Skip to content

IP Access rules

Use IP Access rules to allowlist, block, and challenge traffic based on the visitor’s IP address, country, or Autonomous System Number (ASN).

IP Access rules are commonly used to block or challenge suspected malicious traffic. Another common use of IP Access rules is to allow services that regularly access your site, such as APIs, crawlers, and payment providers.

Recommendation: Use WAF custom rules instead

Cloudflare recommends that you create WAF custom rules instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking):

  • For IP-based blocking, use an IP list in the custom rule expression.
  • For geoblocking, use fields such as AS Num, Country, and Continent in the custom rule expression.

Availability

IP Access rules are available to all customers.

Each Cloudflare account can have a maximum of 50,000 rules. If you are an Enterprise customer and need more rules, contact your account team.

Block by country is only available on the Enterprise plan. Other customers may perform country blocking using WAF custom rules.

Final remarks

  • By design, IP Access rules configured to Allow traffic do not show up in Security Events.

  • Requests containing certain attack patterns in the User-Agent field are checked before being processed by the general firewall pipeline. Therefore, such requests are blocked before any allowlist logic takes place. When this occurs, security events downloaded from the API show rule_id as security_level and action as drop.

  • Cloudflare supports use of fail2ban to block IPs on your server. However, to prevent fail2ban from inadvertently blocking Cloudflare IPs and causing errors for some visitors, ensure you restore original visitor IP in your origin server logs. For details, refer to Restoring original visitor IPs.

To learn more about protection options provided by Cloudflare to protect your website against malicious traffic and bad actors, refer to Secure your website.