Do we need to whitelist ALL Cloudflare IP addresses, IPv4 & IPv6?


#1

My website is currently running behind an AWS ELB. In order to prevent people from hitting the website directly and circumventing Cloudflare’s security features, we are blocking all HTTP/HTTPS traffic from all IPs with the exception of Cloudflare’s IP ranges.

We are currently whitelisting all the IP ranges found on https://www.cloudflare.com/ips/. Between IPv4 and IPv6 it’s 21 ranges in total.

The problem arises in our use of AWS’s ELB. In order to whitelist Cloudflare’s IP ranges, we need to add 21 rules to our Network Access Control List (NACL). This is a bit frustrating because AWS limits your total number of NACL rules. In fact, AWS only allows you to add 20 rules by default. You have to contact support and make your case for them to lift the number of rules to 40, at which point they will not raise it any higher. Additionally, they warn that having so many rules may negatively impact network performance.

So my question to you is: is there a way to limit the number of needed rules? Is it possible to restrict Cloudflare to only use IPv6 when hitting our ELB? That alone would eliminate 14 rules!

Thoughts? Ideas?


#2

I’ve wondered the same thing, but I think the answer is “Yes, you need both.” From my server logs, it looks like I’m getting IPv4 and IPv6 hits. So if a visitor is using IPv4, Cloudflare hits your site with IPv4.


#3

To help clear up any confusion, speaking with support, you don’t need to worry about IPv6 IPs needing to be whitelisted if there are no IPv6 records in your Cloudflare DNS.

“you don’t have any IP6 addresses in your config…so we won’t contact your origin over ip6”
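Added example (Python; not code from anyone in this thread): it uses constructed documentation-space ranges, with counts chosen to mirror the 14 IPv4 / 7 IPv6 split described in #1, to work out how many NACL rules are needed with and without the IPv6 ranges (the caveat from #3) and to check a connecting address against the list at the origin as a second layer behind the NACL.

```python
import ipaddress

# Constructed sample ranges in RFC 5737 / RFC 3849 documentation space, standing in
# for the list published at https://www.cloudflare.com/ips/. Not the real ranges;
# 14 IPv4 + 7 IPv6 = 21 entries, the counts given in the thread.
SAMPLE_V4 = [str(n) for n in ipaddress.ip_network("192.0.2.0/24").subnets(new_prefix=28)][:14]
SAMPLE_V6 = [str(n) for n in ipaddress.ip_network("2001:db8::/48").subnets(new_prefix=52)][:7]
SAMPLE_RANGES = SAMPLE_V4 + SAMPLE_V6

DEFAULT_NACL_LIMIT = 20  # AWS default rule count per NACL, as stated in the thread
RAISED_NACL_LIMIT = 40   # ceiling support will raise it to, as stated in the thread


def split_by_version(ranges):
    """Parse CIDR strings and group them into IPv4 and IPv6 networks."""
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]
    return [n for n in nets if n.version == 4], [n for n in nets if n.version == 6]


def plan_nacl_rules(ranges, origin_has_ipv6):
    """Count inbound allow rules, one per CIDR. IPv6 ranges are only counted when
    the origin is reachable over IPv6 (i.e. has AAAA records), per post #3."""
    v4, v6 = split_by_version(ranges)
    v6_rules = len(v6) if origin_has_ipv6 else 0
    total = len(v4) + v6_rules
    return {
        "ipv4_rules": len(v4),
        "ipv6_rules": v6_rules,
        "total_rules": total,
        "fits_default_limit": total <= DEFAULT_NACL_LIMIT,
        "fits_raised_limit": total <= RAISED_NACL_LIMIT,
    }


def origin_allowed(client_ip, ranges):
    """Origin-side check: is the connecting address inside one of the allowed
    ranges of the same IP version? Usable in the app or a reverse proxy."""
    ip = ipaddress.ip_address(client_ip)
    v4, v6 = split_by_version(ranges)
    return any(ip in n for n in (v4 if ip.version == 4 else v6))


if __name__ == "__main__":
    print(plan_nacl_rules(SAMPLE_RANGES, origin_has_ipv6=True))   # 21 rules, over the default 20
    print(plan_nacl_rules(SAMPLE_RANGES, origin_has_ipv6=False))  # 14 rules, fits the default
    print(origin_allowed("192.0.2.200", SAMPLE_RANGES))           # True
    print(origin_allowed("192.0.2.250", SAMPLE_RANGES))           # False
```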