Cloudinary's remote fetch capability allows you to deliver images and videos stored on external servers directly through the Cloudinary CDN — without needing to upload them to your Cloudinary account first. Understanding when and how Cloudinary fetches remote assets is important if you need to configure your origin server's firewall, whitelist or block Cloudinary's requests, or troubleshoot unexpected traffic.
When does Cloudinary fetch remote assets?
Cloudinary fetches content from a remote URL in the following scenarios:
- Fetch delivery type: When you use the fetch delivery type in a Cloudinary URL (e.g. https://res.cloudinary.com/<cloud_name>/image/fetch/<remote_url>), Cloudinary retrieves the image or video from the specified origin URL and serves it through its CDN. Subsequent requests are served from cache until the asset expires.
- Auto-upload (mapped folders): When you configure an auto-upload mapping, Cloudinary fetches assets from your origin server the first time they are requested via the mapped Cloudinary URL. The asset is then stored in your Cloudinary account for future delivery.
- Cache refresh or expiry: When a previously fetched asset's cache expires or is explicitly invalidated, Cloudinary will re-fetch the asset from the origin to serve an updated version.
In all of these cases, the outbound HTTP request originates from Cloudinary's infrastructure and reaches your origin server or the specified remote URL.
Identifying Cloudinary fetch requests
All remote fetch requests made by Cloudinary include the following User-Agent header, which you can use to identify, whitelist, or block them on your origin server:
Mozilla/5.0 (compatible; Cloudinary/1.0)
You can configure your web server, CDN, or firewall rules to look for this User-Agent string to distinguish Cloudinary fetch traffic from regular end-user traffic. This is especially useful if you want to:
- Whitelist Cloudinary: Allow requests with this User-Agent to bypass rate limiting, authentication walls, or geo-restrictions on your origin.
- Block Cloudinary: Deny access to assets on your origin that you do not want Cloudinary to fetch or cache.
- Monitor fetch activity: Filter your server access logs for this User-Agent to audit which assets Cloudinary is retrieving and how frequently.
Dedicated IP addresses for fetchers (Enterprise plans)
By default, Cloudinary's fetch requests originate from a shared pool of IP addresses used across the platform. For most use cases, identifying requests by User-Agent is sufficient.
However, if your origin server requires IP-based allowlisting — for example, due to strict firewall policies or compliance requirements — Cloudinary offers the option to assign dedicated IP addresses to your account's fetch infrastructure. This allows you to whitelist a fixed, predictable set of IPs that all outbound fetch requests from your Cloudinary account will use.
Dedicated fetch IP addresses are available exclusively on Enterprise plans. If you are on an Enterprise plan and would like to enable this feature, or if you would like to learn more about upgrading, please contact Cloudinary Support. Our team will work with you to configure dedicated IPs for your account.
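The log audit described under "Monitor fetch activity", combined with the dedicated-IP allowlist, as an added example (not Cloudinary's own code). Because the User-Agent header is set by the requester, the script also reports requests that carry the Cloudinary User-Agent from addresses outside the expected set. It assumes Combined Log Format; the networks in DEDICATED_FETCH_NETS are placeholder documentation ranges, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

CLOUDINARY_UA = "Mozilla/5.0 (compatible; Cloudinary/1.0)"

# Assumption: placeholder networks standing in for the dedicated fetch IPs
# assigned to your account (RFC 5737 documentation range, not real Cloudinary IPs).
DEDICATED_FETCH_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def audit_fetches(lines, allowed_nets=DEDICATED_FETCH_NETS):
    """Return (fetch counts per path, Cloudinary-UA requests from unexpected IPs)."""
    counts = Counter()
    unexpected = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["ua"] != CLOUDINARY_UA:
            continue  # unparseable line, or not a Cloudinary fetch request
        try:
            trusted = any(ipaddress.ip_address(m["ip"]) in net for net in allowed_nets)
        except ValueError:
            trusted = False  # hostname or malformed value in the client field
        if trusted:
            counts[m["path"]] += 1
        else:
            unexpected.append((m["ip"], m["path"]))
    return counts, unexpected

# Constructed sample access-log lines (not real traffic).
UA = '"-" "Mozilla/5.0 (compatible; Cloudinary/1.0)"'
SAMPLE_LOG = [
    f'192.0.2.5 - - [10/Mar/2025:10:00:01 +0000] "GET /img/a.jpg HTTP/1.1" 200 5120 {UA}',
    f'192.0.2.5 - - [10/Mar/2025:11:00:01 +0000] "GET /img/a.jpg HTTP/1.1" 200 5120 {UA}',
    f'192.0.2.9 - - [10/Mar/2025:11:05:00 +0000] "GET /img/b.png HTTP/1.1" 200 900 {UA}',
    f'203.0.113.77 - - [10/Mar/2025:11:06:00 +0000] "GET /private/report.pdf HTTP/1.1" 200 70000 {UA}',
    '198.51.100.20 - - [10/Mar/2025:11:07:00 +0000] "GET /img/a.jpg HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
]

if __name__ == "__main__":
    fetch_counts, suspicious = audit_fetches(SAMPLE_LOG)
    for path, n in fetch_counts.most_common():
        print(f"{n:4d}  {path}")
    for ip, path in suspicious:
        print(f"Cloudinary User-Agent from unexpected address {ip}: {path}")
```

On the default shared IP pool there is no fixed address set to compare against, so the second list is only meaningful once dedicated IPs are configured.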
Need help?
If you have questions about configuring your firewall, identifying fetch traffic, or enabling dedicated IP addresses for your account, open a support ticket and our team will be happy to assist.