API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
DDoS Protection
DDoS Protection
Chosen image
Home/DDoS Protection/Secure Transit/Configure infrastructure for Secure Transit

Configure your infrastructure for Secure Transit

Secure Transit protects on-premises, hybrid, and cloud-based networks from DDoS attacks while optimizing network performance by accelerating traffic delivery. This feature is available to all Gcore DDoS Protection customers.

To enable Secure Transit, follow the configuration steps outlined below.

Step 1. Provide information about your network infrastructure

To properly configure DDoS protection and traffic routing, we need details about your network setup and traffic patterns. Complete and submit the DDoS Protection questionnaire as described in our guide on activating DDoS protection.

Step 2. Verify router compatibility

For Secure Transit to function optimally, the routers at your tunnel endpoints must meet the following specifications:

  • Support anycast tunneling to efficiently route traffic from Gcore’s network to your origin
  • Allow configuration of multiple tunnels per internet service provider (ISP)
  • Support maximum segment size (MSS) clamping to prevent fragmentation of larger packets and optimize data transmission through the tunnel

Step 3. Verify IRR entries

If you are using an IP address provided by Gcore, you can skip this step.

Your Internet Routing Registry (IRR) entries must match the corresponding origin autonomous system numbers (ASNs). This ensures accurate and secure traffic routing.

To verify the authenticity of your IP address prefixes, use Resource Public Key Infrastructure (RPKI), a security framework that cryptographically links route prefixes to an autonomous system. This validation ensures routing information integrity before passing data to your routers.

To check your prefixes, use any RPKI validation tool or a validation portal provided by your ISP.

Step 4. Set maximum segment size (MSS)

Since Secure Transit encapsulates original data packets with additional headers, these headers increase packet size. To prevent fragmentation, adjust the Maximum Transmission Unit (MTU) and Maximum Segment Size (MSS) settings accordingly.

Recommended MSS clamping settings:

  • GRE tunnels handling off-ramp traffic: Set TCP MSS to 1432 bytes.
  • Clearing the "Don’t Fragment" (DF) bit: If you cannot set MSS below 1500 bytes, clearing the DF flag in the IP header allows larger packets to be fragmented and reassembled after decapsulation. In most environments, this does not significantly impact traffic throughput.

Step 5. Adjust MSS values for a router

This configuration depends on the actual provider of your router. Here are the instructions for some common network providers:

Step 6. Configure tunnels

To establish a secure connection between Gcore’s network and your infrastructure, configure tunnels on both the Gcore side and your router. Follow the instructions in the Set Up a GRE Tunnel with Gcore guide.

Step 7. Advertise prefixes

After submitting your DDoS Protection Questionnaire, we will process and announce your prefixes through the Gcore network using Border Gateway Protocol (BGP). Once completed, all incoming traffic will be routed through Secure Transit for DDoS protection before reaching your infrastructure.

Was this article helpful?

Not a Gcore user yet?

Explore our DDoS protection for servers

Go to the product page