Do we need to whitelist ALL CloudFlare IP addresses, IPv4 & IPv6?

My website is currently running behind an AWS ELB. In order to prevent people from hitting the website directly and circumventing Cloudflare’s security features, we are blocking all HTTP/HTTPS traffic from all IPs with the exception of Cloudflare’s IP ranges.

We are currently allowlisting all the IP ranges found on IP Ranges. Between IPv4 and IPv6 it’s 21 ranges in total.

The problem arises in our use of AWS’s ELB. In order to allowlist Cloudflare’s IP ranges, we need to add 21 rules to our Network Access Control List (NACL). This is a bit frustrating because AWS limits your total number for NACL rules. In fact, AWS only allows you to add 20 rules by default. You have to contact support and make your case for them to lift the number of rules to 40, at which point they will not raise them any higher. Additionally, they warn that having so many rules may negatively impact network performance.

So my question to you is, is there a way to limit the number of needed rules? Is it possible to restrict Cloudflare to only use IPv6 when hitting our ELB? That alone would eliminate 14 rules!

Thoughts? Ideas?
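One way to see how many NACL rules an allowlist really needs, and to audit origin logs for traffic that bypassed the CDN, as an added example (not code from the original post or from Cloudflare). It assumes Python 3's standard `ipaddress` module and uses constructed documentation-prefix ranges in place of the real published list.

```python
import ipaddress

# Constructed sample ranges standing in for the published CDN list; the real
# ranges are not embedded here. Overlapping and adjacent prefixes are included
# on purpose to show how merging reduces the rule count.
SAMPLE_RANGES = [
    "203.0.113.0/24", "203.0.113.0/25",      # /25 is inside the /24
    "198.51.100.0/24", "198.51.100.128/25",  # same: redundant /25
    "192.0.2.0/25", "192.0.2.128/25",        # adjacent halves -> one /24
    "2001:db8:1::/48", "2001:db8:2::/48", "2001:db8::/32",  # /32 covers both
]


def collapse_by_family(ranges):
    """Return (ipv4_nets, ipv6_nets) with overlapping/adjacent prefixes merged.
    Each network in the result corresponds to one NACL allow rule."""
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]
    # collapse_addresses refuses mixed families, so split v4 and v6 first.
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def nacl_rules_needed(ranges, include_ipv6=True):
    """Number of NACL rules after merging; optionally drop IPv6 entirely
    (only safe when the origin has no AAAA record and no IPv6 listener)."""
    v4, v6 = collapse_by_family(ranges)
    return len(v4) + (len(v6) if include_ipv6 else 0)


def non_allowlisted_sources(log_ips, ranges):
    """Source IPs from origin logs that fall outside every allowlisted range.
    Any hit means a client reached the origin without passing through the CDN,
    i.e. the NACL/security group is not actually enforcing the allowlist."""
    v4, v6 = collapse_by_family(ranges)
    allowed = v4 + v6
    return [raw for raw in log_ips
            if not any(ipaddress.ip_address(raw) in net for net in allowed)]


if __name__ == "__main__":
    v4, v6 = collapse_by_family(SAMPLE_RANGES)
    print("IPv4 rules:", [str(n) for n in v4])
    print("IPv6 rules:", [str(n) for n in v6])
    # Constructed log sample: two of these did not come through the CDN.
    sample_log = ["203.0.113.7", "10.0.0.5", "2001:db8:1::1", "2001:db9::1"]
    print("bypassed CDN:", non_allowlisted_sources(sample_log, SAMPLE_RANGES))
```

Merging only helps when the published list contains overlapping or adjacent prefixes; run it against the current list rather than assuming a saving.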

I’ve wondered the same thing, but I think the answer is “Yes, you need both.” From my server logs, it looks like I’m getting IPv4 and IPv6 hits. So if a visitor is using IPv4, Cloudflare hits your site with IPv4.


To help clear up any confusion: speaking with support, you don’t need to worry about IPv6 IPs needing to be whitelisted if there are no IPv6 domains in your Cloudflare DNS.

“you don’t have any IP6 addresses in your config…so we won’t contact your origin over ip6”

Same question, still no answer. Should I add IPv6 to the origin server’s whitelist if it doesn’t support IPv6?

That’s not the same situation. The OP has a server with IPv4 and IPv6. Since that post, I’ve moved my servers to IPv6-only and no longer need to whitelist IPv4.

So if your server doesn’t support IPv6, you don’t need to whitelist IPv6. Cloudflare wouldn’t even know how to connect to your server with IPv6 if your DNS records here don’t have any AAAA records.