r/CloudFlare: Zero trust dynamic ip

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/wr3hpl/zero_trust_dynamic_up/

Question

I’m looking at using Zero Trust for authentication. I want to allow access if on the premises without going through the authentication. How do I auto-update to allow the dynamic IP of the premises?

Answer

I don't see a way to make this work. If you have dual stack and a static IPv6 prefix, you could filter with IPv6. A better way to achieve this, instead of filtering by IP and opening your services to attacks if someone is able to utilize your company network, is to deploy the WARP client and activate the option to utilize the WARP client authentication. That way all company clients don't get an auth prompt, but everyone else in this world will. And you don't have a dependency on your on-prem network and its security.
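As an added illustration of the two approaches contrasted in the answer (not code from the original thread), here is a Terraform sketch using the Cloudflare provider: the IP-allowlist policy the question asks for, next to an Access application that accepts the WARP session as identity so enrolled company devices are not prompted while everyone else is. The resource and attribute names are assumed from the provider's documented `cloudflare_access_application` and `cloudflare_access_policy` resources; the zone, domain, and email domain are placeholders.

```hcl
# Assumed: Cloudflare Terraform provider v4 resource/attribute names.
# Placeholders: var.zone_id, "intranet.example.com", "example.com".

resource "cloudflare_access_application" "intranet" {
  zone_id          = var.zone_id
  name             = "Intranet"
  domain           = "intranet.example.com"
  type             = "self_hosted"
  session_duration = "24h"

  # This is the "WARP client authentication" option from the answer:
  # a device already signed in to WARP satisfies Access with that identity,
  # so company clients see no extra prompt. Anyone else is sent to the IdP.
  allow_authenticate_via_warp = true
}

# The approach the question asked for (weak): trust an office egress address.
# A dynamic IP silently breaks it, and any host that reaches the office LAN,
# whether an employee laptop or an attacker's implant, is let in without auth.
# Kept here only as the "before" configuration; do not deploy both.
# resource "cloudflare_access_policy" "office_ip" {
#   application_id = cloudflare_access_application.intranet.id
#   zone_id        = var.zone_id
#   name           = "Allow office egress IP (no auth)"
#   precedence     = 1
#   decision       = "bypass"
#   include {
#     ip = ["203.0.113.10/32"] # placeholder office address
#   }
# }

# The approach the answer recommends: decide on identity, not on network.
# WARP-enrolled company devices match this policy via their WARP session;
# everyone else must log in through the IdP to prove the same identity.
resource "cloudflare_access_policy" "company_users" {
  application_id = cloudflare_access_application.intranet.id
  zone_id        = var.zone_id
  name           = "Allow company identities"
  precedence     = 1
  decision       = "allow"
  include {
    email_domain = ["example.com"] # placeholder company domain
  }
}
```

With the IP policy removed there is nothing left that depends on the office's public address, which is the dependency the answer calls out.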

Comment 1 on Answer

Wouldn’t this mean that every computer / device on the network that needs access would have to download the WARP client?

My response to comment 1

Yes, you would have to deploy the client to all the affected workstations.