Ensuring Exclusive Cloudflare to ALB Connection Security

Hello Cloudflare Community,

We’ve established an architecture where traffic flows from Cloudflare to our ALB (Application Load Balancer), then to our application. In this setup:

  • All DNS entries in Cloudflare are proxied.
  • We use FULL encryption mode.
  • Our ALB security group only allows traffic from Cloudflare’s IP range.

Concern: Even with these measures, it seems feasible for someone to use another Cloudflare account to access our ALB, as they share the same IP range. This poses a potential risk: if someone sets up a Cloudflare account, points it to our ALB, and disables Cloudflare’s protective features, they could potentially launch a DDoS attack on their Cloudflare account, indirectly impacting our services.

Question: Is there a way to enforce our ALB to accept connections solely from our specific Cloudflare account, thereby mitigating this indirect attack vector?

Any insights or suggestions on enhancing our security in this scenario would be greatly appreciated.

Does ALB let you specify a client certificate to validate incoming requests?

If so,

Though note that you will need to upload a custom certificate to fully ensure that no other customers can just do the same.

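As an added illustration of the approach suggested above (not code from the thread or from Cloudflare), here is a Terraform sketch of the two halves: an ALB listener that verifies client certificates against a trust store holding only a CA you control, and the zone's Authenticated Origin Pulls configured with a client certificate issued by that CA. Because the trust store does not include Cloudflare's shared origin-pull CA, a request from another customer's zone, which can only present the shared certificate, fails the TLS handshake at the ALB. Bucket, key, file and variable names are placeholders; generating the private CA and the client certificate is assumed to have been done beforehand.

```hcl
# Assumption: the PEM bundle of our private CA is already at
# s3://example-bucket/origin-pull-ca.pem, and client.pem/client.key
# hold a client certificate issued by that CA.

# AWS side: trust store containing ONLY our private CA.
resource "aws_lb_trust_store" "origin_pull" {
  name                             = "cf-origin-pull-ca"
  ca_certificates_bundle_s3_bucket = "example-bucket"
  ca_certificates_bundle_s3_key    = "origin-pull-ca.pem"
}

# HTTPS listener: "verify" rejects any client cert not chaining to the trust store.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.acm_certificate_arn

  mutual_authentication {
    mode            = "verify"
    trust_store_arn = aws_lb_trust_store.origin_pull.arn
  }

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.nginx.arn
  }
}

# Cloudflare side: per-zone Authenticated Origin Pulls with our own client cert,
# so only this zone (this account) presents a certificate the ALB trusts.
resource "cloudflare_authenticated_origin_pulls_certificate" "zone" {
  zone_id     = var.cloudflare_zone_id
  certificate = file("client.pem")
  private_key = file("client.key")
  type        = "per-zone"
}

resource "cloudflare_authenticated_origin_pulls" "zone" {
  zone_id                                = var.cloudflare_zone_id
  authenticated_origin_pulls_certificate = cloudflare_authenticated_origin_pulls_certificate.zone.id
  enabled                                = true
}
```

Keep the security group restriction to Cloudflare's IP ranges as a second layer; the client-certificate check is what ties the origin to your account rather than to Cloudflare as a whole.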

I saw that, but it's talking about nginx… but my current configuration is CF=>ALB=>NGINX

That’s why @erisa-cf asked this…

What/whose load balancer are you using?


I am using AWS (ALB)

Not my area, but looks possible…
