
Cloudflare BYOIP Integration Overview

BYOIP SUPPORTER
ASN 13335
IPv4 support
IPv6 support
LOA support
ROA support
Process: Semi-automatic
Locations supported (Other): South Africa, India, Indonesia, Israel, Japan, Singapore, South Korea, United Arab Emirates, France, Germany, Italy, Netherlands, Poland, Spain, Sweden, United Kingdom, Canada, Mexico, United States, Brazil, Australia, New Zealand

Searching for the best IP providers? Cloudflare’s Enterprise-only BYOIP program lets you bring your own IPv4 and IPv6 prefixes onto Cloudflare’s global anycast network so your applications can keep your IP space while using Cloudflare’s security and performance services. Since November 2025, Cloudflare has offered a self-serve BYOIP API for eligible onboardings, using RPKI plus IRR or reverse-DNS TXT ownership validation instead of relying only on manual LOA handling; however, Magic Transit onboarding still follows a separate account-team-led path rather than the generic self-serve BYOIP flow. Below you’ll find Cloudflare setup documentation, BYOIP requirements, commercial notes, and practical onboarding steps.

Provider Details

Field | Information
Provider Name | Cloudflare
Website | Cloudflare Website
ASN(s) | 13335 (documented self-serve onboarding path); custom ASN and certain service-specific cases require coordination with Cloudflare
Regions Supported | Global anycast across Cloudflare’s network worldwide; service behavior depends on the product and service-binding configuration
Support Contact | Existing customers: confirm BYOIP contract coverage with your Cloudflare account team; Magic Transit, custom-ASN, or non-standard onboarding: work through your account team / Cloudflare Professional Services; New prospects: contact Cloudflare Sales
Tech Article & Date | DIY BYOIP: a new way to Bring Your Own IP prefixes to Cloudflare – November 2025; Bringing Your Own IPs to Cloudflare (BYOIP) – July 2020; Cloudflare outage on February 20, 2026 – February 2026
BYOIP Scope | Enterprise-only BYOIP for IPv4 and IPv6 across Cloudflare services including CDN services, Spectrum, Magic Transit, Gateway DNS locations, and dedicated egress IP use cases. Service bindings allow compatible per-prefix or per-IP routing between supported services.
Supported Versions | IPv4 and IPv6
Supported Services | CDN / WAF and related Layer 7 services, Spectrum, Magic Transit, Gateway DNS locations, dedicated CDN egress IPs, plus Address Maps for proxied DNS IP control

Technical Requirements

Requirement | Details
Prefix Size | IPv4: /24 minimum; IPv6: /48 minimum
ASN Ownership Required | A dedicated customer ASN is not required for the documented self-serve path, but that path currently supports Cloudflare ASN AS13335 only. If you need your own ASN in the announcement path, or have a Magic Transit-specific routing design, coordinate with Cloudflare.
IRR or RADb Object | Required and must be current: exact route / route6 objects for the prefix, with the correct origin ASN. For ownership validation, Cloudflare can use IRR remarks / description fields containing the Cloudflare validation token.
ROA or LOA | Accurate RPKI ROAs are required for the modern validation flow. Self-serve onboarding validates RPKI plus IRR or reverse-DNS TXT ownership checks; Cloudflare can auto-generate LOA-style documentation for downstream acceptance. Manual or service-specific cases may still involve explicit LOA handling.
RIR Limitations | Prefixes must be registered under a supported Regional Internet Registry: AFRINIC, APNIC, ARIN, LACNIC, or RIPE NCC.

Step-by-Step BYOIP Process

  • Contract and product fit: Confirm your Enterprise contract covers BYOIP and the specific service scope you need. For Magic Transit, start with your Cloudflare account team because Magic Transit onboarding is not part of the generic self-serve BYOIP path.
  • Registry and routing prep: Ensure the prefix is registered with a supported RIR, update exact IRR route/route6 objects, and publish accurate RPKI ROAs. For the standard self-serve flow, ROAs should authorize AS13335.
  • Add the prefix: Use Cloudflare’s Addressing API to create the prefix object. Cloudflare can generate LOA-style documentation on your behalf as part of the modern workflow.
  • Validate ownership: Complete ownership checks using either IRR remarks/description fields or reverse-DNS TXT records with Cloudflare’s validation token. Wait until RPKI, IRR, and ownership checks pass.
  • Create the default service binding: Every onboarded prefix needs one service binding that spans the full prefix. This tells Cloudflare which service should handle traffic for the range by default.
  • Advertise and refine: After the default binding is in place, advertise the BGP prefix. If needed, add more-specific service bindings for supported use cases such as CDN and Spectrum, keeping in mind propagation windows.
  • Map and deploy services: Use Address Maps for proxied DNS IP selection, assign application-specific bindings where appropriate, and for Magic Transit complete the separate tunnel and routing onboarding steps with Cloudflare.
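
The registry, routing and ownership conditions from the requirements and steps above can be checked offline before the prefix is added through the Addressing API. The following Python is an added example, not Cloudflare's code or API: the record dictionaries, the preflight helper and the token string are hypothetical, and the sample data is constructed. It covers the IRR ownership path only (pass token=None when validating through reverse-DNS TXT instead).

```python
import ipaddress

CLOUDFLARE_ASN = 13335        # page: the self-serve path supports AS13335 only
MIN_LEN = {4: 24, 6: 48}      # page: /24 minimum for IPv4, /48 minimum for IPv6

def roa_authorizes(prefix, origin_asn, roas):
    """RFC 6811 origin validation: a ROA covers the prefix, names the origin
    ASN, and its maxLength is at least the announced prefix length."""
    net = ipaddress.ip_network(prefix)
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if (roa_net.version == net.version and net.subnet_of(roa_net)
                and roa["asn"] == origin_asn
                and net.prefixlen <= roa.get("max_length", roa_net.prefixlen)):
            return True
    return False

def irr_exact_route(prefix, origin_asn, irr_objects):
    """Return the exact route/route6 object for prefix and origin, or None."""
    net = ipaddress.ip_network(prefix)
    key = "route" if net.version == 4 else "route6"
    for obj in irr_objects:
        if (key in obj and ipaddress.ip_network(obj[key]) == net
                and obj.get("origin", "").upper() == f"AS{origin_asn}"):
            return obj
    return None

def preflight(prefix, roas, irr_objects, token=None, origin_asn=CLOUDFLARE_ASN):
    """Return a list of blocking findings; an empty list means ready to onboard."""
    net = ipaddress.ip_network(prefix)
    findings = []
    if net.prefixlen > MIN_LEN[net.version]:
        findings.append(f"/{net.prefixlen} is smaller than the /{MIN_LEN[net.version]} minimum")
    if not roa_authorizes(prefix, origin_asn, roas):
        findings.append(f"no ROA authorizes AS{origin_asn} for {net}")
    obj = irr_exact_route(prefix, origin_asn, irr_objects)
    if obj is None:
        findings.append(f"no exact IRR route object with origin AS{origin_asn}")
    elif token and not any(token in text for text in
                           obj.get("remarks", []) + [obj.get("descr", "")]):
        findings.append("validation token missing from IRR remarks/descr")
    return findings

# Constructed sample data: documentation prefixes and a placeholder token.
SAMPLE_ROAS = [{"prefix": "203.0.113.0/24", "asn": 13335, "max_length": 24},
               {"prefix": "2001:db8::/32", "asn": 64500, "max_length": 48}]
SAMPLE_IRR = [{"route": "203.0.113.0/24", "origin": "AS13335",
               "remarks": ["cf-validation=EXAMPLE-TOKEN"]},
              {"route6": "2001:db8:1::/48", "origin": "AS64500", "descr": "lab"}]
```

A ROA whose ASN or maxLength does not match the announcement makes the route RPKI-invalid, so networks that enforce origin validation will drop it; that is why the ROA check is treated as blocking here.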

Cost and Limitations

Item | Details
Fees | No public BYOIP list price is published. Commercial terms are enterprise-contract specific, so confirm pricing and packaging with your Cloudflare account team or Sales.
Bundled or Standalone | BYOIP is consumed through supported Cloudflare enterprise products rather than a public standalone plan. One onboarded prefix can support multiple compatible services through service bindings, but a single prefix can be used for either CDN ingress or dedicated CDN egress, not both.
Traffic/Peering Restrictions | Cloudflare announces the onboarded prefix from its global anycast network. Keep IRR and ROA records exact, avoid conflicting external announcements, and coordinate any custom-ASN or Magic Transit-specific route behavior through Cloudflare.
Other Limitations | Each onboarded prefix requires one default service binding covering the entire prefix. Additional bindings can be more specific. Service binding changes typically take about 4–6 hours to propagate and may briefly disrupt traffic during that window. Spectrum UDP applications are not supported with BYOIP.

Automation & Developer Access

  • Addressing API: Cloudflare provides API coverage for creating prefixes, validating ownership, delegating prefixes, advertising BGP prefixes, and managing service bindings.
  • Validation automation: Ownership can be verified through IRR token placement or reverse-DNS TXT records, with RPKI checks used to confirm routing authorization.
  • Address Maps and delegations: BYOIP prefixes can be mapped to proxied DNS records through Address Maps, and portions of a prefix can be delegated to other accounts while service bindings remain managed on the parent account.
  • API-first workflow: Service binding operations are currently API-based, which makes Cloudflare BYOIP suitable for scripted onboarding and infrastructure automation.

Abuse & Reputation Management

  • Customer responsibility: You retain primary responsibility for IP reputation, allowlisting, and third-party delisting or remediation workflows tied to your address space.
  • Operational visibility: Cloudflare provides routing controls and product-level observability, but external blacklist or sender-reputation management still remains with the customer.

Cloudflare BYOIP Developer Docs
Cloudflare BYOIP Get Started
Cloudflare IP Address Service Bindings
Cloudflare Address Maps
Cloudflare Spectrum BYOIP
Cloudflare Magic Transit: Advertise Prefixes
DIY BYOIP: a new way to Bring Your Own IP prefixes to Cloudflare
Cloudflare outage on February 20, 2026
Bring your own IP space to Cloudflare – Reference Architecture
Cloudflare BYOIP GA Blog Post (2020)

FAQ

BYOIP, or Bring Your Own IP, is a service that enables organizations to bring their own public IP addresses—whether owned outright or leased from an IP provider—into a service provider’s network infrastructure. Instead of relying on IP addresses assigned by the provider, BYOIP allows businesses to retain control over their IP resources. This ensures continuity, particularly for organizations with established IP-based reputations, branding, or dependencies on specific address blocks. IP providers can assist in streamlining this process, making it easy to integrate your IPs into the desired network environment.

BYOIP offers several compelling advantages. By using your own IPs, you can maintain continuity in your network’s identity, reduce the risk of disruptions to email deliverability or service recognition, and avoid reputational concerns associated with shared IPs. Additionally, BYOIP provides enhanced flexibility and control over your IP resources.

BYOIP is ideal for organizations that either own public IP addresses or lease them from a trusted IP provider with explicit BYOIP support. This includes enterprises, cloud providers, content delivery networks (CDNs), and businesses with compliance requirements or IP reputation needs. Working with a reputable IP provider ensures that leased IPs can be seamlessly integrated into another provider’s infrastructure without ownership concerns.

You must either legally own the IP addresses or have explicit authorization from a leasing IP provider to route and manage them. IP providers who offer BYOIP-ready IP addresses simplify this process, providing documentation and support to ensure compliance with regional internet registry (RIR) policies and service provider requirements. This collaboration ensures smooth implementation without any legal or operational issues.

To use BYOIP, you’ll typically need to present documentation verifying your authority over the IP block. This can include official records from a regional internet registry (RIR) such as ARIN, RIPE NCC, or APNIC. If you are leasing IPs, the IP provider should supply proof of their ownership and grant you permission for BYOIP. Providers that specialize in IP leasing often handle this paperwork for you, reducing administrative burden and ensuring compliance.

Yes, BYOIP is designed to be a secure and reliable solution. Reputable service providers and IP providers implement robust safeguards to prevent unauthorized use or hijacking of IP addresses. Security measures include BGP filtering, route validation, and advanced protocols like Resource Public Key Infrastructure (RPKI). By collaborating with a trusted IP provider, businesses can benefit from additional layers of protection, ensuring that only authorized traffic is routed through their IP blocks.

The setup process for BYOIP varies by provider, typically taking anywhere from a few hours to a few days. Factors include the complexity of your network, the verification process for IP ownership or authorization, and the time needed for global BGP route propagation. IP providers often expedite the preparation and validation stages, ensuring a smooth and timely integration into the desired infrastructure.

Absolutely. Many providers, in partnership with IP providers, support routing IPs across multiple data centers or geographic regions. This feature optimizes performance for global businesses by reducing latency and improving service availability. When working with an IP provider, you can also ensure that your leased or owned IPs are aligned with your geographic requirements for compliance and efficiency.

If you choose to discontinue BYOIP with a provider, your IP addresses will be released from their network, and routing will cease. You can then reallocate these IPs for use with a different service provider or project.