    Automatic Return Routing (ARR) – Zero‑Touch Overlap Resolution in Cloudflare One

    18 March 2026 by
    Suraj Barman

    Automatic Return Routing (ARR) in Cloudflare One

    Automatic Return Routing (ARR) is a zero‑touch feature in Cloudflare One that resolves overlapping private IP address conflicts without relying on traditional routing tables. By tracking the originating tunnel for each network flow, ARR ensures return traffic follows the correct path, eliminating the need for NAT, VRF, or manual route configuration.

    Why Overlapping IP Addresses Occur in Enterprise Networks

    Enterprises frequently encounter duplicate private address spaces when they merge with another company, connect external partners, or adopt standardized subnet layouts across many sites. In a merger, each organization may already use 10.0.0.0/8 ranges for internal services. Extranets often bring vendor networks that reuse the same subnets, and SaaS providers may deploy identical address blocks to simplify provisioning. These overlaps create ambiguity when traffic must traverse a shared backbone.

    Limitations of Traditional Solutions: NAT and VRF

    Network Address Translation rewrites source addresses to unique values, but each new site requires a custom translation rule, increasing operational load. Virtual Routing and Forwarding creates separate routing tables per site, yet administrators must manage inter‑VRF leakage and maintain consistent policies across tables. Both approaches add layers of configuration that can introduce errors and hinder rapid expansion.

    Stateful Flow Tracking: The Core of ARR

    ARR replaces the stateless decision model with a memory‑based approach. When a packet arrives, the system records the originating tunnel identifier along with the five‑tuple that defines the flow. This state persists for the lifetime of the conversation, allowing subsequent packets to be matched against the stored entry instead of consulting a static routing table.

    How ARR Processes Inbound Traffic

    Upon ingress, the Cloudflare edge receives a packet from a specific connection type such as an IPsec tunnel, GRE tunnel, or Network Interconnect. The platform first checks whether the packet belongs to an existing flow. If a match exists, the packet follows the already‑determined path through any enabled services like DLP or firewall. If no match is found, ARR evaluates the required services, determines the destination, and creates a new flow record that includes the tunnel reference.

    ARR's Symmetric Return Path Mechanism

    When the remote endpoint replies, ARR consults the in‑memory flow record, extracts the stored tunnel identifier, and forwards the response directly back through that tunnel. Because the decision is based on the original conversation rather than the destination address, the system avoids the ambiguity caused by identical source IPs across sites. No additional routing entries are needed.
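
    The inbound and return steps described above, modelled as a small flow table. This is an added example, not Cloudflare's code: the names FiveTuple, FlowTable, the tunnel labels and the addresses are constructed for illustration. The page does not say what happens when two tunnels present an identical five-tuple, so this sketch refuses the second flow rather than guess.

```python
from typing import Dict, NamedTuple, Optional

class FiveTuple(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reversed(self) -> "FiveTuple":
        # A reply carries the same five-tuple with source and destination swapped.
        return FiveTuple(self.proto, self.dst_ip, self.dst_port,
                         self.src_ip, self.src_port)

class FlowTable:
    """Toy model of per-flow state: forward five-tuple -> originating tunnel."""

    def __init__(self) -> None:
        self._flows: Dict[FiveTuple, str] = {}

    def ingress(self, pkt: FiveTuple, tunnel: str) -> str:
        """Packet arriving from a tunnel: match an existing flow or record a new one."""
        owner = self._flows.get(pkt)
        if owner is None:
            self._flows[pkt] = tunnel
            return "new"
        if owner != tunnel:
            # Assumption of this sketch: an identical five-tuple from a
            # different tunnel is rejected instead of overwriting state.
            raise ValueError(f"five-tuple already owned by {owner}")
        return "existing"

    def return_tunnel(self, reply: FiveTuple) -> Optional[str]:
        """Reply from the remote endpoint: the tunnel comes from flow state,
        never from a route lookup on the (overlapping) destination address."""
        return self._flows.get(reply.reversed())

def demo() -> Dict[str, Optional[str]]:
    # Constructed sample: two sites both use 10.0.0.5 behind different tunnels.
    table = FlowTable()
    a = FiveTuple("tcp", "10.0.0.5", 40001, "203.0.113.10", 443)
    b = FiveTuple("tcp", "10.0.0.5", 40002, "203.0.113.10", 443)
    table.ingress(a, "ipsec-site-a")
    table.ingress(b, "gre-site-b")
    stray = FiveTuple("tcp", "203.0.113.10", 443, "10.0.0.5", 40003)
    return {"a": table.return_tunnel(a.reversed()),
            "b": table.return_tunnel(b.reversed()),
            "unknown": table.return_tunnel(stray)}
```

    Both replies are addressed to 10.0.0.5, yet each resolves to its own tunnel; a reply with no recorded flow resolves to nothing instead of falling back to an ambiguous route.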

    Benefits of Deploying ARR in Cloudflare One

    ARR delivers a zero‑touch experience: new branch locations can connect without configuring NAT or VRF rules. Administrators gain predictable traffic flow, reduced manual effort, and faster rollout of network extensions. The approach also scales with Cloudflare's global edge network, maintaining consistent performance while simplifying the management of overlapping private address spaces.



    Copyright © 2026 TechStora. All Rights Reserved.