Configuring IP Access Rules

Learn to utilize IP Access Rules to restrict, challenge, or whitelist traffic to your site.


IP Access Rules are commonly used to block or challenge suspected malicious traffic.  Another common use of IP Access Rules is to whitelist services that regularly access your site (APIs, crawlers, payment providers, etc).  IP Access Rules allow whitelist, block, and challenge actions for traffic based on the visitor's IP address, country, or AS number.

There are four configurable actions for an IP Access Rule:

  • Whitelist: Excludes visitors from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by Cloudflare's default security features. Whitelist takes precedence over block.

Whitelisting a country code does not bypass Cloudflare's WAF.

Requests containing certain attack patterns in the User-Agent field are checked before being processed by the general firewall pipeline. Therefore, such requests are blocked before any whitelisting logic takes place. Firewall events downloaded from the API show rule_id as security_level and action as drop when this behavior occurs.

  • JavaScript Challenge: Presents the I'm Under Attack Mode interstitial page to visitors. Requires a visitor's browser or client to support JavaScript. Useful for blocking DDoS attacks with minimal impact on legitimate visitors.
  • Challenge: Requires the visitor to complete a CAPTCHA before visiting your site. Prevents bots from accessing the site.
  • Block: Prevents a visitor from visiting your site.

Add an IP Access Rule

To create an IP Access Rule, follow these steps:

  1. Log in to your Cloudflare account.
  2. Select your domain.
  3. Click the Firewall app.
  4. Click on the Tools tab.
  5. Under IP Access Rules, enter the following details:
  6. Enter the Value as an IP, IP range, or two-letter country code.
  7. Select an Action.
  8. Select whether the rule applies to This website or All websites in the account.
  9. (Optional) add a Note (e.g. Payment Gateway).
  10. Click Add.

You can also programmatically block or trust IPs via the Cloudflare API. Cloudflare supports the use of fail2ban to block IPs on your server. However, to prevent fail2ban from inadvertently blocking Cloudflare IPs and causing errors for some visitors, ensure you restore the original visitor IP in your origin server logs.

Types of Access Rules

There are several types of Access Rules:

Type                             Example value
IPv4 address
IPv4 /24 range
IPv4 /16 range
IPv6 address                     2001:db8::
IPv6 address range               2001:db8::/48, 2001:db8::/64
Country (by name or code)        US, germany, tor, CN
Autonomous System Number (ASN)   AS13335

IPs globally whitelisted by Cloudflare override a Country block via IP Access Rules but not a Country block via Firewall Rules.

Address range examples

CIDR   Start of range (example)   End of range (example)                    Number of addresses
/64    2001:db8::                 2001:db8:0000:0000:ffff:ffff:ffff:ffff    18,446,744,073,709,551,616
/48    2001:db8::                 2001:db8:0000:ffff:ffff:ffff:ffff:ffff    1,208,925,819,614,629,174,706,176
/32    2001:db8::                 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff    79,228,162,514,264,337,593,543,950,336
/24                                                                         256
/16                                                                         65,536
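Worked example, added here and not part of Cloudflare's documentation: a Python helper that ties together the API paragraph above, the rule types table and the address range table. It classifies a rule value into the API's configuration target (ip, ip_range, country, asn), rejects range prefix lengths other than the ones the tables list, reports the start, end and address count of a range so the numbers above can be cross-checked, and assembles the JSON body for a block/challenge/whitelist rule. The endpoint path, request body shape and bearer-token header are the Cloudflare v4 API as I know it, not taken from this page; ZONE_ID, ACCOUNT_ID and API_TOKEN are placeholders; accepting only two-letter country codes (not names such as "germany") is a simplification of this helper.

```python
"""Build and validate Cloudflare IP Access Rule payloads (added example)."""
import ipaddress
import json
import re
import urllib.request

# Prefix lengths the tables on this page list as accepted range forms.
ALLOWED_V4_PREFIXES = {16, 24}
ALLOWED_V6_PREFIXES = {32, 48, 64}
# Actions available for an IP Access Rule, as named by the API.
ALLOWED_MODES = {"whitelist", "block", "challenge", "js_challenge"}

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")   # ISO 3166-1 alpha-2 code only
ASN_RE = re.compile(r"^AS\d+$")          # e.g. AS13335

# Placeholders: replace with real identifiers before submitting.
API_TOKEN = "<API_TOKEN>"
ZONE_ID = "<ZONE_ID>"
ACCOUNT_ID = "<ACCOUNT_ID>"


def classify_value(value: str) -> dict:
    """Map a dashboard-style value to the API 'configuration' object.

    Raises ValueError for anything the rule types table does not cover,
    including host bits set inside a range and unsupported prefix lengths.
    """
    value = value.strip()
    if "/" in value:
        net = ipaddress.ip_network(value, strict=True)  # strict: no host bits
        allowed = ALLOWED_V4_PREFIXES if net.version == 4 else ALLOWED_V6_PREFIXES
        if net.prefixlen not in allowed:
            raise ValueError(
                f"unsupported prefix length /{net.prefixlen} for IPv{net.version}")
        return {"target": "ip_range", "value": str(net)}
    try:
        return {"target": "ip", "value": str(ipaddress.ip_address(value))}
    except ValueError:
        pass  # not a bare address; fall through to ASN / country checks
    upper = value.upper()
    if ASN_RE.match(upper):
        return {"target": "asn", "value": upper}
    if COUNTRY_RE.match(upper):
        return {"target": "country", "value": upper}
    raise ValueError(f"not an IP, supported range, country code or ASN: {value!r}")


def describe_range(cidr: str) -> dict:
    """Return start/end (expanded form) and address count for a CIDR range.

    Useful to sanity-check a range before it becomes a block or whitelist rule.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "start": net.network_address.exploded,
        "end": net.broadcast_address.exploded,  # last address of the range
        "count": net.num_addresses,
    }


def build_rule(value: str, mode: str, note: str = "") -> dict:
    """Assemble the request body for an access rule."""
    if mode not in ALLOWED_MODES:
        raise ValueError(f"unknown action {mode!r}; expected one of {sorted(ALLOWED_MODES)}")
    return {"mode": mode, "configuration": classify_value(value), "notes": note}


def rules_url(scope: str = "zone") -> str:
    """Endpoint for 'This website' (zone) or 'All websites' (account) rules."""
    base = "https://api.cloudflare.com/client/v4"
    if scope == "zone":
        return f"{base}/zones/{ZONE_ID}/firewall/access_rules/rules"
    if scope == "account":
        return f"{base}/accounts/{ACCOUNT_ID}/firewall/access_rules/rules"
    raise ValueError("scope must be 'zone' or 'account'")


def submit_rule(body: dict, scope: str = "zone") -> dict:
    """POST the rule (network call; needs real ZONE_ID/ACCOUNT_ID and token)."""
    req = urllib.request.Request(
        rules_url(scope),
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {API_TOKEN}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent because the IDs are placeholders.
    for v in ("2001:db8::/48", "192.0.2.0/24"):
        print(v, describe_range(v))
    print(json.dumps(build_rule("as13335", "whitelist", "Payment Gateway"), indent=2))
```

Validate first, then call submit_rule with the chosen scope; whitelist rules for a whole ASN or country cover a lot of address space, so checking describe_range output before creating the rule is the cheap safeguard this helper is meant to provide.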

IP Access Rule limits

Accounts are limited to a maximum of 50,000 rules. Enterprise customers can request increased rule limits via their Account Team.

Two-letter country codes

Below is a full list of the two-letter country codes in ISO 3166-1 alpha-2 format needed to create Access Rules for the IP Firewall:
