Skip to content
BYOIP

Cloudflare BYOIP Integration Overview

BYOIP SUPPORTER
ASN 13335
IPv4 support
IPv6 support
LOA support
ROA support
Process Semi-automatic
Locations supported
Other: South Africa, India, Indonesia, Israel, Japan, Singapore, South Korea, United Arab Emirates, France, Germany, Italy, Netherlands, Poland, Spain, Sweden, United Kingdom, Canada, Mexico, United States, Brazil, Australia, New Zealand

Location

Searching for the best IP providers? Cloudflare’s Enterprise-only BYOIP program lets you bring your own IPv4 and IPv6 prefixes and have them announced from Cloudflare’s global anycast network (300+ cities in 100+ countries) while using the full security and performance stack. As of November 2025, Cloudflare offers a self-serve BYOIP API that automates ownership validation via RPKI and IRR/DNS checks, reducing onboarding from weeks to minutes while still supporting traditional account-team workflows. Below you’ll find Cloudflare setup documentation, BYOIP requirements, pricing notes, and integration steps to bring and control your own IP ranges within Cloudflare’s secure network infrastructure.

Provider Details

FieldInformation
Provider NameCloudflare
WebsiteCloudflare Website
ASN(s)13335
Regions SupportedGlobal anycast (300+ cities, 100+ countries); regional or location-constrained announcements on request
Support ContactExisting customers: Work with your Cloudflare account team to enable BYOIP
New prospects: Contact Cloudflare Sales
Tech Article & DateDIY BYOIP: a new way to Bring Your Own IP prefixes to Cloudflare – November 2025
Bringing Your Own IPs to Cloudflare (BYOIP) – July 2020
BYOIP ScopeEnterprise-only BYOIP for IPv4 and IPv6 with full integration into Cloudflare’s connectivity cloud: CDN/WAF, Magic Transit, Spectrum, Cloudflare One / Gateway dedicated egress, DNS via Address Maps, and Aegis
Supported VersionsIPv4 and IPv6
Supported ServicesCDN & WAF, Spectrum (TCP/UDP apps), Magic Transit (L3), Cloudflare One / Gateway dedicated egress, Aegis, and other L7 security services addressable via BYOIP service bindings

Technical Requirements

RequirementDetails
Prefix SizeIPv4: /24 minimum (smallest routable prefix Cloudflare will announce)
IPv6: /48 minimum
ASN Ownership RequiredDedicated ASN not required for standard deployments; Cloudflare originates BYOIP prefixes from AS13335 by default. Custom ASN / special routing designs may require bespoke engagement with Cloudflare.
IRR or RADb ObjectRequired: IRR route/route6 object or reverse DNS TXT record containing Cloudflare’s ownership validation token and authorizing AS13335 as an origin.
ROA or LOARPKI ROA specifying AS13335 as the origin is required for self-serve BYOIP. Cloudflare automatically generates LOA-style documentation for upstream networks; manual LOA workflows remain available if automation cannot be used.
RIR LimitationsPrefixes must be registered with a Regional Internet Registry that supports IRR and RPKI (typically ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC).

Step-by-Step BYOIP Process

  • Contract eligibility: Confirm your Cloudflare Enterprise contract includes BYOIP and that your prefixes are registered with a RIR (ARIN/RIPE/APNIC/LACNIC/AFRINIC).
  • Routing security setup: Publish a RPKI ROA listing Cloudflare AS13335 as origin and update IRR or reverse DNS TXT records with Cloudflare’s ownership validation token.
  • Self-serve onboarding: Use the BYOIP Addressing API (or Cloudflare Terraform provider) to create prefixes, run validation, and enable dynamic BGP advertisement; Cloudflare auto-generates LOAs for upstreams.
  • Default service binding: Create a default service binding that spans the full prefix to attach it to at least one service (for example Magic Transit, CDN, Spectrum, Gateway egress, or Aegis).
  • Granular service DNS: Add additional service bindings for sub-prefixes or individual IPs and configure Address Maps/DNS so applications and dedicated egress IPs use the desired addresses.

Cost and Limitations

ItemDetails
FeesA single BYOIP prefix can be shared across multiple Cloudflare services simultaneously (for example, Magic Transit for L3 protection plus CDN/WAF or Aegis on selected IPs) using service bindings.
Bundled or StandaloneA single BYOIP prefix can be shared across multiple Cloudflare services simultaneously (for example Magic Transit for L3 protection plus CDN/WAF or Aegis on selected IPs) using service bindings.
Traffic/Peering RestrictionsWhen a prefix is advertised via BYOIP, Cloudflare originates it from AS13335 across its global anycast network. Parallel announcements for the same prefix through other providers are generally discouraged and must be coordinated with Cloudflare to avoid routing conflicts.
Other LimitationsMinimum prefix size is /24 (IPv4) or /48 (IPv6). Each onboarded prefix requires its own validation and default service binding, and Cloudflare requires at least one active service binding for the full prefix to prevent inadvertent black-holing of traffic.

Automation & Developer Access

  • Self-serve BYOIP API: Full REST API coverage (Addressing › Prefixes) for onboarding, validation, dynamic advertisement, and service bindings, including the self-serve BYOIP flow launched in November 2025.
  • Terraform support: Official Cloudflare Terraform provider exposes BYOIP and Address Maps resources (for example cloudflare_byo_ip_prefix and cloudflare_address_map) for infrastructure-as-code workflows.
  • Analytics tooling: BYOIP and Aegis deployments can be monitored via Cloudflare network analytics and the GraphQL Analytics API, enabling integration into existing monitoring and observability stacks.

Abuse & Reputation Management

  • IP reputation; telemetry: Cloudflare’s network and security analytics expose traffic patterns, attack activity, and health metrics for BYOIP prefixes, helping monitor IP reputation.
  • Blacklist/removal workflow: Customers retain primary responsibility for managing IP reputation and blacklist remediation; Cloudflare provides telemetry and guidance but does not directly manage third-party delistings.

Cloudflare BYOIP Developer Docs
DIY BYOIP: a new way to Bring Your Own IP prefixes to Cloudflare
Cloudflare BYOIP GA Blog Post (2020)
Bring your own IP space to Cloudflare – Reference Architecture
Cloudflare Aegis & BYOIP Deep Dive
IPXO Cloudflare BYOIP Setup Guide

FAQ

BYOIP, or Bring Your Own IP, is a service that enables organizations to bring their own public IP addresses—whether owned outright or leased from an IP provider—into a service provider’s network infrastructure. Instead of relying on IP addresses assigned by the provider, BYOIP allows businesses to retain control over their IP resources. This ensures continuity, particularly for organizations with established IP-based reputations, branding, or dependencies on specific address blocks. IP providers can assist in streamlining this process, making it easy to integrate your IPs into the desired network environment.

BYOIP offers several compelling advantages. By using your own IPs, you can maintain continuity in your network’s identity, reduce the risk of disruptions to email deliverability or service recognition, and avoid reputational concerns associated with shared IPs. Additionally, BYOIP provides enhanced flexibility and control over your IP resources.

BYOIP is ideal for organizations that either own public IP addresses or lease them from a trusted IP provider with explicit BYOIP support. This includes enterprises, cloud providers, content delivery networks (CDNs), and businesses with compliance requirements or IP reputation needs. Working with a reputable IP provider ensures that leased IPs can be seamlessly integrated into another provider’s infrastructure without ownership concerns.

You must either legally own the IP addresses or have explicit authorization from a leasing IP provider to route and manage them. IP providers who offer BYOIP-ready IP addresses simplify this process, providing documentation and support to ensure compliance with regional internet registry (RIR) policies and service provider requirements. This collaboration ensures smooth implementation without any legal or operational issues.

To use BYOIP, you’ll typically need to present documentation verifying your authority over the IP block. This can include official records from a regional internet registry (RIR) such as ARIN, RIPE NCC, or APNIC. If you are leasing IPs, the IP provider should supply proof of their ownership and grant you permission for BYOIP. Providers that specialize in IP leasing often handle this paperwork for you, reducing administrative burden and ensuring compliance.

Yes, BYOIP is designed to be a secure and reliable solution. Reputable service providers and IP providers implement robust safeguards to prevent unauthorized use or hijacking of IP addresses. Security measures include BGP filtering, route validation, and advanced protocols like Resource Public Key Infrastructure (RPKI). By collaborating with a trusted IP provider, businesses can benefit from additional layers of protection, ensuring that only authorized traffic is routed through their IP blocks.

The setup process for BYOIP varies by provider, typically taking anywhere from a few hours to a few days. Factors include the complexity of your network, the verification process for IP ownership or authorization, and the time needed for global BGP route propagation. IP providers often expedite the preparation and validation stages, ensuring a smooth and timely integration into the desired infrastructure.

Absolutely. Many providers, in partnership with IP providers, support routing IPs across multiple data centers or geographic regions. This feature optimizes performance for global businesses by reducing latency and improving service availability. When working with an IP provider, you can also ensure that your leased or owned IPs are aligned with your geographic requirements for compliance and efficiency.

If you choose to discontinue BYOIP with a provider, your IP addresses will be released from their network, and routing will cease. You can then reallocate these IPs for use with a different service provider or project.