# CNI Patterns
See [README.md](README.md) for overview.
## High Availability
**Critical:** Design for resilience from day one.
**Requirements:**
- Device-level diversity (separate hardware)
- Backup Internet connectivity (no SLA on CNI)
- Network-resilient locations preferred
- Regular failover testing
**Architecture:**
```
Your Network A ──10G CNI v2──> CF CCR Device 1
                                     │
Your Network B ──10G CNI v2──> CF CCR Device 2
                                     │
                          CF Global Network (AS13335)
```
**Capacity Planning:**
- Plan across all links
- Account for failover scenarios
- Your responsibility
## Pattern: Magic Transit + CNI v2
**Use Case:** DDoS protection, private connectivity, no GRE overhead.
```typescript
// 1. Create interconnect
const ic = await client.networkInterconnects.interconnects.create({
  account_id: id,
  type: 'direct',
  facility: 'EWR1',
  speed: '10G',
  name: 'magic-transit-primary',
});
// 2. Poll until active (pollUntilActive is a helper defined elsewhere, not shown here)
const status = await pollUntilActive(id, ic.id);
// 3. Configure Magic Transit tunnel via Dashboard/API
```
**Benefits:** 1500 MTU both ways, simplified routing.
## Pattern: Multi-Cloud Hybrid
**Use Case:** AWS/GCP workloads with Cloudflare.
**AWS Direct Connect:**
```typescript
// 1. Order Direct Connect in AWS Console
// 2. Get LOA + VLAN from AWS
// 3. Send to CF account team (no API)
// 4. Configure static routes in Magic WAN
//    (configureStaticRoutes is a helper defined elsewhere, not shown here)
await configureStaticRoutes(id, {
  prefix: '10.0.0.0/8',
  nexthop: 'aws-direct-connect',
});
```
**GCP Cloud Interconnect:**
```
1. Get VLAN attachment pairing key from GCP Console
2. Create via Dashboard: Interconnects → Create → Cloud Interconnect → Google
   - Enter pairing key, name, MTU, speed
3. Configure static routes in Magic WAN (BGP routes from GCP ignored)
4. Configure custom learned routes in GCP Cloud Router
```
**Note:** Dashboard-only. No API/SDK support yet.
## Pattern: Multi-Location HA
**Use Case:** 99.99%+ uptime.
```typescript
// Primary (NY)
const primary = await client.networkInterconnects.interconnects.create({
  account_id: id,
  type: 'direct',
  facility: 'EWR1',
  speed: '10G',
  name: 'primary-ewr1',
});
// Secondary (NY, different hardware)
const secondary = await client.networkInterconnects.interconnects.create({
  account_id: id,
  type: 'direct',
  facility: 'EWR2',
  speed: '10G',
  name: 'secondary-ewr2',
});
// Tertiary (LA, different geography)
const tertiary = await client.networkInterconnects.interconnects.create({
  account_id: id,
  type: 'partner',
  facility: 'LAX1',
  speed: '10G',
  name: 'tertiary-lax1',
});
// BGP local preferences:
//   Primary:   200
//   Secondary: 150
//   Tertiary:  100
//   Internet:  Last resort
```
## Pattern: Partner Interconnect (Equinix)
**Use Case:** Quick deployment, no colocation.
**Setup:**
1. Order virtual circuit in Equinix Fabric Portal
2. Select Cloudflare as destination
3. Choose facility
4. Send details to CF account team
5. CF accepts in portal
6. Configure BGP
**No API automation** – partner portals managed separately.
## Failover & Security
**Failover Best Practices:**
- Use BGP local preferences for priority
- Configure BFD for fast detection (v1)
- Test regularly with traffic shift
- Document runbooks
**Security:**
- BGP password authentication
- BGP route filtering
- Monitor unexpected routes
- Magic Firewall for DDoS/threats
- Minimum API token permissions
- Rotate credentials periodically
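The route-filtering and unexpected-route monitoring items above, as an added TypeScript example (not Cloudflare SDK code or part of this project): it checks routes learned over a CNI BGP session against an allow list of expected prefixes and flags anything outside it or more specific than a chosen limit. The route table, allow list and addresses are constructed sample data.

```typescript
// Added example (not Cloudflare SDK or project code): audit routes learned over a
// CNI BGP session against the prefixes you expect the far side to announce.
interface LearnedRoute { prefix: string; nextHop: string; localPref: number }
function ipv4ToInt(ip: string): number {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Netmask for a prefix length; the len === 0 guard matters because << 32 wraps in JS.
function maskFor(len: number): number {
  return len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
}
function parseCidr(cidr: string): { net: number; len: number } {
  const [ip, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`invalid prefix: ${cidr}`);
  return { net: (ipv4ToInt(ip) & maskFor(len)) >>> 0, len };
}

// true when `candidate` equals `allowed` or is a more-specific of it
function coveredBy(candidate: string, allowed: string): boolean {
  const c = parseCidr(candidate), a = parseCidr(allowed);
  return c.len >= a.len && ((c.net & maskFor(a.len)) >>> 0) === a.net;
}
// One finding per unexpected route. `maxLen` rejects overly specific announcements
// (a /25 inside an allowed /8), which is how a route leak or hijack often shows up.
function auditRoutes(routes: LearnedRoute[], allowed: string[], maxLen = 24): string[] {
  const findings: string[] = [];
  for (const r of routes) {
    if (!allowed.some((a) => coveredBy(r.prefix, a))) {
      findings.push(`${r.prefix} via ${r.nextHop}: not in allow list`);
    } else if (parseCidr(r.prefix).len > maxLen) {
      findings.push(`${r.prefix} via ${r.nextHop}: more specific than /${maxLen}`);
    }
  }
  return findings;
}

// Constructed sample data (documentation-only addresses), not a real route dump.
const ALLOWED = ['10.0.0.0/8', '203.0.113.0/24'];
const SAMPLE_ROUTES: LearnedRoute[] = [
  { prefix: '10.1.0.0/16', nextHop: '192.0.2.1', localPref: 200 },     // expected
  { prefix: '10.1.2.0/25', nextHop: '192.0.2.1', localPref: 200 },     // too specific
  { prefix: '0.0.0.0/0', nextHop: '192.0.2.1', localPref: 200 },       // default-route leak
  { prefix: '198.51.100.0/24', nextHop: '192.0.2.1', localPref: 200 }, // not in allow list
];
```

Run `auditRoutes(SAMPLE_ROUTES, ALLOWED)` on a periodic export of the session's received routes and alert on a non-empty result; the same allow list is what the inbound BGP prefix filter on the session should enforce.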
## Decision Matrix
| Requirement | Recommended |
|-------------|-------------|
| Colocated with CF | Direct |
| Not colocated | Partner |
| AWS/GCP workloads | Cloud |
| 1500 MTU both ways | v2 |
| VLAN tagging | v1 |
| Public peering | v1 |
| Simplest config | v2 |
| BFD fast failover | v1 |
| LACP bundling | v1 |
## Resources
- [Magic Transit Docs](https://developers.cloudflare.com/magic-transit/)
- [Magic WAN Docs](https://developers.cloudflare.com/magic-wan/)
- [Argo Smart Routing](https://developers.cloudflare.com/argo/)