MagicSiteAcl

Source: src/Cloudflare/MagicTransit/SiteAcl.ts

An ACL between two LANs of a Magic WAN site — allows traffic between LAN segments behind a Magic WAN Connector (all inter-LAN traffic is denied by default).

Requires a Magic WAN subscription — accounts without it receive a typed MagicWanUnauthorized error (Cloudflare code 1025).

siteId is create-only — changing it triggers a replacement. Everything else is updated in place.

Allow TCP between two LANs

yield* Cloudflare.MagicSiteAcl("lan-to-lan", {
  siteId: site.siteId,
  name: "office-to-lab",
  lan1: { lanId: officeLan.lanId, ports: [443] },
  lan2: { lanId: labLan.lanId },
  protocols: ["tcp"],
});

Unidirectional ACL forwarded locally

yield* Cloudflare.MagicSiteAcl("one-way", {
  siteId: site.siteId,
  name: "sensors-to-collector",
  lan1: { lanId: sensorsLan.lanId },
  lan2: { lanId: collectorLan.lanId, ports: [9000] },
  unidirectional: true,
  forwardLocally: true,
});
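
Because inter-LAN traffic is denied by default, each ACL is an explicit exception worth reviewing for breadth before it is deployed. The following is an added example, not code from this project: a stand-alone check over plain objects shaped like the props above. The names `SiteAclProps`, `auditSiteAcl`, `auditAll` and the sample LAN ids are hypothetical, and it assumes that an omitted `ports` or `protocols` list means "not restricted".

```typescript
// Added example, not part of the project source. Field names mirror the
// examples on this page; "omitted means unrestricted" is an assumption.
interface LanSide { lanId: string; ports?: number[] }
interface SiteAclProps {
  siteId: string;
  name: string;
  lan1: LanSide;
  lan2: LanSide;
  protocols?: string[];
  unidirectional?: boolean;
  forwardLocally?: boolean;
}

// Returns findings for an ACL that opens more than it states it needs.
function auditSiteAcl(acl: SiteAclProps): string[] {
  const findings: string[] = [];
  const open1 = !acl.lan1.ports || acl.lan1.ports.length === 0;
  const open2 = !acl.lan2.ports || acl.lan2.ports.length === 0;
  if (open1 && open2) findings.push(`${acl.name}: no ports listed on either LAN`);
  if (!acl.protocols || acl.protocols.length === 0)
    findings.push(`${acl.name}: no protocols listed`);
  if (!acl.unidirectional)
    findings.push(`${acl.name}: bidirectional, confirm both directions are needed`);
  return findings;
}

// Constructed sample inputs: the two ACLs from this page with placeholder
// ids, plus a deliberately broad rule for contrast.
const sampleAcls: SiteAclProps[] = [
  { siteId: "site-1", name: "office-to-lab",
    lan1: { lanId: "lan-office", ports: [443] }, lan2: { lanId: "lan-lab" },
    protocols: ["tcp"] },
  { siteId: "site-1", name: "sensors-to-collector",
    lan1: { lanId: "lan-sensors" }, lan2: { lanId: "lan-collector", ports: [9000] },
    unidirectional: true, forwardLocally: true },
  { siteId: "site-1", name: "any-to-any",
    lan1: { lanId: "lan-office" }, lan2: { lanId: "lan-lab" } },
];

// Audits a list of ACLs and keys the findings by ACL name.
function auditAll(acls: SiteAclProps[]): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  for (const acl of acls) report[acl.name] = auditSiteAcl(acl);
  return report;
}
```
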