Skip to content
Cloudflare Docs

Configure Cloudflare source IPs

You can configure the source IP address range used by Cloudflare whenever a Cloudflare service, such as Cloudflare Load Balancing, sends traffic to a Cloudflare One private network. This address range is referred to as the Proxy Source IP Prefix (or cloudflare_source subnet type in the API).

  • IPv4 traffic is sourced from 100.64.0.0/12. This range is configurable.
  • IPv6 traffic is sourced from 2606:4700:cf1:5000::/64. This range is not configurable.

Customers may wish to change the default allocated range to avoid IP conflicts or fit with an existing IP Address Management plan.

You must configure routes in your network so that response traffic for these source ranges is sent back to Cloudflare over your Cloudflare One connections.

Prerequisites

Before you begin, ensure that:

  • You have Cloudflare One Unified Routing. If your account is not yet on Unified Routing, contact your account team to discuss migration and availability.
  • You have Cloudflare One Networks Write permission.
  • Your desired new network range meets the following requirements:
    • Your network must be defined as a single CIDR with a prefix length of /12.
    • Cloudflare One subnets in the same account cannot overlap. Default allocations include:
      • Proxy Source IPs (100.64.0.0/12)
      • Hostname Route Token IPs (100.80.0.0/16)
      • WARP Clients (100.96.0.0/12)
      • Private Load Balancers (100.112.0.0/16)
    • The source subnet cannot match or contain any existing route in your Cloudflare One routing table. The source subnet can be within a supernet route.

Affected Connectors

Except for Cloudflare Tunnel, all Cloudflare One Connectors (network offramps) see the cloudflare_source subnet (default 100.64.0.0/12) as the source of traffic from a Cloudflare service, such as Cloudflare Load Balancing, to a private network.

The following Connectors are affected:

  • GRE
  • IPsec
  • CNI
  • WARP Connector
  • WARP Client

Configure source IPs via API

Currently, you must use the Cloudflare API to configure this setting. To set up your source IPs, send a PATCH request to the Update Cloudflare Source Subnet endpoint with your desired network range. The payload must include the network (your new /12 range), and may include a name and comment.

Example:

Required API token permissions

 At least one of the following token permissions is required:
  • Cloudflare One Networks Write
Update Cloudflare Source Subnet
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/subnets/cloudflare_source/$ADDRESS_FAMILY" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "comment": "example_comment",
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12"
  }'