Add Cloudflare IPs Amazon EC2 Security Group
If you are using Cloudflare as the DNS/CDN provider for your website and an Amazon EC2 instance as your host, let’s take a quick look at how to add the Cloudflare IPs to an Amazon EC2 security group. You want to do this so that your origin server is not directly reachable from the Internet: only Cloudflare’s servers will be able to connect to your web host, which greatly improves your security posture.
First things first, you can find the current list of Cloudflare IPs on the page found here: https://www.cloudflare.com/ips/
Now that we have the list of IPs that should be added to the ACL in our Amazon EC2 security group, let’s take a look at how to add them. To see which security groups an instance is using, go to the EC2 Dashboard and then Instances. Right click on your EC2 instance and select Networking >> Change Security Groups. The check marks show which security groups are attached to the instance.
Now, after you figure out the security groups in use, you can edit the security group. Go to Network & Security >> Security Groups. This will display a table of the security groups that have been created.
To edit, all you do is click on the security group. The table at the bottom will then have four tabs – Description, Inbound, Outbound, Tags. We are concerned with restricting Inbound traffic, so click the Inbound tab and then Edit.
This brings up the Edit inbound rules table. Click the Add Rule button at the bottom to create a new row for your configuration. Make sure you specify HTTP for the Type and Custom IP for the Source, then enter the Cloudflare IP ranges, one rule per range. Finally, remove the existing HTTP rule whose Source is Anywhere (0.0.0.0/0); this blocks all web traffic except that coming from Cloudflare.
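Because the Cloudflare ranges change over time, the console steps above are worth turning into a script. The following is an added example written for this post, not code from the original article or from Cloudflare/AWS. It fetches the published IPv4 and IPv6 lists (the https://www.cloudflare.com/ips-v4 and /ips-v6 text endpoints are assumed to be the machine-readable form of the page linked above), validates every line as a CIDR, and computes which inbound rules on ports 80 and 443 must be added or revoked so that only Cloudflare ranges remain. The security group ID, region and the boto3 client are assumptions supplied by the caller; the sample rules and ranges embedded for the dry run are constructed from RFC 5737/3849 documentation addresses, not real Cloudflare ranges.

```python
"""Keep an EC2 security group's web ingress in sync with Cloudflare's IP list.

Added example: planning functions are pure so they can be checked offline;
apply_changes() is the only part that talks to AWS and needs boto3/credentials.
"""
import ipaddress
import urllib.request

# Assumed public text endpoints (one CIDR per line) behind cloudflare.com/ips
CLOUDFLARE_IPV4_URL = "https://www.cloudflare.com/ips-v4"
CLOUDFLARE_IPV6_URL = "https://www.cloudflare.com/ips-v6"
WEB_PORTS = (80, 443)  # restrict HTTPS as well as HTTP, otherwise 443 stays open


def fetch_cloudflare_ranges(url):
    """Download the list and return non-empty lines (network access required)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        text = resp.read().decode("utf-8")
    return [line.strip() for line in text.splitlines() if line.strip()]


def validate_cidrs(cidrs):
    """Refuse anything that is not a well-formed network (raises ValueError).

    A malformed or unexpected line must never reach the allow list, so strict
    parsing is used: host bits set in a prefix are rejected, not silently fixed.
    """
    return [str(ipaddress.ip_network(c)) for c in cidrs]


def desired_permissions(cidrs, ports=WEB_PORTS):
    """Build EC2 IpPermissions: one entry per port carrying every CIDR."""
    v4 = [c for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in cidrs if ipaddress.ip_network(c).version == 6]
    return [
        {
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": "Cloudflare"} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c, "Description": "Cloudflare"} for c in v6],
        }
        for port in ports
    ]


def rule_set(permissions):
    """Flatten IpPermissions into (proto, from_port, to_port, cidr) tuples."""
    rules = set()
    for p in permissions:
        key = (p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
        for r in p.get("IpRanges", []):
            rules.add(key + (r["CidrIp"],))
        for r in p.get("Ipv6Ranges", []):
            rules.add(key + (r["CidrIpv6"],))
    return rules


def plan_changes(current_permissions, cidrs, ports=WEB_PORTS):
    """Return (to_add, to_revoke) rule tuples for the web ports only.

    Rules on other ports (e.g. SSH from an admin host) are left untouched, and
    any web rule not in the Cloudflare list, such as 0.0.0.0/0, is revoked.
    """
    want = rule_set(desired_permissions(cidrs, ports))
    have = {r for r in rule_set(current_permissions)
            if r[0] == "tcp" and r[1] in ports}
    return sorted(want - have), sorted(have - want)


def tuples_to_permissions(rules):
    """Inverse of rule_set(): rebuild IpPermissions entries for the EC2 API."""
    perms = []
    for proto, from_port, to_port, cidr in rules:
        entry = {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port}
        if ":" in cidr:
            entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        else:
            entry["IpRanges"] = [{"CidrIp": cidr}]
        perms.append(entry)
    return perms


def apply_changes(group_id, to_add, to_revoke, region="us-east-1"):
    """Push the plan to AWS. Authorize first so Cloudflare traffic is never
    blocked in the window between the two calls; then revoke the stale rules."""
    import boto3  # imported lazily so the planning functions run without it
    ec2 = boto3.client("ec2", region_name=region)
    if to_add:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=tuples_to_permissions(to_add))
    if to_revoke:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=tuples_to_permissions(to_revoke))


# Constructed sample data (documentation ranges, NOT real Cloudflare ranges):
# an existing group that still allows HTTP from anywhere, has one stale
# Cloudflare-style range, no HTTPS rule at all, and an SSH rule to preserve.
SAMPLE_CIDRS = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]
SAMPLE_CURRENT = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.0/24"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.0.2.10/32"}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    # Dry run against the constructed sample; for a live run replace the sample
    # with fetch_cloudflare_ranges() output plus describe_security_groups() data
    # and call apply_changes(group_id, to_add, to_revoke).
    to_add, to_revoke = plan_changes(SAMPLE_CURRENT, validate_cidrs(SAMPLE_CIDRS))
    print("add:", *to_add, sep="\n  ")
    print("revoke:", *to_revoke, sep="\n  ")
```

Two points the console walkthrough does not make explicit are built into the plan: HTTPS (443) is restricted alongside HTTP, since leaving 443 open to 0.0.0.0/0 defeats the purpose, and the IPv6 ranges are included so that Cloudflare edges connecting over IPv6 are not cut off. Run the script on a schedule (cron or an EventBridge-triggered Lambda) and review the printed plan before enabling the live apply step.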
Final thoughts
Hopefully the above information will help any who might be struggling with how to add Cloudflare IPs to Amazon EC2 security groups. The process is fairly straightforward and the main challenge is finding where to add the IPs and how to see which security groups are in use. Hopefully, this post makes that a bit clearer.
These IPs change over time. Is there a good way to automate a script to do this?