
Building a private Anycast edge from scratch
Why some of our clients run their own ASN, IP blocks, and edge — the trade-offs vs Cloudflare, and how the math actually works.
By AnySec Engineering
Who needs this
If you are running a SaaS product on Cloudflare and shipping 99% of your traffic through their edge, do not build a private Anycast network. The marginal benefit doesn't justify the operational complexity. Cloudflare is genuinely one of the best products in our industry, and we use it for our own marketing site.
The clients we deploy private Anycast for typically share at least one of these characteristics:
- High geopolitical risk: Operating in markets where dependency on a US-headquartered provider is a strategic liability — for example, a regulated business with significant non-Western customer bases.
- Account-status risk: Their business model is legally permitted but contested by the major providers' terms of service. Gaming and gambling operators see this acutely.
- High customer-data sensitivity: They cannot accept a hyperscaler being in the TLS-terminated data path.
- Scale economics: At sustained multi-Gbps egress, hyperscaler edge pricing crosses a threshold where rolling your own becomes substantially cheaper.
If none of those apply, stick with Cloudflare. The rest of this article assumes one or more do.
What "private Anycast" means in practice
Private Anycast means owning the four things that make global Anycast work as a network primitive:
1. Your own Autonomous System Number (ASN)
Issued by a Regional Internet Registry (RIPE NCC for Europe, the Middle East and Central Asia, ARIN for North America, APNIC for Asia-Pacific, LACNIC for Latin America and the Caribbean, AFRINIC for Africa). Budget an annual fee: currently around €1,400/year at RIPE NCC for the membership through which the ASN is held. Your name (or your holding entity's name) is on the registration. You announce routes; you carry the responsibility for them.
2. Your own IP blocks
IPv4 is now a secondary market: expect to pay €30–€55 per IPv4 address for a /22 or larger, with small blocks (a /23 or /24) commanding a premium per address. At those prices a /22 (1,024 addresses) is roughly €31K–€56K of capital outlay. IPv6 is plentiful: a /48 IPv6 block from RIPE NCC costs essentially nothing on top of your membership and gives you 2⁸⁰ ≈ 1.2 × 10²⁴ addresses, more than you'll ever need.
If you don't own the IPs, you don't have leverage. Transit providers can stop announcing them, regulators can lean on whoever does own them, and you're back to depending on someone else's good behaviour. Once the blocks are yours, publish RPKI ROAs for them under your ASN straight away: networks that do route-origin validation will then drop a hijack of your space. The same mechanism will drop your own announcement if you later originate it from a different ASN or as a more-specific than the ROA's maxLength allows, so keep the ROAs in step with what you actually announce.
3. BGP peering at multiple PoPs
Either via Internet Exchange Points (IXPs) or commercial transit providers, ideally both. The major IXPs (DE-CIX Frankfurt, AMS-IX Amsterdam, LINX London, JPNAP Tokyo, Equinix Singapore) give you direct peering with hundreds of networks at a flat monthly cost.
A small deployment looks like:
- Frankfurt: DE-CIX + a Tier-1 transit
- Amsterdam: AMS-IX + a Tier-1 transit
- Singapore: Equinix SG + a regional transit
- One US PoP, usually Equinix DC or LAX
That's four PoPs and roughly eight BGP sessions (IXP route servers plus a transit session at each), which is plenty of redundancy.
4. Traffic engineering, health checks, and failover
The boring part. BGP gives you reachability; traffic engineering is what makes one PoP take more load when another is under attack, what moves clients away from a transit provider that is having a bad day, and what biases your routing so that Frankfurt customers don't get routed through São Paulo.
Standard stack: Bird/FRR for BGP, a health-check daemon that withdraws routes when local services fail, a route reflector if you have more than a handful of PoPs.
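The withdraw-on-failure piece of that stack, as an added example (not the article's or any client's code): the anycast service address sits on a Linux dummy interface that BIRD/FRR redistributes as a connected route, so adding the address announces the prefix from this PoP and deleting it withdraws it. The script decides when to do each, with hysteresis so a single lost probe does not flap a route across every peer. The health URL, address, interface name and thresholds are assumptions.

```python
"""Minimal anycast health-check daemon with hysteresis (added example).

Assumed model: ANYCAST_ADDR lives on DUMMY_IF; BIRD/FRR exports connected
routes on that interface, so ip addr add/del == announce/withdraw.
"""
import subprocess
import time
import urllib.request
from dataclasses import dataclass

HEALTH_URL = "http://127.0.0.1:8080/healthz"   # assumed local service endpoint
ANYCAST_ADDR = "192.0.2.10/32"                 # RFC 5737 test address; use your own
DUMMY_IF = "dummy0"                            # interface BIRD/FRR redistributes
INTERVAL_S = 2.0


@dataclass
class RouteState:
    """Decide when to announce/withdraw. Several consecutive results are
    required before flipping, so one timeout does not withdraw the route
    and one lucky probe does not re-attract traffic to a sick box."""
    fail_threshold: int = 3   # consecutive failures before withdrawing
    ok_threshold: int = 5     # consecutive successes before re-announcing
    announced: bool = False
    fails: int = 0
    oks: int = 0

    def observe(self, healthy: bool) -> str:
        """Feed one probe result; return 'announce', 'withdraw' or 'hold'."""
        if healthy:
            self.fails = 0
            self.oks += 1
            if not self.announced and self.oks >= self.ok_threshold:
                self.announced = True
                return "announce"
        else:
            self.oks = 0
            self.fails += 1
            if self.announced and self.fails >= self.fail_threshold:
                self.announced = False
                return "withdraw"
        return "hold"


def probe(url: str = HEALTH_URL, timeout: float = 1.0) -> bool:
    """One HTTP probe; any exception or non-200 status counts as unhealthy."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except Exception:
        return False


def apply(action: str, addr: str = ANYCAST_ADDR, dev: str = DUMMY_IF) -> None:
    """Translate a decision into an address add/del on the dummy interface."""
    if action == "announce":
        subprocess.run(["ip", "addr", "replace", addr, "dev", dev], check=True)
    elif action == "withdraw":
        # Deleting an address that is already gone fails harmlessly.
        subprocess.run(["ip", "addr", "del", addr, "dev", dev], check=False)


def run(state: RouteState) -> None:
    """Daemon loop. Starts withdrawn: the service must prove itself healthy
    ok_threshold times before this PoP attracts any traffic."""
    apply("withdraw")
    while True:
        apply(state.observe(probe()))
        time.sleep(INTERVAL_S)


if __name__ == "__main__":
    run(RouteState())
```

Two caveats when running something like this for real. First, the route is only as honest as the probe: check the actual service path (the TLS listener, not just a process pid). Second, if the daemon itself dies while the address is up, the route stays announced with nobody watching it, so run it under a supervisor that removes the address on stop, or have BIRD's export filter also require a freshness marker the daemon refreshes.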
A real deployment we did
A licensed European gaming operator had been through two account-status reviews at major US-based edge providers in 18 months. Each one was resolved without consequence, but each one represented a risk of being interrupted at zero notice. They asked us to build them an independent edge.
The engagement ran 19 days from kickoff to traffic cutover. Six PoPs:
| PoP | IX | Why |
|---|---|---|
| Amsterdam | AMS-IX | Continental Europe gateway |
| Frankfurt | DE-CIX | DACH market + redundancy to AMS |
| London | LINX | UK regulatory zone |
| Singapore | Equinix SG | SEA traffic |
| Tokyo | JPNAP | NE Asia |
| São Paulo | IX.br | LatAm |
The operator's existing hardware (8 × edge servers) was redeployed across the new PoPs. They bought a /23 IPv4 block on the secondary market (€32K), and got an IPv6 /48 from RIPE alongside their new ASN.
Outcome at 12 months:
- Zero account-status incidents.
- Monthly edge spend reduced by 41% compared to their previous hyperscaler line items.
- 99.97% uptime measured by independent synthetic monitoring.
- Two production-impacting incidents, both resolved within the operator's SLA — one a BGP fat-finger at their secondary transit, one a fibre cut between FRA and AMS.
Where it costs more than people expect
Operations. Once you own the ASN and the boxes, you own the incidents.
- BGP misconfigurations are now your problem. Announce a prefix that isn't yours and you get an angry email from Hurricane Electric; originate your own prefix from the wrong ASN, or as a more-specific your RPKI ROA doesn't permit, and networks doing route-origin validation quietly drop it. Strict export filters (your own prefixes and nothing else) and ROAs kept in step with your announcements are the two guards.
- Hardware refresh cycles are now your problem. Plan 5-year capex.
- Peering relationships are now your problem. Building peering across IXPs is partly a technical job and partly a relationship job.
- Regulatory questions arrive at your door, not your provider's door. This is mostly an upside — you control the response — but it is a workload.
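A pre-flight check for the fat-finger case above, as an added example (not the article's or any client's tooling): before loading a new export list into BIRD/FRR, confirm every prefix is inside space you hold and that your own published RPKI ROAs would classify the announcement as valid under the RFC 6811 route-origin-validation rules. The prefixes, ASNs and ROAs are constructed sample data from documentation ranges (RFC 5737, RFC 3849, AS64496–AS64511); substitute your own.

```python
"""Pre-flight validation of a planned BGP export list (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int


# Constructed sample: what the operator holds and the ROAs they published.
HELD_PREFIXES = ["203.0.113.0/24", "2001:db8::/48"]
ROAS = [
    Roa("203.0.113.0/24", 24, 64496),   # no more-specifics permitted
    Roa("2001:db8::/48", 56, 64496),    # /48 down to /56 may be announced
]
# Constructed sample export list, including two mistakes.
PLANNED_EXPORT = ["203.0.113.0/24", "203.0.113.0/25", "2001:db8::/52", "198.51.100.0/24"]


def _covers(container: str, prefix) -> bool:
    """True if `prefix` lies inside `container` (same address family only)."""
    c = ip_network(container)
    return c.version == prefix.version and prefix.subnet_of(c)


def rov_state(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: 'valid' if some covering ROA matches both
    the origin ASN and the length limit, 'invalid' if ROAs cover the prefix
    but none match, 'notfound' if no ROA covers it at all."""
    route = ip_network(prefix)
    covering = [r for r in roas if _covers(r.prefix, route)]
    if not covering:
        return "notfound"
    for r in covering:
        if route.prefixlen <= r.max_length and r.asn == origin_asn:
            return "valid"
    return "invalid"


def preflight(announcements, origin_asn: int, held=HELD_PREFIXES, roas=ROAS) -> dict:
    """Return {prefix: verdict}. Anything other than 'ok' should block the push:
    'not-held' is announcing space that is not yours; 'rpki-invalid' means
    ROV-enforcing networks will drop your own route; 'rpki-notfound' means
    you hold the space but never published a ROA for it."""
    verdicts = {}
    for p in announcements:
        net = ip_network(p)
        if not any(_covers(h, net) for h in held):
            verdicts[p] = "not-held"
            continue
        state = rov_state(p, origin_asn, roas)
        verdicts[p] = "ok" if state == "valid" else f"rpki-{state}"
    return verdicts


if __name__ == "__main__":
    for prefix, verdict in preflight(PLANNED_EXPORT, 64496).items():
        print(f"{prefix:20} {verdict}")
```

On the sample data the /25 is flagged rpki-invalid because the ROA's maxLength is 24: a perfectly ordinary "add a more-specific for traffic engineering" change that would have been silently dropped by validating networks. Running the origin check against the wrong ASN (say, a transit provider's) flags every prefix the same way, which is the shape of the fat-finger the operator's secondary transit made.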
Most clients pair the setup engagement with an ongoing operations retainer for the first 6–12 months. Some take over operations after a 90-day transition. Both work.
The honest comparison
| | Cloudflare-class provider | Private Anycast |
|---|---|---|
| Setup time | Hours | 2–4 weeks |
| Annual baseline cost | Lower at small scale | Lower at large scale (>~2 Gbps sustained) |
| Operational burden | Outsourced | Yours, or retained to us |
| Account-status risk | Real | Greatly reduced: transit and IXP acceptable-use policies still apply, but no single provider can take you offline |
| Customisation | Limited to product feature set | Total |
| Out-of-the-box DDoS mitigation | World-class | Bounded by your total transit and port capacity; plan for upstream blackholing or scrubbing beyond that |
| Out-of-the-box WAF | Excellent | Bring your own (we recommend a managed open-source stack) |
| TLS termination control | Provider | You |
| Routing transparency | Mostly opaque | Total |
| Vendor lock-in | High | Minimal: transit and colocation contracts are substitutable |
If you are unsure which side of the threshold you sit on, book a call — we'll tell you on the call whether building this makes sense for you. We've turned down clients who would have been better off staying on Cloudflare.
What this looks like in your monthly P&L
Rough numbers, sustained 3 Gbps egress, mostly HTTPS:
- Cloudflare Enterprise: ~€8K–€18K/month depending on add-ons and commit.
- AWS CloudFront: ~€12K–€20K/month at standard egress pricing.
- Private Anycast across 6 PoPs: ~€4K–€7K/month operational (transit + IXP fees + colocation), plus amortised €60K–€80K capex for hardware + IPv4.
At 3 Gbps the math starts to break even within 12–18 months. Taking the midpoints, €13K/month against €5.5K/month is a saving of about €7.5K/month, which recovers €70K of capex in roughly 10 months; at the unfavourable ends of both ranges (€8K against €7K) the saving is €1K/month and payback stretches to years, so the decision then has to rest on the non-cost reasons above. At 10 Gbps it's overwhelming. Below 1 Gbps, Cloudflare wins on TCO.
If you want a no-nonsense assessment of whether private Anycast makes sense for your traffic profile, book a 30-minute scoping call. We'll be straight with you about the trade-offs. If Cloudflare is the right call for you, we'll say so.