DdosAllowlistEntry

Source: src/Cloudflare/DdosProtection/AllowlistEntry.ts

An Advanced TCP Protection allowlist entry (Magic Transit).

Traffic from an allowlisted prefix bypasses Advanced TCP Protection entirely. An entry’s identity is its prefix — only comment and enabled are mutable in place; changing the prefix triggers a replacement.

Requires the Magic Transit / Advanced TCP Protection entitlement; on accounts without it every API call fails with the typed AdvancedTcpProtectionNotEntitled error.

Safety: allowlist entries carry no ownership markers. When there is no prior state, read scans for an existing entry with the same prefix and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.

Allowlist a trusted prefix

const entry = yield* Cloudflare.DdosAllowlistEntry("OfficeEgress", {
  prefix: "192.0.2.0/24",
  enabled: true,
});

Staged entry with an explicit comment

// `enabled: false` keeps the entry inert until you flip it on.
yield* Cloudflare.DdosAllowlistEntry("PartnerRange", {
  prefix: "198.51.100.0/24",
  comment: "partner NAT range — enable during migration",
  enabled: false,
});
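
Because an allowlisted prefix bypasses Advanced TCP Protection entirely and the prefix is the entry's identity, it is worth checking the string before it reaches the resource. The guard below is an added example, not part of this project's code: `checkAllowlistPrefix`, `PrefixCheck` and the `MIN_PREFIX_LEN` policy floor are hypothetical names and values, and it handles IPv4 only.

```typescript
// Added example: pre-deploy guard for allowlist prefixes (IPv4 only).
// MIN_PREFIX_LEN is an assumed local policy value, not a Cloudflare limit.
const MIN_PREFIX_LEN = 16;

type PrefixCheck = { ok: true; canonical: string } | { ok: false; reason: string };

function checkAllowlistPrefix(prefix: string, minLen: number = MIN_PREFIX_LEN): PrefixCheck {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(prefix.trim());
  if (!m) return { ok: false, reason: "not an IPv4 CIDR prefix" };
  const octets = m.slice(1, 5).map(Number);
  const len = Number(m[5]);
  if (octets.some((o) => o > 255) || len > 32) {
    return { ok: false, reason: "octet or prefix length out of range" };
  }
  // Allowlisted traffic skips protection entirely, so refuse very wide ranges.
  if (len < minLen) {
    return { ok: false, reason: `/${len} is broader than the /${minLen} policy floor` };
  }
  // Unsigned 32-bit arithmetic: >>> 0 keeps values non-negative.
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  const network = (addr & mask) >>> 0;
  const canonical =
    [24, 16, 8, 0].map((s) => (network >>> s) & 0xff).join(".") + `/${len}`;
  // Host bits set means the written prefix is not the network it covers.
  if (network !== addr) {
    return { ok: false, reason: `host bits set; canonical form is ${canonical}` };
  }
  return { ok: true, canonical };
}

// Constructed sample inputs (documentation ranges plus deliberately bad values).
for (const p of ["192.0.2.0/24", "198.51.100.7/24", "0.0.0.0/0", "203.0.113.0/33"]) {
  console.log(p, JSON.stringify(checkAllowlistPrefix(p)));
}
```

Run the check in the deploy program before constructing the entry, and fail the deployment when `ok` is false.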