自動リターンルーティングがIPアドレス重複を解決する仕組み
Cloudflareは、企業ネットワークのIP重複問題に対応するため、ルーティングテーブルに依存しない自動戻りルーティング(ARR)機能をCloudflare Oneで提供開始した。
キーポイント
IP重複の根本的な課題
M&A、エクストラネット接続、標準化された支店構成などにより、企業ネットワーク間でIPアドレスが重複することは一般的であり、従来のルーティングテーブルでは戻りパケットの宛先を特定できないという構造的な問題を抱えている。
ARRの技術的アプローチ
Automatic Return Routing(ARR)は、ネットワークアドレス変換(NAT)や複雑なVRF設定を必要とせず、パケットの発生源に基づいてトラフィックを正しくルーティングする仕組みを提供し、重複するネットワーク間の共存を可能にする。
Cloudflare Oneへの統合
この機能はCloudflare Oneのエントプライズ向け接続クラウドとしての展開の一環としてClosed Betaで提供されており、管理者の運用負荷(toil)を軽減することを目的としている。
従来の解決策の課題
VRFやNATといった従来の手法は機能するものの、スケーラビリティの低下や運用負荷(管理オーバーヘッド)という重大な課題を抱えている。
ARRの仕組み:ステートフルトラッキング
ARRはルーティングテーブルに依存せず、フローの初期化時に使用されたトンネル情報を記憶する「ステートフルトラッキング」により、帰還トラフィックを正しいサイトへ自動ルーティングする。
対称性のある返送とメモリ状態の活用
着信する戻りトラフィックは、宛先IPアドレスの重複を考慮せず、メモリ内の既存フロー状態に基づいてプロキシ処理されます。これにより、ルーティングテーブルを参照する必要がなくなり、 originating tunnel を直接特定してパケットを返送します。
ゼロタッチルーティングの実現
すべてのフローの発信元トンネルを記憶することで、ARRはゼロタッチルーティングを可能にします。クライアントからインターネットへのトラフィックのみを対象とする場合、戻りルートの設定が不要になり、新規拠点や「コーヒーショップネットワーク」の展開時の作業負荷を削減します。
影響分析・編集コメントを表示
影響分析
本記事は、大規模な企業ネットワーク統合やマルチテナント環境におけるインフラ運用のボトルネックを解消する実用的なソリューションを示している。技術的にはルーティングテーブルの限界を超えたアプローチであり、インフラストラクチャ管理者にとって運用負荷を大幅に削減する可能性がある。ただし、これは特定のクラウドプロバイダーの製品機能であり、業界全体を揺るがす規格変更ではないため、中程度の重要性を持つ。
編集コメント
インフラエンジニアにとってIP重複は長年の頭痛の種であり、NATやVRFといった複雑な設定から解放されるARRは実用性が高い。ただし、これはCloudflare固有の機能であり、汎用的なプロトコル標準化とは異なる点に注意が必要だ。

トンネルまたはインターコネクトで有効化されると、既存のフローに一致するすべてのトラフィックは、ルーティングテーブルを参照することなく、発生元の接続に戻ってルーティングされます。
ARRの活用
エンタープライズアーキテクトにとって、ARRはIPアドレス競合という継続的な課題を回避するためのツールです。買収した企業の統合であれ、パートナーのオンボーディングであれ、目標はネットワークを意識させず、インフラ作業ではなくアプリケーションに集中できるようにすることです。
現在、ARRはクローズドベータ版で、当社のセキュアウェブゲートウェイ(Secure Web Gateway)経由でインターネットにアクセスする際のIPアドレス重複をサポートしています。私たちは既にこの機能を拡張中であり、プライベートデータセンターアクセスのサポート、ミッドフローフェイルオーバー(フローをプライマリオンプランプに関連付け、そのフローがバックアップオンプランプにフェイルオーバーした場合もシームレスに検出)の追加、そして最も複雑なグローバル展開であってもIP重複を問題にしないために必要なアーキテクチャ機能へのさらなる投資を進めています。
まだCloudflare Oneをお使いでないですか?無料プランと従量課金プランで、ユーザーとネットワークの保護と接続を今すぐ開始できます。IPsecとプライベートインターコネクトによる包括的なプライベートWAN接続については、ぜひお問い合わせください。
原文を表示
The public Internet relies on a fundamental principle of predictable routing: a single IP address points to a logically unique destination. Even in an Anycast architecture like Cloudflare’s, where one IP is announced from hundreds of locations, every instance of that IP represents the same service. The routing table always knows exactly where a packet is intended to go.
This principle holds up because global addressing authorities assign IP space to organizations to prevent duplication or conflict. When everyone adheres to a single, authoritative registry, a routing table functions as a source of absolute truth.
On the public Internet, an IP address is like a unique, globally registered national identity card. In private networks, an IP is just a name like “John Smith”, which is perfectly fine until you have three of them in the same room trying to talk to the same person.
As we expand Cloudflare One to become the connectivity cloud for enterprise backbones, we’ve entered the messy reality of private IP address space. There are good reasons why duplication arises, and enterprises need solutions to handle these conflicts.
Today, we are introducing Automatic Return Routing (ARR) in Closed Beta. ARR is an optional tool for Cloudflare One customers that gives you the flexibility to route traffic back to where it originated, without requiring an IP route in a routing table. This capability allows overlapping networks to coexist without a single line of Network Address Translation (NAT) or complex Virtual Routing and Forwarding (VRF) configuration.
The ambiguity problem
In enterprise networking, IP overlap is a fact of life. We see it in three common scenarios that traditionally cause toil for admins:
Mergers & acquisitions: Two companies merge, and both use 10.0.1.0/24 for their core services.
Extranets: Partners, vendors or customers securely connect to your network using their own internal IP schemes, leading to unavoidable conflicts.
Cookie-cutter architectures: SaaS providers or retail brands use identical IP space for every branch to simplify deployment and operation.
The problem arises when these sites try to talk to the Internet or a data center through Cloudflare. If two different sites send traffic from the same source IP, the return packet hits an architectural wall. The administrator has to make a decision on how to route the traffic based on the ambiguous destination. If the administrator puts both routes into the routing table, it will be non-deterministic as to which path is taken: the correct path or the incorrect path. From the perspective of a standard routing table, there is no way to distinguish between two identical paths.
image
This diagram shows two branches (Site A and Site B) both using 10.0.1.0/24. They send packets to Cloudflare. The return packet from the Internet reaches the Cloudflare edge, and this return traffic is sometimes sent to the wrong site because the routing table has two identical egress options.
Why traditional fixes fail
There are numerous ways to resolve this ambiguity, and we are committed to solving them in the easiest way for our customers to manage. The traditional “industry standard” fixes are functional, but they introduce significant administrative overhead and complexity that we are committed to eliminating:
Virtual Routing and Forwarding (VRF): This involves creating "virtual" routing tables to keep traffic isolated. While effective for separation, it adds administrative overhead. Managing cross-VRF communication (route leaking) is brittle and complex at scale.
Network Address Translation (NAT): You can NAT each overlapping subnet from an unmanaged IP space to a managed IP range that is unique in your network. This approach works well, but the mapping is administrative toil for each new site or partner.
Typically, the use case we hear from customers is an overlapping network needing to access the Internet or a private data center. How do we solve this without administrative overhead?
Introducing Automatic Return Routing (ARR)
We developed ARR as a "zero-touch" solution to this problem. ARR moves the intelligence from the routing table to stateful tracking.
So what is stateful tracking?
In traditional networking, a router is "forgetful" (aka “stateless”). It treats every single packet like a total stranger. Even if it just saw a packet from the exact same source going to the exact same destination a millisecond ago, it has to look at its routing table all over again to decide where to send the next one.
With stateful tracking, the system has a memory. It recognizes when a series of packets are all part of the same “flow” (that is, a network conversation between two endpoints), and remembers key information about that flow until it finishes. With ARR, we remember one extra piece of information when initializing the flow: the specific tunnel that initiated it. This allows us to send return traffic back to that same tunnel, without ever consulting a routing table!
Instead of asking the network, "Where does this IP live?" ARR asks, "Where did this specific conversation originate?"
The Logic:
Ingress: A packet arrives at the Cloudflare edge from a site via a specific connection, i.e. an IPsec tunnel, GRE tunnel, or Network Interconnect.
Flow Matching: The Cloudflare Virtual Network first checks (by header inspection) whether that packet matches an existing flow.
Proxying: If the packet matches, that's great! All of the decisions about this traffic have already been made and stored in our memory. All we need to do is pass that packet along already-established paths.
Flow Setup: If it doesn’t match an existing flow, we decide which parts of the Cloudflare One stack to pass it through (e.g. Gateway, DLP, Firewall), as well as its ultimate destination. We store all of this state in memory. With ARR, this is when we record which tunnel initiated the flow.
Symmetric Return: When return traffic arrives from the destination, the Cloudflare Virtual Network uses its existing in-memory state to proxy the traffic. Crucially, it does this without needing to examine the traffic’s destination IP, which could very well be reused across different sites. This completely bypasses the need to consult a routing table. We see the originating tunnel in the flow state and deliver the packet directly back to it.
image
Example of overlapping source IPs tracked by in-memory flow state, tagged with source onramp to inform return routing decision.
By remembering the originating tunnel for every flow, ARR facilitates zero-touch routing. If your site traffic is only client-to-Internet, there is no need to configure return routes at all, reducing toil when deploying new branch sites or “Coffee Shop Networking.”
Built on Unified Routing
To make ARR a reality at Cloudflare scale, we plugged into another initiative we have been working on: Unified Routing.
Historically, Cloudflare Zero Trust (users/proxies) and Cloudflare WAN (network-layer/sites) lived at different levels of the system. Cloudflare WAN relied on kernel primitives (Linux network namespaces, routes, eBPF, etc). Zero Trust lived in userspace, where proxies could perform deep inspection and application-level security. This "split-brain" approach often required complex logic to move traffic between component services, and some of this complexity became product limitations that customers might notice.
image
image
With our new Unified Routing mode, we have moved the initial routing decision from our network-layer data plane into our existing Zero Trust userspace routing logic, the same hardened software used by Cloudflare One Clients and Cloudflare Tunnel in our Zero Trust solution. This change has many benefits to how we enable our customers to use their private networks with products across the Cloudflare platform, as it fixes long-standing interoperability problems between Cloudflare WAN and Zero Trust. Unified Routing means you can use Cloudflare Mesh, Cloudflare Tunnel, and IPsec/GRE on-ramps together in the same account without a single conflict.
image
In September 2025, we deployed Unified Routing mode internally for all Cloudflare employees and sites. We saw immediate 3-5x performance improvements for Cloudflare One Clients, as you can see in the graph above.
When designing ARR, we knew that we needed to move away from kernel-based routing and build on our new Unified Routing framework.
When Unified Routing is enabled, all Cloudflare WAN traffic flows through Apollo, our Zero Trust hub. Unlike the Linux kernel's standard routing table, our userspace data plane is fully programmable. We can attach metadata, like the originating Tunnel ID, directly to a flow entry in Apollo.
Each packet is tracked by flow from the moment it hits our edge, and we no longer need to make independent, per-packet routing decisions. Instead, we can make consistent, session-aware decisions for the lifetime of the flow.
ARR is straightforward to enable on a per tunnel or interconnect basis:
image
Once enabled for a tunnel or interconnect, any traffic that matches an existing flow is routed back to the connection where it originated, without consulting the routing table.
Putting ARR to work
For the enterprise architect, ARR is a tool to bypass the persistent friction of IP address conflicts. Whether integrating an acquisition or onboarding a partner, the goal is to make the network invisible, so you can focus on the applications, not the plumbing.
Today, ARR is in closed beta and supports overlapping IP addresses accessing the Internet via our Secure Web Gateway. We are already extending this to support private data center access, adding mid-flow failover (pinning the flow to a primary onramp, and seamlessly detecting when that flow fails over to a backup onramp), and further investing in the architectural capabilities needed to make IP overlap a non-issue for even the most complex global deployments.
Not using Cloudflare One yet? Start now with our Free and Pay-as-you-go plans to protect and connect your users and networks, and contact us for comprehensive private WAN connectivity via IPsec and private interconnect.
関連記事
今日のまとめ
AI日報で今日の重要ニュースをまとめ読み