Cloudflare Docs
WAF
Edit this page on GitHub
Set theme to dark (⇧+D)

Cloudflare Zone Lockdown

Zone Lockdown specifies a list of one or more IP addresses, CIDR ranges, or networks that are the only IPs allowed to access a domain, subdomain, or URL. You can configure multiple destinations, including IPv4/IPv6 addresses, in a single Zone Lockdown rule.

All IP addresses not specified in the Zone Lockdown rule will not have access to the specified resources. Requests from those IP addresses will receive an Access Denied response.

​​ Availability

Cloudflare Zone Lockdown is available on paid plans. The number of available Zone Lockdown rules depends on your Cloudflare plan.

FreeProBusinessEnterprise

Availability

NoYesYesYes

Number of rules

0310200

​​ Create a Zone Lockdown rule

  1. Log in to the Cloudflare dashboard and select your account and domain.

  2. Go to Security > WAF, and select the Tools tab.

  3. Under Zone Lockdown, select Create lockdown rule

  4. Enter a descriptive name for the rule in Name.

  5. For URLs, enter the domains, subdomains, or URLs you wish to protect from unauthorized IPs. You can use wildcards such as *. Enter one item per line.

  6. For IP Range, enter one or more allowed IPv4/IPv6 addresses or CIDR ranges, one per line. Only these IP addresses and ranges will be able to access the resources you entered in URLs.

  7. (Optional) If you are creating a Zone Lockdown rule that overlaps with an existing rule, expand Advanced Options and enter a priority for the rule in Priority. The lower the number, the higher the priority. Higher priority rules take precedence.

  8. Select Save and Deploy lockdown rule.

Issue a POST request for the Create a Zone Lockdown rule operation.

For example:

curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/lockdowns" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"description": "Block all traffic to staging and wiki unless it comes from HQ or branch offices",
"urls": [
"staging.example.com/*",
"example.com/wiki/*"
],
"configurations": [
{
"target": "ip_range",
"value": "192.0.2.0/24"
},
{
"target": "ip_range",
"value": "2001:DB8::/64"
},
{
"target": "ip",
"value": "203.0.133.1"
}
]
}'

​​ Example rule

The following example rule will only allow visitors connecting from a company’s headquarters or branch offices to access the staging environment and the wiki:

  • Name:

    Block all traffic to staging and wiki unless it comes from HQ or branch offices
  • URLs:

    staging.example.com/*
    example.com/wiki/*
  • IP Range:

    192.0.2.0/24
    2001:DB8::/64
    203.0.133.1

This example would not protect an internal wiki located on a different directory path such as example.com/internal/wiki.

​​ Access denied example

A visitor from an unauthorized IP will get the following error when there is a match for a Zone Lockdown rule:

Example of Error 1106 (access denied) received by a user accessing the zone from an unauthorized IP address