I am trying out Zero Trust for my small business, as we need a little extra security, and would like to allowlist a few of our systems to only allow the Cloudflare Zero Trust IP (more to enforce users signing in than anything else, as I can't find another way of making them sign into WARP / Zero Trust).
I noticed that when I browse Google for “What is my IP” while connected to Zero Trust, I get the below IP:
However, that IP is not listed in the Cloudflare-owned IP ranges in the official Cloudflare list of Cloudflare IPs (it won't let me include a link). Is there a list of IP ranges to allowlist for the Zero Trust gateway?
That IP is owned by Cloudflare, but is not used as part of its proxy services, as documented here:
Unless you're using dedicated egress IPs, that range is shared and there's no guarantee the user / visitor is signed into your Teams client.
You can force users to log into WARP by using Cloudflare Access to expose applications, using Cloudflare Tunnels to expose applications, and/or using a managed deployment to force the client on.
We only use Microsoft 365 and a couple of applications we don't manage; like I said, we are a small business. I am not bothered if those IPs are shared, the purpose is to force my few users to use the Cloudflare app. You said that IP is not used for proxying, so why am I seeing it when I type “What is my IP” into Google if it is not used? Surely it must be used.
My original question is how do I know the IP ranges used so I can allowlist down to them? That was not answered…
The documented IP addresses are for Cloudflare's core web client proxying services. The WARP / Zero Trust IPs are not included in that range because it would represent a security risk to allow end-user access to an origin server protected by Cloudflare.
I am not aware of a list, but a Google search returns some strategies for parsing the complete list of Cloudflare IPs.
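As an added illustration (not code from this thread or from Cloudflare), the check below parses a list in the one-CIDR-per-line format of Cloudflare's published proxy ranges and reports whether an observed egress address falls inside any of them. The embedded ranges are a constructed sample; fetch the live ips-v4 / ips-v6 files before relying on them, and note that an address outside the proxy list (like the shared WARP egress the original poster saw) is exactly what the replies above say cannot be treated as proof of sign-in.

```python
import ipaddress
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the one-CIDR-per-line format of Cloudflare's published
# proxy lists (https://www.cloudflare.com/ips-v4 and /ips-v6). These values are
# a snapshot for illustration only and change over time; refetch the live files.
SAMPLE_IPS_V4 = """\
# comment and blank lines are tolerated by the parser below
173.245.48.0/20
103.21.244.0/22
141.101.64.0/18
108.162.192.0/18
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
"""
SAMPLE_IPS_V6 = """\
2400:cb00::/32
2606:4700::/32
"""


def parse_ranges(text: str) -> list[Network]:
    """Parse a published list into network objects, skipping comments and blanks."""
    nets: list[Network] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=True rejects entries whose host bits are set (a malformed list)
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def matching_range(ip: str, nets: Iterable[Network]) -> Optional[Network]:
    """Return the published range containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def explain(ip: str, nets: Iterable[Network]) -> str:
    """Human-readable verdict for one observed egress address."""
    net = matching_range(ip, nets)
    if net is None:
        return f"{ip}: not in the published proxy list (shared egress, not proof of sign-in)"
    return f"{ip}: inside published proxy range {net}"


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_IPS_V4) + parse_ranges(SAMPLE_IPS_V6)
    # 203.0.113.10 is a documentation-only address used here as a constructed example
    for observed in ("104.16.1.1", "203.0.113.10", "2606:4700::1"):
        print(explain(observed, nets))
```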
Thank you. So it is impossible to use the likes of IP whitelists on SaaS sites to enforce WARP / Zero Trust without some level of risk of the IPs not being accurate? Such a shame, however thanks for your answer.
Origin IP where anyone can exploit it for $0 isn’t a security layer. You can open a support ticket to see if they have a specific range, but it isn’t anything resembling zero trust.
I am not trying to get the security you are describing; I am simply trying to get the DNS / HTTPS filtering security for our people who are out of the office, and was comparing this to the likes of Cisco Umbrella etc. (I prefer Cloudflare as I used to work on it during my network engineer days).
You can now pay for one or more dedicated egress IPs from Cloudflare on an enterprise plan. Cloudflare also supports Tenant control: Tenant control · Cloudflare Zero Trust docs