If you're using Cloudflare's Load Balancing to load-balance across multiple origin servers or data centers, you will have configured a Monitor to actively check the availability of those servers over HTTP(S).
In order to prevent these checks from failing, and also to secure your infrastructure against spoofed checks from bad actors, we recommend the following:
- Only accepting connections to those hosts from Cloudflare's IP ranges in your firewall or web server.
- Rejecting HTTP requests with Cloudflare's User-Agent (see below) that don't come from these ranges.
- Ensuring that your firewall or web server is not blocking or rate-limiting our monitoring checks.
Our Monitors will have an HTTP User-Agent of
"Mozilla/5.0 (compatible; Cloudflare-Traffic-Manager/1.0; +https://www.cloudflare.com/traffic-manager/; pool-id: $poolid)".
The "$poolid" contains the first 16 characters of the Load Balancing Pool we're performing health checks against.
Note that our monitoring checks may come from multiple Cloudflare locations, which gives us granularity into how we fail over to your healthy origin servers.
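The three recommendations above can be expressed as a single per-request decision. The following is an added example, not Cloudflare's own code: the function names and action labels are hypothetical, and the address ranges and pool-id are constructed placeholders that stand in for the ranges Cloudflare publishes.

```python
import ipaddress
import re

# Constructed placeholder ranges (documentation address space). Replace them
# with the ranges Cloudflare publishes before using this check.
ALLOWED_RANGES = [ipaddress.ip_network(n)
                  for n in ("198.51.100.0/24", "2001:db8:100::/48")]

MONITOR_TOKEN = "cloudflare-traffic-manager"          # product token in the UA
POOL_ID = re.compile(r"pool-id: ([^\s;)]{1,16})")     # pool-id field of the UA


def from_allowed_range(peer_ip):
    """True if the TCP peer address falls inside an allowed range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False                      # unparseable address: fail closed
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped           # ::ffff:a.b.c.d is compared as IPv4
    return any(addr in net for net in ALLOWED_RANGES)


def decide(peer_ip, user_agent):
    """Return (action, pool_id). peer_ip must be the socket peer address,
    never a client-supplied header such as X-Forwarded-For."""
    claims_monitor = MONITOR_TOKEN in user_agent.lower()
    match = POOL_ID.search(user_agent) if claims_monitor else None
    pool_id = match.group(1) if match else None
    if not from_allowed_range(peer_ip):
        # Monitor UA from outside the ranges is a spoofed check: reject, alert.
        return ("reject-spoofed-monitor" if claims_monitor else "reject", pool_id)
    # Monitor traffic from an allowed range should not be rate-limited.
    return ("allow-monitor" if claims_monitor else "allow", pool_id)


# Constructed sample User-Agent in the format quoted above.
SAMPLE_UA = ("Mozilla/5.0 (compatible; Cloudflare-Traffic-Manager/1.0; "
             "+https://www.cloudflare.com/traffic-manager/; "
             "pool-id: 0123456789abcdef)")

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "::ffff:198.51.100.7"):
        print(ip, decide(ip, SAMPLE_UA))
    print("203.0.113.9", decide("203.0.113.9", "curl/8.0"))
```

Logging the "reject-spoofed-monitor" outcome together with the extracted pool-id shows which pool a spoofed check was imitating.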