Dedicated egress IPs

Many third-party services require you to allowlist specific source IP addresses before they accept connections. Dedicated egress IPs are static IP addresses assigned exclusively to your account — no other Cloudflare customer shares them.

Each dedicated egress IP consists of an IPv4 address and an IPv6 range, both tied to a specific Cloudflare data center. Cloudflare provisions your account with at least two dedicated egress IPs in two different cities.

You can request additional dedicated egress IPs at any time. Contact your account team to schedule a service window.

Turn on egress IPs

To start routing traffic through dedicated egress IPs:

  1. Contact your account team to obtain a dedicated egress IP.
  2. In Cloudflare One, go to Traffic policies > Traffic settings.
  3. Turn on Allow Secure Web Gateway to proxy traffic.
  4. Select TCP.
  5. (Optional) Select UDP. This will allow HTTP/3 traffic to egress with your dedicated IPs.

Dedicated egress IPs are now turned on for all network and HTTP traffic proxied by Gateway. To selectively turn on dedicated egress IPs for a subset of your traffic, refer to egress policies.

Verify egress IPs

To check if your device is using the correct dedicated egress IP:

  1. Verify that the device is connected to your Zero Trust organization through the Cloudflare One Client.
  2. Determine the source IPv4 address of your device by going to https://ipv4.icanhazip.com/.
  3. Determine the source IPv6 address of your device by going to https://ipv6.icanhazip.com/.
  4. Verify that the source IPv4 and IPv6 addresses match your dedicated egress IP.

When testing against another origin, you may see either an IPv4 or IPv6 address. Gateway does not control which protocol is used — some origins only support one protocol, and when both are available, the client operating system and browser decide. For example, Windows favors IPv6 by default.
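The verification steps above can be scripted. The following is an added example, not Cloudflare's own tooling: it fetches the source address from the two icanhazip endpoints and compares it with the dedicated egress IP, testing IPv6 by range membership because the dedicated IPv6 side is a range rather than a single address. The expected addresses are constructed placeholders from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import urllib.request

# Constructed placeholders (documentation ranges), not real Cloudflare allocations.
# Replace with the values shown for your account.
EXPECTED_IPV4 = "203.0.113.10"
EXPECTED_IPV6_RANGE = "2001:db8:1234:5678::/64"

ECHO_URLS = {4: "https://ipv4.icanhazip.com/", 6: "https://ipv6.icanhazip.com/"}


def matches_dedicated_egress(observed, ipv4=EXPECTED_IPV4, ipv6_range=EXPECTED_IPV6_RANGE):
    """Return True if the observed source address is a dedicated egress address."""
    addr = ipaddress.ip_address(observed.strip())
    if addr.version == 4:
        # The IPv4 side is a single address: exact match required.
        return addr == ipaddress.ip_address(ipv4)
    # The IPv6 side is a range: any address inside it is valid.
    return addr in ipaddress.ip_network(ipv6_range, strict=True)


def observed_source(version, timeout=5):
    """Ask the echo service which source address it sees; None if unreachable."""
    try:
        with urllib.request.urlopen(ECHO_URLS[version], timeout=timeout) as resp:
            return resp.read().decode("ascii").strip()
    except OSError:
        # No route for this address family, DNS failure, or timeout.
        return None


def verify(fetch=observed_source):
    """Return {4: status, 6: status}: 'match', 'mismatch', 'unreachable' or 'invalid'."""
    report = {}
    for version in (4, 6):
        seen = fetch(version)
        if seen is None:
            report[version] = "unreachable"
            continue
        try:
            ok = matches_dedicated_egress(seen)
        except ValueError:
            # The response was not an IP address (for example, a captive portal page).
            report[version] = "invalid"
            continue
        report[version] = "match" if ok else "mismatch"
    return report


if __name__ == "__main__":
    print(verify())
```

A result of `unreachable` for one address family means the device has no working path for that protocol, which is distinct from egressing through the wrong IP.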

IPs

Bring your own IP address (BYOIP)

If your organization already owns IPv4 or IPv6 addresses from a regional Internet registry, you can use them as dedicated egress IPs instead of Cloudflare-provided addresses. To obtain an IPv6 range, refer to American Registry for Internet Numbers (ARIN) or Regional Internet Registry for Europe, Middle East and Central Asia (RIPE NCC).

After you onboard your IP addresses, they appear as options when you create an egress policy and choose Use dedicated egress IPs (Cloudflare or BYOIP) as the egress method. BYOIP dedicated egress IPs do not support IP geolocation.

For more information, refer to Cloudflare BYOIP or contact your account team.

Cloudflare IPs

If you do not have your own authority-provided IPv4 and IPv6 addresses, you can use dedicated egress IPs with a Cloudflare IP address.

You can find your leased Gateway dedicated egress IPs on the dashboard under Address space > Leased IPs.

Limitations

Concurrent connections

Each dedicated egress IP supports up to 40,000 concurrent connections per unique combination of destination IP and destination port. You can configure multiple origins for each combination of dedicated egress IP and source port.

Unsupported traffic

Dedicated egress IPs do not apply to the following traffic types. These connections use the default shared IPs because Cloudflare identifies them by other means (for example, tunnel ID or account context) rather than source IP.

  • DNS queries resolved through Gateway
  • Private networks connected to Zero Trust via Cloudflare Tunnel
  • Traffic destined for private networks connected to Zero Trust via Cloudflare WAN
  • ICMP traffic (for example, ping)

Traffic resilience

To improve traffic resilience, assign your dedicated egress IPs to different Cloudflare data center locations. If you have multiple IPs in the same city, choose different data centers within that city. For more information, contact your account team.

When creating egress policies with dedicated egress IPs, you must set a secondary IPv4 address to ensure traffic resilience. You can set the secondary IPv4 address to 0.0.0.0 or a specific Cloudflare location different from your primary IPv4 address. If you set the secondary IPv4 address to 0.0.0.0, Gateway will route traffic to the location closest to the user. If the physical location of your primary IPv4 address is not available, Gateway will route traffic to either the default Cloudflare egress range or the secondary location specified.

IP geolocation

Websites and services use third-party IP geolocation databases to determine where a visitor is located. When you turn on dedicated egress IPs, Gateway updates these databases so they associate your new IPs with the correct city. Until the databases finish updating, services like Google Search may show incorrect regional content — for example, directing users in India to the United States landing page.

Your egress traffic geolocates to the city selected in your egress policies. Traffic that does not match an egress policy defaults to the closest dedicated egress location. Create a catch-all egress policy before dedicated egress IPs are assigned to your account to prevent incorrect geolocation while databases update.

To verify that the IP geolocation has updated, check your dedicated egress IP in one of the supported databases:

Supported IP geolocation databases

Egress location

Where your users' traffic physically exits the Cloudflare network depends on whether the connection uses IPv4 or IPv6.

| Protocol | Destination proxied by Cloudflare | Physical egress location | IP geolocation |
| --- | --- | --- | --- |
| IPv4 | No | Data center with dedicated egress IP | Matches dedicated egress IP location |
| IPv4 | Yes | Locally connected data center | Matches dedicated egress IP location |
| IPv6 | No | Locally connected data center | Matches dedicated egress IP location |
| IPv6 | Yes | Locally connected data center | Matches dedicated egress IP location |

IPv4

IPv4 addresses are scarce, so Cloudflare must physically route IPv4 traffic to the data center where your dedicated address is provisioned. The user connects to the nearest Cloudflare data center, and Cloudflare internally routes the traffic to the dedicated egress location configured in your egress policies. As a result, the data center shown in the user's Cloudflare One Client preferences may differ from the actual egress location.

Performance is better when users visit domains proxied by Cloudflare (orange-clouded domains). In this case, IPv4 traffic physically exits from the most performant data center while still appearing to originate from your dedicated egress location.

For example, assume you have a primary dedicated egress IP in Los Angeles and a secondary dedicated egress IP in New York. A user in Las Vegas would see Las Vegas as their connected data center. If they go to a site not proxied by Cloudflare (gray-clouded), such as espn.com, they will egress from Los Angeles (or whichever city is in the matching egress policy). If they go to an orange-clouded site such as cloudflare.com, they will physically egress from Las Vegas but use Los Angeles as their IP geolocation.

IPv6

Unlike IPv4, IPv6 traffic physically exits from the user's connected data center while still appearing to originate from the dedicated egress IP geolocation. This works because IPv6 has enough address space for Cloudflare to assign IPv6 ranges from all possible geolocations to every data center. Each account receives a /64 IPv6 range.

In the example above, the Las Vegas user would physically egress from Las Vegas but their traffic would IP geolocate to Los Angeles. This means:

| Attribute | Value |
| --- | --- |
| Physical egress | User's closest Cloudflare data center (Las Vegas) |
| IP geolocation | Dedicated egress IP location configured in your egress policy (Los Angeles) |
| Logs | Correct IP geolocation (Los Angeles) even though the physical egress is from a different location (Las Vegas) |

Frequently asked questions (FAQ)

Can I provision the same egress IP address to multiple data centers?

No, egress IPs are limited to a single data center.

Can my users in different locations egress from their closest data center via a single egress IP?

No, traffic exits from the data center where the egress IP is provisioned. If your users are spread across multiple regions, reserve multiple egress IPs in different data centers and assign each user group to the closest one.

Can I use dedicated egress IPs with traffic proxied via PAC files?

Yes, your users will egress via their provisioned IP address.

What happens when I use dedicated egress IPs with Cloudflare Browser Isolation?

Your users will connect to the nearest data center, where the remote browser session will load. The remote browser will then egress via the data center with their provisioned egress IP.

Do dedicated egress IPs work on the Cloudflare China Network?

No, Gateway does not support dedicated egress IPs on the China Network.