This project provides a Lambda function that automatically creates or updates an AWS resource with Cloudflare's IPv4 ranges and keeps your custom VPC managed prefix list in sync with them. It consists of:
- An EventBridge rule that invokes the Lambda function daily
- A Lambda function that fetches Cloudflare's IPv4 ranges from Cloudflare's API and updates the managed prefix list
```text
                                +-----------------+
                                |     Lambda      |
                                | Execution Role  |
                                +--------+--------+
                                         |
                                         |                +-------------------+
+-----------------------+       +--------+--------+       |                   |
|EventBridge            +------>+ Lambda function +---+-->+AWS VPC Prefix List|
|e.g.,cron(0 0 * * ? *) |       +--------+--------+   |   |                   |
+-----------------------+                |            |   +-------------------+
                                         |
                                  (WIP)  v
                                +--------+--------+
                                | CloudWatch Logs |
                                +-----------------+
```
It supports creating or updating the following resources:
- VPC Prefix List
- CloudFormation or CDK
We welcome your PR.
These are the overall steps to deploy:
- Create an IAM role for Lambda with the policy below (e.g., `lambda-update-cloudflare-managedprefixlist`) and remember the role name.
  - (Please confirm and correct me!)
  - ToDo: make the policy stricter so that it only allows modifying the specific prefix list (PR is welcome!)
  - Note: the policy below only covers EC2 API calls. Attach the AWS managed policy `AWSLambdaBasicExecutionRole` as well if the function should write to CloudWatch Logs (marked WIP in the diagram above).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeTags",
        "ec2:DescribeManagedPrefixLists"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:GetManagedPrefixListEntries",
        "ec2:ModifyManagedPrefixList",
        "ec2:CreateTags"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
- Create an empty managed VPC prefix list in your desired region
  - Prefix list name: e.g., `cloudflare-ips`
  - Max entries: As of July 2023, Cloudflare publishes 15 IPv4 ranges. Set it to 100 if possible, otherwise set it to 30. Keep in mind that a prefix list's max entries count against the rules quota of every security group that references it (60 inbound rules per security group by default), so 100 only works if that quota has been raised.
  - Copy and note down the prefix list ID (e.g., `pl-XXXXXXXXXXXXXXXXXXX`)
Create a Lambda function
- Function name: anything (e.g., `UpdateCloudflarePrefixListIps`)
- Runtime: Python 3.10
- Architecture: either x86_64 or arm64 (I've tested with x86_64)
- Permissions: choose "Use an existing role" and select the role you created above
- You don't need to turn on any additional Advanced settings
- Download a copy of `lambda/update_cloudflare_ip_ranges.py`
  - Change `BASE_REGION` to your region
  - Change `PREFIX_ID` to your prefix list ID
- Copy and paste the code via the Lambda dashboard, or create a zip file and upload it to Lambda
- Test run the function and check that the prefix list has been updated
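For reference, here is an added, self-contained example of what such a handler has to do: fetch and validate Cloudflare's IPv4 list, diff it against the prefix list's current entries, and apply only the delta with `CurrentVersion` set so a concurrent change is rejected instead of merged. This is not the project's `lambda/update_cloudflare_ip_ranges.py`; the Cloudflare endpoint URL, the `BASE_REGION`/`PREFIX_ID` placeholders and the sample API body are assumptions made for the example, and `boto3` is only imported inside the handler so the validation and planning logic can run offline.

```python
"""Added example: reconcile a VPC managed prefix list with Cloudflare's IPv4 ranges.
Not the project's own code; endpoint, placeholders and sample data are assumptions."""
import ipaddress
import json
import os
import urllib.request

# Assumed Cloudflare endpoint; verify against Cloudflare's API docs. Its JSON body
# has the shape {"success": true, "result": {"ipv4_cidrs": [...], "ipv6_cidrs": [...]}}
CLOUDFLARE_IPS_URL = "https://api.cloudflare.com/client/v4/ips"
BASE_REGION = os.environ.get("BASE_REGION", "us-east-1")            # placeholder
PREFIX_ID = os.environ.get("PREFIX_ID", "pl-XXXXXXXXXXXXXXXXXXX")  # placeholder

# Constructed sample body in the API shape above, used for an offline dry run.
SAMPLE_BODY = {
    "success": True,
    "result": {
        "ipv4_cidrs": ["173.245.48.0/20", "103.21.244.0/22", "198.41.128.0/17"],
        "ipv6_cidrs": ["2400:cb00::/32"],
    },
}


def parse_cloudflare_ipv4(body):
    """Validate the API body and return Cloudflare's IPv4 CIDRs sorted by network.
    Refuses a failed or empty response rather than wiping the prefix list, and
    rejects CIDRs with host bits set (strict=True) instead of silently normalising."""
    if not body.get("success"):
        raise ValueError("Cloudflare API reported failure")
    cidrs = body["result"]["ipv4_cidrs"]
    if not cidrs:
        raise ValueError("empty IPv4 list; refusing to empty the prefix list")
    nets = {str(ipaddress.IPv4Network(c, strict=True)) for c in cidrs}
    return sorted(nets, key=ipaddress.IPv4Network)


def fetch_cloudflare_ipv4(url=CLOUDFLARE_IPS_URL, timeout=10):
    """Fetch the live list over HTTPS and validate it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_cloudflare_ipv4(json.load(resp))


def plan_changes(current_cidrs, desired_cidrs, max_entries):
    """Return (to_add, to_remove) for ModifyManagedPrefixList; fail early if the
    desired set would not fit into the prefix list's MaxEntries."""
    current, desired = set(current_cidrs), set(desired_cidrs)
    if len(desired) > max_entries:
        raise ValueError(f"{len(desired)} entries exceed MaxEntries={max_entries}")
    return sorted(desired - current), sorted(current - desired)


def sync_prefix_list(ec2, prefix_id, desired_cidrs):
    """Apply the plan to the prefix list through an EC2 client (boto3 or a stub).
    Passing CurrentVersion makes AWS reject the call if someone else modified the
    list between our read and our write."""
    pl = ec2.describe_managed_prefix_lists(PrefixListIds=[prefix_id])["PrefixLists"][0]
    current, kwargs = [], {"PrefixListId": prefix_id}
    while True:  # entries are paginated; follow NextToken until exhausted
        page = ec2.get_managed_prefix_list_entries(**kwargs)
        current.extend(e["Cidr"] for e in page["Entries"])
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    to_add, to_remove = plan_changes(current, desired_cidrs, pl["MaxEntries"])
    if not to_add and not to_remove:
        return {"changed": False, "added": [], "removed": []}
    modify = {"PrefixListId": prefix_id, "CurrentVersion": pl["Version"]}
    if to_add:
        modify["AddEntries"] = [{"Cidr": c, "Description": "Cloudflare"} for c in to_add]
    if to_remove:
        modify["RemoveEntries"] = [{"Cidr": c} for c in to_remove]
    ec2.modify_managed_prefix_list(**modify)
    return {"changed": True, "added": to_add, "removed": to_remove}


def lambda_handler(event, context):
    """Lambda entry point: live fetch, then reconcile the configured prefix list."""
    import boto3  # imported here so the pure logic above is importable without boto3

    desired = fetch_cloudflare_ipv4()
    ec2 = boto3.client("ec2", region_name=BASE_REGION)
    result = sync_prefix_list(ec2, PREFIX_ID, desired)
    print(json.dumps(result))
    return result
```

The separation into `parse_cloudflare_ipv4`, `plan_changes` and `sync_prefix_list` is deliberate: the first two have no AWS dependency, so you can unit-test the "never push an empty or malformed list" and "never exceed MaxEntries" guards locally before the function ever touches a real prefix list.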
- Go back to your Lambda function
- In Function overview, click "Add trigger"
- Select "EventBridge (CloudWatch Events)"
- For Rule, select "Create a new rule"
- Set "Rule name" accordingly (e.g., `daily-lambda-update-cloudflare-ip`)
- Add a "Description" accordingly (e.g., "Run Cloudflare IP managed prefix list update daily")
- For Rule type, select "Schedule expression"
- Set the schedule accordingly
  - To run every day at 0:00 UTC: `cron(0 0 * * ? *)`
  - Cloudflare rarely updates its IPv4 ranges, so a daily run is enough.
  - If you experience errors, Cloudflare may have changed its IP ranges; if so, run the Lambda function manually right away.
- Reference the managed prefix list as the source in the inbound rules for ports 80 and 443 (HTTP/HTTPS) of the security groups of your EC2 instances or ALB.
- Make sure you are not seeing any error messages
Done!
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.
GitHub @katzueno, Macareux Digital, Inc.
- Initial release of a working copy, not fully tested