How to bypass Cloudflare and how to protect your websites (kerkour.com)
5 points by sylvain_kerkour 991 days ago
1 comment

Note that when allowlisting Cloudflare IPs as a defense mechanism, it's also important to make sure your web server only responds to requests whose `Host` header actually specifies a host in your domain. Otherwise, an attacker can set up their own Cloudflare account and configure your origin IP as their own origin IP, and thus cause requests to be sent to your origin from Cloudflare -- but the `Host` header will identify the attacker's domain.

But I definitely would recommend Cloudflare Tunnel or Authenticated Origin Pulls (with per-zone certificates) instead of allowlisting IPs.

(Disclosure: I work for Cloudflare.)
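The origin-side check described in the comment above, as an added example that is not part of the original comment or of Cloudflare's code: a request is served only if the peer address is in the proxy allowlist and the `Host` header names a host this origin actually serves. The network ranges, hostnames, and the `normalize_host` and `admit` functions are assumptions made for illustration.

```python
import ipaddress

# Assumption: placeholder ranges from documentation address space.
# Replace with the ranges Cloudflare currently publishes.
PROXY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
# Assumption: the hostnames this origin actually serves.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def normalize_host(header):
    """Return the lowercase hostname from a Host header, or None if malformed."""
    if not header:
        return None
    host = header.strip()
    if host.startswith("["):  # IPv6 literal, never one of our names
        return None
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():
        return None
    name = name.rstrip(".").lower()  # "Example.COM." -> "example.com"
    return name or None


def admit(peer_ip, host_header):
    """Return (allowed, reason); the IP check and the Host check must both pass."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "bad peer address"
    if not any(addr in net for net in PROXY_NETS):
        return False, "peer not in proxy allowlist"
    # The allowlist alone is not enough: another account on the same proxy
    # can point its own zone at this origin, so the Host must be ours.
    if normalize_host(host_header) not in ALLOWED_HOSTS:
        return False, "host not served here"
    return True, "ok"


# Constructed sample requests: (peer address, Host header).
SAMPLES = [
    ("203.0.113.10", "www.example.com"),
    ("203.0.113.10", "Example.COM:443"),
    ("203.0.113.10", "attacker.example.net"),
    ("198.51.100.7", "www.example.com"),
]

if __name__ == "__main__":
    for peer, host in SAMPLES:
        print(peer, host, admit(peer, host))
```

In a real deployment the same two conditions are usually enforced in the firewall and in the web server's default virtual host rather than in application code.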