Automatic Return Routing (ARR) – Technical Guide for Cloudflare One

Background and Evolution of Return Routing in Cloudflare One The public Internet relies on a one‑to‑one mapping between an IP address and its destination. Anycast extends this idea by announcing the same address from many locations, yet every instance still points to the same service. In private networks, overlapping address ranges are common, especially after mergers, partner connections, or standardized branch deployments. Historically, administrators used Virtual Routing and Forwarding (VRF) or Network Address Translation (NAT) to separate traffic, adding configuration overhead. Cloudflare introduced Automatic Return Routing (ARR) as a zero‑touch method that remembers the originating tunnel for each flow, allowing return traffic to be sent back without consulting a routing table. Implementation & Best Practices Before diving into configuration details, understand the overall workflow. ARR works by creating a flow record the first time a packet arrives, storing the tunnel that carried it, and then using that record to forward all subsequent packets in the flow, both forward and reverse. The process consists of four phases: ingress detection, flow matching, state recording, and symmetric return. Each phase must be verified before moving to the next to ensure reliable operation. Ingress Detection When a packet reaches the Cloudflare edge, the system identifies the incoming connection (IPsec, GRE, or Network Interconnect). This step is crucial because the tunnel ID becomes the key identifier for the flow. Flow Matching and State Recording The Virtual Network checks whether an existing flow matches the packets five‑tuple (source IP, destination IP, source port, destination port, protocol). If a match exists, the packet follows the stored path. If not, a new flow record is created, capturing the tunnel ID along with any security services (Gateway, DLP, Firewall) that will process the traffic. This state lives in memory for the duration of the conversation. Symmetric Return Handling When the destination sends a response, ARR looks up the flow record, retrieves the original tunnel ID, and forwards the packet directly back through that tunnel. No routing table lookup is performed, eliminating ambiguity caused by overlapping source IPs. Operational Checklist Key takeaways: - Verify tunnel health before enabling ARR. - Monitor flow table size to prevent memory pressure. - Use consistent naming for tunnels to simplify troubleshooting. - Apply rate limits on flow creation to avoid abuse. Example Configuration Steps 1. Enable ARR in the Cloudflare One dashboard for the desired network. 2. Define tunnels for each site or partner connection. 3. Assign security policies (e.g., DLP rules) that will apply to traffic flowing through each tunnel. 4. Validate flow creation by sending test traffic from each site and confirming that return packets arrive on the same tunnel. 5. Monitor logs for flow mismatches adjust tunnel identifiers if conflicts appear. Integration with Existing Systems ARR can coexist with traditional routing for non‑overlapping networks. For environments that still require VRF or NAT, limit those mechanisms to traffic that does not pass through Cloudflare One. This hybrid approach reduces configuration load while preserving compatibility. Related Practices - Regularly audit IP address plans across merged entities to identify overlap early. - Use automated inventory tools to keep tunnel metadata up‑to‑date. Further Reading For a deeper look at managing complex flow state, see the discussion on GitHub sub‑issues and workflow design. Additionally, the architecture of large‑scale payment orchestration on AWS provides insight into handling high‑volume stateful traffic, as described in this guide. External Reference The principle of anycast and its impact on address uniqueness is explained in the Wikipedia article on Anycast.