Breakout traffic

Breakout traffic allows you to define which applications should bypass Cloudflare’s security filtering, and go directly to the Internet. It works via DNS requests inspection. This means that if your network is caching DNS requests, Breakout traffic will only take effect after you cache entries expire and your client issues a new DNS request that the Magic WAN Connector can detect. This can take several minutes.

Warning

Breakout traffic will not work for applications that use DNS-over-HTTPs.

flowchart LR
accTitle: In this example, the applications go directly to the Internet, skipping Cloudflare's security. filtering
    a(Magic WAN Connector) --> b(Cloudflare) -->|Filtered traffic|c(Internet)

    a-- Breakout traffic ---d(Application1) & e(Application2) --> c

    classDef orange fill:#f48120,color: black
    class a,b orange

In the graph above, Applications 1 and 2 are configured to bypass Cloudflare’s security filtering, and go straight to the Internet

A note on security

We recommend routing all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare’s security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard.

Refer to Traffic steering to learn how Cloudflare routes traffic.

Add an application

You need to configure Breakout traffic for each of your existing sites, as it is a per-site configuration.

Dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account.
2. Select Magic WAN > Sites.
3. Select the site you want to configure > Edit.
4. Select Traffic Steering.
5. In Breakout traffic, select Add.

6. Select one or more applications that should bypass Cloudflare filtering from the list. You can also use the search box.
7. Select Add applications.

The traffic for that application will now go directly to the Internet and bypass Cloudflare’s filtering.

API

Note

You will need your account ID and API Key to use the API.

1. Send a GET request to list the applications associated with an account.

   Example:

   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/apps \
   --header "X-Auth-Email: <EMAIL>" \
   --header "X-Auth-Key: <API_KEY>"

   {
     "result": [
       {
         "managed_app_id": "<MANAGED_APP_ID>",
         "name": "<APP_NAME>",
         "type": "<TYPE_OF_APP>",
         "hostnames": ["<HOSTNAME1.com>", "<HOSTNAME2.info>"]
       }
     ],
     "success": true,
     "errors": [],
     "messages": []
   }

   Take note of the "managed_app_id" value for any application you want to configure.

2. Send a POST request to add new apps the breakout traffic policy.

   Example:

   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/app_configs \
   --header "X-Auth-Email: <EMAIL>" \
   --header "X-Auth-Key: <API_KEY>" \
   --header "Content-Type: application/json" \
   --data '{
     "managed_app_id": "<MANAGED_APP_ID>",
     "breakout": true
   }'

   {
     "result": {
       "id": "023e105f4ecef8ad9ca31a8372d0c353",
       "site_id": "023e105f4ecef8ad9ca31a8372d0c353",
       "managed_app_id": "<MANAGED_APP_ID>",
       "breakout": true
     },
     "success": true,
     "errors": [],
     "messages": []
   }

Delete an application

Dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account.
2. Select Magic WAN > Sites.
3. Select the site you want to configure > Edit.
4. Select Traffic Steering.
5. In Breakout traffic, find the application you want to delete, and select the three dots next to it.
6. Select Remove.
7. (Optional) If you have several pages of applications, you can use the search box to quickly find the application you are looking for.

API

Note

You will need your account ID and API Key to use the API.

1. Send a GET request to list the applications associated with a site.

   Example:

   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/app_configs \
   --header "X-Auth-Email: <EMAIL>" \
   --header "X-Auth-Key: <API_KEY>"

   {
     "result": [
       {
         "id": "023e105f4ecef8ad9ca31a8372d0c353",
         "site_id": "023e105f4ecef8ad9ca31a8372d0c353",
         "managed_app_id": "<MANAGED_APP_ID>",
         "breakout": true
       }
     ],
     "success": true,
     "errors": [],
     "messages": []
   }

Take note of the "id" value for the application that want to delete.

2. Send a DELETE request to delete an application from the breakout traffic policy.

   curl --request DELETE \
   https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/app_configs/{id} \
   --header "X-Auth-Email: <EMAIL>" \
   --header "X-Auth-Key: <API_KEY>"

   {
     "result": {
       "id": "023e105f4ecef8ad9ca31a8372d0c353",
       "site_id": "023e105f4ecef8ad9ca31a8372d0c353",
       "managed_app_id": "<MANAGED_APP_ID>",
       "breakout": true
     },
     "success": true,
     "errors": [],
     "messages": []
   }

WARP traffic

If you have Magic WAN Connector and WARP clients deployed in your premises, Magic WAN Connector automatically routes WARP traffic to the Internet rather than Magic WAN IPsec tunnels. This prevents traffic from being encapsulated twice.

You may need to configure your firewall to allow this new traffic. Make sure to allow the following IPs and ports:

• Destination IPs: 162.159.193.0/24, 162.159.197.0/24
• Destination ports: 443, 500, 1701, 2408, 4443, 4500, 8095, 844 Refer to WARP with firewall for more information on this topic.