Cloudflare Public IP Range

Hi, I'm new to Cloudflare and its capabilities. Could someone let me know if it is common to have your origin web services sit behind a firewall while blocking access from the whole internet and only whitelisting the Cloudflare public IP range for inbound access? https://www.cloudflare.com/ips/

Assuming of course you use Cloudflare services!

Thanks

Yes, it is common, in fact it is the recommended approach.


Ah, thank you for the rapid response. Not sure if I need to start a new thread or ask this here, but here goes.

Does this imply that the people who implement using this approach tend to have less edge protection? I.e., an option is to have all this hosted on-prem, say F5 GTM for DNS/DDoS and some kind of WAF appliance. Also, if we have a Disaster Recovery site, can we use any of Cloudflare's services to flip between our data centres (either manually or automatically)?

Cheers

Why would you think so? If you block everything but Cloudflare, it won't affect the connection from Cloudflare. Non-Cloudflare connections won't work any more, however, and that is what you want to achieve, is it not?

Yes, absolutely, that would be our plan. So if the customer says "the F5s and the WAFs are way too expensive", I want to be able to turn around and suggest offloading those features exclusively to Cloudflare.

Thanks

I am not familiar with F5, so I am afraid I can't comment on that, but as far as address restrictions are concerned, you should be fine to limit it to Cloudflare unless you need direct access for some other reason.

Hi, my bad, I can see how you read this. "Does this imply that the people who implement using this approach…" What I meant was: people who use Cloudflare may end up using less on-prem security hardware simply because they have offloaded this layer to CF.

Thanks

That depends on what that on-premises security layer exactly does. If it is based on the client's IP address, you might experience some issues, as all requests will come from the same Cloudflare address blocks mentioned on the site. Some security software could consider that a concerted attack.
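The two points made in this thread, restricting the origin to Cloudflare's published ranges and the side effect that an IP-keyed on-prem control then sees every client behind the same Cloudflare addresses, can both be shown in a few lines. The following is an added illustration, not code from Cloudflare or from anyone in this thread. The CIDR list in it is a constructed placeholder using documentation prefixes; the real lists live at https://www.cloudflare.com/ips/ and change over time, so they must be refreshed rather than copied once. The nftables rendering is one possible way to express the "block everything but Cloudflare" policy.

```python
"""Origin allow-list for Cloudflare edge addresses (added example, not
Cloudflare's or the thread's own code).

Assumptions (not from the thread):
- SAMPLE_CF_RANGES is a constructed placeholder list in the same one-CIDR-
  per-line text format Cloudflare publishes; the real prefixes must be
  fetched from https://www.cloudflare.com/ips/ and refreshed periodically.
- The nftables ruleset below is one rendering of the policy discussed;
  adapt table/chain names and ports to the real origin.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed placeholder prefixes (RFC 5737 / RFC 3849), NOT real Cloudflare ranges.
SAMPLE_CF_RANGES = """
# constructed sample list
198.51.100.0/24
203.0.113.0/24
2001:db8:cf::/48
"""


def parse_ranges(text):
    """Parse the published format: one CIDR per line, blank/comment lines ignored."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ip_network(line, strict=True))
    return nets


def is_cloudflare(src, ranges):
    """True if the source address falls inside any allow-listed prefix."""
    addr = ip_address(src)
    return any(addr in net for net in ranges)


def origin_decision(src, ranges):
    """Layer-3 verdict for an inbound connection to the origin web ports."""
    return "accept" if is_cloudflare(src, ranges) else "drop"


def nft_ruleset(ranges, ports=(80, 443)):
    """Render an nftables ruleset: accept the allow-listed prefixes on the
    web ports, drop every other source on those ports."""
    v4 = [str(n) for n in ranges if n.version == 4]
    v6 = [str(n) for n in ranges if n.version == 6]
    port_set = ", ".join(str(p) for p in ports)
    lines = ["table inet origin_guard {"]
    if v4:
        lines.append("  set cf_v4 { type ipv4_addr; flags interval; elements = { %s } }" % ", ".join(v4))
    if v6:
        lines.append("  set cf_v6 { type ipv6_addr; flags interval; elements = { %s } }" % ", ".join(v6))
    lines += ["  chain inbound {", "    type filter hook input priority 0; policy accept;"]
    if v4:
        lines.append("    tcp dport { %s } ip saddr @cf_v4 accept" % port_set)
    if v6:
        lines.append("    tcp dport { %s } ip6 saddr @cf_v6 accept" % port_set)
    lines += ["    tcp dport { %s } drop" % port_set, "  }", "}"]
    return "\n".join(lines)


# Constructed connection log: (source address as seen by the origin firewall, end user).
# Three different end users are proxied through one Cloudflare egress address;
# the fourth entry is a direct attempt that bypasses Cloudflare.
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", "user-a"),
    ("198.51.100.7", "user-b"),
    ("198.51.100.7", "user-c"),
    ("192.0.2.5", "direct-bypass"),
]


def per_source_counts(connections, ranges):
    """What an IP-keyed on-prem control observes after the allow-list: the
    proxied clients collapse onto the Cloudflare address, so per-IP
    thresholds count them together (the caveat raised in the thread)."""
    seen = Counter(src for src, _ in connections if origin_decision(src, ranges) == "accept")
    return dict(seen)


RANGES = parse_ranges(SAMPLE_CF_RANGES)

if __name__ == "__main__":
    print(nft_ruleset(RANGES))
    for src, who in SAMPLE_CONNECTIONS:
        print(f"{src:>16} ({who}): {origin_decision(src, RANGES)}")
    print("accepted sources by address:", per_source_counts(SAMPLE_CONNECTIONS, RANGES))
```

Running it prints the generated ruleset, a verdict per constructed connection (the direct attempt is dropped, the proxied ones accepted) and the per-address tally, which shows three distinct users counted against one address. That tally is exactly why an on-prem control that keys on source IP needs to be aware it now sits behind a proxy before any per-IP threshold is trusted.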

That's a good point you have made regarding the 'attacks'. My thinking is this:

CF DDoS >> CF WAF >> OnPrem Router >> OnPrem Firewall >> OnPrem NLBs >> WebPool.

In the above instance the 'OnPrem Firewall' is a traditional layer 3 firewall with no 'NextGen' capabilities, which looks at incoming IPs. I may have got the CF services in the wrong order…!

Thanks Sandro!