[MWAN] ARR routing (#27005)

marciocloudflare · web-flow · commit 4f3efb9e3a8a · 2025-12-09T10:00:44.000Z
* added gre arr step

* conditional to only show in mwan and wan tunnels

* arr ipsec

* arr routes

* corrected code

* corrected code

* added howto arr

* corrected code

* added tunnels var

* added links

* added links

* info

* added arr ref

* added links

* refined text

* refined text

* apirequest

* corrected param

* note for warp connector

* added api link
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/index.mdx
@@ -29,7 +29,7 @@ import { Render, Details} from "~/components";
 </Details>
 
 :::note
-WARP Connector is not currently supported in accounts that have [Magic WAN](/magic-wan/) enabled.
+Accounts on Legacy routing mode do not support WARP Connector when [Magic WAN](/magic-wan/) is enabled. Your account needs to be on the Cloudflare One Unified Routing for this to be supported. Contact your account team for more information.
 :::
 
 Cloudflare WARP Connector (beta) is a software client[^1] that enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure. WARP Connector establishes a secure Layer 3 proxy between a private network and Cloudflare, allowing you to:
diff --git a/src/content/docs/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-routes.mdx b/src/content/docs/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-routes.mdx
@@ -23,6 +23,9 @@ import { Render } from "~/components"
 		publicAsnMT: " ",
 		productGatewayOrEgress: "WAN Tunnels with Gateway",
 		cfTunnelURL: "/cloudflare-one/networks/connectors/wan-tunnels/zero-trust/cloudflare-tunnel/",
-		sitesURL: "/cloudflare-one/networks/connectors/wan-tunnels/configuration/common-settings/sites/"
+		sitesURL: "/cloudflare-one/networks/connectors/wan-tunnels/configuration/common-settings/sites/",
+		addTunnelsURL: "/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-tunnel-endpoints/#add-tunnels",
+		unifiedRoutingModeURL: "/cloudflare-one/networks/connectors/wan-tunnels/reference/traffic-steering/#unified-routing-mode",
+		arrReferenceURL: "/cloudflare-one/networks/connectors/wan-tunnels/reference/traffic-steering/#automatic-return-routing-beta"
 	}}
 />
diff --git a/src/content/docs/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-tunnel-endpoints.mdx b/src/content/docs/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-tunnel-endpoints.mdx
@@ -27,6 +27,7 @@ import { GlossaryTooltip, Render } from "~/components";
 		tunnelHealthDash: "/cloudflare-one/networks/connectors/wan-tunnels/configuration/common-settings/check-tunnel-health-dashboard/",
 		biVsUniHealthCheckDefaults: "For WAN Tunnels this option defaults to bidirectional",
 		configureRoutesURL: "/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-routes/",
-		sitesURL: "/cloudflare-one/networks/connectors/wan-tunnels/configuration/common-settings/sites/"
+		sitesURL: "/cloudflare-one/networks/connectors/wan-tunnels/configuration/common-settings/sites/",
+		configureARRURL: "/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-routes/#configure-automatic-return-routing-beta"
 	}}
 />
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/configure-routes.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/configure-routes.mdx
@@ -24,6 +24,9 @@ import { Render } from "~/components"
 		productGatewayOrEgress: "Magic WAN with Gateway",
 		dashButtonPath: "/?to=/:account/magic-wan/configuration",
 		cfTunnelURL: "/magic-wan/zero-trust/cloudflare-tunnel/",
-		sitesURL: "/magic-wan/configuration/common-settings/sites/"
+		sitesURL: "/magic-wan/configuration/common-settings/sites/",
+		addTunnelsURL: "/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/#add-tunnels",
+		unifiedRoutingModeURL: "/magic-wan/reference/traffic-steering/#unified-routing-mode",
+		arrReferenceURL: "/magic-wan/reference/traffic-steering/#automatic-return-routing-beta"
 	}}
 />
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints.mdx
@@ -28,6 +28,7 @@ import { GlossaryTooltip, Render } from "~/components";
 		tunnelHealthDash: "/magic-wan/configuration/common-settings/check-tunnel-health-dashboard/",
 		biVsUniHealthCheckDefaults: "For Magic WAN this option defaults to bidirectional",
 		configureRoutesURL: "/magic-wan/configuration/manually/how-to/configure-routes/",
-		sitesURL: "/magic-wan/configuration/common-settings/sites/"
+		sitesURL: "/magic-wan/configuration/common-settings/sites/",
+		configureARRURL: "/magic-wan/configuration/manually/how-to/configure-routes/#configure-automatic-return-routing-beta"
 	}}
 />
diff --git a/src/content/partials/networking-services/reference/traffic-steering.mdx b/src/content/partials/networking-services/reference/traffic-steering.mdx
@@ -26,7 +26,8 @@ The Magic networking routing table is a virtual network overlay, private to your
 - Magic Transit delivery for [DoS](/ddos-protection/) and <a href={props.mFirewallURL}>{props.mFirewallName}</a> filtered Internet traffic, from the entry data center where the traffic ingressed, to your publicly addressed edge/border network.
 - {props.productName} packet transport between Magic tunnels, interconnects, [Cloudflare Load Balancer](/load-balancing/), and [Zero Trust](/cloudflare-one/) connections such as <a href={props.warpClientURL}>WARP Client</a>, <a href={props.remoteBrowserURL}>Remote Browser Isolation</a>, <a href={props.accessURL}>Access</a>, and <a href={props.gatewayURL}>Gateway</a>.
 
-The Magic routing table supports routing the {props.productName} traffic via anycast tunnels using <a href={props.greIpsecReferenceURL}>GRE and Internet Protocol Security (IPsec)</a> or [Direct Cloudflare Network Interconnect (CNI)](/network-interconnect/). Entries can be added to the Magic routing table via static route configuration or via routes learned through BGP peering (only available over Direct CNI).
+The Magic routing table supports routing the {props.productName} traffic via anycast tunnels using <a href={props.greIpsecReferenceURL}>GRE and Internet Protocol Security (IPsec)</a> or [Direct Cloudflare Network Interconnect (CNI)](/network-interconnect/). Entries can be added to the Magic routing table via static route configuration or via routes learned through BGP peering (only available over Direct CNI).{ props.magicWord !== "Magic Transit" && (<> Traffic can also be routed automatically according to tracked flow state.</>)}
+
 
 ### Allowed IP ranges
 
@@ -142,6 +143,80 @@ AS_PATH: 65000 65000 65000 65200
 
 Cloudflare adjusts route priority when using AS prepending with communities. For example, if a route is tagged with `13335:60150`, the base priority is set to `150`. If you prepend your ASN twice, Cloudflare adds `10` for each prepend, increasing the route priority to `180`.
 
+{ props.magicWord !== "Magic Transit" && (
+	<>
+		<AnchorHeading title="Automatic Return Routing (beta)" depth={2} />
+		<Markdown
+		text={`
+Automatic Return Routing (ARR) allows Cloudflare to track network flows from your Magic WAN connected locations, ensuring return traffic is routed back to the connection where it was received without requiring static or dynamic routes. This functionality requires the new [Unified Routing mode](#unified-routing-mode).
+
+Instead of relying on static or dynamic routes for the return path, Magic WAN learns flows and remembers which connection a given flow arrived on. For any matching return traffic, Magic WAN uses this learned state to choose the next hop. This simplifies configuration, reduces the number of routes you must manage, and helps preserve symmetry for stateful traffic.
+
+ARR provides the following benefits:
+
+- **Removes the need for return routes**: For supported traffic types like new TCP connections (TCP SYN), UDP, and ICMP echo traffic, Magic WAN no longer requires a routing table entry to return traffic to the originating tunnel or interconnect.
+- **Maintains symmetric routing for flows**: Responses to a given flow (for example, a TCP session) return over the same Magic WAN connection that carried the initial request — important for stateful firewalls and middleboxes.
+- **Supports overlapping IP space**: Because the return path is tied to the learned connection state instead of a destination prefix in the routing table, Automatic Return Routing can support scenarios where different sites use overlapping private address space.
+- **Operates per connection**: You decide which IPsec / GRE tunnels or network interconnects should use this behavior by enabling the feature on each connection.
+		`}
+		inline={false}
+		/>
+
+		<AnchorHeading title="How ARR works" depth={3} />
+		<Markdown
+		text={`
+When traffic that is eligible for Automatic Return Routing (ARR) arrives on a connection with ARR enabled, Magic WAN creates a flow entry that records:
+
+- The source and destination IP addresses
+- The relevant ports or identifiers, depending on the protocol
+- The connection (tunnel or interconnect) that the traffic arrived on
+
+For any subsequent packets that match this flow and require a next hop, Magic WAN:
+
+1. Checks for a matching Automatic Return Routing flow.
+2. If a match exists, routes the packet back to the same connection where the flow was learned, instead of consulting the Magic WAN routing table.
+
+The initial request from your network to the Internet still uses your configured static or BGP routes. ARR only affects the return path for supported traffic after the flow is learned.
+		`}
+		inline={false}
+		/>
+
+		<AnchorHeading title="Traffic and destinations affected" depth={3} />
+		<Markdown
+		text={`
+Automatic Return Routing applies when:
+
+- Traffic is received on a tunnel or network interconnect where the feature is enabled.
+- The received traffic is one of:
+  - New TCP connections (TCP SYN)
+  - UDP
+  - ICMP echo (ping) requests
+- The traffic is destined for:
+  - Internet egress through Cloudflare
+  - A WARP client
+  - A private network connected to Cloudflare via Cloudflare Tunnel
+  - A private network connected to Cloudflare via WARP Connector
+
+In this initial release, ARR does not change routing for traffic between Magic WAN connections (for example, traffic from one Magic WAN tunnel or interconnect to another). That traffic continues to follow your configured Magic WAN routes.
+		`}
+		inline={false}
+		/>
+
+		<AnchorHeading title="Unified routing mode" depth={2} />
+		<Markdown
+		text={`
+The Unified routing mode is the newer Cloudflare One data plane that uses a single routing fabric for all supported connection types. Unified routing mode routes traffic across WARP, Cloudflare Tunnel, IPsec, GRE, and Cloudflare Network Interconnect (CNI) in a single system, making it easier to set up your Cloudflare One connections.
+
+In the Magic WAN dashboard, routing mode appears where you manage Magic routes:
+
+- **Routing mode: Unified** — your account is on the unified data plane and supports the new routing features.
+- **Routing mode: Legacy** — your account uses the previous data plane and does not support all unified routing features.
+		`}
+		inline={false}
+		/>
+	</>
+)}
+
 ## Scoping routes to specific regions
 
 If you have multiple connectivity paths to a network segment and you would like to apply different route prioritization based on where the traffic arrives at the Cloudflare network, you can scope routes to specific Cloudflare data center regions. This is useful, for example, if you run your own anycast network and want your end-user traffic to arrive at your network location closest to the user. When a route is scoped to a Cloudflare data center region it will only show up in the Magic routing table in that region, along with all global routes that do not have any region scope. Route prioritization and ECMP logic apply across both region-scoped and global routes.
diff --git a/src/content/partials/networking-services/routing/configure-routes.mdx b/src/content/partials/networking-services/routing/configure-routes.mdx
@@ -11,6 +11,9 @@ params:
   - dashButtonPath?
   - cfTunnelURL?
   - sitesURL?
+  - addTunnelsURL?
+  - unifiedRoutingModeURL?
+  - arrReferenceURL?
 ---
 
 import { AnchorHeading, Aside, APIRequest, DashButton, Markdown, Render, TabItem, Tabs } from "~/components";
@@ -21,6 +24,7 @@ Refer to <a href={props.trafficSteeringPage}>Traffic Steering</a> for more infor
 - Routes' priorities and weights
 - Regional scoping of traffic to reduce latency
 - BGP peering
+{ props.magicWord !== "Magic Transit" && (<Markdown text={`- Automatic Return Routing (ARR)`} inline={false} />)}
 
 { props.magicWord === "Magic Transit" && (
   <>
@@ -355,6 +359,51 @@ Example:
 
 </TabItem> </Tabs>
 
+{ props.magicWord !== "Magic Transit" && (
+	<>
+		<AnchorHeading title="Configure Automatic Return Routing (beta)" depth={2} />
+		<Markdown
+		text={`
+		[Automatic Return Routing (beta)](${props.arrReferenceURL}) allows Cloudflare to track network flows from your Magic WAN connected locations, ensuring return traffic is routed back to the connection where it was received without requiring static or dynamic routes. This functionality requires the new [Unified Routing mode](${props.unifiedRoutingModeURL}).
+
+		To enable ARR:
+		`}
+		inline={false}
+		/>
+
+		<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+		<Markdown
+		text={`
+1. Follow the [Add tunnels](${props.addTunnelsURL}) information to learn how to create an IPsec or GRE tunnel.
+2. On the tunnel's options, select **Automatic return routing**.
+3. Select **Add tunnels** to save your changes.
+		`}
+		inline={false}
+		/>
+
+		</TabItem> <TabItem label="API">
+
+		<Markdown text={`Create a \`POST\` request to create an [IPsec](/api/resources/magic_transit/subresources/ipsec_tunnels/methods/create/) or [GRE](/api/resources/magic_transit/subresources/gre_tunnels/methods/create/) tunnel with ARR enabled. For example:`} inline={false} />
+
+	<APIRequest
+		path="/accounts/{account_id}/magic/ipsec_tunnels"
+		method="POST"
+		json={{
+			"cloudflare_endpoint": "<CLOUDFLARE_ENDPOINT>",
+			"interface_address": "<INTERFACE_ADDRESS>",
+			"name": "IPsec_1",
+			"customer_endpoint": "<CUSTOMER_ENDPOINT>",
+			"description": "Tunnel for ISP X",
+			"psk": "<PSK>",
+			"automatic_return_routing": "true"
+		}}
+	/>
+		</TabItem> </Tabs>
+	</>
+)}
+
+
 
 ## Configure BGP routes
 
diff --git a/src/content/partials/networking-services/routing/configure-tunnels.mdx b/src/content/partials/networking-services/routing/configure-tunnels.mdx
@@ -15,6 +15,7 @@ params:
   - biVsUniHealthCheckDefaults
   - configureRoutesURL?
   - sitesURL?
+  - configureARRURL?
 ---
 
 import { AnchorHeading, APIRequest, CURL, DashButton, Details, GlossaryTooltip, Markdown, Render, TabItem, Tabs } from "~/components";
@@ -132,8 +133,9 @@ Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onb
 13. The **Health check direction** defaults to **{props.biVsUniHealthCheck}** for {props.productName}. Refer to [Bidirectional vs unidirectional health checks](#bidirectional-vs-unidirectional-health-checks) for more details.
 14. _(Optional)_ **Health check target** is the customer end of the tunnel. This field is only visible when the **Health check direction** is set to _Unidirectional_.
 15. _(Optional)_ We recommend you test your tunnel before officially adding it. To test the tunnel, select **Test tunnels**.
-16. To add multiple tunnels, select **Add GRE tunnel** for each new tunnel.
-17. After adding your tunnel information, select **Add tunnels** to save your changes.
+{ props.magicWord !== "Magic Transit" && (<Markdown text={`16. (Optional) Select **Automatic return routing** if you are setting up this tunnel for a site that only needs to send traffic to and receive responses from Cloudflare, and does not need to receive traffic from other sites in your WAN. Refer to [Configure Automatic Return Routing](${props.configureARRURL}) for more information.`} inline={false} />)}
+<Markdown text={`${props.magicWord !== "Magic Transit" ? "17" : "16"}. To add multiple tunnels, select **Add GRE tunnel** for each new tunnel.`} inline={false} />
+<Markdown text={`${props.magicWord !== "Magic Transit" ? "18" : "17"}. After adding your tunnel information, select **Add tunnels** to save your changes.`} inline={false} />
 
 </Details>
 
@@ -170,6 +172,9 @@ Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onb
     4. Select **Add tunnels**.
 
 16. (Optional) Enable **Replay protection** if you have devices that do not support disabling it. Refer to <a href={props.antiReplayPagePath}>Anti-replay protection</a> for more information.
+{ props.magicWord !== "Magic Transit" && (<Markdown text={`17. (Optional) Select **Automatic return routing** if you are setting up this tunnel for a site that only needs to send traffic to and receive responses from Cloudflare, and does not need to receive traffic from other sites in your WAN. Refer to [Configure Automatic Return Routing](${props.configureARRURL}) for more information.`} inline={false} />)}
+<Markdown text={`${props.magicWord !== "Magic Transit" ? "18" : "17"}. To add multiple tunnels, select **Add IPsec tunnel** for each new tunnel.`} inline={false} />
+<Markdown text={`${props.magicWord !== "Magic Transit" ? "19" : "18"}. After adding your tunnel information, select **Add tunnels** to save your changes.`} inline={false} />
 
 </Details>
 
