The Physics of Cloudflare IP Ranges: Anycast, BGP, and Global Routing

To the casual observer, Cloudflare’s IP ranges appear fixed—104.16.0.0/12 is 104.16.0.0/12. But network engineers know better. These addresses are dynamic entities, simultaneously present in 330+ cities, constantly shifting, responding to internet weather in real-time. Understanding this mobility is essential for anyone serious about network architecture.

Anycast is the technique: the same IP address advertised from multiple locations via BGP (Border Gateway Protocol), the internet’s routing glue. When you query a Cloudflare-protected domain, DNS returns an anycast address. Your ISP’s routers, through BGP path selection, direct your packets to the “nearest” Cloudflare data center—nearest by AS-path length, not geography.

This isn’t abstraction. It’s physical infrastructure with measurable consequences for latency, reliability, and security.

BGP: The Internet’s Weather System

BGP operates through path announcements. Cloudflare’s routers broadcast to upstream providers: “I can reach 104.16.0.0/12.” Each provider propagates this to their peers. Your ISP hears multiple announcements, selects the shortest AS-path, and installs routes.

But “shortest” is relative. BGP doesn’t know about fiber latency, submarine cable cuts, or congestion. It knows about Autonomous System hops. A path through 3 ASes might traverse 10,000 km of fiber; a 2-AS path might route through congested peering points. The “nearest” Cloudflare data center in BGP terms might be 100ms away in latency terms.

Traffic Engineering: Cloudflare’s Control

Cloudflare manipulates BGP to optimize traffic flow. Techniques include:

AS-Path Prepending: Artificially lengthening AS-path for specific upstreams to discourage their use. If Level3’s path is congested, Cloudflare prepends their AS number multiple times, making alternative paths appear shorter to BGP.

Community Strings: BGP communities—numeric tags attached to routes—signal upstream providers to adjust local preference or apply specific policies. Cloudflare marks routes with communities indicating preferred handling.

DNS Load Balancing: Before BGP even engages, Cloudflare’s DNS returns different IPs based on resolver location, steering traffic toward specific data centers regardless of BGP path selection.

RDP (Rate Limiting and Denial of Service Protection): During attacks, Cloudflare withdraws BGP announcements from affected data centers, scattering attack traffic across their global network to absorb volumetric assaults.
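
The gap between AS-path length and latency, and the effect of AS-path prepending, can be shown with a simplified BGP decision. This is an added example, not code from Cloudflare or the original article: the routing table, site names and latencies are constructed, AS64496 and AS64497 are documentation ASNs, and equal local preference is assumed so that AS-path length alone decides.

```python
from dataclasses import dataclass

CLOUDFLARE_AS = 13335  # Cloudflare's origin AS
LEVEL3_AS = 3356       # the upstream named in the prepending paragraph


@dataclass(frozen=True)
class Route:
    site: str       # data center originating this announcement (hypothetical name)
    as_path: tuple  # AS numbers as seen by the vantage point, origin AS last
    rtt_ms: float   # constructed latency; BGP never sees this value


def best_path(routes):
    """Simplified BGP decision: equal local-pref assumed, shortest AS-path wins.
    Ties go to the first route listed."""
    return min(routes, key=lambda r: len(r.as_path))


def lowest_latency(routes):
    """What a latency-aware selection would have picked instead."""
    return min(routes, key=lambda r: r.rtt_ms)


def after_prepending(routes, upstream_as, times):
    """Routes as received once the origin prepends its own AS `times` extra
    times on announcements sent through one upstream."""
    return [
        Route(r.site, r.as_path + (CLOUDFLARE_AS,) * times, r.rtt_ms)
        if r.as_path[0] == upstream_as else r
        for r in routes
    ]


# Constructed view of one ISP's candidate routes for 104.16.0.0/12.
ROUTES = [
    Route("far-site", (LEVEL3_AS, CLOUDFLARE_AS), 100.0),
    Route("near-site", (64496, 64497, CLOUDFLARE_AS), 12.0),
]

if __name__ == "__main__":
    print("BGP picks:", best_path(ROUTES).site)
    print("Latency would pick:", lowest_latency(ROUTES).site)
    shifted = after_prepending(ROUTES, LEVEL3_AS, 2)
    print("After prepending twice via AS3356:", best_path(shifted).site)
```

A single prepend only ties the two paths at three hops, so the catchment does not move until the second prepend makes the Level3 path strictly longer.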

The 2026 Anycast Landscape

Cloudflare’s anycast deployment has evolved dramatically. The 2026 network includes:

Standard Anycast: Traditional anycast where all data centers announce all IP ranges. Traffic flows to the BGP-nearest location.

Geo-Anycast: IP ranges dedicated to specific regions. European users get European IPs, Asian users Asian IPs, even if BGP might prefer a transatlantic path. This ensures data residency compliance and predictable performance.

Elastic Anycast: Dynamic reallocation during incidents. When the London data center floods (literally or figuratively), its IP ranges shift to Manchester and Amsterdam within seconds, transparently to users.

Spectrum Anycast: For non-HTTP protocols—SSH, gaming, custom TCP—Cloudflare uses distinct IP ranges with different routing policies optimized for connection-oriented rather than request-response traffic.

Measuring Anycast: The Network Engineer’s Toolkit

Understanding your traffic’s actual path requires active measurement:

BGP Monitoring

bash

# Query BGP looking glasses for path visibility
# Hurricane Electric
curl -s "https://bgp.he.net/net/104.16.0.0/12#_bgp"

# RouteViews (the show command is typed at the router prompt after connecting)
telnet route-views.routeviews.org
show ip bgp 104.16.0.0/12

# RIPE RIS
whois -h riswhois.ripe.net 104.16.0.0/12

These reveal which AS-paths carry Cloudflare traffic from various vantage points.

Latency Mapping

Python

# Measure actual latency to anycast IPs from diverse locations
import subprocess
import json

cloudflare_ips = ["104.16.0.1", "172.64.0.1", "162.158.0.1"]
for ip in cloudflare_ips:
    result = subprocess.run(["ping", "-c", "10", ip],
        capture_output=True,
        text=True)
    # Parse latency statistics
    # Correlate with BGP path data

For comprehensive global latency mapping, distributed measurement infrastructure is essential. IPFLY’s residential proxy network provides authentic measurement points from 190+ countries, revealing how anycast routing performs for actual users—not just from network operations centers.

Traceroute Analysis

bash

# Trace the actual path (ICMP echo probes)
traceroute -I 104.16.0.1

# TCP SYN traceroute to port 443, following the path HTTPS traffic takes through filters
traceroute -T -p 443 104.16.0.1

# Paris traceroute for load-balanced path detection
paris-traceroute 104.16.0.1

Traceroute reveals the physical infrastructure: which IXPs (Internet Exchange Points) your traffic traverses, which submarine cables it rides, where it enters Cloudflare’s network.

Origin Server Implications

Anycast affects origin server communication in subtle ways:

Asymmetric Routing: Your request might enter through London, but Cloudflare’s response exits through Singapore, depending on BGP state at each moment. This complicates both stateful firewall rules and troubleshooting.

Source IP Diversity: Even for single-client sessions, Cloudflare might use different source IPs for different requests as traffic shifts between data centers. IP-based rate limiting at origin must account for this.

Geographic Ambiguity: Your origin sees Cloudflare’s connection coming from a specific data center IP, but the actual user might be continents away. Geo-targeting based on Cloudflare IP is unreliable; use CF-IPCountry header instead.
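
One way an origin can handle source IP diversity and geographic ambiguity together is sketched below as an added example, not code from Cloudflare or the original article. It assumes the CF-Connecting-IP header alongside the CF-IPCountry header mentioned above, exact-case header keys, and an illustrative subset of Cloudflare's ranges; the client addresses are constructed.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Illustrative subset of Cloudflare's published IPv4 ranges (assumption: a real
# origin loads the current list from https://www.cloudflare.com/ips-v4).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in
                   ("104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]


def from_cloudflare(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def client_identity(peer_ip, headers):
    """Return (rate_limit_key, country). CF-* headers are trusted only when the
    TCP peer is a Cloudflare address; any other sender can forge them."""
    if from_cloudflare(peer_ip):
        try:
            client = str(ipaddress.ip_address(headers.get("CF-Connecting-IP", "")))
            return client, headers.get("CF-IPCountry")
        except ValueError:
            pass  # missing or malformed header: fall back to the peer address
    return peer_ip, None


class RateLimiter:
    """Sliding-window limiter keyed on the identity derived above, so one user
    arriving through several Cloudflare source IPs shares a single bucket."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

The peer check matters as much as the header: if the origin also accepts connections that bypass Cloudflare, keying on an unverified CF-Connecting-IP lets any sender choose its own rate-limit bucket.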

Advanced: BYOIP and Custom Anycast

Enterprise Cloudflare plans support Bring Your Own IP (BYOIP)—advertising your organization’s IP ranges through Cloudflare’s anycast network.

Technical Implementation

  1. IP Allocation: Customer provides /24 or larger IPv4 block, /48 or larger IPv6 block. Must be provider-independent (PI) space or allocated from RIR with transfer rights.
  2. Letter of Agency: Legal authorization for Cloudflare to announce the ranges via BGP.
  3. BGP Announcement: Cloudflare adds routes to their global BGP configuration, propagating to 10,000+ peer networks.
  4. Traffic Flow: User queries return customer-owned IPs. Traffic routes to Cloudflare’s network, then tunnels to customer origin via GRE, IPsec, or private backbone.

BYOIP Use Cases

  • Reputation Management: IPs with established sender reputation for email deliverability
  • Compliance: Regulatory requirements for specific address ownership
  • Migration: Seamless transition from self-hosted to Cloudflare without IP changes
  • Multi-CDN: Same IPs, multiple providers for redundancy

The Future: SRv6 and Programmable Routing

Emerging technologies promise more sophisticated anycast. SRv6 (Segment Routing over IPv6) enables source-routed paths through Cloudflare’s network—traffic engineering at the packet level. P4-programmable switches allow custom routing logic per customer, per application, per packet type.

These advances will make Cloudflare’s IP ranges even more dynamic—same addresses, infinitely flexible paths.

The Living Network

Cloudflare’s IP ranges aren’t static configuration—they’re dynamic, breathing entities shaped by BGP policy, network conditions, and traffic engineering. Understanding this mobility is essential for debugging, optimization, and security.

The network engineer who treats 104.16.0.0/12 as “just an IP range” misses the complexity that makes modern internet infrastructure resilient. The engineer who understands anycast, BGP, and traffic engineering can diagnose the mysterious, optimize the slow, and secure the vulnerable.

Understanding Cloudflare’s anycast dynamics requires measuring from diverse global perspectives—BGP paths, latency, and routing behavior vary dramatically by vantage point. When you need to map how your traffic actually flows, test failover behavior during simulated outages, or validate geographic routing policies, IPFLY’s infrastructure provides the measurement capabilities you need. Our residential proxy network offers 90+ million authentic IPs across 190+ countries for genuine anycast performance analysis. Use static residential proxies for consistent monitoring from specific regions, dynamic rotation for large-scale path diversity analysis, and our data center proxies for high-throughput measurement campaigns. With millisecond-precision timing, 99.9% uptime ensuring continuous monitoring, and 24/7 technical support for complex network investigations, IPFLY enables the global visibility that anycast understanding requires. Don’t guess how your traffic routes—register with IPFLY today and measure the internet as your users experience it.
