Traffic flow through Cloudflare
Internet traffic is made up of people, services, and agents requesting online resources from wherever they are hosted. Your resources may be publicly available, like a website or application that anyone on the Internet can access. Or your resources may be privately available, like an internal app or network that only your employees and partners should be able to access.
Both public and private resources can be connected to the Cloudflare network to ensure only good actors can access what they are supposed to be able to access with high performance.
For example, you may not always want the direct traffic because it can come from malicious sources, like hackers, or in the form of DDoS attacks ↗. Additionally, depending on the location where the request originated, you want to ensure the traffic is routed through the most efficient and fastest path.
Cloudflare's global network ↗, coupled with Anycast ↗ IP addressing, ensures that requests are handled by a Cloudflare server that is as close to the source as possible.
If you want to protect your traffic and ensure it travels efficiently, you need to configure Cloudflare to be in front of whatever you are trying to protect, such as your application, service, or server. How you put your resources behind Cloudflare's network will depend on the type of traffic and how you want to control it.
Traffic that enters Cloudflare's network is referred to as "on-ramping," and traffic that exits Cloudflare's network is referred to as "off-ramping." You may also know this as ingress and egress or "routing your traffic" through a network.
When you on-ramp traffic to Cloudflare, this allows Cloudflare to act on, secure, and increase performance of that traffic.
One example of on-ramping traffic to Cloudflare is updating your public website to use Cloudflare as the primary authoritative DNS provider for your domain.
However, maybe you need to protect a private application that is not directly available on the Internet. In this scenario, you can:
- Connect your private application to Cloudflare using secure tunnels, and use a device agent to connect as a user.
- For users already connected to a private company network, connect the entire network to Cloudflare using secure tunnels, and any request from a user device will access the private application through those tunnels.
With these options, any request from a user device can access internal private applications via the secure private tunnels.
Refer to the list below for products you can use to on-ramp traffic to Cloudflare.
- Anycast routing ↗ uses Anycast IP addressing to route traffic to the nearest Cloudflare data center. Selective routing allows an Anycast network to be resilient in the face of high traffic volume, network congestion, and DDoS attacks ↗.
- DNS-based traffic resolves domains onboarded to Cloudflare's CDN. Cloudflare's DNS directs traffic to Cloudflare's global network of servers instead of a website's origin server.
- Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP address so that your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.
- Magic Transit offers DDoS protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks by accepting IP packets destined for your network, processing them, and outputting the packets to your origin infrastructure.
- The Cloudflare WARP client securely and privately sends traffic from corporate devices to Cloudflare's global network while also applying advanced Zero Trust policies that check for a device's health before it connects to corporate applications.
If you need to ensure traffic leaves Cloudflare's network in a specific way, you can manage how traffic is off-ramped.
For example, if you need to adhere to regional laws that dictate user traffic and require data never leaves your country, you can configure off-ramp and on-ramp traffic on servers in the same geographical area.
Or maybe you want to force traffic to off-ramp in a certain country to maintain your user's experience. For example, if you have employees in India who travel frequently, you can configure the off-ramp traffic to always appear to come from India so websites they visit maintain their language and preferences.
You can also utilize caching to help with performance. Instead of off-ramp traffic going to a server across the globe, Cloudflare can cache that content locally for the user to reduce the overall time for their request.
Refer to the list below for products you can use to off-ramp traffic from Cloudflare.
- Argo Smart Routing detects real-time network issues and routes your web traffic across the most efficient network path, avoiding congestion.
- Cache works with cached content to avoid off-ramping to origin servers and instead serving directly from Cloudflare's global network.
- Regional services lets you choose which subset of data centers decrypt and service HTTPS traffic, which can help customers who have to meet regional compliance or have preferences for maintaining regional control over their data.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark