I understand CDN IPs are shared, but I do not find info about their stability.
My client’s provider wants to filter outbound connections by IP, so, can I trust the anycast IP the service uses won’t change, or must I whitelist the whole Cloudflare address space?
They are pretty stable but there is no guarantee AFAIK.
You can’t use the IP address itself however anyhow. You will always have to go through a hostname which will resolve to whichever IP address is currently assigned to it.
However, considering you were referring to outbound connections, these will never have a Cloudflare IP address but always your own.
The outbound connection of the user device connects TO Cloudflare, and it’s the destination address which is filtered.
You should whitelist the whole Cloudflare address space:
For best practices try implementing Authenticated Origin Pulls:
https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls
So far mostly 104.16.0.0/12 and 2606:4700::/32 addresses have been assigned as far as I can tell, so if you want to be on the safe side you might want to whitelist that range.
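An added example, not part of any post in this thread: a small check that the addresses a hostname resolves to fall inside the egress allowlist, using the two ranges quoted above. The sample addresses are constructed, and the function names are illustrative.

```python
import ipaddress
import socket
import sys

# Ranges quoted in the thread. The post says addresses were "mostly" assigned
# from these, so treat the list as an assumption to verify, not as complete.
ALLOWLIST = ["104.16.0.0/12", "2606:4700::/32"]

# Constructed sample addresses (not real lookups) around the range boundaries.
SAMPLE = ["104.16.1.1", "104.31.255.255", "104.32.0.1",
          "2606:4700::6810:101", "2606:4701::1", "::ffff:104.18.0.1"]


def check_addresses(addresses, cidrs=ALLOWLIST):
    """Return (covered, uncovered) lists of (address, matching_cidr_or_None)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    covered, uncovered = [], []
    for raw in addresses:
        ip = ipaddress.ip_address(raw)
        # An IPv4-mapped IPv6 address is filtered as its embedded IPv4 address.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        match = next((n for n in nets
                      if n.version == ip.version and ip in n), None)
        entry = (str(ip), str(match) if match else None)
        (covered if match else uncovered).append(entry)
    return covered, uncovered


def resolve(hostname, port=443):
    """Current A/AAAA answers for hostname (live DNS; needs network access)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # With a hostname argument, check its live answers; otherwise use SAMPLE.
    addrs = resolve(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    covered, uncovered = check_addresses(addrs)
    for addr, net in covered:
        print(f"ok      {addr} in {net}")
    for addr, _ in uncovered:
        print(f"BLOCKED {addr} is outside the allowlist")
    sys.exit(1 if uncovered else 0)
```

Run periodically from inside the filtered network, a non-zero exit shows that the hostname now resolves outside the allowlisted ranges before users see failed connections.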
OK, thanks. (If I cannot whitelist a single IP, I should whitelist all of them, not only a subset of them.)