Zero Trust IP ranges

I am looking for all Zero Trust IPs used by Cloudflare in order to allowlist these IPs in our systems.

Some API-based IP info services are flagging Zero Trust IPs as hosting/spam for some reason. We would like to enforce a policy in our WAF to allowlist all IPs as long as they’re coming from Cloudflare Zero Trust.

I noticed that Cloudflare is providing a list of IPs in use; however, some IPs are not listed (such as 2a09:bac0::/29) although they belong to Cloudflare.

Anyone know which IP ranges are in use for ZT?

WARP IPs aren’t in the list, otherwise users allowlisting Cloudflare IPs for access to their servers would be bypassed by people using WARP instead.

Cloudflare doesn’t publish a list. Someone may have compiled one somewhere. I’m not sure why you would want to allowlist these IPs anyway, since any WARP user could then get access.

The way to use WARP for secure access to your organisation is to use a tunnel.

Thanks for your reply @sjr, but I think we were not on the same page. We are not using Zero Trust but our end-users are, among many other users using VPNs, proxies or direct ISP lines. Our WAF is blocklisting suspicious IP addresses and we noticed Zero Trust IPs are sometimes blocked, although we would like to allowlist them all as we know our customers on Zero Trust are using it to good use.

Hope this is clearer.

Ah, ok.

There’s no Cloudflare list of IPs for WARP/ZT and, as with any VPN-type solution, abusive users can lead to IPs getting a bad reputation. I still wouldn’t assume that those IP addresses are to be trusted since there’s no guarantee they are your customers.

Thanks for your help @sjr, we’ll end up using an IP to ASN mapper to find which IPs belong to CF.
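
The IP-to-ASN lookup mentioned in the last post, sketched as an added example that is not part of the original thread: a longest-prefix match that exempts a client from the IP-reputation rule only, since the replies above note these addresses are shared with other users. The prefix table is constructed sample data, and the AS13335 mapping, `EXEMPT_ASNS`, `ip_to_asn` and `waf_decision` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample table (prefix -> origin ASN). A real deployment would load
# this from a routing-data snapshot and refresh it on a schedule.
SAMPLE_ROWS = [
    ("2a09:bac0::/29", 13335),     # range from the thread; ASN mapping assumed
    ("203.0.113.0/24", 13335),     # documentation prefix, constructed mapping
    ("198.51.100.0/24", 64500),    # documentation prefix and ASN
    ("198.51.100.128/25", 64501),  # more-specific route inside the /24
]
EXEMPT_ASNS = {13335}  # assumption: the ASN whose clients skip the reputation rule


def build_table(rows):
    """Parse prefixes and order them most-specific first."""
    nets = [(ipaddress.ip_network(prefix), asn) for prefix, asn in rows]
    return sorted(nets, key=lambda row: row[0].prefixlen, reverse=True)


TABLE = build_table(SAMPLE_ROWS)


def ip_to_asn(ip, table=TABLE):
    """Return the origin ASN of the longest matching prefix, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed client address: never exempt
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net, asn in table:
        if addr in net:  # False when the address families differ
            return asn
    return None


def waf_decision(ip, reputation_flagged):
    """Skip only the IP-reputation rule; every other WAF rule still runs."""
    if not reputation_flagged:
        return "pass"
    if ip_to_asn(ip) in EXEMPT_ASNS:
        return "reputation-exempt"
    return "block"
```
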