Architecture Comparison
1 Current: Ingress Only (Asymmetric)
Problem: Traffic enters via Cloudflare but exits via the ISP. Stateful firewalls may drop return traffic because the inbound and outbound paths are asymmetric.
2 Proposed: Ingress + Egress (Symmetric via GRE)
Solution: All traffic flows through Cloudflare bidirectionally via redundant GRE tunnels. Stateful firewalls work correctly with symmetric paths. 2 tunnels per site for high availability.
Fujifilm Multi-Site Topology
4 Sites × 2 GRE Tunnels = 8 Redundant Connections to Cloudflare
Upgrade Path: Enable Egress on Existing GRE Tunnels
Your existing 8 GRE tunnels (2 per site) are already configured for ingress traffic. Adding Egress enables bidirectional traffic flow through these same tunnels — no new infrastructure required.
Key Benefits for Fujifilm
Stateful Firewall Compatibility
Enable symmetric routing where traffic enters and exits through the same interface. Critical for enterprise firewalls that track connection state.
Reduce ISP Transit Costs
Route both ingress and egress traffic through your existing GRE tunnels. Consolidate bandwidth through Cloudflare and reduce ISP dependency.
Complete Traffic Visibility
Gain full visibility into egress traffic patterns. Monitor, analyze, and optimize outbound traffic flows through Cloudflare's dashboard.
Cloudflare IP Leasing
Don't own a /24? Lease IP addresses directly from Cloudflare. Perfect for expanding network presence without acquiring new IP blocks.
Cloud IP Delegation
Carve up your /24 prefix and delegate IPs to public cloud environments like Azure and AWS while maintaining unified protection.
Simplified Architecture
Single provider for all network traffic. Reduce complexity, vendor management overhead, and operational burden.
Real-World Scenarios for Fujifilm
Scenario 1: Firewall State Table Issues
❌ Without Egress
Fujifilm's Palo Alto firewall sees incoming traffic from Cloudflare IPs, but return traffic exits via the ISP with a different source. The firewall drops packets as "out of state", causing intermittent connectivity issues.
✓ With Egress
All traffic flows symmetrically through Cloudflare. Firewall correctly tracks connection state. No dropped packets, no workarounds needed, full security policy enforcement.
Scenario 2: Transit Cost Optimization
❌ Without Egress
Fujifilm pays Cloudflare for ingress protection AND pays ISP for all egress bandwidth. Dual costs, no leverage for negotiation, separate billing relationships.
✓ With Egress via GRE
Consolidate all traffic through your existing GRE tunnels (2 per site). Reduce ISP transit dependency. Single relationship with Cloudflare, predictable pricing across all 4 sites.
Scenario 3: Hybrid Cloud Deployment
❌ Without Egress
Fujifilm wants to deploy workloads in AWS/Azure using their own IP space. Without egress, cloud instances can't properly route return traffic through Cloudflare protection.
✓ With Egress
Delegate portions of your /24 to Azure or AWS. Cloud workloads route egress through Cloudflare. Unified protection across on-prem and cloud, consistent security posture.
Scenario 4: Security & Compliance Visibility
❌ Without Egress
Compliance team asks: "What data is leaving our network?" Egress traffic bypasses Cloudflare, so there is no centralized logging and security monitoring has a blind spot.
✓ With Egress
Complete visibility of all egress traffic in Cloudflare dashboard. Detailed analytics, flow logs, anomaly detection. Meet compliance requirements with comprehensive audit trails.