Cloudflare Gateway IP ranges

Is there a list of IP ranges used by Cloudflare Gateway? We are seeing clients with Gateway with WARP enabled connecting from IP addresses in 8.21.11.0/24, which is not in the ranges on https://www.cloudflare.com/ips-v4.

Hi, I don’t think that url lists IP addresses used for Gateway or WARP. You can get a list of all IPv4 ranges that the main Cloudflare ASN (13335) uses with the following unix command:

whois -h whois.radb.net -- '-i origin AS13335' | grep -Eo "([0-9.]+){4}/[0-9]+" > cloudflare_ranges.txt
2 Likes

Correct, it would be incredibly bad if clients connected from those IP address ranges as those are reserved for the reverse proxy ranges (origin servers behind Cloudflare traditional core services).

Not yet; they do use specific ranges, but the number and scope of ranges is IMO likely to evolve. Is there a specific need you’re trying to address with regard to the connecting IP of a user on the Warp client?

4 Likes

@soldier_21 thanks! Not sure if this is ideal, but at least I have something to use if needed.

@cscharff we use Azure Conditional Access and access from certain countries trigger alerts or are challenged or blocked off. Our users in Taipei are being routed to through HKG when they are connected with Cloudflare Gateway, so I’m thinking about having the IP ranges of the exit nodes added to Conditional Access policies.

Heh… I was going to suggest using Cloudflare Access policies if it was an internal resource control issue since we can support/ require a user be using the Gateway client if you wanted but if you’re already using Azure Conditional Access you probably don’t want to hear ‘use our competing solution instead’ as the workaround. :smiley:

Will talk with the team, when if we publish a range (similar to what you see for the first link you posted) you will probably want to have a PowerShell command / cron job to check the list and make updates to the conditional access policy when/if the list changes.

Not sure what timing on the list will be though TBH.

And I’m sure it’s obvious but if you had a policy which allowed WARP IPs you may want to do something like require 2FA from the user. We have talked about some other strategies to potentially provide signal (or additional headers) on specific forward proxy requests which may also be helpful to identifying that the user behind the request is a user connecting from on of your devices.

2 Likes

@cscharff thanks! It would certainly be great if CF can publish a range so we can update our conditional access policy accordingly.

I actually would love to hear more about using Cloudflare Access. My question about IP ranges actually came from experimenting Cloudflare for Teams to augment Azure Conditional Access.

Second this. Is there any update? Trying to do much the same thing. Push users to Cloudflare client and provide conditional access to certain MS resources based on the IP of the gateway.

It sounds like the recent Infrastructure IP Address update will lead to this, but you may have to wait until May 7th to know for sure.

hi there. any update on the gateway IPs? :slight_smile: