
Magic Transit egress

The suggestions in the Minimal ruleset and Extended ruleset are recommendations for ingress (incoming) traffic. This page covers the additional considerations needed for egress (outgoing) traffic.

Cloudflare Network Firewall does not track connection state (it is not "stateful"). A stateful firewall automatically allows return traffic for active connections — for example, if you send a request outbound, the response is allowed back in. Because Network Firewall is not stateful, each packet — whether ingress or egress — is evaluated independently against your rules, with no knowledge of whether it is a reply to an earlier packet. This means a block rule written with ingress in mind, such as a default-drop catchall, is also applied to egress packets and can inadvertently drop them.

For Magic Transit egress traffic, consider the following:

  • Network Firewall rules apply to both Magic Transit ingress and egress traffic passing through Cloudflare.

  • If you have a "default drop" catchall rule (a final rule that blocks all traffic not matched by earlier rules) for ingress traffic, you must add an earlier rule that permits traffic sourced from your Magic Transit prefix to any destination. Without it, outbound egress traffic falls through to the catchall and is dropped.

    For example, place the following allow rule before any default-drop catchall rule:

    Match: ip.src in {<YOUR_MAGIC_TRANSIT_PREFIX>}
    Action: Allow
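The following Python script is an added illustration, not code from Cloudflare or from this page: it models first-match, stateless rule evaluation over a few constructed packets to show why an ingress-only ruleset with a default-drop catchall drops egress traffic, and why the source-prefix permit has to sit before the catchall. The prefix 203.0.113.0/24 (an RFC 5737 documentation range) stands in for <YOUR_MAGIC_TRANSIT_PREFIX>, the rule and packet fields are simplified, and the assumption that a packet matching no rule is allowed is the model's, not a statement about Cloudflare's engine.

```python
"""Model of first-match, stateless rule evaluation (illustration only,
not Cloudflare's implementation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed example prefix, standing in for <YOUR_MAGIC_TRANSIT_PREFIX>.
MAGIC_TRANSIT_PREFIX = "203.0.113.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "block"
    src: Optional[str] = None       # CIDR; None means any source
    dst: Optional[str] = None       # CIDR; None means any destination
    dst_port: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        """Match on header fields only; direction is never consulted."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches.

    There is no connection table, so a reply is judged exactly like any
    other packet. A packet matching no rule is allowed; that is an
    assumption of this model, not a documented Cloudflare default.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "allow", "<no match>"


# Ingress-only ruleset: permit HTTPS to the prefix, drop everything else.
INGRESS_ONLY = [
    Rule("allow-https-in", "allow", dst=MAGIC_TRANSIT_PREFIX, dst_port=443),
    Rule("default-drop", "block"),
]

# Same ruleset with the egress permit (ip.src in {prefix}, dst any)
# placed before the catchall, as the page recommends.
WITH_EGRESS_ALLOW = [
    Rule("allow-https-in", "allow", dst=MAGIC_TRANSIT_PREFIX, dst_port=443),
    Rule("allow-egress", "allow", src=MAGIC_TRANSIT_PREFIX),
    Rule("default-drop", "block"),
]

# Egress permit placed after the catchall: first match wins, so it is never reached.
EGRESS_ALLOW_TOO_LATE = [
    Rule("allow-https-in", "allow", dst=MAGIC_TRANSIT_PREFIX, dst_port=443),
    Rule("default-drop", "block"),
    Rule("allow-egress", "allow", src=MAGIC_TRANSIT_PREFIX),
]

# Constructed packets: an inbound HTTPS request to a host in the prefix,
# that host's reply (egress), an outbound DNS query the host initiates,
# and an inbound packet whose source address lies inside the prefix.
INBOUND_REQUEST = Packet(src="198.51.100.7", dst="203.0.113.10", dst_port=443)
REPLY_TO_IT = Packet(src="203.0.113.10", dst="198.51.100.7", dst_port=51234)
OUTBOUND_DNS = Packet(src="203.0.113.10", dst="192.0.2.53", dst_port=53)
INBOUND_FROM_OWN_PREFIX = Packet(src="203.0.113.99", dst="203.0.113.10", dst_port=22)


def main() -> None:
    rulesets = [("ingress-only", INGRESS_ONLY),
                ("with-egress-allow", WITH_EGRESS_ALLOW),
                ("egress-allow-too-late", EGRESS_ALLOW_TOO_LATE)]
    packets = [("inbound request", INBOUND_REQUEST), ("reply (egress)", REPLY_TO_IT),
               ("outbound DNS (egress)", OUTBOUND_DNS),
               ("inbound, src in own prefix", INBOUND_FROM_OWN_PREFIX)]
    for label, rules in rulesets:
        for desc, pkt in packets:
            action, name = evaluate(rules, pkt)
            print(f"{label:22} {desc:28} -> {action:5} ({name})")


if __name__ == "__main__":
    main()
```

Running it shows the reply and the outbound DNS query hitting default-drop under the ingress-only ruleset and under the misordered one, and being permitted only when allow-egress precedes the catchall. The last packet shows the other side of stateless matching: because the permit tests only ip.src, a packet arriving from outside with a source address inside your prefix matches it too, since nothing in the rule distinguishes direction.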