My website is currently running behind an AWS ELB. In order to prevent people from hitting the website directly and circumventing Cloudflare’s security features, we are blocking all HTTP/HTTPS traffic from all IPs with the exception of Cloudflare’s IP ranges.
We are currently whitelisting all the IP ranges found on https://www.cloudflare.com/ips/. Between IPv4 and IPv6 it’s 21 ranges in total.
The problem arises in our use of AWS’s ELB. In order to whitelist Cloudflare’s IP ranges, we need to add 21 rules to our Network Access Control List (NACL). This is a bit frustrating because AWS limits your total number for NACL rules. In fact, AWS only allows you to add 20 rules by default. You have to contact support and make your case for them to lift the number of rules to 40, at which point they will not raise them any higher. Additionally, they warn that having so many rules may negatively impact network performance.
So my question to you is: is there a way to limit the number of needed rules? Is it possible to restrict Cloudflare to only use IPv6 when hitting our ELB? That alone would eliminate 14 rules!
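As an added example (not part of the question or of any answer), a Python check that collapses the whitelisted ranges and counts how many NACL entries they actually need against the 20/40 limits quoted above. The ranges are a constructed sample, not Cloudflare's list, and the rule layout (one CIDR plus one port range per entry, inbound only) is an assumption about the NACL model.

```python
import ipaddress

# Constructed sample standing in for the ranges published at
# https://www.cloudflare.com/ips/ (NOT Cloudflare's real list). Two adjacent
# IPv4 blocks are included on purpose to show that collapsing can cut rules.
SAMPLE_RANGES = [
    "198.51.100.0/25", "198.51.100.128/25",  # adjacent: collapse to one /24
    "203.0.113.0/24", "192.0.2.0/24",
    "2001:db8:1::/48", "2001:db8:2::/48",    # not mergeable: stay as two
]
NACL_DEFAULT_LIMIT = 20  # rules per direction by default (from the question)
NACL_RAISED_LIMIT = 40   # ceiling support will raise it to (from the question)

def collapse(ranges):
    """Minimal set of networks covering the input, split by IP version."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6

def nacl_rules(ranges, port_ranges=None, start=100, step=10):
    """Inbound ALLOW entries, one per (collapsed CIDR, port range).

    A NACL entry holds one CIDR and one port range, so allowing 80 and 443
    as separate entries doubles the count. The default (None) is one
    all-ports entry per CIDR, matching the one-rule-per-range count in the
    question. The implicit '*' DENY is not counted, and because NACLs are
    stateless the outbound direction needs its own entries (not built here).
    """
    port_ranges = port_ranges or [(0, 65535)]
    v4, v6 = collapse(ranges)
    rules, num = [], start
    for net in v4 + v6:
        for lo, hi in port_ranges:
            rules.append({"rule": num, "cidr": str(net), "from": lo, "to": hi,
                          "protocol": "tcp", "action": "allow"})
            num += step
    return rules

def fits(ranges, limit=NACL_DEFAULT_LIMIT, port_ranges=None):
    """True if the inbound rule set fits under the given NACL limit."""
    return len(nacl_rules(ranges, port_ranges)) <= limit

if __name__ == "__main__":
    v4, v6 = collapse(SAMPLE_RANGES)
    print(f"{len(SAMPLE_RANGES)} ranges -> {len(v4)} IPv4 + {len(v6)} IPv6 entries")
    for r in nacl_rules(SAMPLE_RANGES, port_ranges=[(80, 80), (443, 443)]):
        print(r)
    print("fits default limit:", fits(SAMPLE_RANGES))
```

Run it against the real list to see whether any published ranges are adjacent enough to merge, and note that splitting 80 and 443 into separate entries doubles the count you have to fit under the limit.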