Static anycast IPs


#1

Our customers would like to add outbound rules to our servers, which are abstracted by Cloudflare anycast. All source CF IPs are published here (https://www.cloudflare.com/ips-v4). I cannot find any discussion or publication that documents the destination (anycast) IPs. I do see that the same two IPs are returned when I dig on our CF-protected site, but we need to know if they are truly static and something we can provide to our customers.

To be more blunt, I see the below two A records for my abstracted hostname. Is it possible that these IPs will change? Is there a list of available anycast IPs that we can use for outbound FW rules?

$ dig @{{ various-authority }} {{ my-hostname }}
...
;; ANSWER SECTION:
{{ my-hostname }}. 300 IN	A	104.20.54.62
{{ my-hostname }}. 300 IN	A	104.20.55.62

#2

Yes, it is possible. Should not happen often but there is a chance.
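Since the A records can change, a customer who pins them in an outbound rule needs a periodic check that the rule still matches DNS. The following is an added example, not part of the original posts and not Cloudflare's code: `audit_allowlist`, `PUBLISHED_SNAPSHOT` and `FIREWALL_ALLOWLIST` are hypothetical names, the CIDR is a constructed stand-in for a saved copy of the list at the URL in post #1, and it assumes (the thread does not confirm this) that proxied A records fall inside that published list.

```python
import ipaddress

# Constructed sample data (assumption, not from the thread's author):
# one CIDR standing in for a saved copy of the list at the URL in post #1.
PUBLISHED_SNAPSHOT = ["104.16.0.0/13"]
# What the customer's outbound firewall allows today (the A records in post #1).
FIREWALL_ALLOWLIST = ["104.20.54.62", "104.20.55.62"]


def audit_allowlist(resolved, allowlisted, published_cidrs):
    """Compare freshly resolved A records with the firewall allowlist.

    Returns a dict of sorted string lists:
      missing - resolved IPs the firewall would block (rule needs updating)
      stale   - allowlisted IPs DNS no longer returns (candidates for removal)
      outside - resolved IPs not covered by any published range; investigate
                before allowing them, since the answer may not be legitimate
    """
    nets = [ipaddress.ip_network(c) for c in published_cidrs]
    now = {ipaddress.ip_address(a) for a in resolved}
    allowed = {ipaddress.ip_address(a) for a in allowlisted}
    outside = {ip for ip in now if not any(ip in n for n in nets)}
    return {
        "missing": sorted(str(ip) for ip in now - allowed),
        "stale": sorted(str(ip) for ip in allowed - now),
        "outside": sorted(str(ip) for ip in outside),
    }


if __name__ == "__main__":
    # Constructed DNS answer: one record kept, one changed, and one address
    # from the TEST-NET-3 documentation range to show the "outside" case.
    resolved_now = ["104.20.54.62", "104.20.56.62", "203.0.113.10"]
    report = audit_allowlist(resolved_now, FIREWALL_ALLOWLIST, PUBLISHED_SNAPSHOT)
    for key, ips in report.items():
        print(f"{key}: {ips}")
```

In practice `resolved` would be the output of the dig query shown in post #1, collected on a schedule, and a non-empty `missing` or `outside` list would trigger a rule review rather than an automatic change.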


#3

If you trust your customers to not reveal your origin IP address, you could give it to them to whitelist & put in their HOSTS file so they are just routed around Cloudflare.