Change Cloudflare worker IP

It seems that Cloudflare workers all have the same external IP address of 2a06:98c0:3600::103

As in, if I make an external request from within a Cloudflare Worker to say, e.g. https://google.com, google will see the request come from 2a06:98c0:3600::103

However, I have come across a service that has perhaps unintentionally blocked that IP address (Discord).

Are the Cloudflare workers going to rotate their external IP addresses? I suspect that many services like Discord will block it due to high traffic, even if it’s not being used for abuse (where the service may see it as such)

Workers actually use a range of different IP-addresses, based on location and datacenters.

See more here:

About resolving this, contact Discord about it and inform them about Workers.

1 Like

I don’t think that’s true at all, i’ve tested from multiple different data centers and locations over the past month and they all have seem to have 2a06:98c0:3600::103

The reference you linked just lists Cloudflare’s IP ranges

Yes, it’s IP-ranges since they use a lot of IP’s and delegate them dynamically.

I understand how IP ranges work, i’m telling you that for Cloudflare workers, whenever you make a fetch to the internet, it will always have the ip address of 2a06:98c0:3600::103. I am specifically speaking about Workers here

Just tested this again across a few data centers:

SIN 2a06:98c0:3600::103
AMS 2a06:98c0:3600::103
ARN 2a06:98c0:3600::103
FRA 2a06:98c0:3600::103

It’s quite a bit more complex than saying it has a single IP, it doesn’t.

If you make the request to the worker and then it make a sub-request, that sub-request will be made by that worker, but it may be routed inside the CF network based on quite a few parameters, such as latency, packet-loss, location, current load of the node and data-center, availability, current traffic amounts, which plan you’re on and probably more than they share publicly.

In general, if you want to white-list CF, you have to whitelist all of their ranges.

Your IP can be passed to the final fetch.
If you reated worker that fetches icanhazip.com you will see it passing your IP.

Headers:
{“x-forwarded-for”:“2001:8a0:7b7f:XXXX, 172.68.102.144”}
{“cf-connecting-ip”:“2001:8a0:7b7f:XXXX”}

Thanks I have tried doing so, but Discord has intentionally blocked Cloudflare worker’s fetcher IP, as confirmed on Github:

I’d appreciate it if someone from CF could talk to Discord about this, because we really don’t want blocking Workers to become a trend. Especially when the FAAS competition isn’t being blocked at all.

@harris @simon

1 Like

I tried to whitelist CF Worker IP for a Google Cloud API key. According to Google’s error message and logs, the request came from 104.198.211.231, however I don’t see how this IP address falls in the ranges given in https://www.cloudflare.com/ips/. At the time of writing this the IPv4 ranges listed in that page are:
* 173.245.48.0/20
* 103.21.244.0/22
* 103.22.200.0/22
* 103.31.4.0/22
* 141.101.64.0/18
* 108.162.192.0/18
* 190.93.240.0/20
* 188.114.96.0/20
* 197.234.240.0/22
* 198.41.128.0/17
* 162.158.0.0/15
* 104.16.0.0/12
* 172.64.0.0/13
* 131.0.72.0/22

I ended up whitelisting 104.0.0.0/8 (which is unacceptable for me)
I think CF should look into a way we can get an IP range for Workers

Ah I believe you are mistaken 104.198.211.231 is actually a Google IP address, the reason you saw this IP address is because when you are running your worker in the Cloudflare developer tool thing, it is not actually being ran from Cloudflare’s network - they are using Google Cloud themselves.

You should push your code to production and it is likely that you will see the request come from 2a06:98c0:3600::103

1 Like