
Cloudflare Technical Presentation

March 2019 - Dubai


// What is Cloudflare?
Cloudflare’s global, growing Anycast network

● 15% of global Internet requests
● 10M HTTP requests/second
● 25 Tbps network capacity
● 165+ data centers globally
● 185+ Internet Exchanges

Cloudflare 101

[Diagram: consumers in the Americas, Europe and Asia; AWS; GCP]

Every data center performs every task

● Scalable global network with a modern, unified architecture across all datacenters
● Integrated stack of security, performance and reliability services
● Rapid onboarding, easy configurations

[Diagram: Cloudflare Data Center (DNS, DDoS, TLS, Firewall, Rate Limiting, CDN, WAF, Argo) in front of the Origin Server]

Cloudflare solves today’s internet challenges.

● CDN
● Web optimization
● DDoS
● SSL
● DNS
● Anycast network
● Threat analytics
● Enterprise logs
● Mobile optimization
● WAN optimization
● WAF
● Rate limiting
● Load balancing
● Always online
● Apps platform
● Traffic monitoring

PLATFORM: Edge compute, Apps platform

Scalable ● Modern, unified architecture ● Easy onboarding, fine-grain control


An integrated solution with lower TCO

Each Cloudflare Point of Presence runs an integrated stack of easy-to-use security, performance and reliability services.

[Diagram: DNS, DDoS, SSL/TLS, Firewall, Rate Limiting, CDN, WAF, Argo Smart Routing, Load Balancing, Origin Server]

Cloudflare Security

DDoS Protection
Our enterprise-class DDoS protection network has 20 times more capacity than the largest DDoS attack ever recorded. Operating at the network edge, it protects against all forms of DDoS attacks.

Secure Registrar
Registering your domain through Cloudflare is the most secure way to protect your trademark from domain hijacking.

WAF
Our web application firewall benefits from the collective intelligence of our entire network. When we identify a new threat from one website, we can automatically block it from the other 4,000,000 websites on our network.

Dedicated SSL Certificates
With a few clicks within the Cloudflare dashboard, you can easily and quickly issue new certificates, securely generate private keys and more.

SSL
HTTPS is a must-have for modern websites, and Cloudflare makes it easy to configure SSL. No need to worry about installation issues, expiring certificates, or optimizing your SSL settings.

Other:
● Keyless SSL
● DNSSEC
● Rate Limiting
● Custom firewall rules
● Authentication on the EDGE
● and more...

Cloudflare Security: Life of a Request

Features: Performance

SSL
Modern SSL isn’t just for security—it can actually improve the performance of your website by leveraging features like OCSP stapling, session resumption, HTTP/2, and TLS 1.3.

CDN
Moving content physically closer to visitors with our CDN is one of the easiest ways to improve the performance of your website and reduce load on your web servers.

Website Optimization
Cloudflare lets you automatically enable the latest in web technologies. Our web optimization features cover everything from mobile image optimization to aggressive GZIP and HTTP/2.

Dedicated SSL Certificates
With a few clicks within the Cloudflare dashboard, you can easily and quickly issue new certificates, securely generate private keys and more.

DNS
Cloudflare is one of the fastest managed DNS providers in the world. The same 100 data center network that powers our CDN dramatically speeds up domain resolution for your website’s visitors.

Other:
● Websockets
● Railgun
● HTTP/2
● Mirage
● Mobile Optimization
● Page Rules
● and more...

Cloudflare Web Performance

Global Network
151+ data centers with an Anycast network brings content to users anywhere

DNS
Fast resolution of DNS lookups makes response times faster

CDN/Caching
Reduce travel distance for content by serving from Cloudflare’s data centers instead of origin servers

Load Balancing
Reduce latency by routing requests to the nearest origin server through geo-steering

Railgun
Accelerate dynamic content by compressing origin payloads

China Network
Deliver content directly from China-based servers to customers

Web Standards
Support for web standards such as TLS 1.3, cache control, IPv6, and HTTP/2 improves performance by compressing data, reducing connection times, and giving control over caching content

Web Content Optimization
Faster delivery by reducing payload sizes of images

Argo
Accelerate delivery along Cloudflare’s network through connection keep-alives and route optimization

[Diagram: Webpage, Origin Server]

Features: Reliability

DNS
Cloudflare’s DNS service is powered by the same 100 data center network that powers our DDoS and CDN services. This not only improves DNS resolution times, but also makes DNS-related attacks and outages a thing of the past.

Predictable Bandwidth Costs
We believe that you should never be surprised by your monthly bill. Our flat-rate pricing structure makes your CDN and DDoS bandwidth expenses predictable.

China Network
Cloudflare’s China service optimizes Internet connections in mainland China, dramatically improving the viewing experience for visitors in China.

Other:
● IPv6
● Always Online
● Virtual DNS
● and more...

Cloudflare Load Balancing

• Health checks with fast failover
• Global and local load balancing
• Weight load balancing
• Session-Affinity

Configuration made simple
• Easy configuration through Cloudflare’s dashboard, or automation through a powerful API

DDoS Resilient Service
• Anycast network that is 10X bigger than the largest DDoS attack ever recorded ensures traffic continues to be routed even under stress

Global DNS Network
• Health checks from each of Cloudflare’s datacenters enables fast failover unbound by DNS propagation delays

[Diagram: American Consumers, Origin Pool Americas; European Consumers, Origin Pool Europe; Asian Consumers, Origin Pool Asia]

More information
https://www.cloudflare.com/load-balancing/

Features: Insight

Enterprise Logs
For enterprise customers, we can provide consolidated logs from around the world. These are very rich, containing detailed information about every request and response.

Threats
When we identify requests that are threats, we log them and block them. That means we not only protect your site, but also provide insight into the malicious activity we’re seeing.

Other:
● Analytics
● Apps
● and more...

Cloudflare Workers

The Network is the Computer™

[Diagram: Users; HTTP in, HTTP out, arbitrary code in between; Origin / APIs]

Improved Security Posture
Apply custom security rules and filtering logic.

Increased User Personalization
Respond dynamically with code on the edge.

Reduced Infrastructure Costs
Shift more request handling to the edge.

The story so far...

On premise, Infrastructure (IaaS), Platform (PaaS), Function (FaaS)

$ / machine, $ / hour, $ / request


Use cases today

1. Basic Routing / Header Modification
Lets them swap to and benefit from Cloudflare where they might not have been able to before.

Set Custom TTLs or Cache Keys
Lets them more effectively use the cache to improve user experience and reduce costs.

2. Advanced Routing / Rewrites / Caching
Even more effective use of the cache to improve user experience and further reduce costs and operational overhead.

Authorization / Authentication
By checking for things like existence of a cookie or header Cloudflare can respond faster to unauthed users making things faster and reducing load.

3. Microservice Built on Cloudflare
By building a service on Cloudflare Workers (e.g. a full auth service) orgs get to improve dev velocity with quick deploys / isolated logic.

Application Built on top of Cache
Cache heavy applications become much simpler to architect and maintain becoming

4. Multiple Serverless Microservices or Apps not necessarily Tied to Core CF
By using Workers, customers benefit from the developer productivity gains and platform speed of serverless.

Cloudflare Stream
● All-in-one solution: No integration work necessary, allowing you to focus
on creating the best video experience, not managing different services for
each of those solutions.

● Focus on speed: Eliminates buffering and makes video instant

How It Works

1. Upload a video to Cloudflare
2. Cloudflare stores the video, encodes it to different codecs and stores the newly encoded versions
3. Cloudflare provides an embed code which includes the Cloudflare video player
4. Cloudflare uses adaptive streaming to fetch the best quality video for that network connection and device
5. The video “just works” - looks great and loads quickly on any device type and network connection

Cloudflare Argo Tunnels
● Argo establishes an encrypted tunnel to the
Cloudflare edge without needing to open ports in the
firewall or have a public IP.

● Applications protected by Cloudflare Tunnel receive all of the security and performance benefits of Cloudflare without direct exposure to the internet.

How It Works

1. Install the Cloudflare Warp daemon on a server that is either NAT’ed or behind a firewall and does not have a public IP address
2. The Cloudflare Warp daemon establishes a persistent encrypted virtual tunnel with the nearest Cloudflare data center
3. All requests sent to the application first pass through the Cloudflare data center closest to the visitor
4. Requests then route over optimized transit using Argo Smart Routing to the Cloudflare data center connected to the tunnel
5. Cloudflare connects back to the server over the tunnel, even while the server remains hidden

Cloudflare SSL for SaaS

Branded Visitor Experiences
Full brand recognition for end users through a CNAME’d vanity URL.

Rapid SSL Deployments
Cloudflare immediately transmits new certificate requests, propagating them to the edge and bringing HTTPS online in less than 2 minutes on average.

Secure and Performant Website
Secure the transmission of visitor data over HTTPS and offer end users the performance benefits of the HTTP/2 protocol, only available with SSL.

Automated Lifecycle Management
Cloudflare manages the entire SSL lifecycle for both SaaS providers and end users, requiring no ongoing effort by either party.

[Diagram: Customer Branded Domain (🔒 https://support.customer.com), SSL, SaaS Provider]
1. Purchases SSL certificate from authority
2. Provisions and manages certificate for customer vanity domains
3. Automatically renews certificates for customer vanity domains

Cloudflare Spectrum

Proxy non-HTTP/S TCP traffic through Cloudflare

1. Mitigate DDoS for TCP Protocols and Ports
Cloudflare Spectrum proxies all non-HTTPS TCP traffic through the same 120+ Cloudflare data centers, ensuring protection against DDoS attacks targeting layers 3 and 4 across open ports.

2. Encrypt Non-HTTP/S TCP Traffic
Cloudflare Spectrum encrypts non-HTTP/S TCP traffic with Universal SSL to protect against snooping of data in transit.

3. Block Traffic by IP or IP Range
Spectrum integrates with Cloudflare’s IP Firewall so that traffic from specific IP or IP ranges can be dropped at the edge.

[Diagrams: SFTP, SMTP and SSH traffic; Client; Encrypted TCP Traffic; client IP 10.0.0.1]

Configuring Cloudflare

1. Initial Provisioning (1 hour)
Customer & Cloudflare:
● Orientation and Introduction
Customer:
● Create Cloudflare account
● Import SSL certificates
● Import DNS zone data

2. Network Configuration (2 hours)
Customer & Cloudflare:
● Training session and overview of all features
Customer:
● Configure original visitor IP address
● Ensure Cloudflare is not rate limited or blocked

3. Testing & DNS Changes (1 week)
Cloudflare:
● Confirm proper setup
Customer & Cloudflare:
● Configure test environment
● Perform testing
Customer:
● Enable Cloudflare DNS
● Enable Cloudflare HTTP proxy

4. Support & Operations (NA)
Customer & Cloudflare:
● Quarterly account reviews
Customer:
● Setup custom error pages
● Review contact and escalation procedures

Operation, Support & SLA

24/7/365 Support
We hope you never run into issues with Cloudflare, but in case you do, our 24/7/365 email and emergency phone support hotline is here to help.

Role-based Account Access
For assistance with on-boarding, optimization, and technical support, our Enterprise customers receive named solutions and success engineers.

Named Technical Resources
For assistance with on-boarding, optimization, and technical support, our Enterprise customers receive named solutions and success engineers.

100% Uptime & 25x Enterprise SLA
In the rare event of downtime, Enterprise customers receive 25x the monthly fee credited back in proportion to the respective disruption.

Other:
● PCI Compliance
● Enterprise IP ranges
● and more...

Thank you!
