Can I configure a whitelist for a NodeBalancer public IP?

I currently have Cloudflare set up to pass traffic from my domain to my NodeBalancer IP. I'm still able to bypass Cloudflare and load my site if I use the public IP. Is there a method to establish a whitelist for incoming connections? (e.g. iptables or something equivalent that can be used with a NodeBalancer)

3 Replies

Hey @aphares - you can absolutely use iptables to do this by configuring your backend nodes to only accept connections from Cloudflare. Someone asked a similar question on the Cloudflare forums, and here was the solution:

You’d need to configure your load balancer to only accept connections from Cloudflare addresses and drop everything else.

The good news is that Cloudflare has a guide on how to set this up using iptables: Allowing Cloudflare IP addresses

You could also do this using the X-Forwarded-For header with your webserver; this is a pretty common webserver configuration method for load balancing solutions. I'm not sure which webserver you're using, but NGINX has a pretty good guide on how to configure the header: https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

Thank you for the reply - I can look into incorporating that into my project. In the future, would the Cloud Firewall also be a solution? (https://www.linode.com/products/cloud-firewall/)

While the person in the Cloudflare forums suggested that only allowing connections to your NodeBalancer from Cloudflare resolved their issue, this isn't something that is achievable at the moment. NodeBalancers are open to all connections, and those connections cannot be limited by Cloud Firewalls or iptables rules.

I was, however, able to limit connections to my public IP address using iptables while still allowing connections to my NodeBalancer through Cloudflare DNS by specifying the virtual IP interface:

```sh
iptables -A INPUT -j DROP -p tcp --destination-port 80 -i eth0 -d <my.public.ip.address>
```

It's important to note that NodeBalancer connections are made to the backend nodes over the private network. As mentioned in the Client's IP Pass-through guide:

"When a NodeBalancer routes traffic to a backend node, the originating IP address becomes the NodeBalancer’s private IP address."

With that in mind, I attempted to work through the process of limiting the allowed connections on the backend nodes to only Cloudflare IPs. As expected, connections began to time out when I added the rule to block other IP addresses.

My suggestion would be to reconfigure your site so that it's no longer serving to your public IP, or use HAProxy as a load balancer to allow for a few more configuration options.
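The two replies above together describe why a backend-node IP filter fails (the backend only ever sees the NodeBalancer's private address) and why the first reply points at X-Forwarded-For instead. The following is an added example, not code from either reply or from Linode: an application-level check that refuses direct hits on the public address, then validates the hop the NodeBalancer recorded against a Cloudflare allow list before trusting the client address. All address ranges are constructed placeholders, and it assumes the NodeBalancer appends the address it accepted the connection from as the last X-Forwarded-For entry.

```python
import ipaddress
from typing import Optional, Tuple

# All addresses below are constructed placeholders (documentation ranges), not
# real Cloudflare or Linode values: a real deployment loads the published
# Cloudflare list and the NodeBalancer's actual private address instead.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]
NODEBALANCER_PRIVATE = [ipaddress.ip_network("192.168.200.0/24")]


def in_ranges(addr, ranges) -> bool:
    # ip_network.__contains__ is False across address families, so mixed lists are safe.
    return any(addr in net for net in ranges)


def check_request(peer_ip: str, x_forwarded_for: Optional[str]) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, client_ip).

    peer_ip is the TCP peer the backend node actually sees. Behind a NodeBalancer
    that is its private address, so the Cloudflare edge and the real client are
    only visible in X-Forwarded-For, never in the packet source.
    """
    peer = ipaddress.ip_address(peer_ip)
    # Anything not arriving from the NodeBalancer's private address hit the node
    # directly (for example on its public IP) and bypassed both proxies.
    if not in_ranges(peer, NODEBALANCER_PRIVATE):
        return False, "direct connection, not via NodeBalancer", None
    if not x_forwarded_for:
        return False, "NodeBalancer traffic without X-Forwarded-For", None
    try:
        addrs = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    except ValueError:
        return False, "malformed X-Forwarded-For", None
    # Assumed: the NodeBalancer appends the address it accepted the connection from
    # as the last entry, so only that entry was written by a proxy we control.
    # Every earlier entry was written by whoever sat in front of it.
    edge = addrs[-1]
    if not in_ranges(edge, CLOUDFLARE_RANGES):
        return False, f"NodeBalancer connection came from {edge}, not a Cloudflare address", None
    # With the edge verified, the entry just before it is what Cloudflare wrote,
    # i.e. the client; anything before that was supplied by the client itself.
    client = addrs[-2] if len(addrs) >= 2 else edge
    return True, "ok", str(client)
```

Rejected requests can be answered with a 403 at the web server or application layer, which is the one place the backend node can still tell Cloudflare traffic from everything else.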
