The Cloudflare network IP for my domain is blocked in several regions. It affects the whole country of Iraq and the ISP Globe Telecom (AS132199) from the Philippines.
What steps have you taken to resolve the issue?
I have already contacted Cloudflare support but they tell me that they have no influence on the blocking of IPs by ISPs or governments. I understand that - but they could assign my website a new IP. I currently have the Cloudflare Pro plan and can also upgrade to the Business plan, however I need a solution to the problem. I am aware that there are many Cloudflare websites sharing the same IPv4 address. Therefore, I hope that Cloudflare can assign a new IP to my website.
Currently my domain points to the following Cloudflare IPs:
104.27.201.89
104.27.202.89
Both are not accessible from the regions/ISPs mentioned.
What are the steps to reproduce the issue?
Access from the mentioned countries and ISPs is answered by directly resetting the connection. It displays ERR_CONNECTION_RESET in the browser. To check that it is an IP block, the following CURL commands will help. With the second command, the connection is forced independently of the DNS entries via a different Cloudflare IP, which works.
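An added example, not the original poster's commands, of the check described above: it pins the hostname to a chosen address with curl's `--resolve` and compares the result for the address DNS currently returns with the result for a different Cloudflare address. The script name, the function names and the three arguments are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: tell an IP-level block apart from a fault in the site itself
# by requesting the same hostname over two different edge addresses.

# Map a curl exit status to a coarse outcome.
classify_exit() {
  case "$1" in
    0)        echo ok ;;
    6)        echo dns_failure ;;
    7|35|56)  echo reset_or_refused ;;  # connect failed, TLS handshake aborted, recv failure
    28)       echo timeout ;;
    *)        echo other ;;
  esac
}

# Combine the exit status for the current address ($1) and the alternate ($2).
verdict() {
  local current alt
  current=$(classify_exit "$1")
  alt=$(classify_exit "$2")
  if [ "$current" = ok ]; then
    echo reachable
  elif [ "$alt" = ok ]; then
    echo ip_block_likely    # same host and path, only the address differs
  else
    echo inconclusive       # both paths fail: not attributable to one address
  fi
}

# Request https://HOST/ with HOST forced to IP; print curl's exit status.
probe() {
  local host="$1" ip="$2" rc=0
  curl -sS -o /dev/null --connect-timeout 10 --max-time 20 \
       --resolve "${host}:443:${ip}" "https://${host}/" || rc=$?
  echo "$rc"
}

# Usage: ./ipcheck.sh HOST CURRENT_IP ALTERNATE_IP
if [ "$#" -eq 3 ]; then
  rc_current=$(probe "$1" "$2")
  rc_alt=$(probe "$1" "$3")
  echo "current   $2: $(classify_exit "$rc_current") (curl exit $rc_current)"
  echo "alternate $3: $(classify_exit "$rc_alt") (curl exit $rc_alt)"
  echo "verdict: $(verdict "$rc_current" "$rc_alt")"
fi
```

Run it from a network inside the affected region, for example `./ipcheck.sh HOST 104.27.201.89 ALTERNATE_IP` with your own hostname and an alternate address. A verdict of `ip_block_likely` shows that the address is filtered, not which site on the shared address caused the block.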
Cloudflare has no way to verify which website on the shared IP caused the block, right?
So if they assign a new IP to a site that gets blocked and asks, in the event that this site was the one targeted/blocked then they open themselves up to two things:
The government/ISP thinks that Cloudflare is trying to bypass their restrictions, opening them up to legal issues,
The new IP will just be blocked too, resulting in more angry Cloudflare users caught in the crossfire.
If they repeated IP rerolls, before long every Cloudflare IP would be blocked in every region. And IPs are not cheap.
Governments and ISPs should not be blocking IP addresses, as shared IPs are extremely common. If they do so anyway, this is their failing and not Cloudflare’s.
If a company relies on a website and there is no indication that the website offers illegal or politically questionable content, then Cloudflare should, in my view, make an effort to get the website up and running again. Cloudflare has millions of IP addresses and such IP blocks are isolated cases.
Regardless of whether providers should implement IP blocks or not, I find it questionable that Cloudflare does not offer its paying customers any support in such situations.
Since any such problem seems usually short lived, either the blocking ISP/country removes the IP block when the wider impact becomes apparent (a benefit of the shared space), or Cloudflare takes other actions, such as…
But as @Erisa explained, playing whack-a-mole by allowing customers to hop IP addresses would make the situation worse.
Options for dedicated IP addresses and bringing your own IP addressing are available if you don’t want to use the shared space, but those come with Enterprise pricing.
Thanks for the answer. I understand the problem and I also understand that there are many bad actors who use the Cloudflare network for illegal things. I think it is relatively rare that other customers’ websites are disrupted by IP address blocking. But if it does happen, I would hope that Cloudflare can find a solution by reviewing the website and discussing it with the customer.
I would very much like to upgrade to the Business Plan and also pay Cloudflare for individual Enterprise solutions, but at the moment I don’t have the feeling that the support is in any way interested in solving the problem.
Is there any way to trigger a reassignment of IP pairs? We already had Cloudflare Argo enabled but due to the amount of traffic this would cause a $10k bill. But even then, the two IP addresses have not changed.
The website got a new IP by upgrading from Pro to Business. This solved the issue.
Nevertheless, I find it very sobering that nobody at Cloudflare wants to take care of such problems. As website operators, we use Cloudflare to ensure good availability. If Cloudflare is so uncooperative even with such simple problems, I don’t want to know what would happen if there really were more complex problems…