Static anycast IPs

ryan2 · October 21, 2019, 9:29pm

Our customers would like to add outbound rules to our servers, which are abstracted by Cloudflare anycast. All source CF IP’s are published here (https://www.cloudflare.com/ips-v4 ). I cannot find any discussion or publication that documents the destination (anycast) IPs. I do see that the same two IPs are returned when I dig on our CF protected site but we need to know if they are truly static and something we can provide to our customers.

To be more blunt, I see the below two A records for my abstracted hostname. Is it possible that these ips will change? Is there a list of available anycast ips that we can use for outbound FW rules.

$ dig @{{ various-authority }} {{ my-hostname }}
...
;; ANSWER SECTION:
{{ my-hostname }}. 300 IN	A	104.20.54.62
{{ my-hostname }}. 300 IN	A	104.20.55.62

sandro · October 1, 2018, 6:51pm

Yes, it is possible. Should not happen often but there is a chance.

Judge · October 1, 2018, 7:20pm

If you trust your customers to not reveal your origin IP address, you could give it to them to whitelist & put in their HOSTS file so they are just routed around Cloudflare.

system · October 31, 2018, 7:33pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.