How I Avoided GCP → Cloudflare CDN Peering Charges Using IPv6
If you've been using Google Cloud Platform (GCP) with Cloudflare (CF), you've probably noticed something frustrating:
Traffic sent from GCP to Cloudflare often does not count toward the standard free 200GB outbound quota. Instead, it gets categorized under the CDN peering billing tier, which can become surprisingly expensive. Even worse, the free direct connection can sometimes be painfully slow.
After experimenting with different routing methods, I found a practical workaround that significantly improves speed while avoiding most CDN peering charges.
In this post, I'll explain the setup, how it works, and a few limitations to keep in mind.
The Core Idea
The solution is based on routing traffic over IPv6 through Hurricane Electric (HE Tunnel) instead of relying entirely on standard IPv4 outbound routes.
Current Routing Flow
Inbound Traffic:
User → Cloudflare → HE Tunnel → GCP
Outbound Traffic:
GCP → HE Tunnel → Cloudflare → User
This routing path helps bypass the usual CDN peering billing classification.
Requirements
Before starting, make sure you have:
- A running GCP VM instance
- Debian or Ubuntu installed
- A domain using Cloudflare DNS
- Basic Linux networking knowledge
- Your instance kept online continuously (important for tunnel stability)
Step 1 — Create an HE IPv6 Tunnel
Go to the Hurricane Electric Tunnel Broker website and create a free IPv6 tunnel using your server's public IP.
Once created:
- Assign the provided IPv6 address to your GCP instance
- Configure the tunnel interface
- Test IPv6 connectivity
You can verify everything is working with:
ping6 google.com
If you receive replies, IPv6 is active.
Step 2 — Prioritize IPv6 Traffic
Now configure your system so IPv6 becomes the preferred route for outbound traffic.
On Debian/Ubuntu, you can adjust address selection priorities or use scripts that prefer IPv6 over IPv4.
After configuration, verify with:
curl -6 ifconfig.me
If it returns your IPv6 address, the routing is working correctly.
Step 3 — Block CDN IPv4 Ranges (Optional but Recommended)
To force services toward IPv6 routing, you can block the IPv4 ranges of major CDNs using firewall rules.
This prevents fallback to standard IPv4 paths that may trigger CDN peering billing.
Be careful when applying firewall rules to avoid locking yourself out of the server.
Step 4 — Configure Cloudflare DNS
Inside Cloudflare:
- Enable only the AAAA record
- Turn on the Cloudflare proxy (orange cloud)
Even with only AAAA enabled:
- IPv6 users connect normally
- IPv4 users can still access the site through Cloudflare's dual-stack network
This is one of the key parts that makes the setup practical.
Performance Results
After switching to this routing setup:
- Speed improved noticeably
- CDN peering billing was effectively avoided
- General website access became smoother and more stable
For heavy traffic or bandwidth-intensive applications, the difference can be significant.
Limitations
MTU / Packet Loss
Because traffic passes through the tunnel, you may experience:
- Minor MTU issues
- Small packet loss
In testing, the impact stayed below roughly 2%, which was acceptable for most workloads.
Alternative Option: Tencent Cloud EdgeOne
Another interesting workaround is using Tencent Cloud EdgeOne in front of GCP.
Current testing suggests that traffic routed this way may still count toward the standard free 200GB allowance instead of CDN peering billing.
Results may vary depending on region and routing conditions, but it's definitely worth experimenting with.
Final Thoughts
GCP's CDN peering billing can be frustrating, especially when working with Cloudflare-heavy setups. Using IPv6 tunneling through HE provides a surprisingly effective workaround for many users.
While it isn't a perfect solution, it offers:
- Better routing performance
- Lower bandwidth costs
- More control over traffic paths
If you've tested other methods, routing tricks, or CDN combinations, feel free to share them — there are probably even better optimizations out there.
