Understanding Cloudflare Zone Lockdown

Learn how to restrict URL access to trusted IP ranges for a Cloudflare-protected website using Zone Lockdown.


Zone Lockdown specifies a list of one or more IP addresses, CIDR ranges, or networks that are the only IPs allowed to access a domain, subdomain, or URL.  Zone Lockdown allows multiple destinations in a single rule as well as IPv4 and IPv6 addresses.  IP addresses not specified in the Zone Lockdown rule are denied access to the specified resources.

The maximum amount of rules allowed per account is based on plan type:

  • Free: 0
  • Pro: 3
  • Business: 10
  • Enterprise: 200

Configure Zone Lockdown rules via the Tools tab of the Cloudflare Firewall app.  Alternatively, configure Zone Lockdown via the API. The example below demonstrates using Zone Lockdown to restrict access to users connecting from your company’s headquarters and branch offices:

screenshot of the 'create a zone lockdown rule' modal used to configure a rule in the Cloudflare dashboard

The above example would not protect an internal wiki located on a different directory path such as example.com/internal/wiki.

For multiple overlapping Zone Lockdown rules, set a Priority under Advanced Options of the Zone Lockdown configuration. The lower the number, the higher the priority. Higher priority rules take precedence.  For example, a rule for example.com/admin/api/ requires a different priority than a similar rule for example.com/admin/ if each rule contains a different set of allowed IP addresses.

A visitor from an unauthorized IP observes the following error when Zone Lockdown is enabled:

screenshot of an error 1106 screen showing the status access denied due to a banned IP address

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.