Hello Cloudflare Community,
We’ve established an architecture where traffic flows from Cloudflare to our ALB (Application Load Balancer), then to our application. In this setup:
- All DNS entries in Cloudflare are proxied.
- We use Full encryption mode.
- Our ALB security group only allows traffic from Cloudflare’s IP range.
Concern: Even with these measures, it seems feasible for someone to use another Cloudflare account to access our ALB, as they share the same IP range. This poses a potential risk: if someone sets up a Cloudflare account, points it to our ALB, and disables Cloudflare’s protective features, they could potentially launch a DDoS attack on their Cloudflare account, indirectly impacting our services.
Question: Is there a way to enforce our ALB to accept connections solely from our specific Cloudflare account, thereby mitigating this indirect attack vector?
Any insights or suggestions on enhancing our security in this scenario would be greatly appreciated.