Egress policies
When your users connect to the Internet through Cloudflare Gateway, by default their traffic is assigned a source IP address that is shared across all Cloudflare WARP users. Enterprise users can purchase dedicated egress IPs to ensure that egress traffic from your organization is assigned a unique, static IP. These source IPs are dedicated to your account and can be used within allowlists on upstream services.
Egress policies allow you to control which dedicated egress IP is used and when, based on attributes such as identity, IP address, and geolocation. Traffic that does not match an egress policy will default to using the most performant dedicated egress IP.
Cloudflare does not publish WARP egress IP ranges. WARP egress IPs are not documented at Cloudflare's IP Ranges ↗. To obtain a dedicated WARP egress IP, contact your account team.
When using either the default Cloudflare egress IPs or any dedicated egress IPs, Gateway traffic that does not match an egress policy will egress from the closest Cloudflare data center with a default Gateway egress IP. If there are two data centers of equal distance from the user, Gateway will split the traffic between the two data centers, and the load balancer will retain the same user selection and egress IP regardless of data center.
To control whether only IPv4 or IPv6 is used to egress, ensure you are filtering DNS traffic, then create a DNS policy to block AAAA or A records.
The following egress policy configures all traffic destined for a third-party network to use a static source IP:
| Policy name | Selector | Operator | Value | Egress method |
|---|---|---|---|---|
| Access third-party provider | Destination IP | is | 198.51.100.158 | Dedicated Cloudflare egress IPs |
| Primary IPv4 address | IPv6 address |
|---|---|
203.0.113.88 | 2001:db8::/32 |
For the best performance, we recommend creating a catch-all policy to route all other users through the default Zero Trust IP range:
| Policy name | Selector | Operator | Value | Egress method |
|---|---|---|---|---|
| Default egress policy | Protocol | in | All options (Protocol) | Cloudflare default egress method |
Since Gateway policies evaluate from top to bottom in the UI, be sure to place the catch-all policy at the bottom of the list. If you do not include a catch-all policy, all other traffic will attempt to use the closest dedicated egress IP location. To control which egress IP Gateway uses, create an egress policy.
Choose one of the following options for your egress policy:
-
Use default Cloudflare egress method uses the default source IP range shared across all Zero Trust accounts. Ensures the most performant Internet experience as user traffic egresses from the nearest Cloudflare data center.
-
Use dedicated egress IPs (Cloudflare or BYOIP) uses the primary IPv4 address and IPv6 range selected in the dropdown menus. You can optionally specify a secondary IPv4 address in a different data center. If the primary data center goes down, Gateway will egress from the secondary data center to avoid traffic drops during reroutes. There is no need for a secondary IPv6 because IPv6 traffic can egress from any Cloudflare data center. Dedicated egress IPs can be provided by either Cloudflare or BYOIP. To learn more about IPv4 and IPv6 egress behavior, refer to Egress locations.
Gateway matches egress traffic against the following selectors, or criteria:
You can apply egress policies to a growing list of popular web applications. Refer to Application and app types for more information.
| UI name | API example | Evaluation phase |
|---|---|---|
| Application | any(app.ids[*] in {505}) | Before DNS resolution |
This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to Selector prerequisites.
Applications within a specific security category as categorized by Cloudflare Radar.
| UI name | API example |
|---|---|
| Content Categories | any(net.fqdn.content_category[*] in {1}) |
This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to Selector prerequisites.
The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the Value field:
| Continent | Code |
|---|---|
| Africa | AF |
| Antarctica | AN |
| Asia | AS |
| Europe | EU |
| North America | NA |
| Oceania | OC |
| South America | SA |
| Tor network | T1 |
| UI name | API example |
|---|---|
| Destination Continent IP Geolocation | net.dst.geo.continent == "EU" |
The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its ISO 3166-1 Alpha 2 code ↗ in the Value field.
| UI name | API example |
|---|---|
| Destination Country IP Geolocation | net.dst.geo.country == "RU" |
The IP address of the request's target.
| UI name | API example |
|---|---|
| Destination IP | any(net.dst.ip[*] in {10.0.0.0/8}) |
The port number of the request's target.
| UI name | API example |
|---|---|
| Destination Port | net.dst.port == 2222 |
With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way.
For more information on device posture checks, refer to Device posture.
| UI name | API example |
|---|---|
| Passed Device Posture Checks | any(device_posture.checks.failed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device_posture.checks.passed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})" |
Use this selector to match against a domain and all subdomains. For example, you can match example.com and its subdomains, such as www.example.com.
| UI name | API example | Evaluation phase |
|---|---|---|
| Domain | any(net.fqdn.domains[*] == "example.com") | Before DNS resolution |
Gateway policies do not support domains with non-Latin characters directly. To use a domain with non-Latin characters, add it to a list.
This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to Selector prerequisites.
Use this selector to match against only the hostname specified. For example, you can match test.example.com but not example.com or www.test.example.com.
| UI name | API example | Evaluation phase |
|---|---|---|
| Host | net.fqdn.host == "example.com" | Before DNS resolution |
Gateway policies do not support hostnames with non-Latin characters directly. To use a hostname with non-Latin characters, add it to a list.
This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to Selector prerequisites.
The protocol used to send the packet.
| UI name | API example |
|---|---|
| Protocol | net.protocol == "tcp" |
The proxy server where your browser forwards HTTP traffic.
| UI name | API example |
|---|---|
| Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" |
The continent of the user making the request.
Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the Value field:
| Continent | Code |
|---|---|
| Africa | AF |
| Antarctica | AN |
| Asia | AS |
| Europe | EU |
| North America | NA |
| Oceania | OC |
| South America | SA |
| Tor network | T1 |
| UI name | API example | Evaluation phase |
|---|---|---|
| Source Continent IP Geolocation | net.src.geo.continent == "North America" | Before DNS resolution |