When you use Cloudflare to protect your website or application, it acts as a reverse proxy. All user traffic passes through Cloudflare before reaching your AWS EC2 instance. This setup protects your origin server from threats like DDoS attacks, malicious bots, and direct IP scanning.
However, if your EC2 instance accepts connections from all IPs, attackers can bypass Cloudflare and hit your server directly using its public IP address. That defeats the purpose of using Cloudflare.
To prevent this, you should allow only Cloudflare’s IP ranges in your AWS security group. This ensures that only traffic routed through Cloudflare can reach your server, and all other direct connections are denied.
Step 1: Create a New Security Group in AWS
Before you can whitelist Cloudflare IPs, you need to create a new security group that will be used specifically for this purpose. This security group will not allow all inbound traffic like the default one. Instead, you’ll configure it to allow traffic only from Cloudflare’s IP ranges.
Here’s how to create a new security group via the AWS Console:
1. Log in to the AWS Management Console
Go to https://console.aws.amazon.com/ and log in with your credentials.
2. Navigate to EC2 Dashboard
Once logged in, go to the EC2 service. You can find it by searching “EC2” in the top search bar or selecting it from the Services menu.
3. Go to Security Groups
On the left sidebar, under “Network & Security”, click on “Security Groups”.
4. Click on “Create Security Group”
At the top right corner, click the “Create security group” button.
5. Fill in the Security Group Details
Now you’ll be prompted to fill out the following fields:
- Security group name: Enter a recognizable name, such as CloudflareOnlyAccess or CF-Whitelist.
- Description: Write a brief description, for example: Allow only Cloudflare IPs on ports 80 and 443.
- VPC: Your default VPC will be auto-selected here. If your EC2 instance is part of a specific VPC, make sure to choose that one. Otherwise, leave it as is.
- Tags (optional): You can add a tag like Name: CloudflareWhitelist to help identify this security group later.
6. Configure Inbound Rules
For now, leave the Inbound rules section empty. You’ll add specific Cloudflare IPs via AWS CLI later.
7. Configure Outbound Rules
By default, AWS allows all outbound traffic from your instance. You can leave this as is unless you have a strict need to control outgoing traffic.
8. Create the Security Group
Scroll down and click the “Create security group” button.
Once created, your new security group will appear in the list. Make sure to note down the Security Group ID (for example, sg-08ea2ffd64093162c). You’ll use this ID when adding IPs using the AWS CLI.
At this point, you’ve successfully created a security group with no inbound rules. This means your server won’t accept any incoming traffic unless explicitly allowed — which is exactly what you want for a locked-down, Cloudflare-only setup.
If all of this feels a bit too technical or you’re worried about making a misstep that could accidentally expose your server or break your site’s availability, you’re not alone. Website security is a complex area that needs careful planning — especially when dealing with firewall rules, CDNs like Cloudflare, and AWS security groups. At SEO Neurons, we offer end-to-end website security solutions to help you lock down your infrastructure, monitor threats, and stay compliant — without the guesswork. So whether you’re just starting or already facing issues, our team can help secure your digital presence effectively.
Step 2: Access AWS CLI Using AWS CloudShell (No Local Setup Required)
Instead of running AWS CLI commands from your local machine or launching a temporary EC2 instance, the easiest and most secure option is to use AWS CloudShell.
CloudShell is a browser-based shell provided by AWS, which comes pre-installed with AWS CLI and is already authenticated with your user’s IAM permissions.
How to Access CloudShell
- Log in to your AWS Console.
- On the top-right corner of the dashboard, click the “CloudShell” icon.
- A terminal window will open at the bottom of your screen. This is a fully managed shell environment with access to AWS CLI.
- Ensure that the IAM user or role you’re logged in with has the necessary permissions to modify security groups, such as ec2:AuthorizeSecurityGroupIngress.
Now you’re ready to run shell scripts directly in AWS without any local setup.
Step 3: Add Cloudflare IPv4 to Security Group Using AWS CLI
Once CloudShell is open, you can execute the following shell script to whitelist Cloudflare’s IPv4 address ranges.
Replace sg-08ea2ffd64093123c with the ID of the security group you created earlier.
#!/bin/bash
# Download Cloudflare IPv4 address ranges
wget https://www.cloudflare.com/ips-v4 -O cloudflare_ips.txt
# Security Group ID
SG_ID="sg-08ea2ffd64093123c"
# Loop through each IPv4 range and allow ports 80 and 443
while read -r p || [[ -n "$p" ]]; do
aws ec2 authorize-security-group-ingress \
--group-id "$SG_ID" \
--ip-permissions "IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=$p,Description='Cloudflare'}]"
aws ec2 authorize-security-group-ingress \
--group-id "$SG_ID" \
--ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=$p,Description='Cloudflare'}]"
done < cloudflare_ips.txt
# Cleanup
rm cloudflare_ips.txt
echo "Cloudflare IPv4 IPs have been added to the security group."
How to run the script in CloudShell:
- Copy the script above into a file: nano add-cloudflare-ipv4.sh
- Paste the content, save (Ctrl + O), and exit (Ctrl + X).
- Make it executable and run:
chmod +x add-cloudflare-ipv4.sh
./add-cloudflare-ipv4.sh
Step 4: Add Cloudflare IPv6 to Security Group Using AWS CLI
If your setup supports IPv6, run the following script the same way to allow Cloudflare’s IPv6 ranges:
#!/bin/bash
# Download Cloudflare IPv6 address ranges
wget https://www.cloudflare.com/ips-v6 -O cloudflare_ips.txt
# Security Group ID
SG_ID="sg-08ea2ffd64093123c"
# Loop through each IPv6 range and allow ports 80 and 443
while read -r p || [[ -n "$p" ]]; do
aws ec2 authorize-security-group-ingress \
--group-id "$SG_ID" \
--ip-permissions "IpProtocol=tcp,FromPort=80,ToPort=80,Ipv6Ranges=[{CidrIpv6=$p,Description='Cloudflare'}]"
aws ec2 authorize-security-group-ingress \
--group-id "$SG_ID" \
--ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,Ipv6Ranges=[{CidrIpv6=$p,Description='Cloudflare'}]"
done < cloudflare_ips.txt
# Cleanup
rm cloudflare_ips.txt
echo "Cloudflare IPv6 IPs have been added to the security group."
Run the same steps: create a .sh file in CloudShell, make it executable, and execute it.
This ensures that your EC2 instance accepts traffic only from Cloudflare’s networks, protecting it from direct IP hits.
Step 5: Attach the Security Group to Your EC2 Instance and Remove the Default One
Now that your security group is configured to allow only Cloudflare traffic, it’s time to attach it to your EC2 instance and detach the default security group (which often allows unrestricted access like 0.0.0.0/0).
Steps to Attach the Security Group:
- Go to the EC2 Dashboard in the AWS Console.
- Click on Instances from the left sidebar.
- Select the EC2 instance you want to secure.
- In the bottom panel, click on the Security tab.
- Next to “Security groups”, click the edit icon.
- In the edit screen:
- Remove the default security group (if it allows 0.0.0.0/0 or wide access).
- Add the new security group you created for Cloudflare IPs.
- Click Save to apply changes.
This way, only Cloudflare’s network can reach your server over HTTP (port 80) and HTTPS (port 443), preventing any direct IP access attempts.
Step 6: Verify That Your EC2 Instance Is Now Protected from Direct IP Access
After applying your new security group, it’s essential to verify that everything is working correctly — meaning your EC2 instance is only accessible through Cloudflare and not via direct IP.
1. Confirm Your Website Loads via Domain Name
Visit your website through the domain name (e.g., https://yourdomain.com). If everything is set up properly, your site should load normally.
You can also inspect the response headers in your browser’s developer tools (Network tab). If you see headers like cf-ray or server: cloudflare, it confirms your site is successfully routed through Cloudflare.
2. Try Accessing Directly via Public IP (It Should Fail)
Now, try entering your EC2 instance’s public IP directly in your browser:
http://<your-ec2-ip>
You should get a timeout or connection refused message. That’s perfect — it means your server is no longer accepting direct traffic and is only accessible through Cloudflare.
For more detailed verification, you can run:
curl http://<your-ec2-public-ip>
And then:
curl -I https://yourdomain.com
This will show if the response is coming through Cloudflare (look for server: cloudflare).
3. Double-Check Security Group Rules
Go to EC2 > Security Groups, click on your custom security group, and confirm:
- Only Cloudflare IPs are listed in the Inbound rules
- Ports 80 and 443 are included
- No open access like 0.0.0.0/0 or ::/0 is present
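The two scripts in Steps 3 and 4 make two API calls per range, and the check in point 3 above is done by eye. The added example below (not the post's own code) shows both tasks in one place: build_ip_permissions turns a Cloudflare CIDR list into the --ip-permissions JSON for a single authorize-security-group-ingress call per port, and audit_ingress scans a SecurityGroup object from describe-security-groups for world-open ranges, ranges that are not Cloudflare's, and anything other than TCP 80/443. The embedded Cloudflare ranges and the sample group (placeholder group id) are there so it runs offline; the group structure is an assumption about the CLI's JSON output.

```python
import ipaddress

PORTS = (80, 443)
# A few ranges from Cloudflare's published lists, embedded so this runs offline;
# for real use load the current ips-v4 / ips-v6 files linked in the post.
CLOUDFLARE = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32", "2606:4700::/32"]

def build_ip_permissions(cidrs, ports=PORTS):
    """One IpPermission per port holding every range: the JSON for a single
    authorize-security-group-ingress --ip-permissions call (no per-range loop)."""
    v4 = [c for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in cidrs if ipaddress.ip_network(c).version == 6]
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": c, "Description": "Cloudflare"} for c in v4],
             "Ipv6Ranges": [{"CidrIpv6": c, "Description": "Cloudflare"} for c in v6]}
            for p in ports]

def audit_ingress(sg, allowed_cidrs, ports=PORTS):
    """Findings for one SecurityGroup object from describe-security-groups: world-open
    ranges, ranges not on the Cloudflare list, anything but TCP 80/443, and rules
    that reference other groups or prefix lists (which a CIDR check cannot vet)."""
    allowed = {ipaddress.ip_network(c) for c in allowed_cidrs}
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if perm.get("IpProtocol") != "tcp" or lo not in ports or lo != hi:
            findings.append(f"unexpected rule {perm.get('IpProtocol')} {lo}-{hi}")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                findings.append(f"world-open range {cidr} on port {lo}")
            elif net not in allowed:
                findings.append(f"non-Cloudflare range {cidr} on port {lo}")
        if perm.get("UserIdGroupPairs") or perm.get("PrefixListIds"):
            findings.append(f"rule on port {lo} references a group or prefix list")
    return findings

# Constructed sample (placeholder id): a group still carrying the default 0.0.0.0/0 and ::/0 rules on port 80.
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "173.245.48.0/20"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "103.21.244.0/22"}]}]}

if __name__ == "__main__":
    # Feed real output here: aws ec2 describe-security-groups --group-ids <sg-id> --output json
    print(audit_ingress(SAMPLE_SG, CLOUDFLARE))
```

Passing the list from build_ip_permissions as --ip-permissions (as JSON) adds all ranges for a port in one call, and an empty findings list from audit_ingress is the machine-checked form of the three bullets above.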
⚠️ Important Note About File Uploads & DNS Proxy Mode
Please note: When using Cloudflare with the proxy mode enabled (orange cloud icon in DNS settings), your website’s traffic is strictly routed through Cloudflare. That’s the whole point of this setup.
However, there is a 100 MB upload limit on Cloudflare’s proxy.
So if you need to upload files larger than 100 MB (such as large backups or videos), you may face issues: uploads can fail or time out.
To handle this, you can temporarily:
- Disable Cloudflare proxy for your domain (turn the orange cloud to gray).
- Add back the default security group that allows open access (e.g., 0.0.0.0/0) just for that time.
- Complete the upload.
- Re-enable the Cloudflare proxy.
- Re-attach the Cloudflare-only security group and remove the open one.
This ensures you stay secure and functional, without permanently exposing your EC2 instance.