Data localization IP addresses location issue

Hi,

We are trying out the data localization feature within Cloudflare to route traffic to servers within a region.
We can see that when we change the region within the CF DNS, the IP address changes accordingly.

But when we check the location of the IP using online tools, everything seems to show as US only.

I suppose it’s due to the anycast network.

How can we verify that the data is processed within the same geographic region as we set in the DNS?

We have paranoid customers who check the IP and report that we are using the wrong DC to process the request.

How can we prove that the data is stored and processed within the same region only by CF?

Anycast and geolocation do not go hand in hand.

IP addresses only have a single location assigned in such IP location databases, and as such, it would be quite impossible for IP space that is running anycast (running in dozens to hundreds of locations worldwide) to ever show any sort of useful location information.

On top of that, it also depends on the individual IP location database and how they do things.

For IP space that is running anycast, I wouldn’t expect any location other than the headquarters of the company holding the IP space, which would be United States (US) in your situation, because that’s where Cloudflare has its headquarters.

Depending on how far you would go, you could try showing them a screenshot from your Cloudflare Dashboard or similar that includes the indication of where the location-specific service is?

But even if you did that, they could still claim that it isn’t true, because the IP address still shows United States (US)?

1 Like

Thanks, @DarkDeviL, for the reply.

Yes, they could say that. Especially customers from government agencies are very paranoid about this.
We might have to spend a lot of time making them understand the technical details.

Is there any documentation about this from Cloudflare’s end
so that we can share it with our customers?

A visit to example.com/cdn-cgi/trace (your domain name’s Cloudflare trace link) will show the Cloudflare server location.

2 Likes

That’s nice.
Just to confirm:

colo=ICN (Incheon, South Korea)

This is the location identifier, right?

Yes, that’s correct.

The Data Localization Suite still ingests traffic to the nearest PoP to an end user. From there some basic attack mitigation is applied, before the request is tunnelled back inside your metadata boundary for further processing.

Looking at the address in Whois is not going to say anything about the path that a packet on the Internet has followed. Most addresses assigned to Cloudflare have the address as “101 Townsend Street”, and I am pretty certain that none of your traffic passes through that office on its way between user and origin.

You cannot. Cloudflare could lie. Despite the third party certifications and compliance reports they publish (available on your dashboard) you have to trust the statements that are made by Cloudflare to be true. Can you prove to me that all AWS resources I deploy in us-east-1 are actually in North Virginia, and not in a secret NSA facility in Utah?

3 Likes
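As an added example (not code from the thread, from Cloudflare, or from any participant), here is a small Python script that fetches `/cdn-cgi/trace` for a hostname, parses the `key=value` lines, and checks whether the `colo` value is one of the PoP codes you expect for the configured region. The embedded sample response is constructed to match the format, with `colo=ICN` as in the confirmation above; the `ALLOWED_COLOS` set, the other field values and the `trace-check` User-Agent are assumptions. Keep the caveat from the reply above in mind: `colo` reports the edge PoP that ingested the request, i.e. the one nearest the client, so run this from the geography your customer sits in, and the result still says nothing on its own about where the Data Localization Suite processes the request after ingest.

```python
"""Fetch and parse Cloudflare's /cdn-cgi/trace and check which PoP (colo) served the request.

Added example, not part of the forum thread; SAMPLE_TRACE and ALLOWED_COLOS are assumptions.
"""
import sys
import urllib.request

# Constructed sample in the key=value-per-line shape that /cdn-cgi/trace returns.
# Values are illustrative; only the colo=ICN line mirrors the thread.
SAMPLE_TRACE = """fl=123abc
h=example.com
ip=203.0.113.7
ts=1700000000.123
visit_scheme=https
uag=curl/8.4.0
colo=ICN
sliver=none
http=http/2
loc=KR
tls=TLSv1.3
sni=plaintext
warp=off
"""

# Assumed set of PoP codes acceptable for the region you configured (ICN = Incheon, South Korea).
ALLOWED_COLOS = {"ICN"}


def parse_trace(text):
    """Turn the key=value lines of a trace response into a dict.

    Lines without '=' are skipped; the first '=' splits key from value so
    values that themselves contain '=' survive intact.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def serving_colo(text):
    """Return the three-letter colo code from a trace response, or None if absent."""
    return parse_trace(text).get("colo")


def colo_allowed(text, allowed=ALLOWED_COLOS):
    """True if the request was served from one of the expected PoPs."""
    return serving_colo(text) in allowed


def fetch_trace(hostname, timeout=10.0):
    """GET https://<hostname>/cdn-cgi/trace (needs network; the hostname must be proxied by Cloudflare)."""
    req = urllib.request.Request(
        "https://%s/cdn-cgi/trace" % hostname,
        headers={"User-Agent": "trace-check/1.0"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Usage: python trace_check.py example.com   (falls back to the constructed sample)
    text = fetch_trace(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TRACE
    colo = serving_colo(text)
    print("served by colo=%s, allowed=%s" % (colo, colo_allowed(text)))
    sys.exit(0 if colo_allowed(text) else 1)
```

Run it from a machine in the customer's region and hand them the raw trace output alongside the parsed result; the non-zero exit status makes it easy to wire into a periodic check that alerts when a request from that region lands on an unexpected PoP.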

@michael
Certainly, we can’t prove whether AWS processes within North Virginia or somewhere else,
but from the IP we could at least see that it is located within the country.

Like, if I have a service in eu-central-1 or ap-south-1, when we look at the load balancer IP
it shows as being within the region,
but on Cloudflare, even after setting the region, the IP always shows as US for most regions except the EU region, which causes a lot of confusion for our customers.

Unfortunately, as of now we have to disable the Cloudflare proxy and expose the real AWS IP
for those customers, which defeats the purpose of using Cloudflare and is a potential threat to our origin.

I do understand it’s a side effect of having an anycast network,
but I wish Cloudflare had documentation or wording regarding this issue so we could easily convince our customers.