Configure Cloudflare source IPs
Traffic that originates from a Cloudflare service, such as Cloudflare Load Balancing, to a private network uses a source IP address from a Cloudflare-allocated network range by default. This range is referred to as the cloudflare_source subnet:
- IPv4 traffic is sourced from
100.64.0.0/12. This range is configurable. - IPv6 traffic is sourced from
2606:4700:cf1:5000::/64. This range is not configurable.
Customers using Cloudflare products, such as Load Balancing, with their private network offramps can configure which IP address range Cloudflare uses for all traffic sent to the private network. This allows customers to reliably and securely route their trusted traffic flows after Cloudflare has enforced application and user security rules.
You must configure routes in your network so that response traffic for these source ranges is sent back to Cloudflare over your Cloudflare One connections.
Before you begin, ensure that:
- You have Cloudflare One Networks Write permission.
- Your desired new network range meets the following requirements:
- It must be defined as a single CIDR with a prefix length of
/12. - Cloudflare One subnets in the same account cannot overlap. For example, the default source range used by WARP Clients (
100.96.0.0/12) and the destination range used by Private Load Balancers (100.112.0.0/16). - The source subnet cannot match or contain any existing route in your Cloudflare One routing table. The source subnet can be within a supernet route.
- It must be defined as a single CIDR with a prefix length of
Except for Cloudflare Tunnel, all Cloudflare One Connectors (network offramps) see the cloudflare_source subnet (default 100.64.0.0/12) as the source of traffic from a Cloudflare service, such as Cloudflare Load Balancing, to a private network.
The following Connectors are affected:
- GRE
- IPsec
- CNI
- WARP Connector
- WARP Client
Currently, you must use the Cloudflare API to configure this setting. To set up your source IPs, send a PATCH request to the Update Cloudflare Source Subnet endpoint with your desired network range. The payload must include the network (your new /12 range), and may include a name and comment.
Example:
Required API token permissions
At least one of the following token permissions
is required:
Cloudflare One Networks Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/subnets/cloudflare_source/$ADDRESS_FAMILY" \ --request PATCH \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "comment": "example_comment", "name": "IPv4 Cloudflare Source IPs", "network": "100.64.0.0/12" }'Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark