Skip to content

Egress policies

When your users connect to the Internet through Cloudflare Gateway, by default their traffic is assigned a source IP address that is shared across all Cloudflare WARP users. Enterprise users can purchase dedicated egress IPs to ensure that egress traffic from your organization is assigned a unique, static IP. These source IPs are dedicated to your account and can be used within allowlists on upstream services.

Egress policies allow you to control which dedicated egress IP is used and when, based on attributes such as identity, IP address, and geolocation. Traffic that does not match an egress policy will default to using the most performant dedicated egress IP.

Force IP version

To control whether only IPv4 or IPv6 is used to egress, ensure you are filtering DNS traffic, then create a DNS policy to block AAAA or A records.

Example policies

The following egress policy configures all traffic destined for a third-party network to use a static source IP:

Policy nameSelectorOperatorValueEgress method
Access third-party providerDestination IPis198.51.100.158Dedicated Cloudflare egress IPs
Primary IPv4 addressIPv6 address
203.0.113.882001:db8::/32

Catch-all policy

For the best performance, we recommend creating a catch-all policy to route all other users through the default Zero Trust IP range:

Policy nameSelectorOperatorValueEgress method
Default egress policyProtocolinAll options (Protocol)Cloudflare default egress method

Since Gateway policies evaluate from top to bottom in the UI, be sure to place the catch-all policy at the bottom of the list. If you do not include a catch-all policy, all other traffic will use the closest dedicated egress IP location.

Egress methods

Choose one of the following options for your egress policy:

  • Default Cloudflare egress: uses the default source IP range shared across all Zero Trust accounts. Ensures the most performant Internet experience as user traffic egresses from the nearest Cloudflare data center.

  • Dedicated Cloudflare egress IPs uses the primary IPv4 address and IPv6 range selected in the dropdown menus. You can optionally specify a secondary IPv4 address in a different data center. If the primary data center goes down, Gateway will egress from the secondary data center to avoid traffic drops during reroutes. There is no need for a secondary IPv6 because IPv6 traffic can egress from any Cloudflare data center. To learn more about IPv4 and IPv6 egress behavior, refer to Egress locations.

Selectors

Gateway matches egress traffic against the following selectors, or criteria:

Destination Continent

The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the Value field:

  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network
UI nameAPI example
Destination Continent IP Geolocationnet.dst.geo.continent == “EU”

Destination Country

The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.

UI nameAPI example
Destination Country IP Geolocationnet.dst.geo.country == “RU”

Destination IP

The IP address of the request’s target.

UI nameAPI example
Destination IPnet.dst.ip == "10.0.0.0/8"

Destination Port

The port number of the request’s target.

UI nameAPI example
Destination Portnet.dst.port == "2222"

Device Posture

With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way.

For more information on device posture checks, refer to Device posture.

UI nameAPI example
Passed Device Posture Checksany(device_posture.checks.failed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device_posture.checks.passed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})"

Protocol

The protocol used to send the packet.

UI nameAPI example
Protocolnet.protocol == "tcp"

Proxy Endpoint

The proxy server where your browser forwards HTTP traffic.

UI nameAPI example
Proxy Endpointproxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com"

Source Continent

The continent of the user making the request.

Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a continent, enter its two-letter code into the Value field:

ContinentCode
AfricaAF
AntarcticaAN
AsiaAS
EuropeEU
North AmericaNA
OceaniaOC
South AmericaSA
Tor networkT1
UI nameAPI exampleEvaluation phase
Source Continent IP Geolocationnet.src.geo.continent == “North America”Before DNS resolution

Source Country

The country of the user making the request.

Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a country, enter its ISO 3166-1 Alpha-2 code in the Value field.

UI nameAPI exampleEvaluation phase
Source Country IP Geolocationnet.src.geo.country == “RU”Before DNS resolution

Source Internal IP

Use this selector to apply egress policies to a private IP address, assigned by a user’s local network, that requests arrive to Gateway from. This selector will only apply to users connected through a Magic GRE or IPSec tunnel.

UI nameAPI example
Source Internal IPnet.src.internal_src_ip == “192.168.86.0/27”

Source IP

UI nameAPI example
Source IPnet.src.ip == "10.0.0.0/8"

Source Port

UI nameAPI example
Source Portnet.src.port == "2222"

Users

Identity-based selectors include:

  • SAML Attributes
  • User Email
  • User Group Emails
  • User Group IDs
  • User Group Names
  • User Name

To use identity-based selectors, enable Gateway with WARP in the Zero Trust WARP client and enroll your user in your organization. For more information, refer to Identity-based policies.

Virtual Network

Use this selector to match all traffic routed through a specific Tunnel Virtual Network via the WARP client.

UI nameAPI example
Virtual Networknet.vnet_id == “957fc748-591a-e96s-a15d-1j90204a7923”

Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a Selector in the dashboard policy builder, the Operator dropdown menu will display the available options for that selector.

OperatorMeaning
isequals the defined value
is notdoes not equal the defined value
inmatches at least one of the defined values
not indoes not match any of the defined values
in listin a pre-defined list of values
not in listnot in a pre-defined list of values
matches regexregex evaluates to true
does not match regexregex evaluates to false
greater thanexceeds the defined number
greater than or equal toexceeds or equals the defined number
less thanbelow the defined number
less than or equal tobelow or equals the defined number

Value

You can input a single value or use regular expressions to specify a range of values.

Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. To evaluate if your regex matches, you can use Rustexp.

Logical operators

To evaluate multiple conditions in an expression, select the And logical operator. These expressions can be compared further with the Or logical operator.

OperatorMeaning
Andmatch all of the conditions in the expression
Ormatch any of the conditions in the expression

The Or operator will only work with conditions in the same expression group. For example, you cannot compare conditions in Traffic with conditions in Identity or Device Posture.