TcpFlowProtectionRule

Source: src/Cloudflare/DdosProtection/TcpFlowProtectionRule.ts

An Advanced TCP Protection out-of-state TCP flow rule (Magic Transit).

Rules tune how Cloudflare mitigates out-of-state TCP packet floods (ACK, RST, …) on Magic Transit prefixes, per scope (global, a region, or a data center). The rule’s identity is its scope + name pair — only mode and the sensitivities are mutable in place.

Requires the Magic Transit / Advanced TCP Protection entitlement; on accounts without it every API call fails with the typed AdvancedTcpProtectionNotEntitled error.

Safety: rules carry no ownership markers. When there is no prior state, read scans for an existing rule with the same scope + name and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.
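The identity and adoption rules described above, modeled as a stand-alone decision function. This is an added example, not the provider's own code: `RuleProps`, `Plan`, `identity`, `mutableFieldsDiffer`, `planRule` and the sample data are hypothetical, and treating an identity change as a replacement is an assumption drawn from scope and name not being mutable in place.

```typescript
// Added illustration, not the provider's code. All names here are hypothetical.
interface RuleProps {
  scope: string; // "global", "region", ... as used on this page
  name?: string; // the page's global example omits it
  mode: string;
  burstSensitivity: string;
  rateSensitivity: string;
}

type Plan = "create" | "noop" | "update-in-place" | "replace" | "adopt" | "refuse-unowned";

// A rule's identity is its scope + name pair.
function identity(r: RuleProps): string {
  return r.scope + "/" + (r.name === undefined ? "" : r.name);
}

// Only mode and the two sensitivities can change in place.
function mutableFieldsDiffer(a: RuleProps, b: RuleProps): boolean {
  return a.mode !== b.mode ||
    a.burstSensitivity !== b.burstSensitivity ||
    a.rateSensitivity !== b.rateSensitivity;
}

function planRule(prior: RuleProps | undefined, live: RuleProps[],
                  desired: RuleProps, adopt: boolean): Plan {
  if (prior !== undefined) {
    // Prior state exists, so the rule is already tracked.
    // Assumption: an identity change means a replacement, not an in-place edit.
    if (identity(prior) !== identity(desired)) return "replace";
    return mutableFieldsDiffer(prior, desired) ? "update-in-place" : "noop";
  }
  // No prior state: rules carry no ownership marker, so a live rule with
  // the same identity is treated as unowned.
  for (let i = 0; i < live.length; i++) {
    if (identity(live[i]) === identity(desired)) {
      return adopt ? "adopt" : "refuse-unowned";
    }
  }
  return "create";
}

// Constructed sample data: one rule already present on the account.
const sampleLive: RuleProps[] = [
  { scope: "region", name: "WEUR", mode: "monitoring", burstSensitivity: "medium", rateSensitivity: "medium" },
];
const sampleDesired: RuleProps =
  { scope: "region", name: "WEUR", mode: "enabled", burstSensitivity: "high", rateSensitivity: "low" };

console.log(planRule(undefined, sampleLive, sampleDesired, false)); // refuse-unowned
```

Without the adopt flag, a first deploy cannot silently switch an existing monitoring rule on a shared account to enabled.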

Global TCP flow protection in monitoring mode

const rule = yield* Cloudflare.TcpFlowProtectionRule("GlobalFlow", {
  scope: "global",
  mode: "monitoring",
  burstSensitivity: "medium",
  rateSensitivity: "medium",
});

Region-scoped rule

yield* Cloudflare.TcpFlowProtectionRule("WeurFlow", {
  scope: "region",
  name: "WEUR",
  mode: "enabled",
  burstSensitivity: "high",
  rateSensitivity: "low",
});