Jun 22, 2026

Manage Cloudflare Zero Trust IP Allowlists From Your IT Documentation Platform

MSPs running Cloudflare Zero Trust across multiple clients need a reliable source of truth for Gateway IP lists. Weavestream's Cloudflare integration keeps those lists in sync — and automatically corrects any out-of-band edits.

Here’s a scenario that’s easy to get into and hard to get out of.

You set up Cloudflare Zero Trust for a client. You create a Gateway IP list — a named list of allowed IP addresses that an Access policy uses to control who can reach the client’s internal tools. You add the office IP, a couple of remote worker addresses, and move on. A few months later, someone opens a ticket. They can’t reach the application. You dig in and find that someone updated the IP list directly on the Cloudflare dashboard while troubleshooting something else, and the change wasn’t documented anywhere.

This isn’t a Cloudflare-specific problem. It’s the problem of infrastructure state that lives in a vendor dashboard and nowhere else — no audit trail, no canonical record, no clear ownership. When things break, the first question is always “what changed?” and the answer is usually “nobody’s sure.”

Weavestream’s Cloudflare Zero Trust Lists integration is a direct solution to this: instead of the Cloudflare dashboard being the source of truth for your IP lists, Weavestream is.


How the Integration Works

The Cloudflare Zero Trust Lists integration in Weavestream is push-based. You configure it once with your Cloudflare account ID and an API token scoped to Zero Trust Edit access, and Weavestream imports the current state of your IP lists as a starting point. From that moment, any change you make in Weavestream — adding an IP, removing an IP, editing a description — is pushed to Cloudflare immediately.

You’re not scheduling syncs or waiting for a batch job. Add an IP in Weavestream, and it’s live in your Cloudflare Access policy within seconds.

A single integration can manage multiple lists. If you have one list for each client’s office network, another for a shared VPN egress, and a third for a partner network, they all live under one integration in Weavestream.


Drift Detection and Self-Healing

The more interesting part is what happens when someone bypasses Weavestream and edits the list directly on the Cloudflare dashboard.

Weavestream runs a periodic drift sweep against every registered list. It compares what Cloudflare has against what Weavestream has. If they diverge — an entry was added or removed outside of Weavestream — it automatically re-pushes the correct entries to restore sync.

The list status shows In sync or Drift detected at a glance. You can also trigger an immediate check rather than waiting for the next scheduled sweep. If the correction fails (a temporary API error, say), the status stays at Drift detected and the error detail is shown, so nothing fails silently.

The design philosophy here is deliberate: Weavestream is the source of truth, and deviations are not accepted. Any out-of-band edit to Cloudflare will be silently reverted. If you want to make a change, you make it in Weavestream, where it’s logged and tracked.


The Audit Trail

Every IP entry change — add, edit, remove — is recorded in Weavestream’s audit log with the actor, timestamp, and IP address. This is the same append-only audit log that captures every other change in the platform.

For MSPs with clients in regulated industries, this matters. When an auditor asks who added a specific IP to the allowlist and when, you have an answer. When a technician who left the company last quarter is suspected of making a change, you can check. The Cloudflare dashboard’s built-in audit history is limited and not always retained long enough for compliance purposes. Weavestream’s audit log is indefinite and queryable alongside everything else in the platform.
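To make the drift sweep and the audit trail described above concrete, here is an added Python example written for this post; it is not Weavestream's code and does not use its internals. It keeps the desired entries as the source of truth, pushes edits immediately, diffs the desired state against the remote list on each sweep, re-pushes on divergence, leaves the status at Drift detected with the error attached when the push fails, and appends every change to an audit log with actor, timestamp and IP. The in-memory `FakeGatewayListClient` stands in for Cloudflare's Gateway lists API (a real client would wrap GET/PUT on `/accounts/{account_id}/gateway/lists/{list_id}`); its `fail_next` flag, the `ListManager` class, the status strings and the audit action names are all assumptions of the example.

```python
"""Drift-sweep reconciler for a Cloudflare Gateway IP list (constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone


class RemoteError(Exception):
    """Transient failure from the list API, e.g. an HTTP 5xx."""


class FakeGatewayListClient:
    """In-memory stand-in for the Cloudflare Gateway lists API: one set per list_id.
    Set ``fail_next`` to make the next push raise RemoteError (simulated outage)."""

    def __init__(self) -> None:
        self.lists: dict[str, set[str]] = {}
        self.fail_next = False

    def get_items(self, list_id: str) -> set[str]:
        return set(self.lists.get(list_id, set()))  # a copy, never the live set

    def put_items(self, list_id: str, items: set[str]) -> None:
        if self.fail_next:
            self.fail_next = False
            raise RemoteError("502 Bad Gateway")
        self.lists[list_id] = set(items)


@dataclass
class AuditEvent:
    actor: str
    action: str  # "add" | "remove" | "drift" | "restore"
    ip: str
    at: str      # UTC ISO-8601 timestamp


@dataclass
class ManagedList:
    list_id: str
    desired: set[str] = field(default_factory=set)  # the source of truth
    status: str = "In sync"
    error: str | None = None


class ListManager:
    """Owns the desired entries for each linked list and the append-only audit log."""

    def __init__(self, client: FakeGatewayListClient) -> None:
        self.client = client
        self.lists: dict[str, ManagedList] = {}
        self.audit: list[AuditEvent] = []  # only ever appended to

    def _log(self, actor: str, action: str, ip: str) -> None:
        self.audit.append(AuditEvent(actor, action, ip, datetime.now(timezone.utc).isoformat()))

    def link(self, list_id: str) -> ManagedList:
        """Register a list, importing its current remote entries as the starting state."""
        managed = ManagedList(list_id, desired=self.client.get_items(list_id))
        self.lists[list_id] = managed
        return managed

    def _push(self, managed: ManagedList) -> bool:
        """Write desired state to the remote list; a failed push keeps the drift visible."""
        try:
            self.client.put_items(managed.list_id, managed.desired)
        except RemoteError as exc:
            managed.status, managed.error = "Drift detected", str(exc)
            return False
        managed.status, managed.error = "In sync", None
        return True

    def add_ip(self, list_id: str, ip: str, actor: str) -> bool:
        ipaddress.ip_network(ip, strict=False)  # reject malformed entries before they reach a policy
        managed = self.lists[list_id]
        managed.desired.add(ip)
        self._log(actor, "add", ip)
        return self._push(managed)  # pushed immediately, no batch job

    def remove_ip(self, list_id: str, ip: str, actor: str) -> bool:
        managed = self.lists[list_id]
        managed.desired.discard(ip)
        self._log(actor, "remove", ip)
        return self._push(managed)

    def sweep(self, list_id: str) -> dict:
        """One drift check: diff remote against desired and re-push if they diverge."""
        managed = self.lists[list_id]
        remote = self.client.get_items(list_id)
        extra = remote - managed.desired    # added out of band
        missing = managed.desired - remote  # removed out of band
        if not extra and not missing:
            managed.status, managed.error = "In sync", None
            return {"drift": False, "extra": [], "missing": [], "corrected": True}
        for ip in sorted(extra | missing):
            self._log("drift-sweep", "drift", ip)
        corrected = self._push(managed)
        if corrected:
            for ip in sorted(extra | missing):
                self._log("drift-sweep", "restore", ip)
        return {"drift": True, "extra": sorted(extra), "missing": sorted(missing),
                "corrected": corrected}
```

The sweep logs the out-of-band entries before attempting the correction, so a failed re-push still leaves a record of what diverged; the next successful sweep then logs the restore. Reading the remote list through a copy rather than the live set is what makes the diff trustworthy: the reconciler never compares desired state against an object it has itself mutated.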


Why This Belongs in Your Documentation Platform

The argument for managing Cloudflare Zero Trust IP lists in Weavestream rather than directly in Cloudflare comes down to the same argument for centralised IT documentation in general: vendor dashboards are excellent operational tools and poor long-term records.

Most MSPs running Zero Trust at any scale are managing lists for multiple clients. Doing that across multiple Cloudflare accounts, through the Cloudflare dashboard, with no common audit trail and no connection to the rest of the client’s network documentation is workable until something goes wrong. Then it’s the kind of work that takes hours.

Weavestream connects the IP list to the rest of the picture. You can see the Cloudflare integration alongside the client’s IPAM subnets, their firewall asset records, and their domain monitoring entries. The IP you’re allowing through Zero Trust is probably documented somewhere else in that client’s workspace. Now the two are in the same platform, managed with the same access controls and audit trail.


Setting It Up

The integration requires a Cloudflare API token with the Zero Trust: Edit permission. Create it under Profile → API Tokens → Create Custom Token in the Cloudflare dashboard.

In Weavestream, go to Admin → Integrations → New Integration, select Cloudflare Zero Trust Lists, and enter your Account ID and API token. Click Test Connection to confirm the credentials work and see how many Gateway lists are accessible.

After saving the integration, open it and click Link Cloudflare List to register the specific list or lists you want Weavestream to manage. Weavestream imports the current entries from Cloudflare as a starting state. From that point, the list belongs to Weavestream.

You can register multiple lists — one per client, one per use case — under a single integration. The integration detail page shows each list’s sync status and lets you manage entries directly.


A Note on Scope

The integration manages Zero Trust Access Control Lists — the named IP lists under Zero Trust → Reusable Components → Lists. It does not manage the WAF Rules Lists found under Account → Configurations → Lists, which are a separate Cloudflare product. Make sure you’re in the Zero Trust section when creating the lists you want to connect.

Removing the integration from Weavestream removes Weavestream’s local copy only. The Cloudflare list and its entries are not deleted. This means you can safely experiment with the integration setup without risk to your client’s live Cloudflare policy.


Weavestream is a free, self-hosted, open-source IT documentation platform for MSPs and IT teams. It runs on Docker and Postgres, and includes asset management, a credential vault, IPAM, domain and SSL monitoring, a client portal, audit logging, and more. Find out more at weavestream.io.