
Restrict external connections

To fully secure your origin, you should limit or restrict external connections to your origin server. These suggestions vary in their level of completeness and complexity and depend on your application and origin setup.

Application layer

Cloudflare Tunnel (HTTP / WebSockets)

Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP address, by creating outbound-only connections to Cloudflare’s global network.

  • Security: Very secure.
  • Availability: All customers.
  • Challenges: Requires installing the cloudflared daemon on the origin server or virtual machine.

HTTP Basic Authentication

Only allow traffic with specific (and secret) HTTP headers.

  • Security: Moderately secure.
  • Availability: All customers.
  • Challenges:
    • Requires more configuration effort on the application and server side to accept those headers.
    • Basic authentication is vulnerable to replay attacks. Because basic authentication does not encrypt user credentials, it is important that traffic always be sent over an encrypted SSL/TLS session.
  • Process:
    1. Use Transform rules or Workers to add an HTTP Auth Header.
    2. Configure your origin server to restrict access based on the HTTP Auth Header (or perform HTTP Basic Authentication).
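The following is an added example of step 2 on the origin side; it is not code from Cloudflare or from this learning path. It assumes the Transform rule or Worker from step 1 adds a header named `X-Origin-Auth` (an assumed name) carrying a shared secret, and it also shows the alternative of performing HTTP Basic Authentication against the `Authorization` header. Both comparisons are constant-time, and the Basic Auth check only makes sense over TLS because the credentials are merely base64-encoded.

```python
import base64
import hmac

# Constructed demo values. In production, load these from a secrets store and
# configure the same values in the Transform rule or Worker that adds the header.
EXPECTED_HEADER_NAME = "X-Origin-Auth"            # assumed header name
EXPECTED_HEADER_SECRET = "constructed-demo-secret"
BASIC_USER = "cloudflare"                         # assumed Basic Auth user name
BASIC_PASSWORD = "constructed-demo-password"


def _constant_time_equal(a: str, b: str) -> bool:
    """Compare two strings without leaking where they first differ."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def _lower_keys(headers: dict) -> dict:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def check_secret_header(headers: dict) -> bool:
    """Accept only if the shared-secret header added at the edge is present and matches."""
    presented = _lower_keys(headers).get(EXPECTED_HEADER_NAME.lower())
    if presented is None:
        return False
    return _constant_time_equal(presented, EXPECTED_HEADER_SECRET)


def make_basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' value (what the edge would send)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_basic_auth(headers: dict) -> bool:
    """Alternative: perform HTTP Basic Authentication on the Authorization header."""
    value = _lower_keys(headers).get("authorization", "")
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both fields so the response time does not reveal which one was wrong.
    user_ok = _constant_time_equal(user, BASIC_USER)
    password_ok = _constant_time_equal(password, BASIC_PASSWORD)
    return user_ok and password_ok


def authorize(headers: dict) -> int:
    """Status the origin should answer with: 200 if either check passes, 403 otherwise."""
    if check_secret_header(headers) or check_basic_auth(headers):
        return 200
    return 403


if __name__ == "__main__":
    # Constructed requests: one arriving through Cloudflare with the header set,
    # one hitting the origin directly without it.
    via_cloudflare = {"Host": "example.com", "X-Origin-Auth": EXPECTED_HEADER_SECRET}
    direct_hit = {"Host": "example.com"}
    print(authorize(via_cloudflare), authorize(direct_hit))  # 200 403
```

Wire `authorize()` in as middleware in front of every route, so that a direct connection to the origin that skips Cloudflare never reaches application code.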

JSON Web Tokens (JWT) Validation

Only allow traffic with the appropriate JWT.

Transport layer

Authenticated Origin Pulls

Authenticated origin pulls help ensure requests to your origin server come from the Cloudflare network.

  • Security: Very secure.
  • Availability: All customers.
  • Challenges:
    • Requires Full or Full (strict) encryption modes.
    • Requires more configuration effort for application and server, such as uploading a Cloudflare Origin CA certificate and configuring the server to use it.
    • Not scalable for large numbers of origin servers.

Cloudflare Tunnel (SSH / RDP)

Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP address, by creating outbound-only connections to Cloudflare’s global network.

  • Security: Very secure.
  • Availability: All customers.
  • Challenges: Requires installing the cloudflared daemon on the origin server or virtual machine.

Network layer

Allowlist Cloudflare IP addresses

Explicitly block all traffic that does not come from Cloudflare IP addresses (or the IP addresses of your trusted partners, vendors, or applications).

  • Security: Moderately secure.
  • Availability: All customers.
  • Challenges:
    • Requires allowlisting Cloudflare IP ranges at your origin server.
    • Vulnerable to IP spoofing.
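The block below is an added example of the origin-side allowlist check, not code from this learning path or from Cloudflare. The CIDR ranges in it are constructed placeholders from documentation address space; a real deployment loads the lists Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 (plus partner and vendor ranges) and refreshes them on a schedule. The decision uses only the TCP peer address, because headers such as `X-Forwarded-For` can be set by anyone who reaches the origin directly, and it handles IPv4-mapped IPv6 peers, which dual-stack sockets commonly report.

```python
import ipaddress
from typing import Iterable, List

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# Replace with the published Cloudflare ranges and your own trusted partners.
TRUSTED_CIDRS = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:1::/48",
]


def build_allowlist(cidrs: Iterable[str]) -> list:
    """Parse CIDR strings once at startup; strict=False tolerates host bits set in the input."""
    return [ipaddress.ip_network(cidr.strip(), strict=False) for cidr in cidrs]


ALLOWLIST = build_allowlist(TRUSTED_CIDRS)


def is_trusted_peer(peer_ip: str, allowlist=ALLOWLIST) -> bool:
    """True only when the socket's remote address falls inside a trusted range.

    Never feed X-Forwarded-For or similar headers into this check: a client
    connecting straight to the origin controls those values completely.
    """
    try:
        addr = ipaddress.ip_address(peer_ip.strip())
    except ValueError:
        return False                      # unparsable address is not trusted
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them so
    # they are matched against the IPv4 ranges.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowlist)


def decide(peer_ip: str, headers: dict) -> int:
    """Origin-side decision: 200 lets the application serve, 403 rejects.
    Request headers are deliberately ignored for the trust decision."""
    return 200 if is_trusted_peer(peer_ip) else 403


def direct_hits(log_lines: Iterable[str]) -> List[str]:
    """Scan constructed access-log lines (peer IP in the first field) and return
    the peers that reached the origin from outside the allowlist. Any entry here
    means the network-level block is missing or the range list is stale."""
    leaked = []
    for line in log_lines:
        fields = line.split()
        if fields and not is_trusted_peer(fields[0]):
            leaked.append(fields[0])
    return leaked


if __name__ == "__main__":
    # Constructed log sample: two peers inside the placeholder ranges, one outside.
    sample = [
        "198.51.100.9 - - [01/Jan/2024:00:00:01 +0000] \"GET / HTTP/1.1\" 200",
        "192.0.2.44 - - [01/Jan/2024:00:00:02 +0000] \"GET /admin HTTP/1.1\" 200",
        "2001:db8:1::1 - - [01/Jan/2024:00:00:03 +0000] \"GET / HTTP/1.1\" 200",
    ]
    print(direct_hits(sample))   # ['192.0.2.44']
```

The application-level check is a backstop for the host firewall, not a replacement: enforce the same ranges in the firewall so that unwanted connections are dropped before they consume a worker, and use `direct_hits()` over your access logs to confirm the firewall rule is actually in effect.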

Cloudflare Network Interconnect

Cloudflare Network Interconnect allows you to connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience.

  • Security: Very secure.
  • Availability: Enterprise-only.
  • Challenges:
    • Requires some networking knowledge.
    • Only applies to some customer use cases.

Cloudflare Aegis

Cloudflare Aegis provides dedicated egress IP addresses for your traffic, so that your origin can reject connections from any other source.

  • Security: Very secure.
  • Availability: Enterprise-only.
  • Challenges: Requires network-level firewall policies.