Restrict AWS ALB Requests from My Cloudflare Account

I have been trying to find the best way to make sure that the application behind my AWS Application Load Balancer (ALB) can only take traffic that has been routed via a Cloudflare-proxied DNS name.

I have read through some previous suggestions and it seems like adding Cloudflare’s IPs to the ALB inbound security group is one way. But doesn’t this mean that someone else with a Cloudflare account could potentially still send traffic to my AWS ALB?

Is there a better way to do this?

The requirement is basically that a Cloudflare-proxied DNS record in my Cloudflare account should be the only thing that can send traffic to the AWS ALB.

As long as you only point hostnames that are proxied to your load balancer, then traffic for those proxied hostnames will always go over Cloudflare and then to your AWS instance. You should then lock down AWS to any other IP addresses that are not trusted.

See: Protect your origin server · Cloudflare Fundamentals docs and Allow Cloudflare IP addresses · Cloudflare Fundamentals docs
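As an added example that is not part of this thread: the Cloudflare-range allowlist the reply describes, expressed as the ingress payload for the ALB's security group, plus an audit of ALB access-log client IPs for requests that reached the ALB without passing through Cloudflare. The ranges and log lines are constructed samples, and port 443 and the rule description are assumptions.

```python
"""Allowlist Cloudflare's published ranges on an ALB security group and audit
ALB access logs for clients outside those ranges (added example, not from the thread).
Assumes the ranges come from https://www.cloudflare.com/ips-v4 and /ips-v6;
the lists below are constructed samples, not the live data."""
import ipaddress
import json

# Constructed sample in the style of Cloudflare's published lists.
SAMPLE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]

# Constructed ALB access-log lines (4th field is client:port); the second client
# is outside the allowlist, i.e. it reached the ALB without going through Cloudflare.
SAMPLE_LOG = [
    "https 2024-01-01T00:00:00Z app/my-alb/abc123 173.245.48.10:51234 10.0.1.5:443 0.001 0.002 0.000 200 200",
    "https 2024-01-01T00:00:01Z app/my-alb/abc123 198.51.100.7:40000 10.0.1.5:443 0.001 0.002 0.000 200 200",
]

def parse_ranges(cidrs):
    # strict=True rejects host bits set or malformed entries before they reach AWS.
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs if c.strip()]

def build_ingress(cidrs, port=443):
    """IpPermissions payload for `aws ec2 authorize-security-group-ingress
    --group-id <ALB_SG> --ip-permissions file://rules.json` (port/description assumed)."""
    nets = parse_ranges(cidrs)
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": str(n), "Description": "Cloudflare"} for n in nets if n.version == 4],
        "Ipv6Ranges": [{"CidrIpv6": str(n), "Description": "Cloudflare"} for n in nets if n.version == 6],
    }]

def is_cloudflare(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

def audit_alb_log(lines, cidrs):
    """Return client IPs that hit the ALB directly, bypassing the Cloudflare proxy."""
    nets = parse_ranges(cidrs)
    direct = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip truncated lines
        client = fields[3].rsplit(":", 1)[0].strip("[]")
        if not is_cloudflare(client, nets):
            direct.append(client)
    return direct

if __name__ == "__main__":
    print(json.dumps(build_ingress(SAMPLE_RANGES), indent=2))
    print("direct hits:", audit_alb_log(SAMPLE_LOG, SAMPLE_RANGES))
```

Allowlisting these ranges alone still admits requests proxied through any other Cloudflare account; the linked "Protect your origin server" doc covers Authenticated Origin Pulls and Cloudflare Tunnel, which tie the origin to your own zone rather than to Cloudflare's shared address space.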
