How do I restrict traffic to only come from Cloudflare IPs?

Last updated: April 14, 2025

Context

When deploying applications, you may want to ensure that all external traffic comes through Cloudflare for security purposes. While this can be implemented at the application level using custom headers and authentication, it can also be controlled at the infrastructure level using Porter's ingress annotations.

Answer

You can restrict the source IP ranges for incoming traffic using the NGINX ingress annotation feature in Porter. Here's how to implement it:

  1. Navigate to your application settings in the Porter dashboard

  2. Locate the Ingress annotations section

  3. Add the following annotation:

    nginx.ingress.kubernetes.io/whitelist-source-range: CLOUDFLARE_IP_RANGES

Replace CLOUDFLARE_IP_RANGES with Cloudflare's IP ranges in CIDR notation. Separate multiple ranges with commas.

You can find Cloudflare's current IP ranges in their official documentation or via their API.
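One way to turn a downloaded range list into the annotation value and sanity-check it before pasting it into the dashboard. This is an added example, not part of Porter's documentation or tooling. It assumes the list arrives as one CIDR per line; the function names are hypothetical and the sample ranges are constructed from documentation address space, not Cloudflare's real ranges.

```python
import ipaddress

# Constructed sample, one CIDR per line. These are RFC 5737 / RFC 3849
# documentation ranges, NOT Cloudflare's real ranges.
SAMPLE_RANGES = """\
198.51.100.0/24
203.0.113.0/24

2001:db8::/32
198.51.100.0/24
"""

ANNOTATION = "nginx.ingress.kubernetes.io/whitelist-source-range"


def parse_ranges(text):
    """Return validated, de-duplicated networks; raise on anything suspicious."""
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=True rejects entries with host bits set, e.g. 198.51.100.7/24
        net = ipaddress.ip_network(line, strict=True)
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would silently disable the restriction
            raise ValueError(f"refusing catch-all range: {line}")
        if net not in networks:
            networks.append(net)
    if not networks:
        raise ValueError("empty range list would leave nothing allowed")
    return networks


def annotation_value(networks):
    """Comma-separated list of CIDRs for the annotation value."""
    return ",".join(str(n) for n in networks)


def is_allowed(client_ip, networks):
    """Local sanity check: would this source address pass the allowlist?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGES)
    print(f"{ANNOTATION}: {annotation_value(nets)}")
```

Regenerate the value whenever Cloudflare publishes updated ranges. The annotation is matched against the client address as NGINX sees it, so confirm that whatever sits in front of the ingress controller preserves the original source IP.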

Source: Kubernetes NGINX Ingress Controller Documentation