Using Cloudflare for Public AWS Resources Securely

Using Cloudflare is an easy way to add security and performance improvements without breaking the bank. Plans start free and include Cloudflare DNS and CDN: https://www.cloudflare.com/plans/application-services/.

After setting up a public AWS resource, you generally attach a security group with an inbound rule allowing 0.0.0.0/0. When the resource sits behind Cloudflare, there is a more secure way to set up the security group: limit its inbound rules to the Cloudflare IP ranges instead of 0.0.0.0/0. This denies direct access to the origin and allows inbound traffic only via Cloudflare. To support this, Cloudflare publishes its IP ranges here: https://www.cloudflare.com/ips/.

As of today, April 13, 2024, there are 22 ranges in total across IPv4 and IPv6. To simplify managing this list, we can use the Cloudflare API to fetch the most current IP ranges, and we can use Terraform to automate creating the security group. For those who want a prebuilt Terraform solution, a module is available here: https://github.com/joeguaneri/terraform-cloudflare-web-security-group. This module creates HTTP and HTTPS rules for the Cloudflare IPv4 and IPv6 ranges.
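As an added example (not code from this page or from the Terraform module linked above), the script below does the same job outside Terraform: it fetches the range list from Cloudflare's published IP endpoint, validates every entry as a well-formed network, de-duplicates the list, and turns it into the `IpPermissions` structure that boto3's `ec2.authorize_security_group_ingress` accepts for HTTP and HTTPS. The sample payload embedded in the block is constructed from documentation address ranges so the code runs offline; the real endpoint, `https://api.cloudflare.com/client/v4/ips`, returns the same `result.ipv4_cidrs` / `result.ipv6_cidrs` shape. The per-security-group quota of 60 inbound rules is the AWS default and is adjustable per account.

```python
"""Build AWS security-group ingress rules from the Cloudflare IP range list.

Added example. Assumes the Cloudflare IP list endpoint documented at
https://api.cloudflare.com/client/v4/ips and boto3's IpPermissions shape
for ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=...).
"""
import ipaddress
import json
import urllib.request

CLOUDFLARE_IPS_URL = "https://api.cloudflare.com/client/v4/ips"

# AWS default quota for inbound rules per security group (adjustable per account).
# AWS counts one rule per (port, CIDR) pair, so 22 ranges x 2 ports = 44 rules.
DEFAULT_INBOUND_RULE_QUOTA = 60

# Constructed sample payload using documentation ranges (RFC 5737 / RFC 3849),
# not Cloudflare's real list. One duplicate is included to exercise de-duplication.
SAMPLE_PAYLOAD = {
    "success": True,
    "errors": [],
    "result": {
        "ipv4_cidrs": ["198.51.100.0/24", "203.0.113.0/24", "203.0.113.0/24"],
        "ipv6_cidrs": ["2001:db8::/32"],
        "etag": "constructed-sample-etag",
    },
}


def fetch_cloudflare_ips(url=CLOUDFLARE_IPS_URL, timeout=10):
    """Fetch the live list and return the parsed JSON body (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def extract_cidrs(payload):
    """Return (ipv4_list, ipv6_list) from the API payload, validating each entry.

    Any entry that is not a well-formed network (host bits set, wrong family,
    junk) raises ValueError instead of being silently written into the
    security group. Order is preserved and duplicates are dropped.
    """
    if not payload.get("success", False):
        raise ValueError("Cloudflare API reported failure: %r" % payload.get("errors"))
    result = payload["result"]
    v4, v6 = [], []
    for cidr in result.get("ipv4_cidrs", []):
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on bad input
        if net.version != 4:
            raise ValueError("expected an IPv4 network, got %s" % cidr)
        v4.append(str(net))
    for cidr in result.get("ipv6_cidrs", []):
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 6:
            raise ValueError("expected an IPv6 network, got %s" % cidr)
        v6.append(str(net))
    return list(dict.fromkeys(v4)), list(dict.fromkeys(v6))


def build_ip_permissions(v4, v6, ports=(80, 443), description="Cloudflare"):
    """Build boto3-style IpPermissions: one entry per TCP port, all ranges grouped."""
    perms = []
    for port in ports:
        perms.append({
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": description} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c, "Description": description} for c in v6],
        })
    return perms


def count_rules(perms):
    """Number of rules AWS will count against the security-group quota."""
    return sum(len(p["IpRanges"]) + len(p["Ipv6Ranges"]) for p in perms)


def check_quota(perms, quota=DEFAULT_INBOUND_RULE_QUOTA):
    """Raise before calling AWS if the rule set would exceed the quota."""
    n = count_rules(perms)
    if n > quota:
        raise ValueError("%d inbound rules exceed the per-group quota of %d" % (n, quota))
    return n


if __name__ == "__main__":
    # Swap SAMPLE_PAYLOAD for fetch_cloudflare_ips() to use the live list.
    v4, v6 = extract_cidrs(SAMPLE_PAYLOAD)
    perms = build_ip_permissions(v4, v6)
    print("rules to create:", check_quota(perms))
    print(json.dumps(perms, indent=2))
```

Because Cloudflare's list changes over time, re-run this (or `terraform apply`) on a schedule so the group never drifts from the published ranges; the `etag` field in the response is a convenient change indicator. Note also what this control does and does not do: it blocks traffic that bypasses Cloudflare, but any request that reaches the origin from a Cloudflare address is allowed through, so it is commonly paired with an origin-side check such as Cloudflare's Authenticated Origin Pulls.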