Combining Security Groups IP ranges with Cloudflare

Why IP Whitelist Security Groups Don't Work Behind Cloudflare Anymore

When it comes to securing applications hosted on AWS, many rely on security groups and IP whitelists. However, if your setup involves Cloudflare, this approach might not work as expected anymore. The reason? IP whitelisting doesn't mesh well with the way Cloudflare operates. In this blog, we’ll explore why IP whitelist security groups fall short behind Cloudflare, why IP-based security is outdated, and what modern alternatives you should consider. Whether you’re dealing with Cloudflare AWS security group whitelist configurations or exploring new security models, we’ve got you covered.

Cloudflare's Role: Hiding Your Real IP

When you put your application behind Cloudflare, you're using their network as a shield. Cloudflare's servers sit between your users and your application. They handle things like DDoS protection, caching, and SSL termination. From your app's perspective, every incoming request comes from a Cloudflare IP, not the original user.

That's great for security and performance, but it throws a wrench into IP whitelisting. You're no longer dealing with the end-user's IP address. Instead, all your traffic seems to originate from Cloudflare's IP ranges. If you're still relying on whitelists for specific IPs, this setup will break almost immediately.

The Problem with Whitelisting Cloudflare IPs

So, you might think: "No problem, I'll just whitelist Cloudflare's IP ranges." While that technically works, it introduces a ton of complexity:

  1. Cloudflare's IPs Change: Cloudflare periodically updates their IP ranges. Every time they add or remove an IP, you'll need to update your security groups. Forget to do this, and you'll block legitimate traffic.
  2. Increased Management Overhead: Keeping your IP whitelist synced with Cloudflare's changes is a chore. You'll need a script or process to stay up to date, and any gaps could lead to downtime.
  3. Lack of Granularity: When you whitelist all of Cloudflare's IPs, you're essentially saying, "I trust anything coming through Cloudflare." That's not always ideal if you want finer control over who accesses your service.
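If you do decide to keep a Cloudflare allow-list, the mechanism the page recommends later (a single AWS prefix list referenced from your security groups) is the one worth automating. The following is an added example, not code from the original post: it diffs the ranges Cloudflare publishes against what is currently stored in a customer-managed prefix list and produces a single ModifyManagedPrefixList call. The published lists really live at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and the AWS call shapes match boto3's ec2 client; the prefix list id, the capacity and the sample CIDRs below are constructed placeholders, and boto3 is imported only when the live apply function runs, so the planning logic works offline.

```python
"""Keep an AWS customer-managed prefix list in sync with Cloudflare's
published IP ranges (added example; placeholders are marked as such)."""
import ipaddress
import urllib.request

# Real locations of the published lists (one CIDR per line).
CLOUDFLARE_IP_URLS = (
    "https://www.cloudflare.com/ips-v4",
    "https://www.cloudflare.com/ips-v6",
)

# Constructed sample data standing in for the live lists and for the
# entries currently stored in the prefix list. Not real Cloudflare ranges.
SAMPLE_PUBLISHED = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]
SAMPLE_CURRENT = ["192.0.2.0/24", "203.0.113.0/24", "2001:db8::/32"]


def parse_ranges(text):
    """Parse one list body into normalized CIDR strings. Rejects anything
    that is not a valid network and refuses catch-all prefixes, so a
    corrupted download can never open the group to the whole internet."""
    ranges = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net = ipaddress.ip_network(line, strict=True)  # ValueError on garbage
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all prefix {net}")
        ranges.add(str(net))
    return ranges


def fetch_cloudflare_ranges(urls=CLOUDFLARE_IP_URLS, timeout=10):
    """Download and parse the published lists (needs network access)."""
    ranges = set()
    for url in urls:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            ranges |= parse_ranges(resp.read().decode())
    return ranges


def plan_update(current, desired, max_entries):
    """Compute AddEntries/RemoveEntries for one ModifyManagedPrefixList
    call. Adds and removes go in the same call so the list never passes
    through a state that drops legitimate Cloudflare traffic; the size
    check guards the prefix list's fixed capacity."""
    current, desired = set(current), set(desired)
    if len(desired) > max_entries:
        raise ValueError(
            f"{len(desired)} entries exceed the prefix list capacity of {max_entries}")
    return {
        "AddEntries": [{"Cidr": c, "Description": "Cloudflare"}
                       for c in sorted(desired - current)],
        "RemoveEntries": [{"Cidr": c} for c in sorted(current - desired)],
    }


def apply_prefix_list_update(prefix_list_id, desired, region=None):
    """Read the live prefix list and apply the planned change. Passing
    CurrentVersion makes the update an optimistic lock: if someone edited
    the list concurrently, AWS rejects the call instead of clobbering."""
    import boto3  # lazy import so the planning code runs without it

    ec2 = boto3.client("ec2", region_name=region)
    pl = ec2.describe_managed_prefix_lists(
        PrefixListIds=[prefix_list_id])["PrefixLists"][0]
    entries = ec2.get_managed_prefix_list_entries(
        PrefixListId=prefix_list_id)["Entries"]
    plan = plan_update({e["Cidr"] for e in entries}, desired, pl["MaxEntries"])
    if not plan["AddEntries"] and not plan["RemoveEntries"]:
        return None  # already in sync, nothing to do
    return ec2.modify_managed_prefix_list(
        PrefixListId=prefix_list_id, CurrentVersion=pl["Version"], **plan)


if __name__ == "__main__":
    # Offline dry run against the constructed samples.
    print(plan_update(SAMPLE_CURRENT,
                      parse_ranges("\n".join(SAMPLE_PUBLISHED)), max_entries=30))
    # Live sync (needs AWS credentials and network); "pl-PLACEHOLDER" is not a real id:
    # apply_prefix_list_update("pl-PLACEHOLDER", fetch_cloudflare_ranges())
```

Run this on a schedule and alert when it raises: a failure to download or parse the lists should block the update rather than silently remove entries. Remember that a security group rule which references a prefix list consumes the list's maximum entry count against the group's rule quota, so size the list to Cloudflare's published ranges plus a little headroom rather than to the largest value allowed.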

IP Rotation: A Modern Pain Point

Even if you're not behind Cloudflare, IP whitelists have a fundamental flaw in today's internet: IPs are no longer static. With ISPs, VPNs, and mobile networks constantly rotating IP addresses, you'll find yourself playing a frustrating game of "whitelist whack-a-mole."

Users' IPs change, and suddenly, they're locked out. Or worse, someone's IP gets reassigned to a malicious actor, and you've accidentally given them access.

The Smarter Alternative: Embrace Identity-Based Access

Instead of clinging to IP whitelists, it's time to shift to more modern and robust solutions. Here are a few:

  1. Cloudflare Access: Think of this as a VPN replacement. Cloudflare Access authenticates users at the edge using their identity (like Google Workspace or Okta credentials) before they even reach your application. No need to worry about IPs at all.
  2. Private Keys and Certificates: For server-to-server communication, consider using mutual TLS or API tokens. These methods verify identity based on cryptographic credentials rather than IP addresses.
  3. Zero Trust Security: Adopt a zero-trust model where every request is verified based on user identity, device posture, and other contextual factors. It's a more holistic approach than trusting an IP.

Pro Tips for Securing Applications Behind Cloudflare

  1. Use the X-Cloudflare-Token Header: In Cloudflare, you can configure a custom X-Cloudflare-Token header carrying a secret value to be added to every request Cloudflare forwards to your origin. Have your load balancer forward to your target group only when that header is present with the expected value, so that only traffic that has actually passed through Cloudflare's network can reach your application. This stops attackers from bypassing Cloudflare and hitting your origin directly.
  2. Zero Trust + Email Verification: With Cloudflare's Zero Trust security, you can add an extra layer of security by requiring users to provide their email address and enter a code emailed to them. This ensures that even if someone accesses your service through Cloudflare, they still need to prove their identity.
  3. Internal Load Balancer with Argo Tunnel: You can make your load balancer internal and expose it only through Argo Tunnel instances running on AWS Fargate. This guarantees that all traffic comes exclusively from the Cloudflare network, eliminating the risk of direct access.
  4. Use AWS Prefix Lists: If you're still set on whitelisting IPs, switch to AWS Prefix Lists. A prefix list lets you manage the allowed ranges in a single place and reference that one list from every security group, simplifying updates and reducing the chances of mistakes.
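The header tip above has two halves: a load balancer rule that only forwards requests carrying the expected token, and, as defence in depth, the same check at the origin in case the load balancer rule is ever misconfigured. The block below is an added example, not code from the original post or from Cloudflare or AWS. It assumes Cloudflare has been configured to add the X-Cloudflare-Token header with a random secret to every forwarded request; the ARNs and the secret used here are constructed placeholders. The rule dictionary matches the shape of the elbv2 CreateRule API, and the origin-side check is written as plain WSGI middleware so it runs offline.

```python
"""Shared-secret header check for traffic that must have passed through
Cloudflare (added example; ARNs and secrets below are placeholders)."""
import hmac
import secrets

HEADER_NAME = "X-Cloudflare-Token"


def generate_token(nbytes=32):
    """Random URL-safe token to configure in Cloudflare and in the load
    balancer rule. Rotate by adding the new value as a second accepted
    value, switching Cloudflare over, then dropping the old one."""
    return secrets.token_urlsafe(nbytes)


def build_alb_header_rule(listener_arn, target_group_arn, tokens, priority=10):
    """Listener rule that forwards to the target group only when the header
    carries one of the accepted tokens (elbv2 CreateRule parameter shape)."""
    return {
        "ListenerArn": listener_arn,
        "Priority": priority,
        "Conditions": [{
            "Field": "http-header",
            "HttpHeaderConfig": {"HttpHeaderName": HEADER_NAME,
                                 "Values": list(tokens)},
        }],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


def default_deny_action():
    """Listener default action: anything no rule matched is rejected, so a
    request without the header never reaches a target."""
    return {
        "Type": "fixed-response",
        "FixedResponseConfig": {"StatusCode": "403", "ContentType": "text/plain",
                                "MessageBody": "forbidden"},
    }


def has_valid_token(headers, tokens):
    """Constant-time comparison of the presented header against every
    accepted token. Returns False when the header is absent."""
    presented = headers.get(HEADER_NAME) or headers.get(HEADER_NAME.lower())
    if presented is None:
        return False
    return any(hmac.compare_digest(presented.encode(), t.encode()) for t in tokens)


def wsgi_token_guard(app, tokens):
    """WSGI middleware that rejects requests whose X-Cloudflare-Token header
    is missing or wrong before they reach the application."""
    key = "HTTP_" + HEADER_NAME.upper().replace("-", "_")  # WSGI's header key

    def guarded(environ, start_response):
        if not has_valid_token({HEADER_NAME: environ.get(key)}, tokens):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden"]
        return app(environ, start_response)
    return guarded


def demo_app(environ, start_response):
    """Stand-in origin application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin"]


def call_app(app, headers):
    """Invoke a WSGI app with constructed request headers; returns (status, body)."""
    environ = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    token = generate_token()
    guarded = wsgi_token_guard(demo_app, [token])
    print(call_app(guarded, {HEADER_NAME: token}))   # accepted
    print(call_app(guarded, {}))                      # rejected
    print(build_alb_header_rule("arn:PLACEHOLDER-listener",
                                "arn:PLACEHOLDER-target-group", [token]))
```

Two practical points: the `http-header` condition treats `*` and `?` in its values as wildcards, so generate tokens from an alphabet without them (token_urlsafe qualifies); and the token only proves the request came through a Cloudflare edge configured for your zone, so treat it as one layer alongside the prefix list of Cloudflare ranges rather than a replacement for it.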

Additional Reading

Looking to further optimize your AWS setup? Check out our blog posts on getting a cheap VPN into your AWS VPC and on improving worldwide performance through Cloudflare Tunnels.

The Bottom Line

IP whitelists were great in their time, but they've become a relic in the era of dynamic IPs and cloud services. When you're behind Cloudflare, they're downright impractical. By switching to identity-based access controls, adopting Zero Trust models, and implementing Cloudflare-specific solutions like Argo Tunnels or custom headers, you'll save yourself the hassle of constant whitelist updates and improve your overall security posture.

The internet has moved on from static IPs. Maybe it's time your security practices did too.
