From 870f0c6026168d5bc73904ef070f3365a46d2b62 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 9 Apr 2026 10:38:16 +0100
Subject: [PATCH 1/2] [Spectrum, WAF] Add limitation
---
src/content/docs/spectrum/reference/limitations.mdx | 7 ++++++-
src/content/docs/waf/tools/ip-access-rules/create.mdx | 7 ++++---
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/content/docs/spectrum/reference/limitations.mdx b/src/content/docs/spectrum/reference/limitations.mdx
index b7a15ef58a64092..375ad0ba291df7b 100644
--- a/src/content/docs/spectrum/reference/limitations.mdx
+++ b/src/content/docs/spectrum/reference/limitations.mdx
@@ -2,7 +2,6 @@
pcx_content_type: reference
title: Limitations
weight: 0
-
---
The following limitations apply to different protocols supported by Spectrum.
@@ -45,3 +44,9 @@ By default, Spectrum is configured to listen on all ports, which can raise conce
When a TCP handshake is initiated to any port for a Spectrum IP, the handshake will always be completed. If there is a Spectrum application configured for the port, the connection will be proxied to origin. If no application is configured, the connection is immediately terminated and no origin connection will be opened.
Spectrum will only ever proxy traffic to an origin if there is a Spectrum application configured for that port.
+
+## IP access control
+
+Currently, [custom rules](/waf/custom-rules/) do not work with Spectrum applications. Use [IP Access rules](/waf/tools/ip-access-rules/) to allowlist, block, and challenge traffic for Spectrum applications based on the request's IP address, Autonomous System Number (ASN), or country.
+
+Refer to [Configuration options](/spectrum/reference/configuration-options/#ip-access-rules) for more information.
diff --git a/src/content/docs/waf/tools/ip-access-rules/create.mdx b/src/content/docs/waf/tools/ip-access-rules/create.mdx
index 5f80ff482140fbb..63b327cff51eb60 100644
--- a/src/content/docs/waf/tools/ip-access-rules/create.mdx
+++ b/src/content/docs/waf/tools/ip-access-rules/create.mdx
@@ -8,14 +8,15 @@ sidebar:
import { TabItem, Tabs, Steps, DashButton } from "~/components";
-:::caution[Recommendation: Use custom rules instead]
-Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking).
+:::tip
+Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking).
+However, currently custom rules do not work with [Spectrum applications](/spectrum/).
:::
:::note
-IP Access Rules are only available in the new security dashboard if you have configured at least one IP access rule. Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of IP Access Rules.
+IP Access Rules are only available in the new security dashboard if you have configured at least one IP access rule.
:::
From 605974dbc6a989ac77a76957ebcfbe13970997b2 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 9 Apr 2026 14:30:09 +0100
Subject: [PATCH 2/2] Undo change to aside
---
src/content/docs/waf/tools/ip-access-rules/create.mdx | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/waf/tools/ip-access-rules/create.mdx b/src/content/docs/waf/tools/ip-access-rules/create.mdx
index 63b327cff51eb60..ab51cd1652f083f 100644
--- a/src/content/docs/waf/tools/ip-access-rules/create.mdx
+++ b/src/content/docs/waf/tools/ip-access-rules/create.mdx
@@ -8,9 +8,8 @@ sidebar:
import { TabItem, Tabs, Steps, DashButton } from "~/components";
-:::tip
-Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking).
-However, currently custom rules do not work with [Spectrum applications](/spectrum/).
+:::tip[Recommendation: Use custom rules instead]
+Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking).
:::