Access Billing Question

Regarding billing for active users – how is this calculated for IP ranges?

It states that active users is the count of users that have authenticated with any identity provider per month.

Would an IP range count as an identity provider? If so, what happens if you add a range and a user’s IP changes after they authenticate? Would that count as two separate active users?

1 Like

Interesting question :confused: My understanding is that IP range only makes sense if used with bypass rules. Adding an IP range in a Policy Access does not replace the Identity Provider.

I’ve just tested this with a staging site. I created an Access Policy with Include > IP Range, then entered my IP Address. Revoked my existing token, then went to the website. I got the authentication page with Google and Github IdPs.

Then I created another policy with Bypass > IP range, went to the site and was allowed to access the URL without the Access authentication page. Then I deleted this Access Policy, tried again, and was stopped.

And if IP address/range can only be used for Bypass, then the bypassed users would not count toward you quota. Simply because the asset is not being protected by Access for the bypassed IP, as the warning when you create a Bypass Rule makes clear.

Thinking about it, though, if you use IP Addresses other than a personal/home IP address to bypass an Access Policy, what you would do in case an employee leaves your company? Or after you provide the range for outside support staff? Would you want to change your IP address range every time something like this happens?

In any case, it seems Cloudflare needs to make more clear the use of IP range, and reply to your question about pricing. For one thing, the UI should not even allow options like IP range or Everyone for Include in an Access Policy. In my opinion it makes no sense!

EDIT: On a second thought, there’s a scenario where one would want to authorize users but only if accessing from a given IP range, in which case the IP address would act as a second filter. The user would need to pass through IdP to be authenticated, and Cloudflare would also check if user is coming from within the specified IP range. In this case, I’d think that Cloudflare would count users based solely on authenticated users, the IP range being irrelevant as far as billing is concerned. But again, it would be great to hear from Cloudflare itself about this.

1 Like

This topic was automatically closed after 14 days. New replies are no longer allowed.