Zero Trust Locations and Multiple IP Addresses for location

Hi, I have found various comments around dynamic IP addresses and the Gateways locations. I haven’t found one about pooled IP addresses and what to do about that.

My scenario -
I utilize Azure services as well as many hundreds of private endpoints within Azure. To make those private endpoints work I need to make DNS queries happen within Azure. Then from my office locations I need to forward my DNS requests for conditional forwarding to my setup in Azure. I also have an internal AD domain that doesn’t have domain controllers in the office and all those forwarding rules go to my Azure network as well. I also have a VDI setup in Azure that I would like to use as a location. In Azure I have the Azure firewall deployed and by the nature of the firewall using load balancers under the covers there are SNAT limits. This means the firewall uses a pool of public IP addresses for dynamic NAT going to Cloudflare. I have 0 control over pinning DNS queries from the Azure DNS servers to what IP it needs to use in Cloudflare to build a location for it.

As I’m testing the free version, it looks like I can only specify the IP by the Cloudflare page picking for me. If I go to the paid version I can specify a location, but is it 1 IP per location? Or can I have a pool of IPs per location?

This sounds like a question best posed to the Cloudflare sales team.

If I go to the paid version I can specify a location, but is it 1 IP per location?

With the ‘Zero Trust Standard’ paid plan, you can use the https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/locations API to add multiple network CIDRs to one location. Though I noticed the web interface has fewer options.

GET https://api.cloudflare.com/client/v4/accounts/abc****123/gateway/locations will return something like the JSON below, and it can be modified with the POST and PATCH as documented (though the documentation does not mention all the details, like the network ID field).

{
  "result": [
    {
      "id": "abc***********123",
      "name": "Location A",
      "networks": [
        {"network": "123.45.67.89/32", "id": "abcdef0123456789abcdef0123456789"},
        {"network": "45.67.89.12/32", "id": "abcdef0123456789abcdef0123456789"}
      ],
      "policy_ids": [],
      "ip": "2a06:***********",
      "doh_subdomain": "***********",
      "anonymized_logs_enabled": false,
      "ipv4_destination": null,
      "ipv4_destination_backup": null,
      "client_default": false,
      "ecs_support": false,
      "created_at": "2022-06-07T09:28:46Z",
      "updated_at": "2022-10-24T13:32:52Z"
    },
    {
      "id": "def***********345",
      "name": "Location B",
      "networks": [
        {"network": "123.45.67.89/32", "id": "abcdef0123456789abcdef0123456789"}
      ],
      "policy_ids": [],
      "ip": "2a06:***********",
      "doh_subdomain": "***********",
      "anonymized_logs_enabled": false,
      "ipv4_destination": null,
      "ipv4_destination_backup": null,
      "client_default": false,
      "ecs_support": false,
      "created_at": "2022-10-03T12:45:49Z",
      "updated_at": "2022-10-03T12:45:49Z"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
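An added example (not from the reply above or from Cloudflare's own tooling) of merging an Azure firewall SNAT pool into an existing location through the PATCH endpoint. It assumes the PATCH path and the name/networks/client_default/ecs_support body fields as documented in the Cloudflare API, and it vets every CIDR first, since each network added to a location is trusted as a source for that location's policies.

```python
import ipaddress
import json
import urllib.request
# PATCH endpoint as documented by Cloudflare; the caller supplies account_id and location_id.
LOCATION_URL = ("https://api.cloudflare.com/client/v4/accounts/"
                "{account_id}/gateway/locations/{location_id}")

# Constructed sample shaped like one entry of the GET response above (ids are placeholders).
SAMPLE_LOCATION = {"id": "LOCATION_ID_PLACEHOLDER", "name": "Location B",
                   "networks": [{"network": "123.45.67.89/32", "id": "NETWORK_ID_PLACEHOLDER"}],
                   "client_default": False, "ecs_support": False}

def vet_networks(cidrs, max_addresses=256):
    """Return (accepted, rejected). accepted: normalised, de-duplicated CIDRs.
    rejected: (cidr, reason) for malformed input, host bits set, or prefixes wider
    than max_addresses (so a typo like /8 for /28 cannot trust most of the internet)."""
    accepted, rejected = [], []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            rejected.append((cidr, str(exc)))
            continue
        if net.num_addresses > max_addresses:
            rejected.append((cidr, f"covers {net.num_addresses} addresses, limit is {max_addresses}"))
        elif net.with_prefixlen not in accepted:
            accepted.append(net.with_prefixlen)
    return accepted, rejected

def build_patch_body(location, new_cidrs, max_addresses=256):
    """Merge new_cidrs into the location's existing networks and return the PATCH body.
    Fields follow the documented PATCH request; per-network ids from GET are not resent."""
    existing = [n["network"] for n in location.get("networks", [])]
    accepted, rejected = vet_networks(existing + list(new_cidrs), max_addresses)
    if rejected:
        raise ValueError("refusing to patch: " + "; ".join(f"{c} ({r})" for c, r in rejected))
    return {"name": location["name"],
            "client_default": bool(location.get("client_default", False)),
            "ecs_support": bool(location.get("ecs_support", False)),
            "networks": [{"network": n} for n in accepted]}

def patch_location(account_id, location_id, api_token, body):
    """Send the PATCH with a scoped API token (Bearer auth); returns the parsed JSON reply."""
    req = urllib.request.Request(
        LOCATION_URL.format(account_id=account_id, location_id=location_id),
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `build_patch_body` against the location fetched with GET, inspect the result, then pass it to `patch_location`; an API token limited to Zero Trust write is enough for the call.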

Cool. Thank you for the help. I will see if I can try that.