Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Cannot add specific Cloudflare IP range to Lightsail instance

0

I have a Lightsail instance that I restrict to Cloudflare IPv4 and v6 ranges (under the "Networking" tab). There is one range, 104.24.0.0/14, that I cannot add to the IPv4 firewall. I've tried both with CIDR notation and "dash" notation, but it does not show up in the list of rules after clicking Save. All of the other ranges get added successfully. Is there a reason why Lightsail would not accept this range?

Thanks, Mike

Topics
Compute
Tags
Amazon Lightsail
Language
English
asked 15 days ago38 views
3 Answers
1

You're encountering a limitation with Amazon Lightsail's firewall configuration. Lightsail has specific limits on firewall rules that might be affecting your ability to add the 104.24.0.0/14 CIDR range.

Each Lightsail instance has two firewalls - one for IPv4 and one for IPv6. The limit for adding source IP addresses is 30 at a time using the console, or up to 60 using the API, AWS CLI, or SDK. This limit applies separately to IPv4 and IPv6 rules.

There are a few possible reasons why the specific CIDR range isn't being added:

  1. You may have reached the maximum number of firewall rules (60) for your instance.
  2. The specific CIDR range might be too large or not properly formatted.
  3. There could be an issue with how Lightsail processes this particular range.

To troubleshoot this issue:

  • Try adding the range using the AWS CLI or SDK instead of the console, as this allows for up to 60 rules instead of 30.
  • Consider breaking down the large CIDR range into smaller subnets if possible.
  • Check if you've reached the quota for firewall rules in your account for that AWS Region.

If you continue to experience issues, you might need to contact AWS Support, as there could be an account-specific limitation or a technical issue with that particular CIDR range.
Sources
Lightsail Firewall Limit - Cloudfront | AWS re:Post
Lightsail IP/Port Quota Increase | AWS re:Post
PortInfo - Amazon Lightsail

answered 15 days ago
AWS
EXPERT
reviewed 15 days ago
0

I was able to verify that the range is, in fact, assigned to the instance by using the get-instance command in CloudShell. The issue appears to be that the Lightsail web dashboard is only displaying 14 of the 15 IPv4 ranges I've added.

answered 15 days ago
0

When you create a new firewall rule with a CIDR range that overlaps with an existing rule's CIDR range, Lightsail automatically consolidates the overlapping ranges into a single, unified CIDR range.

For example, if you have an existing rule with CIDR range 172.16.10.0/24 (172.16.10.0 to 172.16.10.255) and add a new rule with 172.16.8.0/22 (172.16.8.0 to 172.16.11.255), the overlapping ranges will be merged into a single CIDR range (172.16.8.0 to 172.16.11.255).

AWS
answered 13 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content