WAF+Anti DDOS - static IP or dynamic?

Hi helpful folks! Can I check if the IP address to the WAF+AntiDDOS is static or dynamic? If it is static, how does it scale to handle load? If it is dynamic, how do security people whitelist it without the IP (apparently I was told they cannot whitelist based on domain name)?

Which IP address?

To the WAF

That doesn't make much sense. Are you referring to the IP address of Cloudflare's proxy? These are obviously static. Well, semi-static as they do change occasionally, but this is where DNS comes in. Cloudflare automatically adjusts all proxied records when the addresses change.

Sorry not sure if I am not clear enough?

Say I have something like that:

Internet > WAF + AntiDDos Cloudflare > AWS ALB > WebApps on Elastic Beanstalk.

And my organisation Intranet > Firewall > Internet.

For my machines within the Intranet to reach the WebApps, I need to open firewall to whitelist the IP address of WAF (the first point of entry).

Please refer to my previous response.

Yes, that is precisely the issue. I was told by my security team that they cannot whitelist by domain name, e.g. waf123.Cloudflare.com, but then the IP address always changes. Has anyone had such issues before? Pardon me if it is a stupid question, I'm new.

There is no waf123.Cloudflare.com, it always is your actual domain name.

Again, the addresses are pretty static, but you don't have a guarantee for that and they can change at any time. So if you can only whitelist IP addresses, your best bet is to whitelist your current addresses and update that should they change.

Ah… I thought it is like a CDN, where the traffic shows it comes from CDN.XXXX.com rather than the actual my.domainname.com. That means the A or CNAME? records point to the WAF rather than the ALB directly.

Means I need a script to check for changes in the IP addresses and then update the firewall accordingly… hmmm… that means the site will go down momentarily until firewall rules are updated.

Pretty much that.

Strictly speaking Cloudflare is not a CDN, but a proxy instead. Yes, automating the update might be a good approach.

1 Like
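The automation discussed above (poll the proxy provider's published address ranges, detect changes, and update the outbound firewall allowlist) can be sketched as follows. This is an added example written for this thread, not Cloudflare's code or anything from the original post. It assumes the provider publishes its ranges as a plain list of CIDR prefixes (Cloudflare does, at https://www.cloudflare.com/ips-v4 and /ips-v6); the lists below are constructed from RFC 5737 / RFC 3849 documentation ranges rather than real provider addresses, and the rule format emitted by `firewall_changes` is a hypothetical placeholder for whatever the intranet firewall actually accepts. The `is_allowlisted` check is the part that matters operationally: run it against the address the web app's hostname currently resolves to, and you will see a pending outage before the firewall rules are updated.

```python
"""Detect changes in a proxy/WAF provider's published IP ranges and derive
outbound firewall allowlist updates.

Added example for this thread; not Cloudflare's code. In production,
CURRENT_RANGES would be fetched from the provider's published list
(Cloudflare: https://www.cloudflare.com/ips-v4 and /ips-v6) on a schedule,
and PREVIOUS_RANGES would be what was last pushed to the firewall.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges), standing in
# for the provider's list as last applied to the firewall ...
PREVIOUS_RANGES = [
    "# provider ranges applied 2024-01-01 (constructed)",
    "192.0.2.0/24",
    "198.51.100.0/25",
    "2001:db8::/32",
]
# ... and as published now: one prefix widened, one added.
CURRENT_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8::/32",
]

Network = ipaddress._BaseNetwork


def parse_ranges(lines: Iterable[str]) -> set:
    """Parse a CIDR list, skipping blanks/comments and rejecting anything
    that would be unsafe to allowlist (malformed or a catch-all prefix)."""
    nets = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)  # host bits set -> error
        except ValueError as exc:
            raise ValueError(f"rejecting malformed range {line!r}: {exc}") from exc
        if net.prefixlen == 0:
            # A 0.0.0.0/0 or ::/0 entry would open the firewall to the whole
            # Internet; never let a bad fetch turn into that rule.
            raise ValueError(f"rejecting catch-all range {line!r}")
        nets.add(net)
    return nets


def _sort_key(net: Network):
    # IPv4 and IPv6 networks are not mutually comparable, so order by version first.
    return (net.version, net)


def diff_ranges(previous: Iterable[str], current: Iterable[str]) -> Tuple[List[Network], List[Network]]:
    """Return (added, removed) networks between the applied and published lists."""
    prev, cur = parse_ranges(previous), parse_ranges(current)
    return sorted(cur - prev, key=_sort_key), sorted(prev - cur, key=_sort_key)


def firewall_changes(added: List[Network], removed: List[Network], port: int = 443) -> List[str]:
    """Render the diff as rule lines. The 'allow'/'revoke' syntax is a
    hypothetical placeholder; map it onto the real firewall's API or CLI.
    Additions come first so the site never loses reachability during the push."""
    rules = [f"allow tcp to {net} port {port}" for net in added]
    rules += [f"revoke tcp to {net} port {port}" for net in removed]
    return rules


def is_allowlisted(addr: str, ranges: Iterable[str]) -> bool:
    """True if addr (e.g. what the app hostname resolves to right now) is
    covered by the given list. False against PREVIOUS_RANGES while the
    published list already moved means the intranet is currently cut off."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in parse_ranges(ranges) if net.version == ip.version)


if __name__ == "__main__":
    added, removed = diff_ranges(PREVIOUS_RANGES, CURRENT_RANGES)
    for rule in firewall_changes(added, removed):
        print(rule)
    # Example resolved address (constructed) that is reachable only after the update.
    print("203.0.113.7 allowed by applied rules:", is_allowlisted("203.0.113.7", PREVIOUS_RANGES))
```

Running this on a schedule closes the gap the thread worries about only as far as the polling interval allows; the window between the provider changing an address and the next run is the residual downtime, which is why the later suggestion in this thread (asking, on an Enterprise plan, for a small fixed range) is worth raising with the vendor.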

Thanks. I wonder if I can ask Cloudflare to limit and only use a small range of static ip addresses? I am just worried that even with automated scripts to check periodically, there will still be down time before the addresses are updated.

You can open a support ticket, but I honestly doubt it. These changes are done automatically. Maybe, maybe if you are on an Enterprise plan.

Yes. If we were to engage Cloudflare, we would be on Enterprise. I just want to verify a few things before I make a proposal to use it in my solution. It was just that the Sec guys are insisting that I have to give them static addresses, when I thought they could do with just domain names.

Thanks sandro by the way :slight_smile:

With Enterprise a lot more is possible than what is for commoners :slight_smile:

I’d drop them a message or call -> https://www.cloudflare.com/plans/enterprise/contact/

2 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.