Zero Trust Locations and Multiple IP Addresses for location

Hi, I have found various comments around dynamic IP addresses and the Gateways locations. I haven’t found one about pooled IP addresses and what to do about that.

My scenario -
I utilize Azure services as well as many hundreds of private endpoints within Azure. To make those private endpoints work I need to make DNS queries happen within Azure. Then from my office locations I need to forward my DNS requests for conditional forwarding to my setup in Azure. I also have an internal AD domain that doesn’t have domain controllers in the office and all those forwarding rules go to my Azure network as well. I also have a VDI setup in Azure that I would like to use as a location. In Azure I have the Azure firewall deployed and by the nature of the firewall using load balancers under the covers there are SNAT limits. This means the firewall uses a pool of public IP addresses for dynamic NAT going to Cloudflare. I have 0 control over pinning DNS queries from the Azure DNS servers to what IP it needs to use in Cloudflare to build a location for it.

As I’m testing the free version, it looks like I can only specify the IP by the Cloudflare page picking for me. If I go to the paid version I can specify a location, but is it 1 IP per location? Or can I have a pool of IPs per location?

This sounds like a question best posed to the Cloudflare sales team.

If I go to the paid version I can specify a location, but is it 1 IP per location?

With the ‘Zero Trust Standard’ paid plan, you can use the https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/locations API to add multiple network CIDRs to one location. Though I noticed the web interface has fewer options.

GET https://api.cloudflare.com/client/v4/accounts/abc****123/gateway/locations will return something like the JSON below, and it can be modified with the POST and PATCH as documented (though the documentation does not mention all the details, like the network ID field).

{
  "result": [
    {
      "id": "abc***********123",
      "name": "Location A",
      "networks": [
        {"network": "123.45.67.89/32", "id": "abcdef0123456789abcdef0123456789"},
        {"network": "45.67.89.12/32", "id": "abcdef0123456789abcdef0123456789"}
      ],
      "policy_ids": [],
      "ip": "2a06:***********",
      "doh_subdomain": "***********",
      "anonymized_logs_enabled": false,
      "ipv4_destination": null,
      "ipv4_destination_backup": null,
      "client_default": false,
      "ecs_support": false,
      "created_at": "2022-06-07T09:28:46Z",
      "updated_at": "2022-10-24T13:32:52Z"
    },
    {
      "id": "def***********345",
      "name": "Location B",
      "networks": [
        {"network": "123.45.67.89/32", "id": "abcdef0123456789abcdef0123456789"}
      ],
      "policy_ids": [],
      "ip": "2a06:***********",
      "doh_subdomain": "***********",
      "anonymized_logs_enabled": false,
      "ipv4_destination": null,
      "ipv4_destination_backup": null,
      "client_default": false,
      "ecs_support": false,
      "created_at": "2022-10-03T12:45:49Z",
      "updated_at": "2022-10-03T12:45:49Z"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}

Cool. Thank you for the help. I will see if I can try that.

My code to update the Cloudflare Zero Trust location with a dynamic IP using a dynamic-IP hostname + curl + PHP. I hope it helps you guys, thanks!

####### PHP CODE to update Cloudflare Zero Trust Dynamic IP using curl+php #####

<?php
/*
Code Author: Vitor Magalhães
How to set up:
First, get the proper response for this curl command; WITH IT YOU WILL GET THE ID OF THE LOCATION.
CURL COMMAND 1:

curl --request GET \
  --url https://api.cloudflare.com/client/v4/accounts/PUT-HERE-YOUR-ACCOUNT-ID/gateway/locations \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Key: PUT-HERE-YOUR-GLOBAL-API-KEY' \
  --header 'X-Auth-Email: [email protected]'

- Account ID: CAN BE FOUND in the Zero Trust dashboard URL, example: https://one.dash.cloudflare.com/WILL-BE-HERE/gateway/locations
- X-Auth-Key: your Cloudflare global API key, found in your Cloudflare profile
- X-Auth-Email: your Cloudflare account email
*/

// Option 1: use without a dynamic-IP hostname (takes the public IP of whoever calls this script)
// $ip = $_SERVER['REMOTE_ADDR'];

// Option 2: use with a dynamic-IP hostname
$hostname = "YOUR.DYNAMIC-IP-HOSTNAME.COM";
$ip = gethostbyname($hostname);
// gethostbyname() returns the hostname unchanged when resolution fails, so check before sending it to the API
if ($ip === $hostname || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
    echo "Could not resolve $hostname to an IPv4 address\n";
    exit(1);
}

// CLOUDFLARE CONFIG DATA
$email         = "[email protected]";                 // Cloudflare account email address
$ACCOUNT_ID    = "UPDATE WITH YOUR ACCOUNT ID";         // CAN BE FOUND in the Zero Trust dashboard URL: https://one.dash.cloudflare.com/WILL-BE-HERE/gateway/locations
$AUTH_KEY      = "UPDATE WITH YOUR GLOBAL API KEY";     // Cloudflare global API key, found in your Cloudflare profile
$LOCATION_ID   = "UPDATE WITH YOUR id";                 // the "id" value of the location in the CURL COMMAND 1 output (just above its "name")
$LOCATION_NAME = "UPDATE WITH YOUR location name";     // the "name" value of that same location

// Request body for PUT .../gateway/locations/{location_id}.
// Note: this REPLACES the location's network list with the single current IP.
$body = json_encode([
    'client_default' => false,
    'ecs_support'    => false,
    'name'           => $LOCATION_NAME,
    'networks'       => [['network' => $ip . '/32']],
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,
    'https://api.cloudflare.com/client/v4/accounts/' . $ACCOUNT_ID . '/gateway/locations/' . $LOCATION_ID);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-Auth-Key: ' . $AUTH_KEY,
    'X-Auth-Email: ' . $email,
]);

$result = curl_exec($ch);
if ($result === false) {
    echo 'Error: ' . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Only report success when the API actually accepted the update
$response = json_decode($result, true);
if ($httpCode !== 200 || empty($response['success'])) {
    echo "Update failed (HTTP $httpCode): " . $result . "\n";
    exit(1);
}
echo $ip . " SUCCESS UPDATED!\n";

1 Like
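The reply above shows that a location's `networks` array can hold several CIDRs, while the PHP script replaces that array with a single `/32` on every run. For a pool of egress addresses like the Azure Firewall SNAT pool in the original question, a read-modify-write that keeps the existing entries is what you want. The following is an added example, not code from the thread or from Cloudflare; the account ID, location ID and `CF_API_TOKEN` are placeholders, the sample location is a constructed copy of the GET response quoted above, and authentication uses a scoped API token via `Authorization: Bearer`, which the Cloudflare API accepts as an alternative to the global key plus email headers.

```python
"""Read-modify-write of a Zero Trust Gateway location's network list.

Added example, not code from the thread. ACCOUNT_ID, LOCATION_ID and the
API token are placeholders you must supply; SAMPLE_LOCATION is a constructed
copy of the GET /gateway/locations response quoted in the thread.
"""
import ipaddress
import json
import os
import urllib.request
from typing import Optional

API_BASE = "https://api.cloudflare.com/client/v4"

# Constructed sample, modelled on the GET response shown in the thread.
SAMPLE_LOCATION = {
    "id": "abc***********123",
    "name": "Location A",
    "networks": [
        {"network": "123.45.67.89/32", "id": "abcdef0123456789abcdef0123456789"},
        {"network": "45.67.89.12/32", "id": "abcdef0123456789abcdef0123456789"},
    ],
    "client_default": False,
    "ecs_support": False,
}


def normalize_cidr(value: str) -> str:
    """Return canonical CIDR text for a bare address or a CIDR.

    A bare IPv4 address becomes a /32 and a bare IPv6 address a /128.
    Raises ValueError for anything that is not an address, e.g. a hostname
    that a failed DNS lookup handed back unchanged.
    """
    return str(ipaddress.ip_network(value, strict=False))


def is_valid_cidr(value: str) -> bool:
    """True when normalize_cidr() accepts the value."""
    try:
        normalize_cidr(value)
        return True
    except ValueError:
        return False


def merge_networks(location: dict, new_cidrs) -> dict:
    """Build the PUT body: existing networks first, then new CIDRs not already present.

    The per-network ``id`` values from the GET response are dropped so the API
    assigns them; only the fields the update endpoint needs are sent.
    """
    merged = []
    seen = set()
    for cidr in [n["network"] for n in location["networks"]] + list(new_cidrs):
        cidr = normalize_cidr(cidr)
        if cidr not in seen:
            seen.add(cidr)
            merged.append(cidr)
    return {
        "name": location["name"],
        "client_default": location.get("client_default", False),
        "ecs_support": location.get("ecs_support", False),
        "networks": [{"network": c} for c in merged],
    }


def _call(method: str, path: str, token: str, body: Optional[dict] = None) -> dict:
    """Minimal JSON client; raises on transport errors or on success=false."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        API_BASE + path,
        data=data,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API returned errors: {payload.get('errors')}")
    return payload["result"]


def add_networks_to_location(account_id: str, location_id: str, new_cidrs, token: str) -> dict:
    """GET the current location, merge the new CIDRs, PUT the result back."""
    path = f"/accounts/{account_id}/gateway/locations/{location_id}"
    current = _call("GET", path, token)
    return _call("PUT", path, token, merge_networks(current, new_cidrs))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample: one new IP, one duplicate.
    print(json.dumps(merge_networks(SAMPLE_LOCATION, ["20.30.40.50", "45.67.89.12"]), indent=2))
    # Live use only when a token is present; IDs below are placeholders.
    token = os.environ.get("CF_API_TOKEN")
    if token:
        print(add_networks_to_location("ACCOUNT_ID_PLACEHOLDER", "LOCATION_ID_PLACEHOLDER",
                                       ["20.30.40.50"], token))
```

Run it once with a pool address that is already present and once with a new one: the body keeps the existing entries in order and appends only what is missing, so a scheduled run never knocks the other pool addresses out of the location. Validating the resolved value before the PUT also catches the `gethostbyname`-style failure mode where the hostname itself comes back instead of an address.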