Cloudflare has rolled out a new feature for Magic Transit customers aimed at stopping a tricky and increasingly common class of distributed denial-of-service attacks: DDoS floods targeting UDP-based Layer 7 traffic, especially when the protocol is specialized or doesn’t match typical mitigation patterns.
Called Programmable Flow Protection, the capability is launching in closed beta and is available as an add-on for Magic Transit deployments using either Bring Your Own IP (BYOIP) or Cloudflare-leased IP address space. The focus is clear: give organizations more control when their UDP applications require protocol-aware handling that generic filters can’t easily cover.
Why this matters for UDP services like gaming, VoIP, telecom, and streaming
UDP powers many latency-sensitive services, but it also creates challenges during attacks because it doesn’t behave like TCP, and many UDP applications implement their own logic at higher layers. That’s exactly where Layer 7 UDP DDoS attacks can get painful—attack traffic can look “valid enough” to slip past blunt protections, especially when a business relies on custom or industry-specific UDP protocols.
Cloudflare says Programmable Flow Protection is designed for environments such as gaming platforms, financial services, VoIP, telecom networks, and streaming workloads—anywhere specialized UDP traffic is essential and uptime is non-negotiable. The feature is being positioned alongside other higher-tier protections available for Magic Transit, including Advanced TCP Protection and Advanced DNS Protection.
Customers can upload custom packet logic written in C
The standout piece is customization. With Programmable Flow Protection, customers can write their own stateful packet-processing logic in C and upload it to Cloudflare. Cloudflare then validates the program, compiles it, and deploys it across its global network as an eBPF program running in user space.
In practical terms, this lets operators apply protocol-aware inspection to UDP application traffic. Instead of relying only on broad heuristics, teams can define what “legitimate” looks like for their specific protocol, then allow or block packets accordingly. That custom logic is especially useful for specialized UDP applications where small details—handshake patterns, payload structure, or expected packet behavior—can separate real users from attack traffic.
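To make the idea concrete, here is a small added example (written for this article, not Cloudflare's code and not the interface its beta exposes) of what "stateful, protocol-aware packet logic in C" can look like. It filters the UDP payload of a made-up game protocol, called GMP1 here: a client must first send a well-formed HELLO carrying a nonce, and later DATA packets from that source are accepted only if they echo the same nonce. The flow table, the packet layouts and the function names (filter_packet, flow_lookup) are all assumptions for the example; the only thing it shares with the real feature is the ingress-only viewpoint, so the state kept is what the client side alone reveals.

```c
/* Added example, not Cloudflare's code: a stateful, protocol-aware UDP payload
 * filter for a constructed toy protocol "GMP1".
 *   HELLO: magic "GMP1", type 0x01, version 0x01, 4-byte client nonce  (exactly 10 bytes)
 *   DATA : magic "GMP1", type 0x02, 4-byte nonce, at least 1 byte of app data
 * Ingress-only view: we only ever see client->server packets, so the state we
 * track is "source IP X announced nonce N in a valid HELLO". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { DROP = 0, ALLOW = 1 };

#define GMP_MAGIC  "GMP1"
#define TYPE_HELLO 0x01
#define TYPE_DATA  0x02
#define FLOW_SLOTS 64

struct flow {
    uint32_t src_ip;     /* IPv4 source, host byte order */
    uint32_t nonce;      /* nonce announced in HELLO */
    uint8_t  in_use;     /* slot occupied */
    uint8_t  handshook;  /* a valid HELLO has been seen from src_ip */
};

static struct flow flows[FLOW_SLOTS];

/* Open-addressing lookup keyed on source IP; entries are never deleted here,
 * so a probe chain that hits an empty slot means "not present". */
static struct flow *flow_lookup(uint32_t ip, int create) {
    uint32_t h = (ip * 2654435761u) % FLOW_SLOTS;   /* multiplicative hash */
    for (int i = 0; i < FLOW_SLOTS; i++) {
        struct flow *f = &flows[(h + i) % FLOW_SLOTS];
        if (f->in_use && f->src_ip == ip) return f;
        if (!f->in_use) {
            if (!create) return NULL;
            memset(f, 0, sizeof *f);
            f->in_use = 1;
            f->src_ip = ip;
            return f;
        }
    }
    return NULL;  /* table full: new sources fail closed */
}

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Verdict for one ingress UDP payload from src_ip. Every check is a bounds
 * check first, then a protocol check, so malformed input can never over-read. */
enum verdict filter_packet(uint32_t src_ip, const uint8_t *payload, size_t len) {
    if (len < 5 || memcmp(payload, GMP_MAGIC, 4) != 0) return DROP;  /* magic + type byte */
    uint8_t type = payload[4];
    if (type == TYPE_HELLO) {
        if (len != 10 || payload[5] != 0x01) return DROP;  /* exact length, version 1 */
        struct flow *f = flow_lookup(src_ip, 1);
        if (!f) return DROP;
        f->nonce = be32(payload + 6);
        f->handshook = 1;
        return ALLOW;
    }
    if (type == TYPE_DATA) {
        if (len < 10) return DROP;                       /* nonce + >=1 data byte */
        struct flow *f = flow_lookup(src_ip, 0);
        if (!f || !f->handshook) return DROP;            /* no HELLO seen from this source */
        if (be32(payload + 5) != f->nonce) return DROP;  /* nonce does not match handshake */
        return ALLOW;
    }
    return DROP;  /* unknown message type */
}

/* Constructed sample packets for the demo below. */
static const uint8_t PKT_HELLO[10]    = {'G','M','P','1', 0x01, 0x01, 0xDE,0xAD,0xBE,0xEF};
static const uint8_t PKT_DATA_OK[11]  = {'G','M','P','1', 0x02, 0xDE,0xAD,0xBE,0xEF, 'h','i'};
static const uint8_t PKT_DATA_BAD[11] = {'G','M','P','1', 0x02, 0x00,0x00,0x00,0x01, 'h','i'};
static const uint8_t PKT_HELLO_SHORT[6] = {'G','M','P','1', 0x01, 0x01};
static const uint8_t PKT_JUNK[8]      = {'x','x','x','x','x','x','x','x'};

int main(void) {
    const uint32_t client = 0x0A000001u;  /* 10.0.0.1 */
    const uint32_t other  = 0x0A000002u;  /* 10.0.0.2 */
    printf("DATA before HELLO : %d\n", filter_packet(client, PKT_DATA_OK, sizeof PKT_DATA_OK));
    printf("HELLO             : %d\n", filter_packet(client, PKT_HELLO, sizeof PKT_HELLO));
    printf("DATA, right nonce : %d\n", filter_packet(client, PKT_DATA_OK, sizeof PKT_DATA_OK));
    printf("DATA, wrong nonce : %d\n", filter_packet(client, PKT_DATA_BAD, sizeof PKT_DATA_BAD));
    printf("DATA, other source: %d\n", filter_packet(other, PKT_DATA_OK, sizeof PKT_DATA_OK));
    printf("truncated HELLO   : %d\n", filter_packet(other, PKT_HELLO_SHORT, sizeof PKT_HELLO_SHORT));
    printf("junk payload      : %d\n", filter_packet(other, PKT_JUNK, sizeof PKT_JUNK));
    return 0;
}
```

The point of the example is the shape of the decision, not the toy protocol: legitimacy is defined in terms the application actually understands (magic, version, exact lengths, a nonce that must match earlier state), so a flood of well-formed-looking UDP datagrams that never completed the application's own handshake is dropped without touching any rate-limit heuristic. A production program would also need flow expiry and a bound on entries per source, which this example leaves out.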
Built on Flowtrackd and managed through the API
Cloudflare notes that the system is built on Flowtrackd, its stateful mitigation platform. It supports both asymmetric and symmetric network topologies, but there’s an important limitation to understand: it only inspects ingress traffic.
Configuration and ongoing management are handled via Cloudflare’s API. The available endpoints cover key operational tasks such as uploading programs, creating and managing rules, listing existing configurations, and deleting configurations when they’re no longer needed. For teams used to automation and infrastructure-as-code workflows, API-driven control is a practical fit for fast iteration during active attack scenarios.
An expansion of Magic Transit’s DDoS protection for modern networks
Magic Transit is Cloudflare’s network-layer security and performance offering for on-premises, cloud-hosted, and hybrid environments, providing DDoS protection and traffic handling at the IP layer. By adding Programmable Flow Protection, Cloudflare is extending Magic Transit beyond standard network-layer mitigation toward something more adaptable for organizations running UDP-based services that don’t fit neatly into one-size-fits-all defenses.
For now, there’s no announced general availability date. According to Cloudflare’s documentation, Programmable Flow Protection remains in closed beta, signaling that Cloudflare is likely gathering feedback and tuning the experience before a wider rollout.