Static anycast IPs

ryan2 · 2018-10-01 18:45:49 UTC

Our customers would like to add outbound rules to our servers, which are abstracted by Cloudflare anycast. All source CF IP’s are published here (https://www.cloudflare.com/ips-v4 ). I cannot find any discussion or publication that documents the destination (anycast) IPs. I do see that the same two IPs are returned when I dig on our CF protected site but we need to know if they are truly static and something we can provide to our customers.

To be more blunt, I see the below two A records for my abstracted hostname. Is it possible that these ips will change? Is there a list of available anycast ips that we can use for outbound FW rules.

$ dig @{{ various-authority }} {{ my-hostname }}
...
;; ANSWER SECTION:
{{ my-hostname }}. 300 IN	A	104.20.54.62
{{ my-hostname }}. 300 IN	A	104.20.55.62

sandro · 2018-10-01 18:51:27 UTC

Yes, it is possible. Should not happen often but there is a chance.

Judge · 2018-10-01 19:20:23 UTC

If you trust your customers to not reveal your origin IP address, you could give it to them to whitelist & put in their HOSTS file so they are just routed around Cloudflare.