However, if your EC2 instance accepts connections from all IPs, attackers can bypass Cloudflare and hit your server directly using its public IP address. That defeats the purpose of using Cloudflare.

To prevent this, you should allow only Cloudflare’s IP ranges in your AWS security group. This ensures that only traffic routed through Cloudflare can reach your server, and all other direct connections are denied.

Step 1: Create a New Security Group in AWS

Before you can whitelist Cloudflare IPs, you need to create a new security group that will be used specifically for this purpose. This security group will not allow all inbound traffic like the default one. Instead, you’ll configure it to allow traffic only from Cloudflare’s IP ranges.

Here’s how to create a new security group via the AWS Console:

1. Log in to the AWS Management Console

Go to https://console.aws.amazon.com/ and log in with your credentials.

2. Navigate to EC2 Dashboard

Once logged in, go to the EC2 service. You can find it by searching “EC2” in the top search bar or selecting it from the Services menu.

3. Go to Security Groups

On the left sidebar, under “Network & Security”, click on “Security Groups”.

4. Click on “Create Security Group”

At the top right corner, click the “Create security group” button.

5. Fill in the Security Group Details

Now you’ll be prompted to fill out the following fields:

• Security group name:
  Enter a recognizable name, such as CloudflareOnlyAccess or CF-Whitelist.
• Description:
  Write a brief description, for example: Allow only Cloudflare IPs on ports 80 and 443.
• VPC:
  Your default VPC will be auto-selected here. If your EC2 instance is part of a specific VPC, make sure to choose that one. Otherwise, leave it as is.
• Tags (optional):
  You can add a tag like Name: CloudflareWhitelist to help identify this security group later.

6. Configure Inbound Rules

For now, leave the Inbound rules section empty. You’ll add specific Cloudflare IPs via AWS CLI later.

7. Configure Outbound Rules

By default, AWS allows all outbound traffic from your instance. You can leave this as is unless you have a strict need to control outgoing traffic.

8. Create the Security Group

Scroll down and click the “Create security group” button.

Once created, your new security group will appear in the list. Make sure to note down the Security Group ID (for example, sg-08ea2ffd64093162c). You’ll use this ID when adding IPs using the AWS CLI.

At this point, you’ve successfully created a security group with no inbound rules. This means your server won’t accept any incoming traffic unless explicitly allowed — which is exactly what you want for a locked-down, Cloudflare-only setup.

If all of this feels a bit too technical or you’re worried about making a misstep that could accidentally expose your server or break your site’s availability, you’re not alone. Website security is a complex area that needs careful planning — especially when dealing with firewall rules, CDNs like Cloudflare, and AWS security groups. At SEO Neurons, we offer end-to-end website security solutions to help you lock down your infrastructure, monitor threats, and stay compliant — without the guesswork. So whether you’re just starting or already facing issues, our team can help secure your digital presence effectively.

Step 2: Access AWS CLI Using AWS CloudShell (No Local Setup Required)

Instead of running AWS CLI commands from your local machine or launching a temporary EC2 instance, the easiest and most secure option is to use AWS CloudShell.

CloudShell is a browser-based shell provided by AWS, which comes pre-installed with AWS CLI and is already authenticated with your user’s IAM permissions.

How to Access CloudShell

1. Log in to your AWS Console.
2. On the top-right corner of the dashboard, click the “CloudShell” icon.
3. A terminal window will open at the bottom of your screen. This is a fully managed shell environment with access to AWS CLI.
4. Ensure that the IAM user or role you’re logged in with has the necessary permissions to modify security groups, such as ec2:AuthorizeSecurityGroupIngress.

Now you’re ready to run shell scripts directly in AWS without any local setup.

Step 3: Add Cloudflare IPv4 to Security Group Using AWS CLI

Once CloudShell is open, you can execute the following shell script to whitelist Cloudflare’s IPv4 address ranges.

Replace sg-08ea2ffd64093123c with the ID of the security group you created earlier.

#!/bin/bash

# Download Cloudflare IPv4 address ranges
wget https://www.cloudflare.com/ips-v4 -O cloudflare_ips.txt

# Security Group ID
SG_ID="sg-08ea2ffd64093123c"

# Loop through each IPv4 range and allow ports 80 and 443
while read -r p || [[ -n "$p" ]]; do
  aws ec2 authorize-security-group-ingress \
    --group-id "$SG_ID" \
    --ip-permissions "IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=$p,Description='Cloudflare'}]"

  aws ec2 authorize-security-group-ingress \
    --group-id "$SG_ID" \
    --ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=$p,Description='Cloudflare'}]"
done < cloudflare_ips.txt

# Cleanup
rm cloudflare_ips.txt

echo "Cloudflare IPv4 IPs have been added to the security group."

How to run the script in CloudShell:

1. Copy the script above into a file:

nano add-cloudflare-ipv4.sh

2. Paste the content, save (Ctrl + O), and exit (Ctrl + X).
3. Make it executable and run:

chmod +x add-cloudflare-ipv4.sh
./add-cloudflare-ipv4.sh

Step 4: Add Cloudflare IPv6 to Security Group Using AWS CLI

If your setup supports IPv6, run the following script the same way to allow Cloudflare’s IPv6 ranges:

#!/bin/bash

# Download Cloudflare IPv6 address ranges
wget https://www.cloudflare.com/ips-v6 -O cloudflare_ips.txt

# Security Group ID
SG_ID="sg-08ea2ffd64093123c"

# Loop through each IPv6 range and allow ports 80 and 443
while read -r p || [[ -n "$p" ]]; do
  aws ec2 authorize-security-group-ingress \
    --group-id "$SG_ID" \
    --ip-permissions "IpProtocol=tcp,FromPort=80,ToPort=80,Ipv6Ranges=[{CidrIpv6=$p,Description='Cloudflare'}]"

  aws ec2 authorize-security-group-ingress \
    --group-id "$SG_ID" \
    --ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,Ipv6Ranges=[{CidrIpv6=$p,Description='Cloudflare'}]"
done < cloudflare_ips.txt

# Cleanup
rm cloudflare_ips.txt

echo "Cloudflare IPv6 IPs have been added to the security group."

Run the same steps: create a .sh file in CloudShell, make it executable, and execute it.

This ensures that your EC2 instance accepts traffic only from Cloudflare’s networks, protecting it from direct IP hits.

Step 5: Attach the Security Group to Your EC2 Instance and Remove the Default One

Now that your security group is configured to allow only Cloudflare traffic, it’s time to attach it to your EC2 instance and detach the default security group (which often allows unrestricted access like 0.0.0.0/0).

Steps to Attach the Security Group:

1. Go to the EC2 Dashboard in the AWS Console.
2. Click on Instances from the left sidebar.
3. Select the EC2 instance you want to secure.
4. In the bottom panel, click on the Security tab.
5. Next to “Security groups”, click the edit icon.
6. In the edit screen:
   • Remove the default security group (if it allows 0.0.0.0/0 or wide access).
   • Add the new security group you created for Cloudflare IPs.
7. Click Save to apply changes.

This way, only Cloudflare’s network can reach your server over HTTP (port 80) and HTTPS (port 443), preventing any direct IP access attempts.

Step 6: Verify That Your EC2 Instance Is Now Protected from Direct IP Access

After applying your new security group, it’s essential to verify that everything is working correctly — meaning your EC2 instance is only accessible through Cloudflare and not via direct IP.

1. Confirm Your Website Loads via Domain Name

Visit your website through the domain name (e.g., https://yourdomain.com). If everything is set up properly, your site should load normally.

You can also inspect the response headers in your browser’s developer tools (Network tab). If you see headers like cf-ray or server: cloudflare, it confirms your site is successfully routed through Cloudflare.

2. Try Accessing Directly via Public IP (It Should Fail)

Now, try entering your EC2 instance’s public IP directly in your browser:

http://<your-ec2-ip>

You should get a timeout or connection refused message. That’s perfect — it means your server is no longer accepting direct traffic and is only accessible through Cloudflare.

For more detailed verification, you can run:

curl http://<your-ec2-public-ip>

And then:

curl -I https://yourdomain.com

This will show if the response is coming through Cloudflare (look for server: cloudflare).

3. Double-Check Security Group Rules

Go to EC2 > Security Groups, click on your custom security group, and confirm:

• Only Cloudflare IPs are listed in the Inbound rules
• Ports 80 and 443 are included
• No open access like 0.0.0.0/0 or ::/0 is present

⚠️ Important Note About File Uploads & DNS Proxy Mode

Please note: When using Cloudflare with the proxy mode enabled (orange cloud icon in DNS settings), your website’s traffic is strictly routed through Cloudflare. That’s the whole point of this setup.

However, there is a 100 MB upload limit on Cloudflare’s proxy.

So if you need to upload files larger than 100 MB (such as large backups or videos), you may face issues — uploads can fail or timeout.

To handle this, you can temporarily:

1. Disable Cloudflare proxy for your domain (turn the orange cloud to gray).
2. Add back the default security group that allows open access (e.g., 0.0.0.0/0) just for that time.
3. Complete the upload.
4. Re-enable the Cloudflare proxy.
5. Re-attach the Cloudflare-only security group and remove the open one.

This ensures you stay secure and functional, without permanently exposing your EC2 instance.

The post How to Whitelist Cloudflare IPs in AWS Using AWS CLI appeared first on SEO Neurons.

What is a CDN (Content Delivery Network)?

A Content Delivery Network is a geographically distributed network of servers that deliver web content (like images, JavaScript, CSS, videos) to users based on their location. Instead of fetching data from a single origin server every time, CDNs cache content at multiple edge locations globally and serve it from the nearest one.

This results in:

• Faster page load times
• Reduced latency
• Lower bandwidth consumption
• Better user experience

What is Cloudflare CDN?

Cloudflare is a globally distributed network that offers CDN services along with performance, security, and DDoS protection features. Unlike traditional CDNs, Cloudflare is more than just a cache system — it acts as a reverse proxy between your visitors and your website’s hosting server.

Once you set up Cloudflare, all incoming traffic to your website first passes through Cloudflare’s edge servers. These servers inspect, filter, cache, and optimize content before delivering it to the user. This has two significant benefits:

1. Faster delivery of static and dynamic content
2. Enhanced security and uptime protection

Key Benefits of Using Cloudflare as a CDN + Reverse Proxy

Here are some standout features that make Cloudflare a preferred choice:

• Free Global CDN,
• Smart Caching and Edge Rules,
• Support for HTTP/2 and HTTP/3
• TTL 1.3 – It also provides TTL 1.0 to 1.2, from which you can choose the minimum TTL version,
• Brotli compression,
• Minify CSS, JS, HTML,
• IPv6 Compatibility, and many more.

Cloudflare intelligently distinguishes between static and dynamic content, serving static files from cache and routing dynamic content securely to your server.

Cloudflare also enhances the security of the website by providing

• Free SSL certificate
• It prevents bot attacks,
• DDoS Protection

WordPress hosting providers like Hostinger also use Cloudflare’s CDN.

Is Cloudflare Just for Static Websites?

No. Cloudflare supports both static and dynamic websites. For WordPress and other CMS-based sites, it automatically caches static assets while securely routing dynamic content (like form submissions, login requests) to the origin. This makes it ideal for eCommerce stores, blogs, portfolios, and more.

How to set up Cloudflare CDN for WordPress.

Once you understand how Cloudflare works as a CDN and reverse proxy, the next step is to integrate it with your website. Now we will discuss, the setup process in-depth — from creating a Cloudflare account to configuring DNS, SSL, and performance settings.

Step 1: Create a Cloudflare Account

• Visit Cloudflare sign-up page.
• Provide an Email address and Password(that to be generated)

There will be three options for the Cloudflare service. For the website CDN, you’ve to choose “Protect Internet Presence”. This means you’re providing a security layer to the website.

When you choose “Protect Internet Presence“, you’ll be prompted to add a website.

Enter the website domain URL. You can also add multiple websites.

Step 2: Choose a Cloudflare Plan

Cloudflare offers several plans: Free, Pro, Business, and Enterprise. For most websites — especially blogs, portfolios, and small business sites — the Free Plan is sufficient.

Features included in the Free Plan:

• Global CDN
• Free SSL certificate
• DDoS protection
• Basic page rules
• Caching and performance features

Step 3: DNS Records for the website.

• Cloudflare will begin a DNS scan to import your existing DNS records (A, CNAME, MX, etc.).
• Wait for the scan to complete, then review the DNS records.
• If any important records are missing (like email or subdomains), add them manually.

Tip: Double-check your email records (MX, SPF, DKIM, DMARC) to ensure uninterrupted email delivery.

Cloudflare automatically scans and points to the existing DNS settings of the domain provided.

Step 4: Update Your Domain’s Nameservers

After DNS configuration, Cloudflare will show two nameservers (e.g., sasha.ns.cloudflare.com and max.ns.cloudflare.com). You need to replace your domain registrar’s nameservers with these.

Here’s how to do it on common registrars:

• How do I change nameservers on GoDaddy?
• How to change Nameserver on Namecheap
• How to Change or Update NS Records – Domain.com
• Changing Name Servers of a Domain Name | Bluehost and Bigrock

DNS propagation can take from a few minutes up to 24 hours, though it’s typically faster.

Once updated, Cloudflare will detect the change and activate the website on its network.

Cloudflare Configuration to Protect Your Website.

Once your domain is connected to Cloudflare and the nameservers have propagated successfully, your website starts routing through Cloudflare’s global network. However, this is just the beginning. To unlock the full power of Cloudflare’s performance and security benefits, you must configure several key settings. Below are the essential configurations — explained in detail — that will help protect your website and improve its speed, especially for WordPress-based sites.

1. Configure SSL/TLS Settings for HTTPS Security

SSL (Secure Socket Layer) is crucial for encrypting data between your users and your web server. Cloudflare provides a free SSL certificate that allows you to serve your website securely over HTTPS, even if your hosting provider doesn’t offer one. Proper SSL configuration is essential for user trust, Google SEO rankings, and preventing browser warnings.

How to configure:

• Go to the Cloudflare Dashboard → SSL/TLS → Overview.
• Under “SSL/TLS Encryption Mode,” choose Full (Strict) if your origin server has a valid SSL certificate installed. If not, start with “Flexible” or “Full” (but upgrade to Full Strict as soon as possible).
• Navigate to SSL/TLS → Edge Certificates.
• Enable Always Use HTTPS – this redirects all HTTP traffic to HTTPS automatically.
• Enable Automatic HTTPS Rewrites – helpful if you still have hardcoded HTTP links in your content.
• Scroll down and enable TLS 1.3 – this is the latest encryption protocol that improves speed and security.

Using SSL through Cloudflare not only secures your visitors’ data but also helps your website appear trustworthy and professional. Once enabled, users will see a padlock icon in the browser bar, confirming that your website is protected.

You can also enable the latest TLS 1.3 through the same window(SSL/TLS>Edge Server).

2. Enable Speed Optimization Settings

Cloudflare comes with built-in tools to help reduce your website’s load time. These settings allow you to compress, minify, and accelerate delivery of web assets such as CSS, JavaScript, and HTML. Optimizing your website’s performance not only improves user experience but also impacts SEO ranking and conversion rates.

How to optimize performance:

• Go to Cloudflare Dashboard → Speed → Optimization tab.
• Enable Auto Minify for HTML, CSS, and JavaScript. This removes unnecessary white spaces and comments in your code to reduce file size.
• Turn on Brotli compression – this is a better alternative to Gzip for reducing the size of transferred data.
• (Optional) Enable Rocket Loader – this defers JavaScript loading to improve initial page rendering time. Useful for JavaScript-heavy pages but test for compatibility with plugins.
• For WordPress users: Also consider enabling “Early Hints” if available, which helps preload important assets.

These features can significantly reduce the amount of data that needs to be transmitted and shorten page load times, especially for mobile users or those on slower connections.

3. Adjust Cache Settings for Faster Content Delivery

Caching allows Cloudflare to store a copy of your website’s static content on its global edge servers. This way, repeat visitors or users accessing from different parts of the world receive content from the nearest server, reducing load on your origin server and speeding up delivery. Cloudflare’s caching settings are flexible and easy to manage.

How to configure caching:

• Go to the Caching tab then Configuration.
• Set Caching Level to Standard – this is suitable for most websites.
• Choose Browser Cache TTL to 1 Day or 1 Hour, depending on how frequently your site content changes.
• Enable Always Online – Cloudflare will show a cached version of your site if your origin server is temporarily down.
• Use Page Rules (explained later) to control caching behavior for specific pages (like turning off cache for /wp-admin).
• If your website is dynamic (e.g., eCommerce or member login), configure Cache-Control headers or bypass caching for logged-in users.

When caching is configured correctly, your website becomes more resilient, consumes fewer server resources, and loads faster, which leads to better engagement and reduced bounce rates.

4. Strengthen Security with Firewall Settings

Cloudflare offers robust security options to protect your website from malicious traffic, bots, DDoS attacks, and other threats. These can be managed through the Security and Firewall tabs. Firewall rules help you control who can access your site, from where, and under what conditions.

How to improve security:

• Go to Security then Security Rules (earlier WAF).
• Enable Managed Rulesets, especially the OWASP rules and WordPress-specific protections (for sites built on WordPress).
• Set Security Level to Medium or High. This adjusts sensitivity to suspicious requests.
• Go to Security – Settings – All settings to enable Bot Fight Mode to block or challenge abusive bots.
• Set up custom Firewall Rules to:
  • Block IP ranges from countries where you don’t expect traffic.
  • Rate limit login attempts to prevent brute-force attacks.
  • With custom rules you can block access to xmlrpc.php or wp-login.php for non-admin IPs.
• Monitor Security Events to identify and analyze threats in real time.

Using Cloudflare’s security tools significantly reduces your risk of attacks, unauthorized logins, and bot traffic, thereby maintaining the integrity and uptime of your website.

5. Use Page Rules for Custom Behavior

Page Rules allow you to define how Cloudflare treats specific URLs on your site. This is one of the most powerful features for fine-tuning performance, security, and caching. For example, you might want different rules for your homepage, login page, or content directories.

Helpful page rule examples:

• Force HTTPS on all pages: URL: http://example.com/* → Forward to https://example.com/$1 with 301 redirect.
• Cache everything (including HTML): URL: example.com/static/* → Cache Level: Cache Everything.
• Bypass cache for login: URL: example.com/wp-login.php → Cache Level: Bypass, Security Level: High.
• Disable performance features for admin: URL: example.com/wp-admin/* → Rocket Loader: Off, Cache Level: Bypass.

On the free plan, Cloudflare allows up to 3 page rules per domain. Use them wisely for maximum effect.

Page Rules give you precise control over how Cloudflare handles each section of your website. This flexibility is especially valuable when running dynamic content or platforms like WordPress or WooCommerce.

6. Test and Monitor Your Setup

After configuration, it’s important to test your website thoroughly to ensure everything works correctly — especially after enabling HTTPS and caching. This helps you catch mixed content errors, redirect loops, or compatibility issues early on.

Steps to validate your setup:

• Visit your website using both http:// and https:// — confirm HTTPS is redirecting properly.
• Use tools like:
  • GTmetrix – for page speed analysis.
  • SSL Labs by Qualys – for detailed SSL/TLS inspection.
  • SecurityHeaders.com – to check if your HTTP headers are set correctly.
  • IsItDownRightNow or Uptime Robot – to monitor uptime.
• Cloudflare Dashboard → Analytics tab – monitor traffic, bandwidth savings, threats blocked, and cache ratio.
• Test on both desktop and mobile devices and across multiple browsers.

A properly configured Cloudflare setup should make your website faster, more secure, and more reliable. Testing ensures your changes are having the intended effect and gives you peace of mind that your site is resilient and optimized.

Final Words

You can secure your website by placing Cloudflare between your hosting provider and the end user. Cloudflare provides free CDN, SSL, and many more to boost website speed and security.

These configurations — from SSL encryption to caching, security, and page rules — collectively elevate your website’s speed and protection. Cloudflare offers an incredibly powerful set of tools, even on the free plan, but it’s the proper setup that makes the difference. Whether you’re running a blog, a business site, or an online store, taking time to optimize these settings ensures a smoother experience for your users and peace of mind for you as the site owner.

Let me know if you’d like this guide as a downloadable PDF or formatted for your WordPress blog.

The post How to Set up Cloudflare CDN for a Website or App appeared first on SEO Neurons.