Cloudflare introduces Automatic Return Routing to resolve overlapping IP addresses
Cloudflare · feature · api · platform · release · blog.cloudflare.com

Solving the IP Overlap Problem

Enterprise networks frequently encounter IP address conflicts, particularly in three common scenarios: mergers and acquisitions where both companies use identical private IP ranges (like 10.0.1.0/24 for core services), extranets connecting partners using their own internal IP schemes, and cookie-cutter deployments where SaaS providers replicate identical IP architecture across multiple branches.

The core problem emerges when traffic from duplicate IP addresses reaches Cloudflare's edge. Traditional routing tables cannot distinguish between identical source IPs from different sites, making return traffic routing non-deterministic—packets may be sent to the wrong destination with no way for the routing table to know the difference.

How Automatic Return Routing Works

ARR shifts intelligence from stateless routing tables to stateful flow tracking. Rather than asking "Where does this IP live?" the system asks "Where did this specific conversation originate?" by remembering which tunnel or connection initiated each traffic flow.

The mechanism works in three steps:

  • Ingress: Traffic arrives at Cloudflare's edge from a specific tunnel connection (IPsec, GRE, or Network Interconnect)
  • Flow Matching: The Virtual Network inspects packet headers to match against existing flows
  • Return Routing: Return traffic is sent back through the same tunnel that initiated the conversation, without consulting a routing table
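The three steps above can be modelled as a small flow table. This is an added sketch, not Cloudflare's code: the tunnel names, the addresses, and the choice of a 5-tuple as the flow key are assumptions made for illustration.

```python
# Added illustration: a toy model of flow-pinned return routing.
# Tunnel names, addresses and the 5-tuple flow key are assumptions.
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class FlowTable:
    def __init__(self) -> None:
        # 5-tuple as seen on ingress -> tunnel that initiated the flow
        self._flows: dict[Packet, str] = {}

    def ingress(self, pkt: Packet, tunnel: str) -> bool:
        """Record the originating tunnel; False if another tunnel owns this 5-tuple."""
        owner = self._flows.setdefault(pkt, tunnel)
        return owner == tunnel

    def return_tunnel(self, reply: Packet) -> Optional[str]:
        """Match a reply by reversing its 5-tuple; None means no known flow."""
        key = Packet(reply.dst, reply.dport, reply.src, reply.sport, reply.proto)
        return self._flows.get(key)


def demo() -> dict:
    # Constructed sample: two sites both use 10.0.1.5 behind different tunnels.
    flows = FlowTable()
    server = "192.0.2.10"
    a = Packet("10.0.1.5", 40001, server, 443)
    b = Packet("10.0.1.5", 40002, server, 443)
    flows.ingress(a, "ipsec-site-a")
    flows.ingress(b, "gre-site-b")
    # A prefix-keyed routing table holds one next hop per prefix,
    # so the second site silently replaces the first.
    route_table = {"10.0.1.0/24": "ipsec-site-a"}
    route_table["10.0.1.0/24"] = "gre-site-b"
    return {
        "reply_a": flows.return_tunnel(Packet(server, 443, "10.0.1.5", 40001)),
        "reply_b": flows.return_tunnel(Packet(server, 443, "10.0.1.5", 40002)),
        "unsolicited": flows.return_tunnel(Packet(server, 443, "10.0.1.5", 49999)),
        "same_tuple_other_tunnel": flows.ingress(a, "gre-site-b"),
        "route_table_next_hop": route_table["10.0.1.0/24"],
    }
```

In this model a reply with no recorded flow returns `None` rather than a guessed tunnel, and two sites presenting the exact same 5-tuple is flagged as a conflict; how the real service handles either case is not described on this page.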

Key Benefits

This approach eliminates the need for traditional workarounds:

  • No NAT overhead: Removes complex Network Address Translation mapping and administrative burden for each new site or partner
  • No VRF complexity: Eliminates the need for Virtual Routing and Forwarding (VRF) tables and brittle cross-VRF route leaking configurations
  • Zero-touch operation: Reduces administrative overhead while maintaining complete traffic isolation

ARR is currently available in Closed Beta for Cloudflare One customers managing overlapping private networks through Magic WAN and related enterprise connectivity services.