FAQ: Changes to Cloudflare Infrastructure IPs

You should have received an email from Cloudflare detailing some IP changes. If you have, you may have some questions! A lot of the questions here are similar, so hopefully this FAQ can help answer yours!

In a hurry and want to know if this affects you? If this is all new to you, then the answer is most likely “no”.

The email you will have received:

[Action May Be Required] Changes to Cloudflare Infrastructure IPs Listed on cloudflare.com/IPs

Cloudflare is making infrastructure changes to simplify customer configuration, and reduce the number of IPv4 addresses that could potentially interact with your origin on Cloudflare’s behalf.

If your security model relies on allowing a list of trusted Cloudflare IPs from cloudflare.com/ips (or via API) on your origin, please make the following changes to your allow list by May 7, 2021. This change is safe to make today.

Remove:
104.16.0.0/12

Add:
104.16.0.0/13
104.24.0.0/14

This change delists the 104.28.0.0/14 prefix, which is no longer in use by Cloudflare infrastructure. These addresses will be repurposed for use with our Gateway and WARP (secure web gateway and VPN) products, and may carry traffic from untrusted sources in the future.

Cloudflare does not recommend enforcing security policy at origins solely by trusting IP addresses. Argo Tunnels and Authenticated Origin Pulls provide more secure and specific ways to secure origin connections from Cloudflare.

If you have further questions, please visit the Cloudflare Community

If you had this and followed the last point to come here with any questions, then welcome!

The Basics

Let’s break this email down and look at it section by section.

Cloudflare is making infrastructure changes to simplify customer configuration, and reduce the number of IPv4 addresses that could potentially interact with your origin on Cloudflare’s behalf.

Cloudflare works by sitting in front of your website, so anyone visiting your site goes through Cloudflare and is passed on to your site. This means that when Cloudflare requests resources from your site to serve to a visitor, the server that your website is on sees the request coming from Cloudflare. It sees this in the form of an IP address, essentially an identifier that tells it where to send the data. Cloudflare has a list of the addresses it uses, and there are going to be some slight changes to this list. That's what the email is telling you about.

If your security model relies on allowing a list of trusted Cloudflare IPs from cloudflare.com/ips (or via API) on your origin, please make the following changes to your allow list by May 7, 2021. This change is safe to make today.

We’ll come on to whether this applies to you later, but this gives a date by which any necessary changes should be made (around 1 month notice). You can make the changes any time between now and that date.

Remove:
104.16.0.0/12

Add:
104.16.0.0/13
104.24.0.0/14

This change delists the 104.28.0.0/14 prefix, which is no longer in use by Cloudflare infrastructure. These addresses will be repurposed for use with our Gateway and WARP (secure web gateway and VPN) products, and may carry traffic from untrusted sources in the future.

These are the changes that will be made to the list. If you don’t make any changes, you will not block any extra traffic, but may receive some unwanted traffic.
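
The example below is added here and is not part of the original post or Cloudflare's email. It shows that removing 104.28.0.0/14 from 104.16.0.0/12 leaves exactly the two prefixes to add, and it audits an origin allow list for entries that still cover the delisted range. The sample allow list is constructed (192.0.2.0/24 and 2001:db8::/32 are documentation placeholders), and the function names are hypothetical.

```python
import ipaddress

# Prefix delisted in the email quoted above.
DELISTED = ipaddress.ip_network("104.28.0.0/14")

def audit_allow_list(entries):
    """Return (corrected, changed): the allow list with DELISTED carved
    out, and the original entries that overlapped the delisted prefix."""
    kept, changed = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version != DELISTED.version or not net.overlaps(DELISTED):
            kept.append(net)
            continue
        changed.append(str(net))
        if net.subnet_of(DELISTED):
            continue  # entry lies entirely inside the delisted range: drop it
        # CIDR blocks either nest or are disjoint, so DELISTED is inside net
        # here and address_exclude() returns the remaining prefixes.
        kept.extend(net.address_exclude(DELISTED))
    # collapse_addresses() cannot mix IPv4 and IPv6, so handle them apart.
    corrected = []
    for version in (4, 6):
        same = [n for n in kept if n.version == version]
        corrected += [str(n) for n in ipaddress.collapse_addresses(same)]
    return corrected, changed

def is_allowed(ip, allow_list):
    """True if the address falls inside any prefix of the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in allow_list)

# Constructed sample: an origin allow list that still has the old /12.
SAMPLE = ["104.16.0.0/12", "192.0.2.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    corrected, changed = audit_allow_list(SAMPLE)
    print("entries to replace:", changed)
    print("corrected list:    ", corrected)
    # An address in the delisted range passes the old list but not the new.
    print("old list allows 104.28.0.1:", is_allowed("104.28.0.1", SAMPLE))
    print("new list allows 104.28.0.1:", is_allowed("104.28.0.1", corrected))
```
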

Cloudflare does not recommend enforcing security policy at origins solely by trusting IP addresses. Argo Tunnels and Authenticated Origin Pulls provide more secure and specific ways to secure origin connections from Cloudflare.

This describes some alternative features that you can use instead of IP blocking to secure your origin from direct connections, and where you can read more about them.

FAQs

Does this apply to me?

Unless you know what it means, probably not! If you have never configured your server to only accept or allow all connections from Cloudflare IPs, you won’t need to change anything. If you have ever added Cloudflare’s IPs to an allow list, you should update this.

Why has the main list been updated, but the text files, API, Terraform etc. not?

These lists are being updated, and will be done before the change happens! If the list you use still hasn’t been updated in a few days, feel free to come back and let us know!
