterns in traffic flows." This matters because sophisticated attackers increasingly use protocol-compliant traffic to evade traditional packet filters — the packets themselves look legitimate, but the pattern reveals malicious intent.
| Threat Category | Detection Method | Hardware Firewall | Magic Firewall IDS |
|---|---|---|---|
| Ransomware C2 Traffic | Signature matching on known C2 patterns | ✗ Requires manual signature updates | ✓ Auto-updated signatures globally |
| Data Exfiltration | Anomalous outbound data volume patterns | ~ Limited without deep inspection | ✓ IDS signature coverage |
| Network Scanning | Port sweep and probe pattern detection | ~ Basic rate-limiting only | ✓ Full scan pattern detection |
| Lateral Movement | East-west traffic analysis | ✗ Not visible to perimeter appliance | ✓ Detected in transit |
Hardware vs. Cloud: The Full Comparison
The decision to move from hardware to cloud-native network protection is not just a technology choice — it's a financial and operational one. The total cost of ownership for hardware consistently exceeds initial estimates once power, cooling, staffing, patching, and refresh cycles are included.
Feature Comparison
| Capability | On-Prem Hardware | Cloud Scrubbing | Magic Transit + Magic Firewall |
|---|---|---|---|
| Max DDoS Mitigation Capacity | ~25 Gbps per appliance | Tbps-scale, but centralized | 405+ Tbps, globally distributed |
| Protection Activation | Manual (human must act) | Usually manual | Always-on, automatic |
| Upstream of ISP Link | ✗ No | ✓ Yes, but via backhaul | ✓ Yes, at global edge |
| Latency Impact | None (local) | Adds latency via backhaul | None to negative (route optimization) |
| Threat Intelligence Updates | Manual patching | Vendor-managed | Automatic, real-time, global |
| High Availability | Requires duplicate hardware | Vendor-dependent | Built-in anycast failover |
| Cost Model | High CapEx + OpEx | OpEx, but per-attack pricing | Predictable OpEx subscription |
| Firewall Policy Management | Per-appliance, location by location | Limited filtering at scrubbing center | Single policy, globally enforced |
| Intrusion Detection (IDS) | Add-on, limited signatures | Varies by vendor | Built-in, auto-updated signatures |
| Zero Trust Integration | ✗ Separate architecture | ✗ Separate architecture | ✓ Native Cloudflare One integration |
| Scalability | Buy more hardware | Limited by scrubbing center capacity | Scales with Cloudflare network growth |
The Financial Case: CapEx vs. OpEx
Illustrative model. Hardware costs include appliance purchase, power/cooling (est. $15K/yr per rack), staffing for patching and maintenance, and one refresh cycle at year 3. Cloudflare pricing is representative subscription cost.
Hardware — Hidden Costs
- Upfront appliance purchase ($25K–$500K+)
- Redundant hardware for HA (2× cost)
- Power and cooling ($10K–$20K/yr per rack)
- Staff time for patching and maintenance
- Forced hardware refresh every 3–5 years
- Professional services for deployment
- Separate hardware at each protected location
- No protection against ISP-link saturation attacks
Magic Transit — What's Included
- 405+ Tbps global DDoS mitigation capacity
- Always-on, automatic protection (no activation)
- 330+ cities — all covered under one subscription
- Real-time threat intelligence, auto-updated
- Built-in anycast HA — no redundant hardware needed
- Magic Firewall packet filtering + IDS
- Cloudflare One Zero Trust integration
- Real-time analytics and alerting dashboard
Reference Architecture
Magic Transit and Magic Firewall are designed to integrate with existing network infrastructure via standard protocols — no forklift upgrade required. The most common deployment uses anycast GRE or IPsec tunnels from your data center edge routers to Cloudflare, with BGP for prefix advertisement and route control.
Deployment Options
Default: Ingress Protection + Direct Server Return (DSR)
Magic Transit scrubs all inbound traffic. Clean traffic is forwarded to your data center via GRE/IPsec tunnel. Outbound (return) traffic bypasses Cloudflare via your ISP — no additional latency, no bandwidth cost on egress. This is the most common deployment pattern.
Bidirectional: Full Traffic Steering
Both inbound and outbound traffic flows through Cloudflare. Enables full traffic visibility, outbound filtering, and integration with Cloudflare's Zero Trust and SASE stack. Used when complete network visibility is required.
Cloudflare Network Interconnect (CNI)
For the highest-security and highest-performance deployments: connect your infrastructure directly to Cloudflare via a dedicated physical or virtual interconnect, bypassing the public Internet entirely. 1500-byte MTU handoff, maximum reliability, private peering.
Hybrid Cloud
Protect on-premises data centers, cloud-hosted infrastructure (AWS, Azure, GCP), and co-location facilities under a single Magic Transit configuration. Cloudflare's network topology-aware routing handles prefix advertisement across all environments simultaneously.
Integration with Cloudflare One (Zero Trust)
Magic Transit and Magic Firewall are native building blocks of Cloudflare's Connectivity Cloud — the same platform that powers Cloudflare Access, Gateway, WARP, and the full SASE suite. This means network protection and Zero Trust access control share the same policy engine, the same identity context, and the same management plane — eliminating the integration work required when these are separate vendor products.
Organizations running Magic Transit alongside Cloudflare One get unified visibility across their entire network and access control stack — from L3/L4 DDoS protection to L7 application access, from on-premises infrastructure to remote workers. A single Cloudflare dashboard replaces dashboards from multiple point solution vendors.
Who Needs Enterprise Network Protection
Any organization that operates its own IP infrastructure — data centers, co-lo facilities, hybrid cloud environments — and whose business continuity depends on network availability is a candidate for Magic Transit. The risk profile is highest in industries where downtime carries direct financial, regulatory, or reputational consequences.
Source: Cloudflare DDoS Threat Report 2025. Index based on relative attack frequency per industry segment.
Ideal Organization Profile
Strong Fit — Magic Transit
- Owns or leases IP space (/24 prefix or larger)
- Operates hybrid or on-premises data center infrastructure
- Highly regulated industry (Finance, Healthcare, Government)
- Existing legacy on-premise DDoS appliance nearing refresh
- Global infrastructure presence — multiple locations to protect
- Prior DDoS incident or known attack history in their sector
- Sensitivity to downtime: payments, reservations, real-time ops
- Actively looking to reduce hardware CapEx
Consider Carefully
- 100% of infrastructure in public cloud (no own IP space)
- Digital-native organizations (cloud-native by design)
- ISPs or telcos needing multi-tenant, large-prefix capabilities
- Organizations below /24 prefix ownership threshold
- Buyers with multi-year lock-in on incumbent solutions
- Organizations with no self-managed network infrastructure
Industry Impact Examples
| Industry | Critical Applications at Risk | Cost of a Major DDoS Outage |
|---|---|---|
| Financial Services | Trading platforms, payment processing, customer portal, core banking | $500K–$5M+ per hour (regulatory fines + lost transactions) |
| Healthcare | Patient records, pharmacy systems, medical device networks, scheduling | Patient safety risk; HIPAA exposure; operational paralysis |
| Gaming & Media | Game servers, streaming infrastructure, CDN origin | Direct revenue loss; player churn; SLA penalties |
| Retail & E-Commerce | Checkout, inventory, POS systems, customer accounts | Lost sales (avg. $5K/min for large retailers during peak) |
| Government & Public Sector | Citizen services, emergency systems, elections infrastructure | National security implications; public trust erosion |
| Telecommunications | Core network infrastructure, DNS, customer-facing services | Cascading outages for downstream customers; regulatory liability |
Next Steps
Moving from hardware to Magic Transit does not require a forklift migration. The typical onboarding process takes 4–6 weeks from contract signature to live traffic protection, and can be done in parallel with existing infrastructure — with a clean cutover when you're ready.
Onboarding Process Overview
Scope Your Configuration
Identify the IP prefixes (/24 minimum) you want to protect. Verify IRR entries and router compatibility. Draft Letter of Agency (LOA) authorizing Cloudflare to announce your prefixes.
Configure Tunnels
Establish GRE or IPsec tunnels from your data center edge router(s) to Cloudflare. Set MSS clamping per Cloudflare's router vendor guidelines. Configure health check probes.
Define Magic Firewall Policies
Write your initial packet filtering rules in the Cloudflare Rules language. Enable IDS for your required threat categories. Test rules in log-only mode before enforcing.
Cut Over Traffic
Cloudflare begins advertising your prefixes via BGP. Traffic flows through the Cloudflare network. Monitor the real-time analytics dashboard. Decommission or repurpose hardware on your own timeline.
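For the tunnel step above, an added worked example (not Cloudflare's published guidance; the values your router should use come from the vendor guidelines) that derives the inner MTU and the TCP MSS clamp from the encapsulation overhead of GRE and IPsec ESP, including the ESP padding that makes IPsec overhead depend on packet size. Header sizes are standard protocol constants; the 1500-byte outer MTU is an assumed path MTU.

```python
# Added example: derive tunnel inner MTU and TCP MSS clamp values from encapsulation
# overhead. Header sizes are standard protocol constants; a 1500-byte outer path MTU
# is an assumption for the worked numbers, not a Cloudflare-published value.
IP4, IP6, TCP, UDP = 20, 40, 20, 8
GRE_BASE, GRE_KEY = 4, 4            # GRE header; optional key field adds 4 bytes
ESP_HDR, ESP_TRAILER = 8, 2         # SPI + sequence number; pad length + next header

def gre_overhead(inner_len, outer_v6=False, keyed=False):
    # GRE overhead is fixed; inner_len is accepted so both encapsulations share one signature.
    return (IP6 if outer_v6 else IP4) + GRE_BASE + (GRE_KEY if keyed else 0)

def esp_overhead(inner_len, outer_v6=False, iv=8, icv=16, align=4, nat_t=False):
    # ESP pads so that payload + trailer is a multiple of the cipher alignment
    # (4 for AES-GCM, 16 for AES-CBC), so the overhead depends on the inner length.
    padding = (-(inner_len + ESP_TRAILER)) % align
    return ((IP6 if outer_v6 else IP4) + (UDP if nat_t else 0)
            + ESP_HDR + iv + padding + ESP_TRAILER + icv)

def inner_mtu(outer_mtu, overhead):
    # Largest inner packet whose encapsulated size still fits the outer MTU.
    size = outer_mtu
    while size + overhead(size) > outer_mtu:
        size -= 1
    return size

def mss_clamp(outer_mtu, overhead, inner_v6=False):
    # TCP MSS = inner MTU minus the inner IP header and a 20-byte TCP header.
    return inner_mtu(outer_mtu, overhead) - (IP6 if inner_v6 else IP4) - TCP

def fits(inner_len, outer_mtu, overhead):
    # True if a packet of inner_len bytes is encapsulated without needing fragmentation.
    return inner_len + overhead(inner_len) <= outer_mtu

def clamp_table(outer_mtu=1500):
    # (inner MTU, MSS clamp) for the common encapsulation choices on one outer path MTU.
    cases = {
        "gre/ipv4": gre_overhead,
        "gre/ipv4 keyed": lambda n: gre_overhead(n, keyed=True),
        "gre/ipv6": lambda n: gre_overhead(n, outer_v6=True),
        "esp aes-gcm": esp_overhead,
        "esp aes-gcm nat-t": lambda n: esp_overhead(n, nat_t=True),
        "esp aes-cbc sha256": lambda n: esp_overhead(n, iv=16, icv=16, align=16),
    }
    return {name: (inner_mtu(outer_mtu, ovh), mss_clamp(outer_mtu, ovh))
            for name, ovh in cases.items()}

if __name__ == "__main__":
    for name, (mtu, mss) in clamp_table().items():
        print(f"{name:22} inner MTU {mtu}  clamp MSS to {mss}")
    # A full-size 1500-byte inner packet never fits once encapsulated:
    print("1500-byte packet fits GRE tunnel:", fits(1500, 1500, gre_overhead))
```

Without clamping, a host that advertises a 1460-byte MSS on a 1500-byte LAN sends segments that no longer fit the tunnel once encapsulated, which is why the MSS is rewritten on the SYN at the tunnel edge.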
Prerequisites
- IP Space: You must own or lease at least one /24 IP prefix (or use Cloudflare IPs for smaller networks).
- Router Compatibility: Your edge router must support GRE or IPsec tunnel configuration.
- IRR Registration: Your prefixes must be registered in an Internet Routing Registry.
- Enterprise Contract: Magic Transit is an Enterprise-only product — contact your Cloudflare account team or sales@cloudflare.com.
Resources
Magic Transit Documentation
Full product docs, getting started guides, tunnel configuration, and traffic steering reference.
Reference Architecture
Deep dive into deployment architectures, BGP configuration, and hybrid cloud integration patterns.
Data Center Protection Learning Path
Step-by-step guided learning path for evaluating and deploying Magic Transit in your environment.
Talk to an Expert
Contact your Cloudflare account team or reach out at cloudflare.com/enterprise to start a conversation.