AWS ALB allow traffic only from specific Cloudflare account

We are using the following architecture:
Cloudflare → ALB → App

All the DNS entries in Cloudflare are proxied and we are using the FULL encryption mode.
We have configured the ALB security group to allow traffic only from the Cloudflare IP address range.

However, it is still possible to access our ALB from another Cloudflare account (same IP address range).
Is there a way to enforce the ALB to accept only connections from our Cloudflare account?

You could apply a transform rule for your app’s domain/hostname that adds a header. Something like
Then update your ALB listener with the following:
Default Rule (lowest order):
Redirect to your org home page (Redirect to URL)
New Rule (higher than the default rule):
Condition: if HTTP Header “cloudflare-zone-id” value is “your-domain-zone-id”
Then forward to your target group

This will send all traffic hitting your ALB to your home page by default, unless it passed through the Cloudflare transform rule to get that “cloudflare-zone-id” header.

I have not done this, and I have not tested it but I don’t see why it wouldn’t work.
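A worked version of that rule pair in Terraform, added here as an example rather than code from the thread: it uses a long random value instead of the zone id as the header value (zone ids are not secret, so anyone who learns yours could stamp the same header from another account) and assumes the listener's default redirect action from the answer is already in place. The angle-bracket placeholders, the header name x-origin-marker and the provider schemas (hashicorp/aws ~> 5, cloudflare/cloudflare ~> 4) are assumptions.

```terraform
# Assumes hashicorp/aws ~> 5 and cloudflare/cloudflare ~> 4 provider schemas;
# <...> values are placeholders. The marker value is constructed, not real.
variable "origin_marker" {
  type      = string  # 32+ random alphanumerics (ALB header values allow max 128 chars)
  sensitive = true
}

# Cloudflare: request-header transform rule that stamps every proxied request for the zone.
resource "cloudflare_ruleset" "origin_marker" {
  zone_id = "<your-zone-id>"
  name    = "Stamp requests forwarded to the ALB"
  kind    = "zone"
  phase   = "http_request_late_transform"

  rules {
    action     = "rewrite"
    expression = "true"   # every request for this zone
    enabled    = true
    action_parameters {
      headers {
        name      = "x-origin-marker"
        operation = "set"      # overwrite anything a client sent under this name
        value     = var.origin_marker
      }
    }
  }
}

# AWS: rule ahead of the listener's default redirect; forwards only when the
# header carries the shared value. Requests without it fall through to the redirect.
resource "aws_lb_listener_rule" "from_our_zone" {
  listener_arn = "<https-listener-arn-with-redirect-default-action>"
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = "<target-group-arn>"
  }
  condition {
    http_header {
      http_header_name = "x-origin-marker"
      values           = [var.origin_marker]
    }
  }
}
```

Rotate the marker by changing the variable and applying both resources together; the security-group allowlist on Cloudflare's IP ranges stays in place as the first layer.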
