FYI, IP access rules don't count towards the 5 custom rules limit, but the more generous 50k limit.
With fail2ban, you can setup IP access rules via the cftoken-action quite easily.
Security --> WAF --> Tools to access the IP rules in the dashboard. https://developers.cloudflare.com/waf/tools/ip-access-rules/
Hijacking: With the above solution, it's also super easy to install modpacks and I would recommend Modrinth as both the modded Minecraft launcher and mod-shareplace.
https://docker-minecraft-server.readthedocs.io/en/latest/mods-and-plugins/
Went the same route last year and had no issues.
Wir sind daher in der Familie dazu übergegangen, dass wir uns zwar nichts mehr schenken, aber jeder etwas zum Essen/Trinken beisteuert. Gastgeber kümmert sich um Hauptgang und Vorspeise und jemand anderes bringt die Nachspeise mit und noch jemand anderes bringt vielleicht einen netten Wein mit.
Von meiner Seite gibt es dieses Jahr Plätzchen: Kakao-Schoko-Kekse, gefüllte Brombeer-Engelsaugen und Kokos-Makronen :)
WAF custom rules are more flexible, of course, and from a business perspective, I can understand why they would recommend that option instead.
I currently filter on an nginx access log file among other filters (sshd, bot-search, bad-requests) and let fail2ban execute the ban/unban action itself.
From a quick search, it should be possible to handle bans/unbans externally, if that's what you're after.