Product News
<!doctype html> <html lang="en-us" dir="ltr"> <head> <base href=""> <script async src="" data-document-language="true" type="text/javascript" data-domain-script="b1e05d49-f072-4bae-9116-bdb78af15448"></script> <meta name="HandheldFriendly" content="True"> <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="baidu-site-verification" content="KeThzeyMOr"> <meta name="baidu-site-verification" content="code-NIlrS7gNhx"> <meta charset="UTF-8"> <meta name="description" content="Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet."> <title>Product News</title> <meta name="title" content="Product News"> <meta name="msvalidate.01" content="CF295E1604697F9CAD18B5A232E871F6"> <meta class="swiftype" name="language" data-type="string" content="en"> <script src="/static/z/i.js" type="text/javascript" referrerpolicy="origin"></script> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="apple-touch-icon" sizes="180x180" href="/images/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-32x32.png"> <link rel="mask-icon" href="/images/favicon-32x32.png" color="#f78100"> <link rel="stylesheet" href="/themes/ashes.min.css"> <link rel="sitemap" href="/sitemap.xml"> <meta name="msapplication-TileColor" content="#da532c"> <meta name="theme-color" content="#ffffff"> <link rel="canonical" href=""> <link rel="alternate" type="application/rss+xml" title="Cloudflare Product News RSS Feed" href="/tag/product-news/rss"> <link rel="alternate" hreflang="en-us" href=""> <link rel="alternate" hreflang="de-de" href=""> <link rel="alternate" hreflang="es-es" href=""> <link rel="alternate" hreflang="fr-fr" href=""> <link rel="alternate" hreflang="it-it" href=""> <link rel="alternate" hreflang="ja-jp" href=""> <link rel="alternate" hreflang="ko-kr" href=""> <link rel="alternate" hreflang="zh-tw" href=""> <link rel="alternate" hreflang="zh-cn" href=""> <link rel="alternate" hreflang="pt-br" href=""> <link rel="alternate" hreflang="ru-ru" href=""> <link rel="alternate" hreflang="id-id" href=""> <link rel="alternate" hreflang="th-th" href=""> <link rel="alternate" hreflang="pl-pl" href=""><!-- General Meta Tags --> <meta property="article:publisher" content=""><!-- Facebook Meta Tags --> <meta property="og:site_name" content="The Cloudflare Blog"> <meta property="og:type" content="website"> <meta property="og:title" content="The Cloudflare Blog: Product News"> <meta property="og:description" content="Collection of Cloudflare blog posts tagged 'Product News'"> <meta property="og:url" content=""> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="628"><!-- Twitter/X Meta Tags --> <meta name="twitter:title" content="The Cloudflare Blog: Product News"> <meta name="twitter:description" content="Collection of Cloudflare blog posts tagged 'Product News'"> <meta name="twitter:url" content=""> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@cloudflare"> <meta property="og:image"> <meta name="twitter:image"> <link rel="stylesheet" href="/_astro/index.Bpd2cWaZ.css"> <style>astro-island,astro-slot,astro-static-slot{display:contents}</style> <script>(()=>{var e=async t=>{await(await t())()};(self.Astro||(self.Astro={})).only=e;window.dispatchEvent(new Event("astro:only"));})();;(()=>{var A=Object.defineProperty;var g=(i,o,a)=>o in i?A(i,o,{enumerable:!0,configurable:!0,writable:!0,value:a}):i[o]=a;var d=(i,o,a)=>g(i,typeof o!="symbol"?o+"":o,a);{let i={0:t=>m(t),1:t=>a(t),2:t=>new RegExp(t),3:t=>new Date(t),4:t=>new Map(a(t)),5:t=>new Set(a(t)),6:t=>BigInt(t),7:t=>new URL(t),8:t=>new Uint8Array(t),9:t=>new Uint16Array(t),10:t=>new Uint32Array(t),11:t=>1/0*t},o=t=>{let[l,e]=t;return l in i?i[l](e):void 0},a=t=>,m=t=>typeof t!="object"||t===null?t:Object.fromEntries(Object.entries(t).map(([l,e])=>[l,o(e)]));class y extends HTMLElement{constructor(){super(...arguments);d(this,"Component");d(this,"hydrator");d(this,"hydrate",async()=>{var b;if(!this.hydrator||!this.isConnected)return;let e=(b=this.parentElement)==null?void 0:b.closest("astro-island[ssr]");if(e){e.addEventListener("astro:hydrate",this.hydrate,{once:!0});return}let c=this.querySelectorAll("astro-slot"),n={},h=this.querySelectorAll("template[data-astro-template]");for(let r of h){let s=r.closest(this.tagName);s!=null&&s.isSameNode(this)&&(n[r.getAttribute("data-astro-template")||"default"]=r.innerHTML,r.remove())}for(let r of c){let s=r.closest(this.tagName);s!=null&&s.isSameNode(this)&&(n[r.getAttribute("name")||"default"]=r.innerHTML)}let p;try{p=this.hasAttribute("props")?m(JSON.parse(this.getAttribute("props"))):{}}catch(r){let s=this.getAttribute("component-url")||"<unknown>",v=this.getAttribute("component-export");throw v&&(s+=` (export ${v})`),console.error(`[hydrate] Error parsing props for component ${s}`,this.getAttribute("props"),r),r}let u;await this.hydrator(this)(this.Component,p,n,{client:this.getAttribute("client")}),this.removeAttribute("ssr"),this.dispatchEvent(new CustomEvent("astro:hydrate"))});d(this,"unmount",()=>{this.isConnected||this.dispatchEvent(new CustomEvent("astro:unmount"))})}disconnectedCallback(){document.removeEventListener("astro:after-swap",this.unmount),document.addEventListener("astro:after-swap",this.unmount,{once:!0})}connectedCallback(){if(!this.hasAttribute("await-children")||document.readyState==="interactive"||document.readyState==="complete")this.childrenConnectedCallback();else{let e=()=>{document.removeEventListener("DOMContentLoaded",e),c.disconnect(),this.childrenConnectedCallback()},c=new MutationObserver(()=>{var n;((n=this.lastChild)==null?void 0:n.nodeType)===Node.COMMENT_NODE&&this.lastChild.nodeValue==="astro:end"&&(this.lastChild.remove(),e())});c.observe(this,{childList:!0}),document.addEventListener("DOMContentLoaded",e)}}async childrenConnectedCallback(){let e=this.getAttribute("before-hydration-url");e&&await import(e),this.start()}async start(){let e=JSON.parse(this.getAttribute("opts")),c=this.getAttribute("client");if(Astro[c]===void 0){window.addEventListener(`astro:${c}`,()=>this.start(),{once:!0});return}try{await Astro[c](async()=>{let n=this.getAttribute("renderer-url"),[h,{default:p}]=await Promise.all([import(this.getAttribute("component-url")),n?import(n):()=>()=>{}]),u=this.getAttribute("component-export")||"default";if(!u.includes("."))this.Component=h[u];else{this.Component=h;for(let f of u.split("."))this.Component=this.Component[f]}return this.hydrator=p,this.hydrate},e,this)}catch(n){console.error(`[astro-island] Error hydrating ${this.getAttribute("component-url")}`,n)}}attributeChangedCallback(){this.hydrate()}}d(y,"observedAttributes",["props"]),customElements.get("astro-island")||customElements.define("astro-island",y)}})();</script> <meta http-equiv="X-Translated-By" content="Google"> <meta http-equiv="X-Translated-To" content="de"> <script type="text/javascript" src="" data-sourceurl=""></script> <link href=",wght,FILL,GRAD@20..48,100..700,0..1,-50..200" rel="stylesheet"> <script type="text/javascript" src="" data-phishing-protection-enabled="false" data-forms-warning-enabled="true" data-source-url=""></script> <meta name="robots" content="none"> </head> <body> <script type="text/javascript" src=",phishing_protection/ed=1/rs=AN8SPfrf36LIV3DkhtRBGWFnLWWzaykPyw/m=navigationui" data-environment="prod" data-proxy-url="" data-proxy-full-url="" data-source-url="" data-source-language="pl" data-target-language="de" data-display-language="en-GB" data-detected-source-language="" data-is-source-untranslated="false" data-source-untranslated-url="" data-client="tr"></script><astro-island uid="Z12iFuG" component-url="/_astro/GoogleAnalytics.DSjxwi8U.js" component-export="GoogleAnalytics" renderer-url="/_astro/client.DLO1yDVm.js" props="{"title":[0,"Product News"],"canonical":[0,""],"info":[0],"tagInfo":[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"slug":[0,"product-news"],"url":[0,""],"name":[0,"Product News"],"visibility":[0,"public"],"feature_image":[0,""]}],"authorInfo":[0],"translatedPosts":[1,[]]}" ssr client="only" opts="{"name":"GoogleAnalytics","value":"react"}"></astro-island> <script>(()=>{var l=(n,t)=>{let i=async()=>{await(await n())()},e=typeof t.value=="object"?t.value:void 0,s={timeout:e==null?void 0:e.timeout};"requestIdleCallback"in window?window.requestIdleCallback(i,s):setTimeout(i,s.timeout||200)};(self.Astro||(self.Astro={})).idle=l;window.dispatchEvent(new Event("astro:idle"));})();</script><astro-island uid="1miB4t" prefix="r8" component-url="/_astro/Navigation.CSu6dGvY.js" component-export="Navigation" renderer-url="/_astro/client.DLO1yDVm.js" props="{"title":[0,"The Cloudflare Blog"],"logo":[0,"//"],"pagesStore":[0,{"page":[0,"Tag"],"slug":[0,"product-news"],"translationsAvailable":[1,[[0,"de-de"],[0,"es-es"],[0,"fr-fr"],[0,"it-it"],[0,"ja-jp"],[0,"ko-kr"],[0,"zh-tw"],[0,"zh-cn"],[0,"pt-br"],[0,"ru-ru"],[0,"id-id"],[0,"th-th"],[0,"pl-pl"]]],"navData":[1,[[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:42:46.231Z"],"updatedAt":[0,"2025-02-17T17:03:20.612Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,63],"revision":[0,22],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Security"],"name":[0,"Security"],"slug":[0,"security"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"5kZtWqjqa7aOUoZr8NFGwI"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:43:26.040Z"],"updatedAt":[0,"2025-02-11T11:03:11.949Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,103],"revision":[0,32],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Cloudflare Radar"],"name":[0,"Radar"],"slug":[0,"cloudflare-radar"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"6Foe3R8of95cWVnQwe5Toi"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T22:44:28.803Z"],"updatedAt":[0,"2025-02-10T05:02:55.192Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,62],"revision":[0,23],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"AI"],"name":[0,"AI"],"slug":[0,"ai"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:43:20.198Z"],"updatedAt":[0,"2025-02-04T17:23:05.518Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,57],"revision":[0,24],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Product News"],"name":[0,"Product News"],"slug":[0,"product-news"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"J61Eszqn98amrYHq4IhTx"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:43:46.068Z"],"updatedAt":[0,"2025-02-04T17:20:13.333Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,61],"revision":[0,27],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Zero Trust"],"name":[0,"Zero Trust"],"slug":[0,"zero-trust"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:43:21.536Z"],"updatedAt":[0,"2025-02-04T17:19:33.689Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,59],"revision":[0,26],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Developers"],"name":[0,"Developers"],"slug":[0,"developers"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"48r7QV00gLMWOIcM1CSDRy"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:54:22.790Z"],"updatedAt":[0,"2025-02-04T17:17:33.067Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,59],"revision":[0,26],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Speed & Reliability"],"name":[0,"Speed & Reliability"],"slug":[0,"speed-and-reliability"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"V86khSc459Yi1AhTlvtY7"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:46:53.657Z"],"updatedAt":[0,"2025-02-04T17:12:59.473Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,57],"revision":[0,21],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Partners"],"name":[0,"Partners"],"slug":[0,"partners"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"4g8tPriKOAUwdUT4jNPebe"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:46:40.927Z"],"updatedAt":[0,"2025-02-04T17:11:28.566Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,55],"revision":[0,24],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Life at Cloudflare"],"name":[0,"Life at Cloudflare"],"slug":[0,"life-at-cloudflare"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"16yk8DVbNNifxov5cWvAov"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:56:23.848Z"],"updatedAt":[0,"2025-01-29T05:03:35.958Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,63],"revision":[0,28],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Policy & Legal"],"name":[0,"Policy & Legal"],"slug":[0,"policy"],"featured":[0,true]}]}]]]}],"locale":[0,"en-us"],"translations":[0,{"":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"":[0,"Careers"],"":[0,"Company"],"":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"":[0,"Community"],"footer.resources":[0,"Resources"],"":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="idle" opts="{"name":"NavigationComponent","value":true}" await-children> <header class="flex flex-row flex-wrap justify-between items-flex-end mw8 center mv3 pl3 pr1"> <div class="w-100 flex items-flex-end justify-between justify-start-l"> <div class="w-100 tr flex justify-end"> <div class="flex justify-between items-center"> <span class="dn di-l pr1"><a href="" class="f1 blue1 dn di-l b no-underline underline-hover" target="_blank" rel="noreferrer">Get Started Free</a></span><span class="f1 gray4 dn di-l pr1">|</span><span class="dn di-l"><a target="_blank" href="" class="f1 gray4 no-underline underline-hover pr1" rel="noreferrer">Contact Sales</a></span><span class="f1 gray4 dn di-l pr1">|</span> <div class="relative flex cf-dropdown"> <div class="flex items-center" dir="ltr"> <button type="button" class="f1 gray4 no-underline language-picker js-language-picker" style="background:transparent;border:none;padding:0"><span class="language-picker__globe-icon"></span><span class="language-picker__caret-icon ph1">▼</span></button> </div> </div> </div> </div> </div> <div class="w-100 w-50-l flex items-end nb5 nb1-l"> <a href="" class="header-logo mr4 dn db-l"><img class="header-logo" src="" alt="The Cloudflare Blog" width="170" height="57"></a> <h2 class="mt0 mb1 dn di-l"><a href="" class="fw5 f5 gray3 no-underline"><span class="dn di-l">The Cloudflare Blog</span></a></h2> </div> <div class="w-100 w-50-l dn db-l"> <div class="w-100 tr mkto-sub-message"> <p class="f2">Subscribe to receive notifications of new posts:</p> </div> <div class="w-100 tr"> <div class="marketo-form-container"> <form id="mktoForm_1653"> <div class="top-subscribe-form-container"> <div class="top-subscribe-form-field"> <input placeholder="Email Address" class="top-subscribe-form-input" name="email" type="email" title="Must be valid email."> </div><button class="top-subscribe-form-button" type="button">Subscribe</button> </div> </form> </div> </div> </div> </header> <nav dir="ltr" class="bb b--black-10 db dn-l w-100 ph3 "> <div class=" flex justify-between items-center" style="height:44px"> <a href=""><img class="h-6 w-6" src="/images/magnifier.svg" alt="magnifier icon"></a><button type="button" style="background:transparent;border:none"><img src="/images/hamburger.svg" alt="hamburger menu"></button> </div> <div class="js-mobile-nav-container dn"> <div class="flex flex-column flex-wrap bg-gray9 o-95 absolute w-90 ph3 z-1"> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Security</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Radar</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">AI</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Product News</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Zero Trust</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Developers</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Speed & Reliability</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Partners</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Life at Cloudflare</a> </div> <div class="pv3 ph2 tl"> <a href="" class="no-underline gray1 f4 fw7">Policy & Legal</a> </div> </div> </div> </nav> <nav id="nav" class="w-100 bb-0 bb-l b--black-10 z-1"> <div id="desktop-nav-items-container" class="flex flex-wrap justify-between items-center mw8 center mv3 mv0-l"> <div data-tag="security" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Security</a> </div> <div data-tag="cloudflare-radar" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Radar</a> </div> <div data-tag="ai" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">AI</a> </div> <div data-tag="product-news" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Product News</a> </div> <div data-tag="zero-trust" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Zero Trust</a> </div> <div data-tag="developers" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Developers</a> </div> <div data-tag="speed-and-reliability" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Speed & Reliability</a> </div> <div data-tag="partners" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Partners</a> </div> <div data-tag="life-at-cloudflare" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Life at Cloudflare</a> </div> <div data-tag="policy" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="" class="no-underline gray1 f2 fw5 pv3">Policy & Legal</a> </div> <div class="nav-item ml2 mr3 dn db-l pv3" data-tag="search icon"> <a href=""><img id="search-icon" class="h-6 w-6" src="/images/magnifier.svg" alt="magnifier icon"></a> </div> </div> </nav><!--astro:end--> </astro-island> <script>(()=>{var e=async t=>{await(await t())()};(self.Astro||(self.Astro={})).load=e;window.dispatchEvent(new Event("astro:load"));})();</script> <div class="flex flex-row flex-wrap mw8 center bb b--gray8 ph3"> <h1 class="site-title f7 fw4 mt4 mb3 mv4-l">Product News</h1> </div> <main id="site-main" class="flex flex-row flex-wrap mw8 center pt0 pt3-l mt4-l"><astro-island uid="2uKJCY" prefix="r0" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"currentPage":[0,1],"isFeaturedImageFirstPost":[0,true],"post":[0,{"id":[0,"1zc4C9M6VIkj5TrfugGxum"],"title":[0,"What’s new in Cloudflare: MASQUE now powers & WARP apps, DEX now generally available with Remote Captures"],"slug":[0,"masque-now-powers-1-1-1-1-and-warp-apps-dex-available-with-remote-captures"],"excerpt":[0,"This roundup blog post shares the latest new features and capabilities at Cloudflare."],"featured":[0,false],"html":[0,"<p>At Cloudflare, we are constantly innovating and launching new features and capabilities across our product portfolio. Today’s roundup blog post shares two exciting updates across our platform: our cross-platform <a href=\"\"><u></u></a> &amp; <a href=\"\"><u>WARP</u></a> applications (consumer) and device agents (Zero Trust) now use <a href=\"\"><u>MASQUE</u></a>, a cutting-edge <a href=\"\"><u>HTTP/3</u></a>-based protocol, to secure your Internet connection. Additionally, DEX is now available for general availability. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"faster-and-more-stable-our-1-1-1-1-warp-apps-now-use-masque-by-default\">Faster and more stable: our & WARP apps now use MASQUE by default</h2>\n <a href=\"#faster-and-more-stable-our-1-1-1-1-warp-apps-now-use-masque-by-default\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1126\" loading=\"lazy\"/>\n </figure><p>We’re excited to announce that as of today, our cross-platform <a href=\"\"><u></u></a> &amp; <a href=\"\"><u>WARP</u></a> apps now use <a href=\"\"><u>MASQUE</u></a>, a cutting-edge <a href=\"\"><u>HTTP/3</u></a>-based protocol, to secure your Internet connection.</p><p>As a reminder, our &amp; WARP apps have two main functions: send all DNS queries through, our privacy-preserving DNS resolver, and protect your device’s network traffic via WARP by creating a private and encrypted tunnel to the resources you’re accessing, preventing unwanted third parties or public Wi-Fi networks from snooping on your traffic.</p><p>There are many ways to encrypt and proxy Internet traffic — you may have heard of a few, such as IPSec, WireGuard, or OpenVPN. There are many tradeoffs we considered when choosing a protocol, but we believe MASQUE is the future of fast, secure, and stable Internet proxying, it aligns with our belief in building on top of open Internet standards, and we’ve deployed it successfully at scale for customers like <a href=\"\"><u>iCloud Private Relay</u></a> and <a href=\"\"><u>Microsoft Edge Secure Network</u></a>.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"why-masque\">Why MASQUE?</h3>\n <a href=\"#why-masque\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p><a href=\"\"><b><u>MASQUE</u></b></a> is a modern framework for proxying traffic that allows a variety of application protocols, including HTTP/3, to utilize QUIC as their transport mechanism. That’s a lot of acronyms, so let&#39;s make sure those are clear. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1494\" height=\"594\" loading=\"lazy\"/>\n </figure><p><a href=\"\"><b><u>QUIC</u></b></a> is a general-purpose transport protocol and <a href=\"\"><u>Internet standard</u></a> that operates on top of UDP (instead of TCP), is encrypted by default, and solves several performance issues that plagued its predecessors. <a href=\"\"><b><u>HTTP/3</u></b></a><b> </b>is the latest version of the HTTP protocol, defining the application-layer protocol that runs on top of QUIC as its transport mechanism. MASQUE is a set of mechanisms for tunneling traffic over HTTP. It extends the existing HTTP CONNECT model, to allow tunneling UDP and IP traffic. This is especially efficient when combined with the QUIC’s <a href=\"\"><u>unreliable datagram extension</u></a>. </p><p>For example, we can use MASQUE’s <a href=\"\"><u>CONNECT-IP method</u></a> to establish a tunnel that can send multiple concurrent requests over a single QUIC connection:</p>\n <pre class=\"language-Rust\"><code class=\"language-Rust\">HEADERS\n:method = CONNECT\n:protocol = connect-ip\n:scheme = https\n:path = /.well-known/masque/ip/*/*/\n:authority =\ncapsule-protocol = ?1</pre></code>\n <p>The benefit these protocols have for the quality and security of everyone’s Internet browsing experience is real. Earlier transport protocols were built before the advent of smartphones and mobile networks, so QUIC was designed to support a mobile world, maintaining connections even in poorly connected networks, and minimizing disruptions as people switch rapidly between networks as they move through their day. Leveraging HTTP/3 as the application layer means that MASQUE is more like “normal” HTTP traffic on the Internet, meaning that it is easier to support, is compatible with existing firewall and security rules, and that it supports cryptographic agility (i.e. support for <a href=\"\"><u>post-quantum crypto</u></a>), making this traffic more secure and resilient in the long term.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"get-started-now\">Get started now </h3>\n <a href=\"#get-started-now\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>All new installations of our &amp; WARP apps support MASQUE, including iOS, Android, macOS, Windows, and Linux, and we’ve started to roll it out as the preferred protocol over WireGuard. <a href=\"\"><u>On mobile</u></a>, to check if your connection is already secured over MASQUE, or change your device’s default option, you can toggle this setting via <i>Advanced &gt; Connection options &gt; Tunnel protocol:</i></p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1710\" height=\"930\" loading=\"lazy\"/>\n </figure><p><sup><i>Protocol connection options shown here on the iOS app</i></sup></p><p>We offer the following options: </p><ul><li><p><b>Auto</b>: this allows the app to choose the protocol.</p></li><li><p><b>MASQUE</b>: always use MASQUE to secure your connection.</p></li><li><p><b>WireGuard</b>: always use WireGuard to secure your connection.</p></li></ul><p>On <a href=\"\"><u>desktop</u></a> versions, you can switch the protocol by using the WARP command-line interface. For example:</p>\n <pre class=\"language-Rust\"><code class=\"language-Rust\">warp-cli tunnel protocol set WireGuard\nwarp-cli tunnel protocol set MASQUE</pre></code>\n <p>With this rollout, we&#39;re excited to see MASQUE deliver increased performance and stability to millions of users. Download <a href=\"\"><u>one of the WARP apps</u></a> today!</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"dex-now-generally-available-announcing-detailed-device-visibility-with-dex-remote-captures\">DEX now Generally Available: Announcing detailed device visibility with DEX Remote Captures</h2>\n <a href=\"#dex-now-generally-available-announcing-detailed-device-visibility-with-dex-remote-captures\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1120\" loading=\"lazy\"/>\n </figure><p><i>Following the successful beta launch of Digital Experience Monitoring (DEX), we are thrilled to announce the general availability of DEX, along with new Remote Captures functionality.</i></p><p>In today&#39;s hyper distributed environment, user experience is paramount. Recurring performance problems can lead to decreased user satisfaction, lost productivity, and damaged brand reputation. <a href=\"\"><u>Digital Experience Monitoring (DEX)</u></a> offers a comprehensive solution to these challenges. Previous blog posts have discussed the solution and its capabilities. (<a href=\"\"><i><u>Introducing Digital Experience Monitoring</u></i></a><i>, </i><a href=\"\"><i><u>Understanding end user-connectivity and performance with Digital Experience Monitoring, now available in beta</u></i></a><i>, </i><a href=\"\"><i><u>What&#39;s new in Cloudflare One: Digital Experience monitoring notifications</u></i></a>)</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"introducing-remote-captures-pcap-and-warp-diag\">Introducing Remote Captures: PCAP and WARP Diag</h3>\n <a href=\"#introducing-remote-captures-pcap-and-warp-diag\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Imagine this: an end user is frustrated with a slow application, and your IT team is struggling to pinpoint the root cause. Traditionally, troubleshooting such issues involved contacting the end user and asking them to manually collect and share network traffic data. This process is time-consuming, prone to errors, and often disruptive to the end user&#39;s workflow.</p><p>Building upon the capabilities of DEX, we are excited to introduce Remote Captures, a powerful new feature that empowers IT admins to gain unprecedented visibility into end-user devices and network performance. DEX now introduces Remote Captures, a powerful new feature that empowers IT admins to remotely initiate network <a href=\"\"><u>packet captures (PCAP)</u></a> and <a href=\"\"><u>WARP Diag logs</u></a> directly from your end users’ devices and capture diagnostic information automatically from our device client. This streamlined approach accelerates troubleshooting, reduces the burden on end users, and provides valuable insights into network performance and security.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"why-remote-captures\">Why Remote Captures?</h3>\n <a href=\"#why-remote-captures\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Remote Captures offer several key advantages. By analyzing detailed network traffic, IT teams can quickly pinpoint the root cause of network issues. Furthermore, granular network data empowers security teams to proactively detect and investigate potential threats. Finally, by identifying bottlenecks and latency issues, Remote Captures enable organizations to optimize network performance for a smoother user experience.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"how-remote-captures-work\">How Remote Captures work</h3>\n <a href=\"#how-remote-captures-work\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Initiating a Remote Capture is straightforward. First, select the specific device you wish to troubleshoot. Then, with a few simple clicks, start capturing network traffic and/or WARP Diag data. Once the capture is complete, download the captured data and utilize your preferred tools for in-depth analysis.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1298\" height=\"1999\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"get-started-today\">Get started today</h3>\n <a href=\"#get-started-today\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>DEX Remote Captures are now available for Cloudflare One customers. They can be configured by going to <a href=\"\"><u>Cloudflare Dashboard</u></a> &gt; Zero Trust &gt; DEX &gt; Remote Captures, and then selecting the device you wish to collect from. For more information, refer to <a href=\"\"><u>Remote captures</u></a>. This new capability highlights just one of the many ways our unified SASE platform helps organizations find and fix security issues across SaaS applications. <a href=\"\"><u>Try it out now</u></a> using our free tier to get started.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"never-miss-an-update\">Never miss an update </h2>\n <a href=\"#never-miss-an-update\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We hope you enjoy reading our roundup blog posts as we continue to build and innovate. Stay tuned to the <a href=\"\"><u>Cloudflare Blog</u></a> for the latest news and updates.</p>"],"published_at":[0,"2024-12-27T14:00+00:00"],"updated_at":[0,"2024-12-27T14:00:02.712Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"3QNaVNNpUXrfZYUGDJkXwA"],"name":[0,"Cloudflare Zero Trust"],"slug":[0,"cloudflare-zero-trust"]}],[0,{"id":[0,"3aM5YgPINDR4BjE3WPTK4B"],"name":[0,"DEX"],"slug":[0,"dex"]}],[0,{"id":[0,"2FQK880QI5lKEUCjVHBber"],"name":[0,""],"slug":[0,"1-1-1-1"]}],[0,{"id":[0,"wQqSRDGY4XgmwsEZPY4AE"],"name":[0,"MASQUE"],"slug":[0,"masque"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Mari Galicer"],"slug":[0,"mari"],"bio":[0,"Product Manager, Consumer Privacy"],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@mmvri"],"facebook":[0,null]}],[0,{"name":[0,"Guy Nir"],"slug":[0,"guy-nir"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}]]],"meta_description":[0,"This roundup blog post shares the latest new features and capabilities at Cloudflare. Learn more about how our cross-platform & WARP apps now use MASQUE, a cutting-edge HTTP/3-based protocol, to secure your Internet connection. Additionally, DEX is now generally available."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"What’s new in Cloudflare: MASQUE now powers & WARP apps, DEX now generally available with Remote Captures"],"description":[0,"This roundup blog post shares the latest new features and capabilities at Cloudflare. Learn more about how our cross-platform & WARP apps now use MASQUE, a cutting-edge HTTP/3-based protocol, to secure your Internet connection. Additionally, DEX is now generally available."],"imgPreview":[0,""]}]}],"translations":[0,{"":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"":[0,"Careers"],"":[0,"Company"],"":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"":[0,"Community"],"footer.resources":[0,"Resources"],"":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-50-l"> <a href="" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">What’s new in Cloudflare: MASQUE now powers & WARP apps, DEX now generally available with Remote Captures</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2024-12-27</p> <p class="f4 fw3 lh-copy " data-testid="post-content">This roundup blog post shares the latest new features and capabilities at Cloudflare.<!-- -->...</p><a href="" class="no-underline gray1 f4 lh-copy fw3 underline-hover" data-testid="post-continue-reading">Continue reading »</a> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Mari Galicer" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw5 f4 no-underline black">Mari Galicer</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Guy Nir" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw5 f4 no-underline black">Guy Nir</a> </div></li> </ul> </div> <div class="w-50-l"> <img class="dn di-l " src="" alt="What’s new in Cloudflare: MASQUE now powers & WARP apps, DEX now generally available with Remote Captures"> </div> </article><!--astro:end--> </astro-island><astro-island uid="ZB26z5" prefix="r1" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"currentPage":[0,1],"isFeaturedImageFirstPost":[0,false],"post":[0,{"id":[0,"5BHU4q5GpzBQ1OLQoUvkKN"],"title":[0,"What’s new in Cloudflare: Account Owned Tokens and Zaraz Automated Actions"],"slug":[0,"account-owned-tokens-automated-actions-zaraz"],"excerpt":[0,"Cloudflare customers can now create Account Owned Tokens , allowing more flexibility around access control for their Cloudflare services. Additionally, Zaraz Automation Actions streamlines event tracking and third-party tool integration. "],"featured":[0,false],"html":[0,"<p>In October 2024, we started publishing roundup blog posts to share the latest features and updates from our teams. Today, we are announcing general availability for Account Owned Tokens, which allow organizations to improve access control for their Cloudflare services. Additionally, we are launching Zaraz Automated Actions, which is a new feature designed to streamline event tracking and tool integration when setting up third-party tools. By automating common actions like pageviews, custom events, and e-commerce tracking, it removes the need for manual configurations.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"improving-access-control-for-cloudflare-services-with-account-owned-tokens\">Improving access control for Cloudflare services with Account Owned Tokens</h2>\n <a href=\"#improving-access-control-for-cloudflare-services-with-account-owned-tokens\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare is critical infrastructure for the Internet, and we understand that many of the organizations that build on Cloudflare rely on apps and integrations outside the platform to make their lives easier. In order to allow access to Cloudflare resources, these apps and integrations interact with Cloudflare via our API, enabled by access tokens and API keys. Today, the API Access Tokens and API keys on the Cloudflare platform are owned by individual users, which can lead to some difficulty representing services, and adds an additional dependency on managing users alongside token permissions.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"whats-new-about-account-owned-tokens\">What’s new about Account Owned Tokens</h3>\n <a href=\"#whats-new-about-account-owned-tokens\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>First, a little explanation because the terms can be a little confusing. On Cloudflare, we have both Users and Accounts, and they mean different things, but sometimes look similar. Users are people, and they sign in with an email address. Accounts are not people, they’re the top-level bucket we use to organize all the resources you use on Cloudflare. Accounts can have many users, and that’s how we enable collaboration. If you use Cloudflare for your personal projects, both your User and Account might have your email address as the name, but if you use Cloudflare as a company, the difference is more apparent because your user is “<a href=\"\"><u></u></a>” and the account might be “Example Company”. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1836\" height=\"1225\" loading=\"lazy\"/>\n </figure><p>Account Owned Tokens are not confined by the permissions of the creating user (e.g. a user can never make a token that can edit a field that they otherwise couldn’t edit themselves) and are scoped to the account they are owned by. This means that instead of creating a token belonging to the user “<a href=\"\"><u></u></a>”, you can now create a token belonging to the account “Example Company”.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1385\" height=\"1623\" loading=\"lazy\"/>\n </figure><p>The ability to make these tokens, owned by the account instead of the user, allows for more flexibility to represent what the access should be used for.</p><p>Prior to Account Owned Tokens, customers would have to have a user (<a href=\"\"><u></u></a>) create a token to pull a list of Cloudflare zones for their account and ensure their security settings are set correctly as part of a compliance workflow, for example. All of the actions this compliance workflow does are now attributed to joe.smith, and if joe.smith leaves the company and his permissions are revoked, the compliance workflow fails.</p><p>With this new release, an Account Owned Token could be created, named “compliance workflow”, with permissions to do this operation independently of <a href=\"\"><u></u></a>. All actions this token does are attributable to “compliance workflow”. This token is visible and manageable by all the superadmins on your Cloudflare account. If joe.smith leaves the company, the access remains independent of that user, and all super administrators on the account moving forward can still see, edit, roll, and delete the token as needed.</p><p>Any long-running services or programs can be represented by these types of tokens, be made visible (and manageable) by all super administrators in your Cloudflare account, and truly represent the service, instead of the users managing the service. Audit logs moving forward will log that a given token was used, and user access can be kept to a minimum.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"getting-started\">Getting started</h3>\n <a href=\"#getting-started\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Account Owned Tokens can be found on the new “API Tokens” tab under the “Manage Account” section of your Cloudflare dashboard, and any Super Administrators on your account have the capability to create, edit, roll, and delete these tokens. The API is the same, but at a new <code>/account/&lt;accountId&gt;/tokens</code> endpoint.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"2024\" height=\"648\" loading=\"lazy\"/>\n </figure>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1394\" height=\"896\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"why-where-should-i-use-account-owned-tokens\">Why/where should I use Account Owned Tokens?</h3>\n <a href=\"#why-where-should-i-use-account-owned-tokens\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>There are a few places we would recommend replacing your User Owned Tokens with Account Owned Tokens:</p><p>1. <b>Long-running services that are managed by multiple people:</b> When multiple users all need to manage the same service, Account Owned Tokens can remove the bottleneck of requiring a single person to be responsible for all the edits, rotations, and deletions of the tokens. In addition, this guards against any user lifecycle events affecting the service. If the employee that owns the token for your service leaves the company, the service’s token will no longer be based on their permissions.</p><p>2.<b> Cloudflare accounts running any services that need attestable access records beyond user membership:</b> By restricting all of your users from being able to access the API, and consolidating all usable tokens to a single list at the account level, you can ensure that a complete list of all API access can be found in a single place on the dashboard, under “Account API Tokens”.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1379\" height=\"252\" loading=\"lazy\"/>\n </figure><p>3. <b>Anywhere you’ve created “Service Users”:</b> “Service Users”, or any identity that is meant to allow multiple people to access Cloudflare, are an active threat surface. They are generally highly privileged, and require additional controls (vaulting, password rotation, monitoring) to ensure non-repudiation and appropriate use. If these operations solely require API access, consolidating that access into an Account Owned Token is safe.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"why-where-should-i-use-user-owned-tokens\">Why/where should I use User Owned Tokens?</h3>\n <a href=\"#why-where-should-i-use-user-owned-tokens\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>There are a few scenarios/situations where you should continue to use User Owned Tokens:</p><ol><li><p><b>Where programmatic access is done by a single person at an external interface:</b> If a single user has an external interface using their own access privileges at Cloudflare, it still makes sense to use a personal token, so that information access can be traced back to them. (e.g. using a personal token in a data visualization tool that pulls logs from Cloudflare)</p></li><li><p><a href=\"\"><b><u>User level operations</u></b></a><b>:</b> Any operations that operate on your own user (e.g. email changes, password changes, user preferences) still require a user level token.</p></li><li><p><b>Where you want to control resources over multiple accounts with the same credential:</b> As of November 2024, Account Owned Tokens are scoped to a single account. In 2025, we want to ensure that we can create cross-account credentials, anywhere that multiple accounts have to be called in the same set of operations should still rely on API Tokens owned by a user.</p></li><li><p><b>Where we currently do not support a given endpoint:</b> We are currently in the process of working through a <a href=\"\"><u>list of our services</u></a> to ensure that they all support Account Owned Tokens. When interacting with any of these services that are not supported programmatically, please continue to use User Owned Tokens.</p></li><li><p><b>Where you need to do token management programmatically:</b> If you are in an organization that needs to create and delete large numbers of tokens programmatically, please continue to use User Owned Tokens. In late 2024, watch for the “Create Additional Tokens” template on the Account Owned Tokens Page. This template and associated created token will allow for the management of additional tokens.</p></li></ol>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"996\" height=\"66\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"what-does-this-mean-for-my-existing-tokens-and-programmatic-access-moving-forward\">What does this mean for my existing tokens and programmatic access moving forward?</h3>\n <a href=\"#what-does-this-mean-for-my-existing-tokens-and-programmatic-access-moving-forward\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We do not plan to decommission User Owned Tokens, as they still have a place in our overall access model and are handy for ensuring user-centric workflows can be implemented.</p><p>As of November 2024, we’re still working to ensure that ALL of our endpoints work with Account Owned Tokens, and we expect to deliver additional token management improvements continuously, with an expected end date of Q3 2025 to cover all endpoints.</p><p>A list of services that support, and do not support, Account Owned Tokens can be found in our <a href=\"\"><u>documentation.</u></a></p>\n <div class=\"flex anchor relative\">\n <h3 id=\"whats-next\">What’s next?</h3>\n <a href=\"#whats-next\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>If Account Owned Tokens could provide value to your or your organization, documentation is available <a href=\"\"><u>here</u></a>, and you can give them a try today from the “API Tokens” menu in your dashboard.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"zaraz-automated-actions-makes-adding-tools-to-your-website-a-breeze\">Zaraz Automated Actions makes adding tools to your website a breeze</h2>\n <a href=\"#zaraz-automated-actions-makes-adding-tools-to-your-website-a-breeze\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1125\" loading=\"lazy\"/>\n </figure><p><a href=\"\"><u>Cloudflare Zaraz</u></a> is a tool designed to manage and optimize third-party tools like analytics, marketing tags, or social media scripts on websites. By loading these third-party services through Cloudflare’s network, Zaraz improves website performance, security, and privacy. It ensures that these external scripts don&#39;t slow down page loading times or expose sensitive user data, as it handles them efficiently through Cloudflare&#39;s global network, reducing latency and improving the user experience.</p><p>Automated Actions are a new product feature that allow users to easily setup page views, custom events, and e-commerce tracking without going through the tedious process of manually setting up triggers and actions.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"why-we-built-automated-actions\">Why we built Automated Actions</h3>\n <a href=\"#why-we-built-automated-actions\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>An action in Zaraz is a way to tell a third party tool that a user interaction or event has occurred when certain conditions, defined by <a href=\"\"><u>triggers</u></a>, are met. You create actions from within the tools page, associating them with specific tools and triggers.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1124\" height=\"1366\" loading=\"lazy\"/>\n </figure><p>Setting up a tool in Zaraz has always involved a few steps: <a href=\"\"><u>configuring a trigger</u></a>, <a href=\"\"><u>linking it to a tool action</u></a> and finally calling <a href=\"\"><code><u>zaraz.track()</u></code></a>. This process allowed advanced configurations with complex rules, and while it was powerful, it occasionally left users confused — why isn’t calling <code>zaraz.track()</code> enough? We heard your feedback, and we’re excited to introduce <b>Zaraz Automated Actions</b>, a feature designed to make Zaraz easier to use by reducing the amount of work needed to configure a tool.</p><p>With Zaraz Automated Actions, you can now automate sending data to your third-party tools without the need to create a manual configuration. Inspired by the simplicity of <a href=\"\"><code><u>zaraz.ecommerce()</u></code></a>, we’ve extended this ease to all Zaraz events, removing the need for manual trigger and action setup. For example, calling <code>zaraz.track(‘myEvent’)</code> will send your event to the tool without the need to configure any triggers or actions.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"getting-started-with-automated-actions\">Getting started with Automated Actions</h3>\n <a href=\"#getting-started-with-automated-actions\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>When adding a new tool in Zaraz, you’ll now see an additional step where you can choose one of three Automated Actions: <b>pageviews</b>, <b>all other events</b>, or <b>ecommerce</b>. These options allow you to specify what kind of events you want to automate for that tool.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1536\" height=\"876\" loading=\"lazy\"/>\n </figure><ul><li><p><b>Pageviews</b>: Automatically sends data to the tool whenever someone visits a page on your site, without any manual configuration.</p></li><li><p><b>All other events</b>: Sends all custom events triggered using zaraz.track() to the selected tool, making it easy to automate tracking of user interactions.</p></li><li><p><b>Ecommerce</b>: Automatically sends all e-commerce events triggered via zaraz.ecommerce() to the tool, streamlining your sales and transaction tracking.</p></li></ul><p>These Automated Actions are also available for all your existing tools, which can be toggled on or off from the tool detail page in your Zaraz dashboard. This flexibility allows you to fine-tune which actions are automated based on your needs.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1364\" height=\"1184\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"custom-actions-for-tools-without-automated-action-support\">Custom actions for tools without Automated Action support</h3>\n <a href=\"#custom-actions-for-tools-without-automated-action-support\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Some tools do not support automated actions because the tool itself does not support page view, custom, or e-commerce events. For such tools you can still create your own custom actions, just like before. Custom actions allow you to configure specific events to send data to your tools based on unique triggers. The process remains the same, and you can follow the detailed steps outlined in our<a href=\"\"> <u>Create Actions guide</u></a>. Remember to set up your trigger first, or choose an existing one, before configuring the action.</p><h4>Automatically enrich your payload</h4><p>When creating a custom action, it is now easier to send Event Properties using the <b>Include Event Properties field.</b> When this is toggled on, you can automatically send client-specific data with each action, such as user behavior or interaction details. For example, to send an <code>userID</code> property when sending a <code>click</code> event you can do something like this: <code>zaraz.track(‘click’, { userID: “foo” })</code>.</p><p>Additionally, you can enable the <b>Include System Properties</b> option to send system-level information, such as browser, operating system, and more. In your action settings click on “Add Field”, pick the “Include System Properties”, click on confirm and then toggle the field on. </p><p>For a full list of system properties, visit our<a href=\"\"> <u>System Properties reference guide</u></a>. These options give you greater flexibility and control over the data you send with custom actions.</p><p>These two fields replace the now deprecated “Enrich Payload” dropdown field.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1646\" height=\"1222\" loading=\"lazy\"/>\n </figure><p>Zaraz Automated Actions marks a significant step forward in simplifying how you manage events across your tools. By automating common actions like page views, e-commerce events, and custom tracking, you can save time and reduce the complexity of manual configurations. Whether you’re leveraging Automated Actions for speed or creating custom actions for more tailored use cases, Zaraz offers the flexibility to fit your workflow. </p><p>We’re excited to see how you use this feature. Please don’t hesitate to reach out to us on Cloudflare <a href=\"\"><u>Zaraz’s Discord Channel</u></a> — we’re always there fixing issues, listening to feedback, and announcing exciting product updates.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"never-miss-an-update\">Never miss an update</h2>\n <a href=\"#never-miss-an-update\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We’ll continue to share roundup blog posts as we continue to build and innovate. Be sure to follow along on the <a href=\"\"><u>Cloudflare Blog</u></a> for the latest news and updates.</p>"],"published_at":[0,"2024-11-14T14:00+00:00"],"updated_at":[0,"2024-11-14T14:00:02.977Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"4pES8Ke33O2ROIX5tVMqyc"],"name":[0,"Identity"],"slug":[0,"identity"]}],[0,{"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"name":[0,"Security"],"slug":[0,"security"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"5KsuE8WNLu5C4uyvr4XWCV"],"name":[0,"Zaraz"],"slug":[0,"zaraz"]}],[0,{"id":[0,"2OotqBxtRdi5MuC90AlyxE"],"name":[0,"Analytics"],"slug":[0,"analytics"]}],[0,{"id":[0,"49e0LtPKRtCoIvqkN8MIde"],"name":[0,"Managed Components"],"slug":[0,"managed-components"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Joseph So"],"slug":[0,"joseph"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Omar Mohammad"],"slug":[0,"omar-mohammad"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}],[0,{"name":[0,"Yo'av Moshe"],"slug":[0,"yoav"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@yoavmoshe"],"facebook":[0,null]}]]],"meta_description":[0,"Cloudflare customers can now create Account Owned Tokens, allowing more flexibility around access control for their Cloudflare services. Additionally, Zaraz Automation Actions streamlines event tracking and third-party tool integration. "],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"What’s new in Cloudflare: Account Owned Tokens and Zaraz Automated Actions"],"description":[0,"Cloudflare customers can now create Account Owned Tokens, allowing more flexibility around access control for their Cloudflare services. Additionally, Zaraz Automation Actions streamlines event tracking and third-party tool integration."],"imgPreview":[0,""]}]}],"translations":[0,{"":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"":[0,"Careers"],"":[0,"Company"],"":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"":[0,"Community"],"footer.resources":[0,"Resources"],"":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-50-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">What’s new in Cloudflare: Account Owned Tokens and Zaraz Automated Actions</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2024-11-14</p> <div class=""> <a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Identity</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developers</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Zaraz</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Analytics</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Managed Components</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Cloudflare customers can now create Account Owned Tokens , allowing more flexibility around access control for their Cloudflare services. Additionally, Zaraz Automation Actions streamlines event tracking and third-party tool integration. <!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Joseph So" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Joseph So</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Omar Mohammad" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Omar Mohammad</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Yo'av Moshe" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Yo'av Moshe</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="1E3Ehm" prefix="r2" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"currentPage":[0,1],"isFeaturedImageFirstPost":[0,false],"post":[0,{"id":[0,"41vXJNWrB0YHsKqSz6SGDS"],"title":[0,"Durable Objects aren't just durable, they're fast: a 10x speedup for Cloudflare Queues"],"slug":[0,"how-we-built-cloudflare-queues"],"excerpt":[0,"Learn how we built Cloudflare Queues using our own Developer Platform and how it evolved to a geographically-distributed, horizontally-scalable architecture built on Durable Objects. Our new architecture supports over 10x more throughput and over 3x lower latency compared to the previous version."],"featured":[0,false],"html":[0,"<p></p><p><a href=\"\"><u>Cloudflare Queues</u></a> let a developer decouple their Workers into event-driven services. Producer Workers write events to a Queue, and consumer Workers are invoked to take actions on the events. For example, you can use a Queue to decouple an e-commerce website from a service which sends purchase confirmation emails to users. During 2024’s Birthday Week, we <a href=\"*18s1fwl*_gcl_au*MTgyNDA5NjE5OC4xNzI0MjgzMTQ0*_ga*OTgwZmE0YWUtZWJjMS00NmYxLTllM2QtM2RmY2I4ZjAwNzZk*_ga_SQCRB0TXZW*MTcyODkyOTU2OS4xNi4xLjE3Mjg5Mjk1NzcuNTIuMC4w/#queues-is-ga\"><u>announced that Cloudflare Queues is now Generally Available</u></a>, with significant performance improvements that enable larger workloads. To accomplish this, we switched to a new architecture for Queues that enabled the following improvements:</p><ul><li><p>Median latency for sending messages has dropped from ~200ms to ~60ms</p></li><li><p>Maximum throughput for each Queue has increased over 10x, from 400 to 5000 messages per second</p></li><li><p>Maximum Consumer concurrency for each Queue has increased from 20 to 250 concurrent invocations</p></li></ul>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"959\" loading=\"lazy\"/>\n </figure><p><sup><i>Median latency drops from ~200ms to ~60ms as Queues are migrated to the new architecture</i></sup></p><p>In this blog post, we&#39;ll share details about how we built Queues using Durable Objects and the Cloudflare Developer Platform, and how we migrated from an initial Beta architecture to a geographically-distributed, horizontally-scalable architecture for General Availability.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"v1-beta-architecture\">v1 Beta architecture</h3>\n <a href=\"#v1-beta-architecture\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>When initially designing Cloudflare Queues, we decided to build something simple that we could get into users&#39; hands quickly. First, we considered leveraging an off-the-shelf messaging system such as Kafka or Pulsar. However, we decided that it would be too challenging to operate these systems at scale with the large number of isolated tenants that we wanted to support.</p><p>Instead of investing in new infrastructure, we decided to build on top of one of Cloudflare&#39;s existing developer platform building blocks: <b>Durable Objects.</b> <a href=\"\"><u>Durable Objects</u></a> are a simple, yet powerful building block for coordination and storage in a distributed system. In our initial <i>v1 </i>architecture, each Queue was implemented using a single Durable Object. As shown below, clients would send messages to a Worker running in their region, which would be forwarded to the single Durable Object hosted in the WNAM (Western North America) region. We used a single Durable Object for simplicity, and hosted it in WNAM for proximity to our centralized configuration API service.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1100\" loading=\"lazy\"/>\n </figure><p>One of a Queue&#39;s main responsibilities is to accept and store incoming messages. Sending a message to a <i>v1</i> Queue used the following flow:</p><ul><li><p>A client sends a POST request containing the message body to the Queues API at <code>/accounts/:accountID/queues/:queueID/messages</code></p></li><li><p>The request is handled by an instance of the <b>Queue Broker Worker</b> in a Cloudflare data center running near the client.</p></li><li><p>The Worker performs authentication, and then uses Durable Objects <code>idFromName</code> API to route the request to the <b>Queue Durable Object</b> for the given <code>queueID</code></p></li><li><p>The Queue Durable Object persists the message to storage before returning a <i>success </i>back to the client.</p></li></ul><p>Durable Objects handled most of the heavy-lifting here: we did not need to set up any new servers, storage, or service discovery infrastructure. To route requests, we simply provided a <code>queueID</code> and the platform handled the rest. To store messages, we used the Durable Object storage API to <code>put</code> each message, and the platform handled reliably storing the data redundantly.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"consuming-messages\">Consuming messages</h3>\n <a href=\"#consuming-messages\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The other main responsibility of a Queue is to deliver messages to a Consumer. Delivering messages in a v1 Queue used the following process:</p><ul><li><p>Each Queue Durable Object maintained an <b>alarm </b>that was always set when there were undelivered messages in storage. The alarm guaranteed that the Durable Object would reliably wake up to deliver any messages in storage, even in the presence of failures. The alarm time was configured to fire after the user&#39;s selected <i>max wait time</i><b><i>, </i></b>if only a partial batch of messages was available. Whenever one or more full batches were available in storage, the alarm was scheduled to fire immediately.</p></li><li><p>The alarm would wake the Durable Object, which continually looked for batches of messages in storage to deliver.</p></li><li><p>Each batch of messages was sent to a &quot;Dispatcher Worker&quot; that used <a href=\"\"><u>Workers for Platforms</u></a> <a href=\"\"><i><u>dynamic dispatch</u></i></a> to pass the messages to the <code>queue()</code> function defined in a user&#39;s Consumer Worker</p></li></ul>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"942\" loading=\"lazy\"/>\n </figure><p>This v1 architecture let us flesh out the initial version of the Queues Beta product and onboard users quickly. Using Durable Objects allowed us to focus on building application logic, instead of complex low-level systems challenges such as global routing and guaranteed durability for storage. Using a separate Durable Object for each Queue allowed us to host an essentially unlimited number of Queues, and provided isolation between them.</p><p>However, using <i>only</i> one Durable Object per queue had some significant limitations:</p><ul><li><p><b>Latency: </b>we created all of our v1 Queue Durable Objects in Western North America. Messages sent from distant regions incurred significant latency when traversing the globe.</p></li><li><p><b>Throughput: </b>A single Durable Object is not scalable: it is single-threaded and has a fixed capacity for how many requests per second it can process. This is where the previous 400 messages per second limit came from.</p></li><li><p><b>Consumer Concurrency: </b>Due to <a href=\"\"><u>concurrent subrequest limits</u></a>, a single Durable Object was limited in how many concurrent subrequests it could make to our Dispatcher Worker. This limited the number of <code>queue()</code> handler invocations that it could run simultaneously.</p></li></ul><p>To solve these issues, we created a new v2 architecture that horizontally scales across <b>multiple</b> Durable Objects to implement each single high-performance Queue.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"v2-architecture\">v2 Architecture</h3>\n <a href=\"#v2-architecture\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In the new v2 architecture for Queues, each Queue is implemented using multiple Durable Objects, instead of just one. Instead of a single region, we place <i>Storage Shard </i>Durable Objects in <a href=\"\"><u>all available regions</u></a> to enable lower latency. Within each region, we create multiple Storage Shards and load balance incoming requests amongst them. Just like that, we’ve multiplied message throughput.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1100\" loading=\"lazy\"/>\n </figure><p>Sending a message to a v2 Queue uses the following flow:</p><ul><li><p>A client sends a POST request containing the message body to the Queues API at <code>/accounts/:accountID/queues/:queueID/messages</code></p></li><li><p>The request is handled by an instance of the <b>Queue Broker Worker</b> running in a Cloudflare data center near the client.</p></li><li><p>The Worker:</p><ul><li><p>Performs authentication</p></li><li><p>Reads from Workers KV to obtain a <i>Shard Map</i> that lists available storage shards for the given <code>region</code> and <code>queueID</code></p></li><li><p>Picks one of the region&#39;s Storage Shards at random, and uses Durable Objects <code>idFromName</code> API to route the request to the chosen shard</p></li></ul></li><li><p>The Storage Shard persists the message to storage before returning a <i>success </i>back to the client.</p></li></ul><p>In this v2 architecture, messages are stored in the closest available Durable Object storage cluster near the user, greatly reducing latency since messages don&#39;t need to be shipped all the way to WNAM. Using multiple shards within each region removes the bottleneck of a single Durable Object, and allows us to scale each Queue horizontally to accept even more messages per second. <a href=\"\"><u>Workers KV</u></a> acts as a fast metadata store: our Worker can quickly look up the shard map to perform load balancing across shards.</p><p>To improve the <i>Consumer</i> side of v2 Queues, we used a similar &quot;scale out&quot; approach. A single Durable Object can only perform a limited number of concurrent subrequests. In v1 Queues, this limited the number of concurrent subrequests we could make to our Dispatcher Worker. To work around this, we created a new <i>Consumer Shard</i> Durable Object class that we can scale horizontally, enabling us to execute many more concurrent instances of our users&#39; <code>queue()</code> handlers.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1243\" loading=\"lazy\"/>\n </figure><p>Consumer Durable Objects in v2 Queues use the following approach:</p><ul><li><p>Each Consumer maintains an alarm that guarantees it will wake up to process any pending messages. <i>v2 </i>Consumers are notified by the Queue&#39;s <i>Coordinator </i>(introduced below) when there are messages ready for consumption. Upon notification, the Consumer sets an alarm to go off immediately.</p></li><li><p>The Consumer looks at the shard map, which contains information about the storage shards that exist for the Queue, including the number of available messages on each shard.</p></li><li><p>The Consumer picks a random storage shard with available messages, and asks for a batch.</p></li><li><p>The Consumer sends the batch to the Dispatcher Worker, just like for v1 Queues.</p></li><li><p>After processing the messages, the Consumer sends another request to the Storage Shard to either &quot;acknowledge&quot; or &quot;retry&quot; the messages.</p></li></ul><p>This scale-out approach enabled us to work around the subrequest limits of a single Durable Object, and increase the maximum supported concurrency level of a Queue from 20 to 250. </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"the-coordinator-and-control-plane\">The Coordinator and “Control Plane”</h3>\n <a href=\"#the-coordinator-and-control-plane\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>So far, we have primarily discussed the &quot;Data Plane&quot; of a v2 Queue: how messages are load balanced amongst Storage Shards, and how Consumer Shards read and deliver messages. The other main piece of a v2 Queue is the &quot;Control Plane&quot;, which handles creating and managing all the individual Durable Objects in the system. In our v2 architecture, each Queue has a single <i>Coordinator</i> Durable Object that acts as the brain of the Queue. Requests to create a Queue, or change its settings, are sent to the Queue&#39;s Coordinator.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1100\" loading=\"lazy\"/>\n </figure><p>The Coordinator maintains a <i>Shard Map</i> for the Queue, which includes metadata about all the Durable Objects in the Queue (including their region, number of available messages, current estimated load, etc.). The Coordinator periodically writes a fresh copy of the Shard Map into Workers KV, as pictured in step 1 of the diagram. Placing the shard map into Workers KV ensures that it is globally cached and available for our Worker to read quickly, so that it can pick a shard to accept the message.</p><p>Every shard in the system periodically sends a heartbeat to the Coordinator as shown in steps 2 and 3 of the diagram. Both Storage Shards and Consumer Shards send heartbeats, including information like the number of messages stored locally, and the current load (requests per second) that the shard is handling. The Coordinator uses this information to perform <b><i>autoscaling. </i></b>When it detects that the shards in a particular region are overloaded, it creates additional shards in the region, and adds them to the shard map in Workers KV. Our Worker sees the updated shard map and naturally load balances messages across the freshly added shards. Similarly, the Coordinator looks at the backlog of available messages in the Queue, and decides to add more Consumer shards to increase Consumer throughput when the backlog is growing. Consumer Shards pull messages from Storage Shards for processing as shown in step 4 of the diagram.</p><p>Switching to a new scalable architecture allowed us to meet our performance goals and take Queues to GA. As a recap, this new architecture delivered these significant improvements:</p><ul><li><p>P50 latency for writing to a Queue has dropped from ~200ms to ~60ms.</p></li><li><p>Maximum throughput for a Queue has increased from 400 to 5000 messages per second.</p></li><li><p>Maximum consumer concurrency has increased from 20 to 250 invocations.\t</p></li></ul>\n <div class=\"flex anchor relative\">\n <h3 id=\"whats-next-for-queues\">What's next for Queues</h3>\n <a href=\"#whats-next-for-queues\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <ul><li><p>We plan on leveraging the performance improvements in the new <a href=\"\"><u>beta version of Durable Objects</u></a> which use SQLite to continue to improve throughput/latency in Queues.</p></li><li><p>We will soon be adding message management features to Queues so that you can take actions to purge messages in a queue, pause consumption of messages, or “redrive”/move messages from one queue to another (for example messages that have been sent to a Dead Letter Queue could be “redriven” or moved back to the original queue).</p></li><li><p>Work to make Queues the &quot;event hub&quot; for the Cloudflare Developer Platform:</p><ul><li><p>Create a low-friction way for events emitted from other Cloudflare services with event schemas to be sent to Queues.</p></li><li><p>Build multi-Consumer support for Queues so that Queues are no longer limited to one Consumer per queue.</p></li></ul></li></ul><p>To start using Queues, head over to our <a href=\"\"><u>Getting Started</u></a> guide. </p><p>Do distributed systems like Cloudflare Queues and Durable Objects interest you? Would you like to help build them at Cloudflare? <a href=\"\"><u>We&#39;re Hiring!</u></a></p>"],"published_at":[0,"2024-10-24T14:00+01:00"],"updated_at":[0,"2024-10-24T13:00:03.392Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"7p9V4sEnUw2qMWnn5Jzsp9"],"name":[0,"Cloudflare Queues"],"slug":[0,"cloudflare-queues"]}],[0,{"id":[0,"6hbkItfupogJP3aRDAq6v8"],"name":[0,"Cloudflare Workers"],"slug":[0,"workers"]}],[0,{"id":[0,"5v2UZdTRX1Rw9akmhexnxs"],"name":[0,"Durable Objects"],"slug":[0,"durable-objects"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Josh Wheeler"],"slug":[0,"josh"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Siddhant Sinha"],"slug":[0,"siddhant"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Todd Mantell"],"slug":[0,"todd-mantell"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}],[0,{"name":[0,"Pranshu Maheshwari"],"slug":[0,"pranshu-maheshwari"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}]]],"meta_description":[0,"Learn how we built Cloudflare Queues using our own Developer Platform and how it evolved to a geographically-distributed, horizontally-scalable architecture built on Durable Objects. Our new architecture supports over 10x more throughput and over 3x lower latency compared to the previous version."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Durable Objects aren't just durable, they're fast: a 10x speedup for Cloudflare Queues"],"description":[0,"Learn how we built Cloudflare Queues using our own Developer Platform and how it evolved to a geographically-distributed, horizontally-scalable architecture built on Durable Objects. Our new architecture supports over 10x more throughput and over 3x lower latency compared to the previous version."],"imgPreview":[0,""]}]}],"translations":[0,{"":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"":[0,"Careers"],"":[0,"Company"],"":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"":[0,"Community"],"footer.resources":[0,"Resources"],"":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-50-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Durable Objects aren't just durable, they're fast: a 10x speedup for Cloudflare Queues</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2024-10-24</p> <div class=""> <a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Queues</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Workers</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Durable Objects</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developers</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developer Platform</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Learn how we built Cloudflare Queues using our own Developer Platform and how it evolved to a geographically-distributed, horizontally-scalable architecture built on Durable Objects. Our new architecture supports over 10x more throughput and over 3x lower latency compared to the previous version.<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Josh Wheeler" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Josh Wheeler</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Siddhant Sinha" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Siddhant Sinha</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Todd Mantell" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Todd Mantell</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Pranshu Maheshwari" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Pranshu Maheshwari</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="Z12y6RM" prefix="r3" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"currentPage":[0,1],"isFeaturedImageFirstPost":[0,false],"post":[0,{"id":[0,"6e7vmGCa8tZRTNJWqYs1di"],"title":[0,"Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One "],"slug":[0,"cloudflare-acquires-kivera"],"excerpt":[0,"The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. "],"featured":[0,false],"html":[0,"<p>We’re excited to announce that <a href=\"\"><u>Kivera</u></a>, a cloud security, data protection, and compliance company, has joined Cloudflare. This acquisition extends our SASE portfolio to incorporate inline cloud app controls, empowering <a href=\"\"><u>Cloudflare One</u></a> customers with preventative security controls for all their cloud services.</p><p>In today’s digital landscape, cloud services and SaaS (software as a service) apps have become indispensable for the daily operation of organizations. At the same time, the amount of data flowing between organizations and their cloud providers has ballooned, increasing the chances of data leakage, compliance issues, and worse, opportunities for attackers. Additionally, many companies — especially at enterprise scale — are working directly with multiple cloud providers for flexibility based on the strengths, resiliency against outages or errors, and cost efficiencies of different clouds. </p><p>Security teams that rely on <a href=\"\"><u>Cloud Security Posture Management (CSPM)</u></a> or similar tools for monitoring cloud configurations and permissions and Infrastructure as code (IaC) scanning are falling short due to detecting issues only after misconfigurations occur with an overwhelming volume of alerts. The combination of Kivera and Cloudflare One puts preventive controls directly into the deployment process, or ‘inline’, blocking errors before they happen. This offers a proactive approach essential to protecting cloud infrastructure from evolving cyber threats, maintaining data security, and accelerating compliance. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"an-early-warning-system-for-cloud-security-risks\">An early warning system for cloud security risks </h2>\n <a href=\"#an-early-warning-system-for-cloud-security-risks\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In a significant leap forward in cloud security, the combination of Kivera’s technology and Cloudflare One adds preventive, inline controls to enforce secure configurations for cloud resources. By inspecting cloud API traffic, these new capabilities equip organizations with enhanced visibility and granular controls, allowing for a proactive approach in mitigating risks, managing cloud security posture, and embracing a streamlined DevOps process when deploying cloud infrastructure.</p><p>Kivera will add the following capabilities to Cloudflare’s <a href=\"\"><u>SASE</u></a> platform:</p><ul><li><p><b>One-click security:</b> Customers benefit from immediate prevention of the most common cloud breaches caused by misconfigurations, such as accidentally allowing public access or policy inconsistencies.</p></li><li><p><b>Enforced cloud tenant control:</b> Companies can easily draw boundaries around their cloud resources and tenants to ensure that sensitive data stays within their organization. </p></li><li><p><b>Prevent data exfiltration:</b> Easily set rules to prevent data being sent to unauthorized locations.</p></li><li><p><b>Reduce ‘shadow’ cloud infrastructure:</b> Ensure that every interaction between a customer and their cloud provider is in line with preset standards. </p></li><li><p><b>Streamline cloud security compliance:</b> Customers can automatically assess and enforce compliance against the most common regulatory frameworks.</p></li><li><p><b>Flexible DevOps model:</b> Enforce bespoke controls independent of public cloud setup and deployment tools, minimizing the layers of lock-in between an organization and a cloud provider.</p></li><li><p><b>Complementing other cloud security tools:</b> Create a first line of defense for cloud deployment errors, reducing the volume of alerts for customers also using CSPM tools or Cloud Native Application Protection Platforms (CNAPPs). </p></li></ul>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2592 2\" class=\"kg-image\" width=\"1999\" height=\"1155\" loading=\"lazy\"/>\n </figure><p><sub><i>An intelligent proxy that uses a policy-based approach to \nenforce secure configuration of cloud resources.</i></sub></p>\n <div class=\"flex anchor relative\">\n <h2 id=\"better-together-with-cloudflare-one\">Better together with Cloudflare One</h2>\n <a href=\"#better-together-with-cloudflare-one\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As a SASE platform, Cloudflare One ensures safe access and provides data controls for cloud and SaaS apps. This integration broadens the scope of Cloudflare’s SASE platform beyond user-facing applications to incorporate increased cloud security through proactive configuration management of infrastructure services, beyond what CSPM and <a href=\"\"><u>CASB</u></a> solutions provide. With the addition of Kivera to Cloudflare One, customers now have a unified platform for all their inline protections, including cloud control, access management, and threat and data protection. All of these features are available with single-pass inspection, which is <a href=\"\"><u>50% faster</u></a> than <a href=\"\"><u>Secure Web Gateway (SWG)</u></a> alternatives. </p><p>With the earlier <a href=\"\"><u>acquisition of BastionZero</u></a>, a Zero Trust infrastructure access company, Cloudflare One expanded the scope of its VPN replacement solution to cover infrastructure resources as easily as it does apps and networks. Together Kivera and BastionZero enable centralized security management across hybrid IT environments, and provide a modern DevOps-friendly way to help enterprises connect and protect their hybrid infrastructure with Zero Trust best practices.</p><p>Beyond its SASE capabilities, Cloudflare One is integral to <a href=\"\"><u>Cloudflare’s connectivity cloud</u></a>, enabling organizations to consolidate IT security tools on a single platform. This simplifies secure access to resources, from developer privileged access to technical infrastructure and expanding cloud services. As <a href=\"\"><u>Forrester echoes</u></a>, “Cloudflare is a good choice for enterprise prospects seeking a high-performance, low-maintenance, DevOps-oriented solution.”</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"the-growing-threat-of-cloud-misconfigurations\">The growing threat of cloud misconfigurations</h2>\n <a href=\"#the-growing-threat-of-cloud-misconfigurations\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The cloud has become a prime target for cyberattacks. According to the <a href=\"\"><u>2023 Cloud Risk Report</u></a>, CrowdStrike observed a 95% increase in cloud exploitation from 2021 to 2022, with a staggering 288% jump in cases involving threat actors directly targeting the cloud.</p><p>Misconfigurations in cloud infrastructure settings, such as improperly set security parameters and default access controls, provide adversaries with an easy path to infiltrate the cloud. According to the <a href=\"\"><u>2023 Thales Global Cloud Security Study</u></a>, which surveyed nearly 3,000 IT and security professionals from 18 countries, 44% of respondents reported experiencing a data breach, with misconfigurations and human error identified as the leading cause, accounting for 31% of the incidents.</p><p>Further, according to Gartner<sup>Ⓡ</sup>, “Through 2027, 99% of records compromised in cloud environments will be the result of user misconfigurations and account compromise, not the result of an issue with the cloud provider.”<sup>1</sup></p><p>Several factors contribute to the rise of cloud misconfigurations:</p><ul><li><p><b>Rapid adoption of cloud services:</b> Leaders are often driven by the scalability, cost-efficiency, and ability to support remote work and real-time collaboration that cloud services offer. These factors enable rapid adoption of cloud services which can lead to unintentional misconfigurations as IT teams struggle to keep up with the pace and complexity of these services. </p></li><li><p><b>Complexity of cloud environments:</b> Cloud infrastructure can be highly complex with multiple services and configurations to manage. For example, <a href=\"\"><u>AWS alone offers</u></a> 373 services with 15,617 actions and 140,000+ parameters, making it challenging for IT teams to manage settings accurately. </p></li><li><p><b>Decentralized management:</b> In large organizations, cloud infrastructure resources are often managed by multiple teams or departments. Without centralized oversight, inconsistent security policies and configurations can arise, increasing the risk of misconfigurations.</p></li><li><p><b>Continuous Integration and Continuous Deployment (CI/CD):</b> CI/CD pipelines promote the ability to rapidly deploy, change and frequently update infrastructure. With this velocity comes the increased risk of misconfigurations when changes are not properly managed and reviewed.</p></li><li><p><b>Insufficient training and awareness:</b> Employees may lack the cross-functional skills needed for cloud security, such as understanding networks, identity, and service configurations. This knowledge gap can lead to mistakes and increases the risk of misconfigurations that compromise security.</p></li></ul>\n <div class=\"flex anchor relative\">\n <h3 id=\"common-exploitation-methods\">Common exploitation methods </h3>\n <a href=\"#common-exploitation-methods\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Threat actors exploit cloud services through various means, including targeting misconfigurations, abusing privileges, and bypassing encryption. Misconfigurations such as exposed storage buckets or improperly secured APIs offer attackers easy access to sensitive data and resources. Privilege abuse occurs when attackers gain unauthorized access through compromised credentials or poorly managed identity and access management (IAM) policies, allowing them to escalate their access and move laterally within the cloud environment. Additionally, unencrypted data enables attackers to intercept and decrypt data in transit or at rest, further compromising the integrity and confidentiality of sensitive information.</p><p>Here are some other vulnerabilities that organizations should address: </p><ul><li><p><b>Unrestricted access to cloud tenants:</b> Allowing unrestricted access exposes cloud platforms to <a href=\"\">data exfiltration</a> by malicious actors. Limiting access to approved tenants with specific IP addresses and service destinations helps prevent unauthorized access.</p></li><li><p><b>Exposed access keys:</b> Exposed access keys can be exploited by unauthorized parties to steal or delete data. Requiring encryption for the access keys and restricting their usage can mitigate this risk.</p></li><li><p><b>Excessive account permissions:</b> Granting excessive privileges to cloud accounts increases the potential impact of security breaches. Limiting permissions to necessary operations helps prevent lateral movement and privilege escalation by threat actors.</p></li><li><p><b>Inadequate network segmentation:</b> Poorly managed network security groups and insufficient segmentation practices can allow attackers to move freely within cloud environments. Drawing boundaries around your cloud resources and tenants ensures that data stays within your organization.</p></li><li><p><b>Improper public access configuration:</b> Incorrectly exposing critical services or storage resources to the internet increases the likelihood of unauthorized access and data compromise. Preventing public access drastically reduces risk.</p></li><li><p><b>Shadow cloud infrastructure:</b> Abandoned or neglected cloud instances are often left vulnerable to exploitation, providing attackers with opportunities to access sensitive data left behind. Preventing untagged or unapproved cloud resources to be created can reduce the risk of exposure.</p></li></ul>\n <div class=\"flex anchor relative\">\n <h2 id=\"limitations-of-existing-tools\">Limitations of existing tools </h2>\n <a href=\"#limitations-of-existing-tools\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Many organizations turn to CSPM tools to give them more visibility into cloud misconfigurations. These tools often alert teams after an issue occurs, putting security teams in a reactive mode. Remediation efforts require collaboration between security teams and developers to implement changes, which can be time-consuming and resource-intensive. This approach not only delays issue resolution but also exposes companies to compliance and legal risks, while failing to train employees on secure cloud practices. <a href=\"\"><u>On average</u></a>, it takes 207 days to identify these breaches and an additional 70 days to contain them. </p><p>Addressing the growing threat of cloud misconfigurations requires proactive security measures and continuous monitoring. Organizations must adopt proactive security solutions that not only detect and alert but also prevent misconfigurations from occuring in the first place and enforce best practices. Creating a first line of defense for cloud deployment errors reduces the volume of alerts for customers, especially those also using CSPM tools or CNAPPs. </p><p>By implementing these proactive strategies, organizations can safeguard their cloud environments against the evolving landscape of cyber threats, ensuring robust security and compliance while minimizing risks and operational disruptions.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"whats-next-for-kivera\">What’s next for Kivera</h2>\n <a href=\"#whats-next-for-kivera\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The Kivera product will not be a point solution add-on. We’re making it a core part of our Cloudflare One offering because integrating features from products like our Secure Web Gateway give customers a comprehensive solution that works better together.</p><p>We’re excited to welcome Kivera to the Cloudflare team. Through the end of 2024 and into early 2025, Kivera’s team will focus on integrating their preventive inline cloud app controls directly into Cloudflare One. We are looking for early access testers and teams to provide feedback about what they would like to see. If you’d like early access, please <a href=\"\"><u>join the waitlist</u></a>.</p><p><sub>[1] Source: Outcome-Driven Metrics You Can Use to Evaluate Cloud Security Controls, Gartner, Charlie Winckless, Paul Proctor, Manuel Acosta, 09/28/2023 </sub></p><p><sub>GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.</sub></p><p>\n</p>"],"published_at":[0,"2024-10-08T06:00-07:00"],"updated_at":[0,"2024-11-22T18:43:45.968Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"6l7hyMgGAf9GhOz3E7MNxh"],"name":[0,"Data Protection"],"slug":[0,"data-protection"]}],[0,{"id":[0,"013htAspXBEMdE76Afcyq2"],"name":[0,"Acquisitions"],"slug":[0,"acquisitions"]}],[0,{"id":[0,"2Kxh34kIQRA3gyymmhJpsR"],"name":[0,"Email Security"],"slug":[0,"email-security"]}],[0,{"id":[0,"73lXar1fZP6qrIIcgBA5Te"],"name":[0,"Cloud Email Security"],"slug":[0,"cloud-email-security"]}],[0,{"id":[0,"2UI24t7uddD0CIIUJCu1f4"],"name":[0,"SASE"],"slug":[0,"sase"]}],[0,{"id":[0,"J61Eszqn98amrYHq4IhTx"],"name":[0,"Zero Trust"],"slug":[0,"zero-trust"]}],[0,{"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"name":[0,"Security"],"slug":[0,"security"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"4Z2oveL0P0AeqGa5lL4Vo1"],"name":[0,"Cloudflare One"],"slug":[0,"cloudflare-one"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Noelle Kagan"],"slug":[0,"noelle"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Neil Brown"],"slug":[0,"neil-brown"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}],[0,{"name":[0,"Yumna Moazzam"],"slug":[0,"yumna"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}]]],"meta_description":[0,"The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. "],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One"],"description":[0,"The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. "],"imgPreview":[0,""]}]}],"translations":[0,{"":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"":[0,"Careers"],"":[0,"Company"],"":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"":[0,"Community"],"footer.resources":[0,"Resources"],"":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-50-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2024-10-08</p> <div class=""> <a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Data Protection</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Acquisitions</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Email Security</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloud Email Security</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">SASE</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Zero Trust</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare One</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. <!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Noelle Kagan" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Noelle Kagan</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Neil Brown" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Neil Brown</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Yumna Moazzam" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Yumna Moazzam</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="10fxJq" prefix="r4" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"currentPage":[0,1],"isFeaturedImageFirstPost":[0,false],"post":[0,{"id":[0,"6HqKUMoXg0wFIQg9howLMX"],"title":[0,"AI Everywhere with the WAF Rule Builder Assistant, Cloudflare Radar AI Insights, and updated AI bot protection"],"slug":[0,"bringing-ai-to-cloudflare"],"excerpt":[0,"This year for Cloudflare’s birthday, we’ve extended our AI Assistant capabilities to help you build new WAF rules, added new AI bot & crawler traffic insights to Radar, and given customers new AI bot "],"featured":[0,false],"html":[0,"<p>The continued growth of AI has fundamentally changed the Internet over the past 24 months. AI is increasingly ubiquitous, and Cloudflare is leaning into the new opportunities and challenges it presents in a big way. This year for Cloudflare’s birthday, we’ve extended our AI Assistant capabilities to help you build new WAF rules, added AI bot traffic insights on Cloudflare Radar, and given customers new AI bot blocking capabilities. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"ai-assistant-for-waf-rule-builder\">AI Assistant for WAF Rule Builder</h2>\n <a href=\"#ai-assistant-for-waf-rule-builder\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 1\" class=\"kg-image\" width=\"1999\" height=\"501\" loading=\"lazy\"/>\n </figure><p>At Cloudflare, we’re always listening to your feedback and striving to make our products as user-friendly and powerful as possible. One area where we&#39;ve heard your feedback loud and clear is in the complexity of creating custom and rate-limiting rules for our Web Application Firewall (WAF). With this in mind, we’re excited to introduce a new feature that will make rule creation easier and more intuitive: the AI Assistant for WAF Rule Builder. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 2\" class=\"kg-image\" width=\"1056\" height=\"1460\" loading=\"lazy\"/>\n </figure><p>By simply entering a natural language prompt, you can generate a custom or rate-limiting rule tailored to your needs. For example, instead of manually configuring a complex rule matching criteria, you can now type something like, &quot;Match requests with low bot score,&quot; and the assistant will generate the rule for you. It’s not about creating the perfect rule in one step, but giving you a strong foundation that you can build on. </p><p>The assistant will be available in the Custom and Rate Limit Rule Builder for all WAF users. We’re launching this feature in Beta for all customers, and we encourage you to give it a try. We’re looking forward to hearing your feedback (via the UI itself) as we continue to refine and enhance this tool to meet your needs.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"ai-bot-traffic-insights-on-cloudflare-radar\">AI bot traffic insights on Cloudflare Radar</h2>\n <a href=\"#ai-bot-traffic-insights-on-cloudflare-radar\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>AI platform providers use bots to crawl and scrape websites, vacuuming up data to use for model training. This is frequently done without the permission of, or a business relationship with, the content owners and providers. In July, Cloudflare urged content owners and providers to <a href=\"\"><u>“declare their AIndependence”</u></a>, providing them with a way to block AI bots, scrapers, and crawlers with a single click. In addition to this so-called “easy button” approach, sites can provide more specific guidance to these bots about what they are and are not allowed to access through directives in a <a href=\"\"><u>robots.txt</u></a> file. Regardless of whether a customer chooses to block or allow requests from AI-related bots, Cloudflare has insight into request activity from these bots, and associated traffic trends over time.</p><p>Tracking traffic trends for AI bots can help us better understand their activity over time — which are the most aggressive and have the highest volume of requests, which launch crawls on a regular basis, etc. The new <a href=\"\"><b><u>AI bot &amp; crawler traffic </u></b><u>graph on Radar’s Traffic page</u></a> provides insight into these traffic trends gathered over the selected time period for the top known AI bots. The associated list of bots tracked here is based on the <a href=\"\"><u>ai.robots.txt list</u></a>, and will be updated with new bots as they are identified. <a href=\"\"><u>Time series</u></a> and <a href=\"\"><u>summary</u></a> data is available from the Radar API as well. (Traffic trends for the full set of AI bots &amp; crawlers <a href=\"\"><u>can be viewed in the new Data Explorer</u></a>.)</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 3\" class=\"kg-image\" width=\"1999\" height=\"631\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"blocking-more-ai-bots\">Blocking more AI bots</h2>\n <a href=\"#blocking-more-ai-bots\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 4\" class=\"kg-image\" width=\"1999\" height=\"501\" loading=\"lazy\"/>\n </figure><p>For Cloudflare’s birthday, we’re following up on our previous blog post, <a href=\"\"><i><u>Declaring Your AIndependence</u></i></a>, with an update on the new detections we’ve added to stop AI bots. Customers who haven’t already done so can simply <a href=\"\"><u>click the button</u></a> to block AI bots to gain more protection for their website. </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"enabling-dynamic-updates-for-the-ai-bot-rule\">Enabling dynamic updates for the AI bot rule</h3>\n <a href=\"#enabling-dynamic-updates-for-the-ai-bot-rule\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The old button allowed customers to block <i>verified</i> AI crawlers, those that respect robots.txt and crawl rate, and don’t try to hide their behavior. We’ve added new crawlers to that list, but we’ve also expanded the previous rule to include 27 signatures (and counting) of AI bots that <i>don’t </i>follow the rules. We want to take time to say “thank you” to everyone who took the time to use our “<a href=\"\"><u>tip line</u></a>” to point us towards new AI bots. These tips have been extremely helpful in finding some bots that would not have been on our radar so quickly. </p><p>For each bot we’ve added, we’re also adding them to our “Definitely automated” definition as well. So, if you’re a self-service plan customer using <a href=\"\"><u>Super Bot Fight Mode</u></a>, you’re already protected. Enterprise Bot Management customers will see more requests shift from the “Likely Bot” range to the “Definitely automated” range, which we’ll discuss more below.</p><p>Under the hood, we’ve converted this rule logic to a <a href=\"\"><u>Cloudflare managed rule</u></a> (the same framework that powers our WAF). This enables our security analysts and engineers to safely push updates to the rule in real-time, similar to how new WAF rule changes are rapidly delivered to ensure our customers are protected against the latest CVEs. If you haven’t logged back into the Bots dashboard since the previous version of our AI bot protection was announced, click the button again to update to the latest protection. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 5\" class=\"kg-image\" width=\"1999\" height=\"522\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"the-impact-of-new-fingerprints-on-the-model\">The impact of new fingerprints on the model </h3>\n <a href=\"#the-impact-of-new-fingerprints-on-the-model\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>One hidden beneficiary of fingerprinting new AI bots is our ML model. <a href=\"\"><u>As we’ve discussed before</u></a>, our global ML model uses supervised machine learning and greatly benefits from more sources of labeled bot data. Below, you can see how well our ML model recognized these requests as automated, before and after we updated the button, adding new rules. To keep things simple, we have shown only the top 5 bots by the volume of requests on the chart. With the introduction of our new managed rule, we have observed an improvement in our detection capabilities for the majority of these AI bots. Button v1 represents the old option that let customers block only verified AI crawlers, while Button v2 is the newly introduced feature that includes managed rule detections.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 6\" class=\"kg-image\" width=\"1887\" height=\"1406\" loading=\"lazy\"/>\n </figure><p>So how did we make our detections more robust? As we have mentioned before, sometimes <a href=\"\"><i><u>a single attribute can give a bot away</u></i></a>. We developed a sophisticated set of heuristics tailored to these AI bots, enabling us to effortlessly and accurately classify them as such. Although our ML model was already detecting the vast majority of these requests, the integration of additional heuristics has resulted in a noticeable increase in detection rates for each bot, and ensuring we score every request correctly 100% of the time. Transitioning from a purely machine learning approach to incorporating heuristics offers several advantages, including faster detection times and greater certainty in classification. While deploying a machine learning model is complex and time-consuming, new heuristics can be created in minutes. </p><p>The initial launch of the AI bots block button was well-received and is now used by over 133,000 websites, with significant adoption even among our Free tier customers. The newly updated button, launched on August 20, 2024, is rapidly gaining traction. Over 90,000 zones have already adopted the new rule, with approximately 240 new sites integrating it every hour. Overall, we are now helping to protect the intellectual property of more than 146,000 sites from AI bots, and we are currently blocking 66 million requests daily with this new rule. Additionally, we’re excited to announce that support for configuring AI bots protection via Terraform will be available by the end of this year, providing even more flexibility and control for managing your bot protection settings.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"bot-behavior\">Bot behavior</h3>\n <a href=\"#bot-behavior\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>With the enhancements to our detection capabilities, it is essential to assess the impact of these changes to bot activity on the Internet. Since the launch of the updated AI bots block button, we have been closely monitoring for any shifts in bot activity and adaptation strategies. The most basic fingerprinting technique we use to identify AI bot looking for simple user-agent matches. User-agent matches are important to monitor because they indicate the bot is transparently announcing who they are when they’re crawling a website. </p><p>The graph below shows a volume of traffic we label as AI bot over the past two months. The blue line indicates the daily request count, while the red line represents the monthly average number of requests. In the past two months, we have seen an average reduction of nearly 30 million requests, with a decrease of 40 million in the most recent month.This decline coincides with the release of Button v1 and Button v2. Our hypothesis is that with the new AI bots blocking feature, Cloudflare is blocking a majority of these bots, which is discouraging them from crawling. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 7\" class=\"kg-image\" width=\"1999\" height=\"1048\" loading=\"lazy\"/>\n </figure><p>This hypothesis is supported by the observed decline in requests from several top AI crawlers. Specifically, the Bytespider bot reduced its daily requests from approximately 100 million to just 50 million between the end of June and the end of August (see graph below). This reduction could be attributed to several factors, including our new AI bots block button and changes in the crawler&#39;s strategy.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 8\" class=\"kg-image\" width=\"1999\" height=\"993\" loading=\"lazy\"/>\n </figure><p>We have also observed an increase in the accountability of some AI crawlers. The most basic fingerprinting technique we use to identify AI bot looking for simple user-agent matches. User-agent matches are important to monitor because they indicate the bot is transparently announcing who they are when they’re crawling a website. These crawlers are now more frequently using their agents, reflecting a shift towards more transparent and responsible behavior. Notably, there has been a dramatic surge in the number of requests from the Perplexity user agent. This increase might be linked to <a href=\"\">previous accusations<u> </u></a>that Perplexity did not properly present its user agent, which could have prompted a shift in their approach to ensure better identification and compliance. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2564 9\" class=\"kg-image\" width=\"1999\" height=\"991\" loading=\"lazy\"/>\n </figure><p>These trends suggest that our updates are likely affecting how AI crawlers interact with content. We will continue to monitor AI bot activity to help users control who accesses their content and how. By keeping a close watch on emerging patterns, we aim to provide users with the tools and insights needed to make informed decisions about managing their traffic. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"wrap-up\">Wrap up</h2>\n <a href=\"#wrap-up\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We’re excited to continue to explore the AI landscape, whether we’re finding more ways to make the Cloudflare dashboard usable or new threats to guard against. Our AI insights on Radar update in near real-time, so please join us in watching as new trends emerge and discussing them in the <a href=\"\"><u>Cloudflare Community</u></a>. </p>"],"published_at":[0,"2024-09-27T14:00+01:00"],"updated_at":[0,"2024-12-12T00:04:47.650Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"1Cv5JjXzKWKEA10JdYbXu1"],"name":[0,"Birthday Week"],"slug":[0,"birthday-week"]}],[0,{"id":[0,"267TTPMscUWABgYgHSH4ye"],"name":[0,"Bot Management"],"slug":[0,"bot-management"]}],[0,{"id":[0,"4l3WDYLk6bXCyaRc9pRzXa"],"name":[0,"Bots"],"slug":[0,"bots"]}],[0,{"id":[0,"3404RT2rd0b1M4ZCCIceXx"],"name":[0,"AI Bots"],"slug":[0,"ai-bots"]}],[0,{"id":[0,"6Foe3R8of95cWVnQwe5Toi"],"name":[0,"AI"],"slug":[0,"ai"]}],[0,{"id":[0,"1HAYmR545ufVxM2rQzz0SE"],"name":[0,"Machine Learning"],"slug":[0,"machine-learning"]}],[0,{"id":[0,"6pD9OvooldcqcJ8z8Y6QQ1"],"name":[0,"Generative AI"],"slug":[0,"generative-ai"]}],[0,{"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"name":[0,"Security"],"slug":[0,"security"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"36Dg2NwTgUHhrlE0FRpSdJ"],"name":[0,"Application Services"],"slug":[0,"application-services"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Adam Martinetti"],"slug":[0,"adam-martinetti"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@adamemcf"],"facebook":[0,null]}],[0,{"name":[0,"Harsh Saxena"],"slug":[0,"harsh-saxena"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}],[0,{"name":[0,"Gauri Baraskar"],"slug":[0,"gauri-baraskar"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}],[0,{"name":[0,"Carlos Azevedo"],"slug":[0,"carlos"],"bio":[0,null],"profile_image":[0,""],"location":[0,"Lisbon"],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"David Belson"],"slug":[0,"david-belson"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@dbelson"],"facebook":[0,null]}]]],"meta_description":[0,"This year for Cloudflare’s birthday, we’ve extended our AI Assistant capabilities to help you build new WAF rules, added new AI bot & crawler traffic insights to Radar, and given customers new AI bot blocking capabilities"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"AI Everywhere with the WAF Rule Builder Assistant, Cloudflare Radar AI Insights, and updated AI bot protection LOC"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"AI Everywhere with the WAF Rule Builder Assistant, Cloudflare Radar AI Insights, and updated AI bot protection"],"description":[0,"This year for Cloudflare’s birthday, we’ve extended our AI Assistant capabilities to help you build new WAF rules, added new AI bot & crawler traffic insights to Radar, and given customers new AI bot blocking capabilities. "],"imgPreview":[0,""]}]}],"translations":[0,{"":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"":[0,"Careers"],"":[0,"Company"],"":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"":[0,"Community"],"footer.resources":[0,"Resources"],"":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-50-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">AI Everywhere with the WAF Rule Builder Assistant, Cloudflare Radar AI Insights, and updated AI bot protection</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2024-09-27</p> <div class=""> <a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Birthday Week</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Bot Management</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Bots</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">AI Bots</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">AI</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Machine Learning</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Generative AI</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developers</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developer Platform</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Application Services</a><a href="" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">This year for Cloudflare’s birthday, we’ve extended our AI Assistant capabilities to help you build new WAF rules, added new AI bot & crawler traffic insights to Radar, and given customers new AI bot <!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Adam Martinetti" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Adam Martinetti</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Harsh Saxena" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Harsh Saxena</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Gauri Baraskar" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Gauri Baraskar</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="Carlos Azevedo" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">Carlos Azevedo</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src=",dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/" alt="David Belson" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="" class="fw4 f3 no-underline black">David Belson</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island> <astro-island uid="Z1blFoe" prefix="r5" component-url="/_astro/MorePosts.DyRVOquy.js" component-export="default" renderer-url="/_astro/client.DLO1yDVm.js" props="{"locale":[0,"en-us"],"posts":[1,[[0,{"id":[0,"29PAMer5L0do12OtNa557I"],"title":[0,"Making Workers AI faster and more efficient: Performance optimization with KV cache compression and speculative decoding"],"slug":[0,"making-workers-ai-faster"],"excerpt":[0,"With a new generation of data center accelerator hardware and using optimization techniques such as KV cache compression and speculative decoding, we’ve made large language model (LLM)"],"featured":[0,false],"html":[0,"<p>During Birthday Week 2023, <a href=\"\"><u>we launched Workers AI</u></a>. Since then, we have been listening to your feedback, and one thing we’ve heard consistently is that our customers want Workers AI to be faster. In particular, we hear that large language model (LLM) generation needs to be faster. Users want their interactive chat and agents to go faster, developers want faster help, and users do not want to wait for applications and generated website content to load. Today, we’re announcing three upgrades we’ve made to Workers AI to bring faster and more efficient inference to our customers: upgraded hardware, KV cache compression, and speculative decoding.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"watch-on-cloudflare-tv\">Watch on Cloudflare TV</h3>\n <a href=\"#watch-on-cloudflare-tv\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <div style=\"position: relative; padding-top: 56.25%;\">\n <iframe\n src=\"\"\n loading=\"lazy\"\n style=\"border: none; position: absolute; top: 0; left: 0; height: 100%; width: 100%;\"\n allow=\"accelerometer; gyroscope; autoplay; encrypted-media; picture-in-picture;\"\n allowfullscreen=\"true\"\n ></iframe>\n</div><p>Thanks to Cloudflare’s <a href=\"\"><u>12th generation compute servers</u></a>, our network now supports a newer generation of GPUs capable of supporting larger models and faster inference. Customers can now use <a href=\"\"><u>Meta Llama 3.2 11B</u></a>, Meta’s <a href=\"\"><u>newly released</u></a> multi-modal model with vision support, as well as Meta Llama 3.1 70B on Workers AI. Depending on load and time of day, customers can expect to see two to three times the throughput for Llama 3.1 and 3.2 compared to our previous generation Workers AI hardware. More performance information for these models can be found in today’s post: <a href=\"\"><i><u>Cloudflare’s Bigger, Better, Faster AI platform</u></i></a>.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"new-kv-cache-compression-methods-now-open-source\">New KV cache compression methods, now open source</h2>\n <a href=\"#new-kv-cache-compression-methods-now-open-source\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In our effort to deliver low-cost low-latency inference to the world, Workers AI has been developing novel methods to boost efficiency of LLM inference. Today, we’re excited to announce a technique for KV cache compression that can help increase throughput of an inference platform. And we’ve made it open source too, so that everyone can benefit from our research.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"its-all-about-memory\">It’s all about memory</h3>\n <a href=\"#its-all-about-memory\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>One of the main bottlenecks when running LLM inference is the amount of vRAM (memory) available. Every word that an LLM processes generates a set of vectors that encode the meaning of that word in the context of any earlier words in the input that are used to generate new tokens in the future. These vectors are stored in the <i>KV cache</i>, causing the memory required for inference to scale linearly with the total number of tokens of all sequences being processed. This makes memory a bottleneck for a lot of transformer-based models. Because of this, the amount of memory an instance has available limits the number of sequences it can generate concurrently, as well as the maximum token length of sequences it can generate.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"so-what-is-the-kv-cache-anyway\">So what is the KV cache anyway?</h3>\n <a href=\"#so-what-is-the-kv-cache-anyway\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>LLMs are made up of layers, with an <a href=\"\"><u>attention</u></a> operation occurring in each layer. Within each layer’s attention operation, information is collected from the representations of all previous tokens that are stored in cache. This means that vectors in the KV cache are organized into layers, so that the active layer’s attention operation can only query vectors from the corresponding layer of KV cache. Furthermore, since attention within each layer is parallelized across multiple attention “heads”, the KV cache vectors of a specific layer are further subdivided into groups corresponding to each attention head of that layer.</p><p>The diagram below shows the structure of an LLM’s KV cache for a single sequence being generated. Each cell represents a KV and the model’s representation for a token consists of all KV vectors for that token across all attention heads and layers. As you can see, the KV cache for a single layer is allocated as an M x N matrix of KV vectors where M is the number of attention heads and N is the sequence length. This will be important later!</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2571 2\" class=\"kg-image\" width=\"1528\" height=\"876\" loading=\"lazy\"/>\n </figure><p>For a deeper look at attention, see the original “<a href=\"\"><u>Attention is All You Need</u></a>” paper. </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"kv-cache-compression-use-it-or-lose-it\">KV-cache compression — “use it or lose it”</h3>\n <a href=\"#kv-cache-compression-use-it-or-lose-it\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Now that we know what the KV cache looks like, let’s dive into how we can shrink it!</p><p>The most common approach to compressing the KV cache involves identifying vectors within it that are unlikely to be queried by future attention operations and can therefore be removed without impacting the model’s outputs. This is commonly done by looking at the past attention weights for each pair of key and value vectors (a measure of the degree with which that KV’s representation has been queried during past attention operations) and selecting the KVs that have received the lowest total attention for eviction. This approach is conceptually similar to a LFU (least frequently used) cache management policy: the less a particular vector is queried, the more likely it is to be evicted in the future.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"different-attention-heads-need-different-compression-rates\">Different attention heads need different compression rates</h3>\n <a href=\"#different-attention-heads-need-different-compression-rates\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As we saw earlier, the KV cache for each sequence in a particular layer is allocated on the GPU as a <i># attention heads X sequence length</i> tensor. This means that the total memory allocation scales with the <i>maximum</i> sequence length for all attention heads of the KV cache. Usually this is not a problem, since each sequence generates the same number of KVs per attention head.</p><p>When we consider the problem of eviction-based KV cache compression, however, this forces us to remove an equal number of KVs from each attention head when doing the compression. If we remove more KVs from one attention head alone, those removed KVs won’t actually contribute to lowering the memory footprint of the KV cache on GPU, but will just add more empty “padding” to the corresponding rows of the tensor. You can see this in the diagram below (note the empty cells in the second row below):</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2571 3\" class=\"kg-image\" width=\"1452\" height=\"808\" loading=\"lazy\"/>\n </figure><p>The extra compression along the second head frees slots for two KVs, but the cache’s shape (and memory footprint) remains the same.</p><p>This forces us to use a fixed compression rate for all attention heads of KV cache, which is very limiting on the compression rates we can achieve before compromising performance.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"enter-pagedattention\">Enter PagedAttention</h3>\n <a href=\"#enter-pagedattention\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The solution to this problem is to change how our KV cache is represented in physical memory. <a href=\"\"><u>PagedAttention</u></a> can represent N x M tensors with padding efficiently by using an N x M block table to index into a series of “blocks”.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2571 4\" class=\"kg-image\" width=\"1512\" height=\"722\" loading=\"lazy\"/>\n </figure><p>This lets us retrieve the i<sup>th</sup> element of a row by taking the i<sup>th</sup> block number from that row in the block table and using the block number to lookup the corresponding block, so we avoid allocating space to padding elements in our physical memory representation. In our case, the elements in physical memory are the KV cache vectors, and the <i>M </i>and <i>N</i> that define the shape of our block table are the number of attention heads and sequence length, respectively. Since the block table is only storing integer indices (rather than high-dimensional KV vectors), its memory footprint is negligible in most cases.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"results\">Results</h3>\n <a href=\"#results\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Using paged attention lets us apply different rates of compression to different heads in our KV cache, giving our compression strategy more flexibility than other methods. We tested our compression algorithm on <a href=\"\"><u>LongBench</u></a> (a collection of long-context LLM benchmarks) with Llama-3.1-8B and found that for most tasks we can retain over 95% task performance while reducing cache size by up to 8x (left figure below). Over 90% task performance can be retained while further compressing up to 64x. That means you have room in memory for 64 times as many tokens!</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2571 5\" class=\"kg-image\" width=\"1758\" height=\"652\" loading=\"lazy\"/>\n </figure><p>This lets us increase the number of requests we can process in parallel, increasing the total throughput (total tokens generated per second) by 3.44x and 5.18x for compression rates of 8x and 64x, respectively (right figure above).</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"try-it-yourself\">Try it yourself!</h3>\n <a href=\"#try-it-yourself\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>If you’re interested in taking a deeper dive check out our <a href=\"\"><u>vLLM fork</u></a> and get compressing!!</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"speculative-decoding-for-faster-throughput\">Speculative decoding for faster throughput</h2>\n <a href=\"#speculative-decoding-for-faster-throughput\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>A new inference strategy that we implemented is speculative decoding, which is a very popular way to get faster throughput (measured in tokens per second). LLMs work by predicting the next expected token (a token can be a word, word fragment or single character) in the sequence with each call to the model, based on everything that the model has seen before. For the first token generated, this means just the initial prompt, but after that each subsequent token is generated based on the prompt plus all other tokens that have been generated. Typically, this happens one token at a time, generating a single word, or even a single letter, depending on what comes next.</p><p>But what about this prompt:</p><blockquote><p><i>Knock, knock!</i></p></blockquote><p>If you are familiar with knock-knock jokes, you could very accurately predict more than one token ahead. For an English language speaker, what comes next is a very specific sequence that is four to five tokens long: “Who’s there?” or “Who is there?” Human language is full of these types of phrases where the next word has only one, or a few, high probability choices. Idioms, common expressions, and even basic grammar are all examples of this. So for each prediction the model makes, we can take it a step further with speculative decoding to predict the next <i>n</i> tokens. This allows us to speed up inference, as we’re not limited to predicting one token at a time.</p><p>There are several different implementations of speculative decoding, but each in some way uses a smaller, faster-to-run model to generate more than one token at a time. For Workers AI, we have applied <a href=\"\"><u>prompt-lookup decoding</u></a> to some of the LLMs we offer. This simple method matches the last <i>n </i>tokens of generated text against text in the prompt/output and predicts candidate tokens that continue these identified patterns as candidates for continuing the output. In the case of knock-knock jokes, it can predict all the tokens for <i>“Who’s there</i>” at once after seeing “<i>Knock, knock!</i>”, as long as this setup occurs somewhere in the prompt or previous dialogue already. Once these candidate tokens have been predicted, the model can verify them all with a single forward-pass and choose to either accept or reject them. This increases the generation speed of llama-3.1-8b-instruct by up to 40% and the 70B model by up to 70%.</p><p>Speculative decoding has tradeoffs, however. Typically, the results of a model using speculative decoding have a lower quality, both when measured using benchmarks like <a href=\"\"><u>MMLU</u></a> as well as when compared by humans. More aggressive speculation can speed up sequence generation, but generally comes with a greater impact to the quality of the result. Prompt lookup decoding offers one of the smallest overall quality impacts while still providing performance improvements, and we will be adding it to some language models on Workers AI including <a href=\"\"><u>@cf/meta/llama-3.1-8b-instruct</u></a>.</p><p>And, by the way, here is one of our favorite knock-knock jokes, can you guess the punchline?</p><blockquote><p><i>Knock, knock!</i></p><p><i>Who’s there?</i></p><p><i>Figs!</i></p><p><i>Figs who?</i></p><p><i>Figs the doorbell, it’s broken!</i></p></blockquote>\n <div class=\"flex anchor relative\">\n <h2 id=\"keep-accelerating\">Keep accelerating</h2>\n <a href=\"#keep-accelerating\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As the AI industry continues to evolve, there will be new hardware and software that allows customers to get faster inference responses. Workers AI is committed to researching, implementing, and making upgrades to our services to help you get fast inference. As an Inference-as-a-Service platform, you’ll be able to benefit from all the optimizations we apply, without having to hire your own team of ML researchers and SREs to manage inference software and hardware deployments.\n\nWe’re excited for you to try out some of these new releases we have and let us know what you think! Check out our full-suite of AI announcements <a href=\"\"><u>here</u></a> and check out the <a href=\"\"><u>developer docs</u></a> to get started.</p>"],"published_at":[0,"2024-09-26T14:00+01:00"],"updated_at":[0,"2024-12-12T00:06:43.607Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"1Cv5JjXzKWKEA10JdYbXu1"],"name":[0,"Birthday Week"],"slug":[0,"birthday-week"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"6hbkItfupogJP3aRDAq6v8"],"name":[0,"Cloudflare Workers"],"slug":[0,"workers"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"6gMpGK5HugYKaxJbvTMOHp"],"name":[0,"LLM"],"slug":[0,"llm"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Isaac Rehg"],"slug":[0,"isaac-rehg"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"With a new generation of data center accelerator hardware and using optimization techniques such as KV cache compression and speculative decoding, we’ve made large language model (LLM) inference lightning-fast on the Cloudflare Workers AI platform."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Making Workers AI faster and more efficient: Performance optimization with KV cache compression and speculative decoding"],"description":[0,"With a new generation of data center accelerator hardware and using optimization techniques such as KV cache compression and speculative decoding, we’ve made large language model (LLM) inference lightning-fast on the Cloudflare Workers AI platform."],"imgPreview":[0,""]}]}],[0,{"id":[0,"44R2ywetTc9l1c6D7oWTsz"],"title":[0,"Zero-latency SQLite storage in every Durable Object"],"slug":[0,"sqlite-in-durable-objects"],"excerpt":[0,"Traditional cloud storage is inherently slow because it is accessed over a network and must synchronize many clients. But what if we could instead put your application code deep into the storage layer"],"featured":[0,false],"html":[0,"<p>Traditional cloud storage is inherently slow, because it is normally accessed over a network and must carefully synchronize across many clients that could be accessing the same data. But what if we could instead put your application code deep into the storage layer, such that your code runs directly on the machine where the data is stored, and the database itself executes as a local library embedded inside your application?</p><p><a href=\"\"><u>Durable Objects (DO)</u></a> are a novel approach to cloud computing which accomplishes just that: Your application code runs exactly where the data is stored. Not just on the same machine: your storage lives in the same thread as the application, requiring not even a context switch to access. With proper use of caching, storage latency is essentially zero, while nevertheless being durable and consistent.</p><p>Until today, DOs only offered key/value oriented storage. But now, they support a full SQL query interface with tables and indexes, through the power of SQLite.</p><p><a href=\"\"><u>SQLite</u></a> is the most-used SQL database implementation in the world, with billions of installations. It’s on practically every phone and desktop computer, and many embedded devices use it as well. It&#39;s known to be blazingly fast and rock solid. But it&#39;s been less common on the server. This is because traditional cloud architecture favors large distributed databases that live separately from application servers, while SQLite is designed to run as an embedded library. In this post, we&#39;ll show you how Durable Objects turn this architecture on its head and unlock the full power of SQLite in the cloud.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2536 2\" class=\"kg-image\" width=\"1999\" height=\"900\" loading=\"lazy\"/>\n </figure>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2536 3\" class=\"kg-image\" width=\"1999\" height=\"1000\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"refresher-what-are-durable-objects\">Refresher: what are Durable Objects?</h2>\n <a href=\"#refresher-what-are-durable-objects\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p><a href=\"\"><u>Durable Objects</u></a> (DOs) are a part of the Cloudflare <a href=\"\"><u>Workers</u></a> serverless platform. A DO is essentially a small server that can be addressed by a unique name and can keep state both in-memory and on-disk. Workers running anywhere on Cloudflare&#39;s network can send messages to a DO by its name, and all messages addressed to the same name — from anywhere in the world — will find their way to the same DO instance.</p><p>DOs are intended to be small and numerous. A single application can create billions of DOs distributed across our global network. Cloudflare automatically decides where a DO should live based on where it is accessed, automatically starts it up as needed when requests arrive, and shuts it down when idle. A DO has in-memory state while running and can also optionally store long-lived durable state. Since there is exactly one DO for each name, a DO can be used to coordinate between operations on the same logical object.</p><p>For example, imagine a real-time collaborative document editor application. Many users may be editing the same document at the same time. Each user&#39;s changes must be broadcast to other users in real time, and conflicts must be resolved. An application built on DOs would typically create one DO for each document. The DO would receive edits from users, resolve conflicts, broadcast the changes back out to other users, and keep the document content updated in its local storage.</p><p>DOs are especially good at real-time collaboration, but are by no means limited to this use case. They are general-purpose servers that can implement any logic you desire to serve requests. Even more generally, <b>DOs are a basic building block for distributed systems</b>.</p><p>When using Durable Objects, it&#39;s important to remember that they are intended to scale <i>out</i>, not <i>up</i>. A single object is inherently limited in throughput since it runs on a single thread of a single machine. To handle more traffic, you create more objects. This is easiest when different objects can handle different logical units of state (like different documents, different users, or different &quot;shards&quot; of a database), where each unit of state has low enough traffic to be handled by a single object. But sometimes, a lot of traffic needs to modify the same state: consider a vote counter with a million users all trying to cast votes at once. To handle such cases with Durable Objects, you would need to create a set of objects that each handle a subset of traffic and then replicate state to each other. Perhaps they use <a href=\"\"><u>CRDTs</u></a> in a <a href=\"\"><u>gossip network</u></a>, or perhaps they implement a fan-in/fan-out approach to a single primary object. Whatever approach you take, Durable Objects make it fast and easy to create more stateful nodes as needed.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"why-is-sqlite-in-do-so-fast\">Why is SQLite-in-DO so fast?</h2>\n <a href=\"#why-is-sqlite-in-do-so-fast\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In traditional cloud architecture, stateless application servers run business logic and communicate over the network to a database. Even if the network is local, database requests still incur latency, typically measured in milliseconds.</p><p>When a Durable Object uses SQLite, SQLite is invoked as a library. This means the database code runs not just on the same machine as the DO, not just in the same process, but in the very same thread. Latency is effectively zero, because there is no communication barrier between the application and SQLite. A query can complete in microseconds.</p><h4>Reads and writes are synchronous</h4><p>The SQL query API in DOs does not require you to await results — they are returned synchronously:</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">// No awaits!\nlet cursor = sql.exec(&quot;SELECT name, email FROM users&quot;);\nfor (let user of cursor) {\n console.log(,;\n}\n</pre></code>\n <p>This may come as a surprise to some. Querying a database is I/O, right? I/O should always be asynchronous, right? Isn&#39;t this a violation of the natural order of JavaScript?</p><p>It&#39;s OK! The database content is probably cached in memory already, and SQLite is being called as a library in the same thread as the application, so the query often actually won&#39;t spend any time at all waiting for I/O. Even if it does have to go to disk, it&#39;s a local SSD. You might as well consider the local disk as just another layer in the memory cache hierarchy: L5 cache, if you will. In any case, it will respond quickly.</p><p>Meanwhile, synchronous queries provide some big benefits. First, the logistics of asynchronous event loops have a cost, so in the common case where the data is already in memory, a synchronous query will actually complete faster than an async one.</p><p>More importantly, though, synchronous queries help you avoid subtle bugs. Any time your application awaits a promise, it&#39;s possible that some other code executes while you wait. The state of the world may have changed by the time your await completes. Maybe even other SQL queries were executed. This can lead to subtle bugs that are hard to reproduce because they require events to happen at just the wrong time. With a synchronous API, though, none of that can happen. Your code always executes in the order you wrote it, uninterrupted.</p><h4>Fast writes with Output Gates</h4><p>Database experts might have a deeper objection to synchronous queries: Yes, caching may mean we can perform reads and writes very fast. However, in the case of a write, just writing to cache isn&#39;t good enough. Before we return success to our client, we must <i>confirm</i> that the write is actually <i>durable</i>, that is, it has actually made it onto disk or network storage such that it cannot be lost if the power suddenly goes out.</p><p>Normally, a database would confirm all writes before returning to the application. So if the query is successful, it is confirmed. But confirming writes can be slow, because it requires waiting for the underlying storage medium to respond. Normally, this is OK because the write is performed asynchronously, so the program can go on and work on other things while it waits for the write to finish. It looks kind of like this:</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2536 4\" class=\"kg-image\" width=\"732\" height=\"817\" loading=\"lazy\"/>\n </figure><p>But I just told you that in Durable Objects, writes are synchronous. While a synchronous call is running, no other code in the program can run (because JavaScript does not have threads). This is convenient, as mentioned above, because it means you don&#39;t need to worry that the state of the world may have changed while you were waiting. However, if write queries have to wait a while, and the whole program must pause and wait for them, then throughput will suffer.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2536 5\" class=\"kg-image\" width=\"732\" height=\"817\" loading=\"lazy\"/>\n </figure><p>Luckily, in Durable Objects, writes do not have to wait, due to a little trick we call &quot;Output Gates&quot;.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2536 6\" class=\"kg-image\" width=\"732\" height=\"482\" loading=\"lazy\"/>\n </figure><p>In DOs, when the application issues a write, it continues executing without waiting for confirmation. However, when the DO then responds to the client, the response is blocked by the &quot;Output Gate&quot;. This system holds the response until all storage writes relevant to the response have been confirmed, then sends the response on its way. In the rare case that the write fails, the response will be replaced with an error and the Durable Object itself will restart. So, even though the application constructed a &quot;success&quot; response, nobody can ever see that this happened, and thus nobody can be misled into believing that the data was stored.</p><p>Let&#39;s see what this looks like with multiple requests:</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2536 7\" class=\"kg-image\" width=\"732\" height=\"734\" loading=\"lazy\"/>\n </figure><p>If you compare this against the first diagram above, you should notice a few things:</p><ul><li><p>The timing of requests and confirmations are the same.</p></li><li><p>But, all responses were sent to the client <i>sooner</i> than in the first diagram. Latency was reduced! This is because the application is able to work on constructing the response in parallel with the storage layer confirming the write.</p></li><li><p>Request handling is no longer interleaved between the three requests. Instead, each request runs to completion before the next begins. The application does not need to worry, during the handling of one request, that its state might change unexpectedly due to a concurrent request.</p></li></ul><p>With Output Gates, we get the ease-of-use of synchronous writes, while also getting lower latency and no loss of throughput.</p><h4>N+1 selects? No problem.</h4><p>Zero-latency queries aren&#39;t just faster, they allow you to structure your code differently, often making it simpler. A classic example is the &quot;N+1 selects&quot; or &quot;N+1 queries&quot; problem. Let&#39;s illustrate this problem with an example:</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">// N+1 SELECTs example\n\n// Get the 100 most-recently-modified docs.\nlet docs = sql.exec(`\n SELECT title, authorId FROM documents\n ORDER BY lastModified DESC\n LIMIT 100\n`).toArray();\n\n// For each returned document, get the author name from the users table.\nfor (let doc of docs) {\n doc.authorName = sql.exec(\n &quot;SELECT name FROM users WHERE id = ?&quot;, doc.authorId).one().name;\n}\n</pre></code>\n <p>If you are an experienced SQL user, you are probably cringing at this code, and for good reason: this code does 101 queries! If the application is talking to the database across a network with 5ms latency, this will take 505ms to run, which is slow enough for humans to notice.</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">// Do it all in one query with a join?\nlet docs = sql.exec(`\n SELECT documents.title,\n FROM documents JOIN users ON documents.authorId =\n ORDER BY documents.lastModified DESC\n LIMIT 100\n`).toArray();\n</pre></code>\n <p>Here we&#39;ve used SQL features to turn our 101 queries into one query. Great! Except, what does it mean? We used an inner join, which is not to be confused with a left, right, or cross join. What&#39;s the difference? Honestly, I have no idea! I had to look up joins just to write this example and I&#39;m already confused.</p><p>Well, good news: You don&#39;t need to figure it out. Because <b>when using SQLite as a library, the first example above </b><b><i>works just fine</i></b><b>.</b> It&#39;ll perform about the same as the second fancy version.</p><p>More generally, when using SQLite as a library, you don&#39;t have to learn how to do fancy things in SQL syntax. Your logic can be in regular old application code in your programming language of choice, orchestrating the most basic SQL queries that are easy to learn. It&#39;s fine. <a href=\"\"><u>The creators of SQLite have made this point themselves.</u></a></p><h4>Point-in-Time Recovery</h4><p>While not necessarily related to speed, SQLite-backed Durable Objects offer another feature: any object can be reverted to the state it had at any point in time in the last 30 days. So if you accidentally execute a buggy query that corrupts all your data, don&#39;t worry: you can recover. There&#39;s no need to opt into this feature in advance; it&#39;s on by default for all SQLite-backed DOs. See the <a href=\"\"><u>docs</u></a> for details.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"how-do-i-use-it\">How do I use it?</h2>\n <a href=\"#how-do-i-use-it\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Let&#39;s say we&#39;re an airline, and we are implementing a way for users to choose their seats on a flight. We will create a new Durable Object for each flight. Within that DO, we will use a SQL table to track the assignments of seats to passengers. The code might look something like this:</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">import {DurableObject} from &quot;cloudflare:workers&quot;;\n\n// Manages seat assignment for a flight.\n//\n// This is an RPC interface. The methods can be called remotely by other Workers\n// running anywhere in the world. All Workers that specify same object ID\n// (probably based on the flight number and date) will reach the same instance of\n// FlightSeating.\nexport class FlightSeating extends DurableObject {\n sql =;\n\n // Application calls this when the flight is first created to set up the seat map.\n initializeFlight(seatList) {\n this.sql.exec(`\n CREATE TABLE seats (\n seatId TEXT PRIMARY KEY, -- e.g. &quot;3B&quot;\n occupant TEXT -- null if available\n )\n `);\n\n for (let seat of seatList) {\n this.sql.exec(`INSERT INTO seats VALUES (?, null)`, seat);\n }\n }\n\n // Get a list of available seats.\n getAvailable() {\n let results = [];\n\n // Query returns a cursor.\n let cursor = this.sql.exec(`SELECT seatId FROM seats WHERE occupant IS NULL`);\n\n // Cursors are iterable.\n for (let row of cursor) {\n // Each row is an object with a property for each column.\n results.push(row.seatId);\n }\n\n return results;\n }\n\n // Assign passenger to a seat.\n assignSeat(seatId, occupant) {\n // Check that seat isn&#039;t occupied.\n let cursor = this.sql.exec(`SELECT occupant FROM seats WHERE seatId = ?`, seatId);\n let result = [...cursor][0]; // Get the first result from the cursor.\n if (!result) {\n throw new Error(&quot;No such seat: &quot; + seatId);\n }\n if (result.occupant !== null) {\n throw new Error(&quot;Seat is occupied: &quot; + seatId);\n }\n\n // If the occupant is already in a different seat, remove them.\n this.sql.exec(`UPDATE seats SET occupant = null WHERE occupant = ?`, occupant);\n\n // Assign the seat. Note: We don&#039;t have to worry that a concurrent request may\n // have grabbed the seat between the two queries, because the code is synchronous\n // (no `await`s) and the database is private to this Durable Object. Nothing else\n // could have changed since we checked that the seat was available earlier!\n this.sql.exec(`UPDATE seats SET occupant = ? WHERE seatId = ?`, occupant, seatId);\n }\n}\n</pre></code>\n <p>(With just a little more code, we could extend this example to allow clients to subscribe to seat changes with <a href=\"\"><u>WebSockets</u></a>, so that if multiple people are choosing their seats at the same time, they can see in real time as seats become unavailable. But, that&#39;s outside the scope of this blog post, which is just about SQL storage.)</p><p>Then in wrangler.toml, <a href=\"\"><u>define a migration</u></a> setting up your DO class like usual, but instead of using new_classes, use new_sqlite_classes:</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">[[migrations]]\ntag = &quot;v1&quot;\nnew_sqlite_classes = [&quot;FlightSeating&quot;]\n</pre></code>\n <p>SQLite-backed objects also support the existing <a href=\"\"><u>key/value-based storage API</u></a>: KV data is stored into a hidden table in the SQLite database. So, existing applications built on DOs will work when deployed using SQLite-backed objects.</p><p>However, because SQLite-backed objects are based on an all-new storage backend, it is currently not possible to switch an existing deployed DO class to use SQLite. You must ask for SQLite when initially deploying the new DO class; you cannot change it later. We plan to begin migrating existing DOs to the new storage backend in 2025.</p><h4>Pricing</h4><p>We’ve kept <a href=\"\"><u>pricing</u></a> for SQLite-in-DO similar to D1, Cloudflare’s serverless SQL database, by billing for SQL queries (based on rows) and SQL storage. SQL storage per object is limited to 1 GB during the beta period, and will be increased to 10 GB on general availability. DO <a href=\"\"><u>requests and duration billing</u></a> are unchanged and apply to all DOs regardless of storage backend. </p><p>During the initial beta, billing is not enabled for SQL queries (rows read and rows written) and SQL storage. SQLite-backed objects will incur charges for requests and duration. We plan to enable SQL billing in the first half of 2025 with advance notice.</p><style type=\"text/css\">\ {border-collapse:collapse;border-spacing:0;margin:0px auto;}\ td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\ th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\ .tg-4qtd{background-color:#f8a102;font-weight:bold;text-align:left;vertical-align:top}\ .tg-y0nj{background-color:#f8a102;font-weight:bold;text-align:center;vertical-align:top}\ .tg-0lax{text-align:left;vertical-align:top}\n@media screen and (max-width: 767px) {.tg {width: auto !important;}.tg col {width: auto !important;}.tg-wrap {overflow-x: auto;-webkit-overflow-scrolling: touch;margin: auto 0px;}}</style>\n<div class=\"tg-wrap\"><table class=\"tg\"><thead>\n <tr>\n <th class=\"tg-4qtd\"></th>\n <th class=\"tg-y0nj\"><span style=\"font-style:normal;text-decoration:none;color:#000\">Workers Paid</span></th>\n </tr></thead>\n<tbody>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Rows read</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">First 25 billion / month included + $0.001 / million rows</span></td>\n </tr>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Rows written</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">First 50 million / month included + $1.00 / million rows</span></td>\n </tr>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">SQL storage</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">5 GB-month + $0.20/ GB-month</span></td>\n </tr>\n</tbody></table></div><p>For more on how to use SQLite-in-Durable Objects, check out the <a href=\"\"><u>documentation</u></a>. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"what-about-d1\">What about D1?</h2>\n <a href=\"#what-about-d1\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare Workers already offers another SQLite-backed database product: <a href=\"\"><u>D1</u></a>. In fact, D1 is itself built on SQLite-in-DO. So, what&#39;s the difference? Why use one or the other?</p><p>In short, you should think of D1 as a more &quot;managed&quot; database product, while SQLite-in-DO is more of a lower-level “compute with storage” building block.</p><p>D1 fits into a more traditional cloud architecture, where stateless application servers talk to a separate database over the network. Those application servers are typically Workers, but could also be clients running outside of Cloudflare. D1 also comes with a pre-built HTTP API and managed observability features like query insights. With D1, where your application code and SQL database queries are not colocated like in SQLite-in-DO, Workers has <a href=\"\"><u>Smart Placement</u></a> to dynamically run your Worker in the best location to reduce total request latency, considering everything your Worker talks to, including D1. By the end of 2024, D1 will support automatic read replication for scalability and low-latency access around the world. If this managed model appeals to you, use D1.</p><p>Durable Objects require a bit more effort, but in return, give you more power. With DO, you have two pieces of code that run in different places: a front-end Worker which routes incoming requests from the Internet to the correct DO, and the DO itself, which runs on the same machine as the SQLite database. You may need to think carefully about which code to run where, and you may need to build some of your own tooling that exists out-of-the-box with D1. But because you are in full control, you can tailor the solution to your application&#39;s needs and potentially achieve more.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"under-the-hood-storage-relay-service\">Under the hood: Storage Relay Service</h2>\n <a href=\"#under-the-hood-storage-relay-service\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p><a href=\"\"><u>When Durable Objects first launched in 2020</u></a>, it offered only a simple key/value-based interface for durable storage. Under the hood, these keys and values were stored in a well-known off-the-shelf database, with regional instances of this database deployed to locations in our data centers around the world. Durable Objects in each region would store their data to the regional database.</p><p>For SQLite-backed Durable Objects, we have completely replaced the persistence layer with a new system built from scratch, called Storage Relay Service, or SRS. SRS has already been powering D1 for over a year, and can now be used more directly by applications through Durable Objects.</p><p>SRS is based on a simple idea:</p><blockquote><p><i>Local disk is fast and randomly-accessible, but expensive and prone to disk failures. Object storage (like </i><a href=\"\"><i><u>R2</u></i></a><i>) is cheap and durable, but much slower than local disk and not designed for database-like access patterns. Can we get the best of both worlds by using a local disk as a cache on top of object storage?</i></p></blockquote><p>So, how does it work?</p><h4>The mismatch in functionality between local disk and object storage</h4><p>A SQLite database on disk tends to undergo many small changes in rapid succession. Any row of the database might be updated by any particular query, but the database is designed to avoid rewriting parts that didn&#39;t change. Read queries may randomly access any part of the database. Assuming the right indexes exist to support the query, they should not require reading parts of the database that aren&#39;t relevant to the results, and should complete in microseconds.</p><p>Object storage, on the other hand, is designed for an entirely different usage model: you upload an entire &quot;object&quot; (blob of bytes) at a time, and download an entire blob at a time. Each blob has a different name. For maximum efficiency, blobs should be fairly large, from hundreds of kilobytes to gigabytes in size. Latency is relatively high, measured in tens or hundreds of milliseconds.</p><p>So how do we back up our SQLite database to object storage? An obviously naive strategy would be to simply make a copy of the database files from time to time and upload it as a new &quot;object&quot;. But, uploading the database on every change — and making the application wait for the upload to complete — would obviously be way too slow. We could choose to upload the database only occasionally — say, every 10 minutes — but this means in the case of a disk failure, we could lose up to 10 minutes of changes. Data loss is, uh, bad! And even then, for most databases, it&#39;s likely that most of the data doesn&#39;t change every 10 minutes, so we&#39;d be uploading the same data over and over again.</p><h4>Trick one: Upload a log of changes</h4><p>Instead of uploading the entire database, SRS records a log of <i>changes</i>, and uploads those.</p><p>Conveniently, SQLite itself already has a concept of a change log: the <a href=\"\"><u>Write-Ahead Log, or WAL</u></a>. SRS always configures SQLite to use WAL mode. In this mode, any changes made to the database are first written to a separate log file. From time to time, the database is &quot;checkpointed&quot;, merging the changes back into the main database file. The WAL format is <a href=\"\"><u>well-documented</u></a> and easy to understand: it&#39;s just a sequence of &quot;frames&quot;, where each frame is an instruction to write some bytes to a particular offset in the database file.</p><p>SRS monitors changes to the WAL file (by hooking <a href=\"\"><u>SQLite&#39;s VFS</u></a> to intercept file writes) to discover the changes being made to the database, and uploads those to object storage.</p><p>Unfortunately, SRS cannot simply upload every single change as a separate &quot;object&quot;, as this would result in too many objects, each of which would be inefficiently small. Instead, SRS batches changes over a period of up to 10 seconds, or up to 16 MB worth, whichever happens first, then uploads the whole batch as a single object.</p><p>When reconstructing a database from object storage, we must download the series of change batches and replay them in order. Of course, if the database has undergone many changes over a long period of time, this can get expensive. In order to limit how far back it needs to look, SRS also occasionally uploads a snapshot of the entire content of the database. SRS will decide to upload a snapshot any time that the total size of logs since the last snapshot exceeds the size of the database itself. This heuristic implies that the total amount of data that SRS must download to reconstruct a database is limited to no more than twice the size of the database. Since we can delete data from object storage that is older than the latest snapshot, this also means that our total stored data is capped to 2x the database size.</p><p>Credit where credit is due: This idea — uploading WAL batches and snapshots to object storage — was inspired by <a href=\"\"><u>Litestream</u></a>, although our implementation is different.</p><h4>Trick two: Relay through other servers in our global network</h4>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2536 8\" class=\"kg-image\" width=\"1200\" height=\"452\" loading=\"lazy\"/>\n </figure><p>Batches are only uploaded to object storage every 10 seconds. But obviously, we cannot make the application wait for 10 whole seconds just to confirm a write. So what happens if the application writes some data, returns a success message to the user, and then the machine fails 9 seconds later, losing the data?</p><p>To solve this problem, we take advantage of our global network. Every time SQLite commits a transaction, SRS will immediately forward the change log to five &quot;follower&quot; machines across our network. Once at least three of these followers respond that they have received the change, SRS informs the application that the write is confirmed. (As discussed earlier, the write confirmation opens the Durable Object&#39;s &quot;output gate&quot;, unblocking network communications to the rest of the world.)</p><p>When a follower receives a change, it temporarily stores it in a buffer on local disk, and then awaits further instructions. Later on, once SRS has successfully uploaded the change to object storage as part of a batch, it informs each follower that the change has been persisted. At that point, the follower can simply delete the change from its buffer.</p><p>However, if the follower never receives the persisted notification, then, after some timeout, the follower itself will upload the change to object storage. Thus, if the machine running the database suddenly fails, as long as at least one follower is still running, it will ensure that all confirmed writes are safely persisted.</p><p>Each of a database&#39;s five followers is located in a different physical data center. Cloudflare&#39;s network consists of hundreds of data centers around the world, which means it is always easy for us to find four other data centers nearby any Durable Object (in addition to the one it is running in). In order for a confirmed write to be lost, then, at least four different machines in at least three different physical buildings would have to fail simultaneously (three of the five followers, plus the Durable Object&#39;s host machine). Of course, anything can happen, but this is exceedingly unlikely.</p><p>Followers also come in handy when a Durable Object&#39;s host machine is unresponsive. We may not know for sure if the machine has died completely, or if it is still running and responding to some clients but not others. We cannot start up a new instance of the DO until we know for sure that the previous instance is dead – or, at least, that it can no longer confirm writes, since the old and new instances could then confirm contradictory writes. To deal with this situation, if we can&#39;t reach the DO&#39;s host, we can instead try to contact its followers. If we can contact at least three of the five followers, and tell them to stop confirming writes for the unreachable DO instance, then we know that instance is unable to confirm any more writes going forward. We can then safely start up a new instance to replace the unreachable one.</p><h4>Bonus feature: Point-in-Time Recovery</h4><p>I mentioned earlier that SQLite-backed Durable Objects can be asked to revert their state to any time in the last 30 days. How does this work?</p><p>This was actually an accidental feature that fell out of SRS&#39;s design. Since SRS stores a complete log of changes made to the database, we can restore to any point in time by replaying the change log from the last snapshot. The only thing we have to do is make sure we don&#39;t delete those logs too soon.</p><p>Normally, whenever a snapshot is uploaded, all previous logs and snapshots can then be deleted. But instead of deleting them immediately, SRS merely marks them for deletion 30 days later. In the meantime, if a point-in-time recovery is requested, the data is still there to work from.</p><p>For a database with a high volume of writes, this may mean we store a lot of data for a lot longer than needed. As it turns out, though, once data has been written at all, keeping it around for an extra month is pretty cheap — typically cheaper, even, than writing it in the first place. It&#39;s a small price to pay for always-on disaster recovery.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"get-started-with-sqlite-in-do\">Get started with SQLite-in-DO</h2>\n <a href=\"#get-started-with-sqlite-in-do\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>SQLite-backed DOs are available in beta starting today. You can start building with SQLite-in-DO by visiting <a href=\"\"><u>developer documentation</u></a> and provide beta feedback via the <a href=\"\"><u>#durable-objects channel</u></a> on our Developer Discord.</p><p>Do distributed systems like SRS excite you? Would you like to be part of building them at Cloudflare? <a href=\"\"><u>We&#39;re hiring!</u></a></p>"],"published_at":[0,"2024-09-26T14:00+01:00"],"updated_at":[0,"2024-12-12T00:07:19.134Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"1Cv5JjXzKWKEA10JdYbXu1"],"name":[0,"Birthday Week"],"slug":[0,"birthday-week"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"6hbkItfupogJP3aRDAq6v8"],"name":[0,"Cloudflare Workers"],"slug":[0,"workers"]}],[0,{"id":[0,"5v2UZdTRX1Rw9akmhexnxs"],"name":[0,"Durable Objects"],"slug":[0,"durable-objects"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Kenton Varda"],"slug":[0,"kenton-varda"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@kentonvarda"],"facebook":[0,null]}]]],"meta_description":[0,"Traditional cloud storage is inherently slow because it is accessed over a network and must synchronize many clients. But what if we could instead put your application code deep into the storage layer, such that your code runs where the data is stored? Durable Objects with SQLite do just that.\n"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Zero-latency SQLite storage in every Durable Object"],"description":[0,"Traditional cloud storage is inherently slow because it is accessed over a network and must synchronize many clients. But what if we could instead put your application code deep into the storage layer, such that your code runs where the data is stored? Durable Objects with SQLite do just that."],"imgPreview":[0,""]}]}],[0,{"id":[0,"sC3G9YR2M9IIoRMg8slDl"],"title":[0,"Introducing Speed Brain: helping web pages load 45% faster"],"slug":[0,"introducing-speed-brain"],"excerpt":[0,"We are excited to announce the latest leap forward in speed – Speed Brain. Speed Brain uses the Speculation Rules API to prefetch content for the user's likely next navigations. The goal is to download a web page to the browser before a user navigates to it, allowing pages to load instantly. \n"],"featured":[0,false],"html":[0,"<p>Each time a user visits your web page, they are initiating a race to receive content as quickly as possible. Performance is a critical <a href=\"\"><u>factor</u></a> that influences how visitors interact with your site. Some might think that moving content across the globe introduces significant latency, but for a while, network transmission speeds have approached their <a href=\"\"><u>theoretical limits</u></a>. To put this into perspective, data on Cloudflare can traverse the 11,000 kilometer round trip between New York and London in about 76 milliseconds – faster than the <a href=\"\"><u>blink of an eye</u></a>.</p><p>However, delays in loading web pages persist due to the complexities of processing requests, responses, and configurations. In addition to pushing advancements in <a href=\"\"><u>connection establishment</u></a>, <a href=\"\"><u>compression</u></a>, <a href=\"\"><u>hardware</u></a>, and <a href=\"\"><u>software</u></a>, we have built a new way to reduce page load latency by anticipating how visitors will interact with a given web page. </p><p>Today we are very excited to share the latest leap forward in speed: <b>Speed Brain</b>. It relies on the <a href=\"\"><u>Speculation Rules API </u></a>to <a href=\"\"><u>prefetch</u></a> the content of the user&#39;s likely next navigations. The main goal of Speed Brain is to download a web page to the browser cache before a user navigates to it, allowing pages to load almost instantly when the actual navigation takes place. </p><p>Our initial approach uses a <a href=\"\"><u>conservative</u></a> model that prefetches static content for the next page when a user starts a touch or <a href=\"\"><u>click event</u></a>. Through the fourth quarter of 2024 and into 2025, we will offer more aggressive speculation models, such as speculatively <a href=\"\"><u>prerendering</u></a> (not just fetching the page before the navigation happens but rendering it completely) for an even faster experience. Eventually, Speed Brain will learn how to eliminate latency for your static website, without any configuration, and work with browsers to make sure that it loads as fast as possible. </p><p>To illustrate, imagine an ecommerce website selling clothing. Using the insights from our global request logs, we can predict with high accuracy that a typical visitor is likely to click on ‘Shirts’ when viewing the parent page ‘Mens &gt; Clothes’. Based on this, we can start delivering static content, like images, before the shopper even clicks the ‘Shirts’ link. As a result, when they inevitably click, the page loads instantly. <b>Recent lab testing of our aggressive loading model implementation has shown up to a 75% reduction in </b><a href=\"\"><b><u>Largest Contentful Paint (LCP)</u></b></a>, the time it takes for the largest visible element (like an image, video, or text block) to load and render in the browser.</p><p>The best part? We are making Speed Brain available to all plan types immediately and at no cost. Simply toggle on the Speed Brain feature for your website from the <a href=\"\"><u>dashboard</u></a> or the <a href=\"\"><u>API</u></a>. It’ll feel like magic, but behind the scenes it&#39;s a lot of clever engineering. </p><p>We have already enabled Speed Brain by default on <u>all</u> free domains and are seeing a <b>reduction in LCP of 45% on successful prefetches.</b> Pro, Business, and Enterprise domains need to enable Speed Brain manually. If you have not done so already, we <b>strongly</b> recommend also <a href=\"\"><u>enabling Real User Measurements (RUM)</u></a> via your dashboard so you can see your new and improved web page performance. As a bonus, enabling RUM for your domain will help us provide <b>improved</b> and <b>customized</b> prefetching and prerendering rules for your website in the near future!</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"how-browsers-work-at-a-glance\">How browsers work at a glance</h2>\n <a href=\"#how-browsers-work-at-a-glance\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Before discussing how Speed Brain can help load content exceptionally fast, we need to take a step back to review the complexity of loading content on browsers. Every time a user navigates to your web page, a series of request and response cycles must be completed. </p><p>After the browser <a href=\"\"><u>establishes a secure connection</u></a> with a server, it sends an HTTP request to retrieve the base document of the web page. The server processes the request, constructs the necessary HTML document and sends it back to the browser in the response. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2422 2\" class=\"kg-image\" width=\"1371\" height=\"1821\" loading=\"lazy\"/>\n </figure><p>When the browser receives an HTML document, it immediately begins <a href=\"\"><u>parsing</u></a> the content. During this process, it may encounter references to external resources such as CSS files, JavaScript, images, and fonts. These subresources are essential for rendering the page correctly, so the browser issues additional HTTP requests to fetch them. However, if these resources are available in the browser’s cache, the browser can retrieve them locally, significantly reducing <a href=\"\"><u>network latency</u></a> and improving page load times.</p><p>As the browser processes HTML, CSS, and JavaScript, the rendering engine begins to display content on the screen. Once the page’s visual elements are displayed, user interactions — like clicking a link — prompt the browser to restart much of this process to fetch new content for the next page. This workflow is typical of every browsing session: as users navigate, the browser continually fetches and renders new or uncached resources, introducing a delay before the new page fully loads.</p><p>Take the example of a user navigating the shopping site described above. As the shopper moves from the homepage to the ‘men&#39;s’ section of the site to the ‘clothing’ section to the ‘shirts’ section, the time spent on retrieving each of those subsequent pages can add up and contribute to the shopper leaving the site before they complete the transaction. </p><p>Ideally, having prefetched and prerendered pages present in the browser at the time each of those links are clicked would eliminate much of the network latency impact, allowing the browser to load content instantly and providing a smoother user experience. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"wait-ive-heard-this-story-before-how-did-we-get-to-speed-brain\">Wait, I’ve heard this story before (how did we get to Speed Brain?)</h2>\n <a href=\"#wait-ive-heard-this-story-before-how-did-we-get-to-speed-brain\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We know what you’re thinking. We’ve had prefetching for years. There have even been several speculative prefetching efforts in the past. You’ve heard this all before. How is this different now?</p><p>You’re right, of course. Over the years, there has been a constant effort by developers and browser vendors to optimize page load times and enhance user experience across the web. Numerous techniques have been developed, spanning various layers of the Internet stack — from optimizing network layer connectivity to preloading application content closer to the client.</p><h4>Early prefetching: lack of data and flexibility</h4><p>Web prefetching has been one such technique that has existed for more than a decade. It is based on the assumption that certain subresources are likely to be needed in the near future, so why not fetch them proactively? This could include anything from HTML pages to images, stylesheets, or scripts that the user might need as they navigate through a website. In fact, the core concept of speculative execution is not new, as it&#39;s a general technique that&#39;s been employed in various areas of computer science for years, with <a href=\"\"><u>branch prediction</u></a> in CPUs as a prime example.</p><p>In the early days of the web, several custom prefetching solutions emerged to enhance performance. For example, in 2005, Google introduced the <a href=\"\"><u>Google Web Accelerator</u></a>, a client-side application aimed at speeding up browsing for broadband users. Though innovative, the project was short-lived due to privacy and compatibility issues (we will describe how Speed Brain is different below). Predictive prefetching at that time lacked the data insights and API support for capturing user behavior, especially those handling sensitive actions like deletions or purchases.</p><h4>Static lists and manual effort</h4><p>Traditionally, prefetching has been accomplished through the use of the <code>&lt;link rel=&quot;prefetch&quot;&gt;</code> attribute as one of the <a href=\"\"><u>Resource Hints</u></a>. Developers had to manually specify the attribute on each page for each resource they wanted the browser to preemptively fetch and cache in memory. This manual effort has not only been laborious but developers often lacked insight into what resources should be prefetched, which reduced the quality of their specified hints.</p><p>In a similar vein, <a href=\"\"><u>Cloudflare has offered a URL prefetching feature since 2015</u></a>. Instead of prefetching in browser cache, Cloudflare allows customers to prefetch a static list of resources into the CDN cache. The feature allows prefetching resources in advance of when they are actually needed, usually during idle time or when network conditions are favorable. However, similar concerns apply for CDN prefetching, since customers have to manually decide on what resources are good candidates for prefetching for each page they own. If misconfigured, static link prefetching can be a <a href=\"\"><u>footgun</u></a>, causing the web page load time to actually slow down.</p><h4>Server Push and its struggles</h4><p><a href=\"\"><u>HTTP/2’s &quot;server push&quot;</u></a> was another attempt to improve web performance by pushing resources to the client before they were requested. In theory, this would reduce latency by eliminating the need for additional round trips for future assets. However, the server-centric dictatorial nature of &quot;pushing&quot; resources to the client raised significant challenges, primarily due to lack of context about what was already cached in the browser. This not only wasted bandwidth but had the potential to slow down the delivery of critical resources, like base HTML and CSS, due to race conditions on browser fetches when rendering the page. The <a href=\"\"><u>proposed solution of cache digests</u></a>, which would have informed servers about client cache contents, never gained widespread implementation, leaving servers to push resources blindly. <a href=\"\"><u>In October 2022, Google Chrome removed Server Push support</u></a>, and in September 2024, <a href=\"\"><u>Firefox followed suit</u></a>.</p><h4>A step forward with Early Hints</h4><p>As a successor, <a href=\"\"><u>Early Hints</u></a> was specified in 2017 but not widely adopted until 2022, when <a href=\"\"><u>we partnered with browsers and key customers to deploy it</u></a>. It offers a more efficient alternative by &quot;hinting&quot; to clients which resources to load, allowing better prioritization based on what the browser needs. Specifically, the server sends a 103 Early Hints HTTP status code with a list of key page assets that the browser should start loading while the main response is still being prepared. This gives the browser a head start in fetching essential resources and avoids redundant preloading if assets are already cached. Although Early Hints doesn&#39;t adapt to user behaviors or dynamic page conditions (yet), its use is primarily limited to preloading specific assets rather than full web pages — in particular, cases where there is a long server “think time” to produce HTML.</p><p>As the web evolves, tools that can handle complex, dynamic user interactions will become increasingly important to balance the performance gains of speculative execution with its potential drawbacks for end-users. For years Cloudflare has offered performance-based solutions that adapt to user behavior and work to balance the speed and correctness decisions across the Internet like <a href=\"\"><u>Argo Smart Routing</u></a>, <a href=\"\"><u>Smart Tiered Cache</u></a>, and <a href=\"\"><u>Smart Placement</u></a>. Today we take another step forward toward an adaptable framework for serving content lightning-fast. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"enter-speed-brain-what-makes-it-different\">Enter Speed Brain: what makes it different?</h2>\n <a href=\"#enter-speed-brain-what-makes-it-different\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Speed Brain offers a robust approach for implementing predictive prefetching strategies directly within the browser based on the ruleset returned by our servers. By building on lessons from previous attempts, it shifts the responsibility for resource prediction to the client, enabling more dynamic and personalized optimizations based on user interaction – like hovering over a link, for example – and their device capabilities. Instead of the browser sitting idly waiting for the next web page to be requested by the user, it takes cues from how a user is interacting with a page and begins asking for the next web page before the user finishes clicking on a link.</p><p>Behind the scenes, all of this magic is made possible by the <a href=\"\"><u>Speculation Rules API</u></a>, which is an emerging standard in the web performance space from Google. When Cloudflare’s Speed Brain feature is enabled, an HTTP header called Speculation-Rules is added to web page responses. The value for this header is a URL that hosts an opinionated Rules configuration. This configuration instructs the browser to initiate prefetch requests for future navigations. Speed Brain does not improve page load time for the first page that is visited on a website, but it can improve it for subsequent web pages that are visited on the same site.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2422 3\" class=\"kg-image\" width=\"1999\" height=\"756\" loading=\"lazy\"/>\n </figure><p>The idea seems simple enough, but <a href=\"\"><u>prefetching comes with challenges</u></a>, as some prefetched content may never end up being used. With the initial release of Speed Brain, we have designed a solution with guardrails that addresses two important but distinct issues that limited previous speculation efforts — <i>stale prefetch configuration</i> and <i>incorrect prefetching. </i>The Speculation Rules API configuration we have chosen for this initial release has been carefully designed to balance safety of prefetching while still maintaining broad applicability of rules for the entire site.</p><h4>Stale prefetch configuration</h4><p>As websites inevitably change over time, static prefetch configurations often become outdated, leading to inefficient or ineffective prefetching. This has been especially true for techniques like the rel=prefetch attribute or static CDN prefetching URL sets, which have required developers to manually maintain relevant prefetchable URL lists for each page of their website. Most static prefetch lists are based on developer intuition rather than real user navigation data, potentially missing important prefetch opportunities or wasting resources on unnecessary prefetches. </p><h4>Incorrect prefetching</h4><p>Since prefetch requests are just like normal requests except with a `sec-purpose` HTTP request header, they incur the same overhead on the client, network, and server. However, the crucial difference is that prefetch requests anticipate user behavior and the response might not end up being used, <a href=\"\"><u>so all that overhead might be wasted</u></a>. This makes prefetch accuracy extremely important — that is, maximizing the percentage of prefetched pages that end up being viewed by the user. Incorrect prefetching can lead to inefficiencies and unneeded costs, such as caching resources that aren&#39;t requested, or wasting bandwidth and network resources, which is especially critical on metered mobile networks or in low-bandwidth environments.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"guardrails\">Guardrails</h3>\n <a href=\"#guardrails\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>With the initial release of Speed Brain, we have designed a solution with important side effect prevention guardrails that completely removes the chance of <i>stale prefetch configuration</i>, and minimizes the risk of<i> incorrect prefetching</i>. This opinionated configuration is achieved by leveraging the <a href=\"\"><u>document rules</u></a> and <a href=\"\"><u>eagerness</u></a> settings from the <a href=\"\"><u>Speculation Rules API</u></a>. Our chosen configuration looks like the following:</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">{\n &quot;prefetch&quot;: [{\n &quot;source&quot;: &quot;document&quot;,\n &quot;where&quot;: {\n &quot;and&quot;: [\n { &quot;href_matches&quot;: &quot;/*&quot;, &quot;relative_to&quot;: &quot;document&quot; },\n ]\n },\n &quot;eagerness&quot;: &quot;conservative&quot;\n }]\n}\n</pre></code>\n <h5>\nDocument Rules</h5><p><a href=\"\"><u>Document Rules</u></a>, indicated by &quot;source&quot;: &quot;document&quot; and the &quot;where&quot; key in the configuration, allows prefetching to be applied dynamically over the entire web page. This eliminates the need for a predefined static URL list for prefetching. Hence, we remove the problem of <i>stale prefetch configuration</i> as prefetch candidate links are determined based on the active page structure.</p><p>Our use of &quot;relative_to&quot;: &quot;document&quot; in the where clause instructs the browser to limit prefetching to same-site links. This has the added bonus of allowing our implementation to avoid cross-origin prefetches to avoid any privacy implications for users, as it doesn’t follow them around the web. </p><h5>Eagerness</h5><p><a href=\"\"><u>Eagerness</u></a> controls how aggressively the browser prefetches content. There are four possible settings:</p><ul><li><p><b><i>immediate</i></b><i>: Used as soon as possible on page load — generally as soon as the rule value is seen by the browser, it starts prefetching the next page.</i></p></li><li><p><b><i>eager</i></b><i>: Identical to immediate setting above, but the prefetch trigger additionally relies on slight user interaction events, such as moving the cursor towards the link (coming soon).</i></p></li><li><p><b><i>moderate</i></b><i>: Prefetches if you hold the pointer over a link for more than 200 milliseconds (or on the </i><a href=\"\"><i><u>pointerdown</u></i></a><i> event if that is sooner, and on mobile where there is no hover event).</i></p></li><li><p><b><i>conservative</i></b><i>: Prefetches on pointer or touch down on the link.</i></p></li></ul><p>Our initial release of Speed Brain makes use of the <b><u>conservative</u></b> eagerness value to minimize the risk of incorrect prefetching, which can lead to unintended resource waste while making your websites noticeably faster. While we lose out on the potential performance improvements that the more aggressive eagerness settings offer, we chose this cautious approach to prioritize safety for our users. Looking ahead, we plan to explore more dynamic eagerness settings for sites that could benefit from a more liberal setting, and we&#39;ll also expand our rules to include <a href=\"\"><u>prerendering</u></a>.</p><p>Another important safeguard we implement is to only accept prefetch requests for static content that is already stored in our CDN cache. If the content isn&#39;t in the cache, we reject the prefetch request. Retrieving content directly from our CDN cache for prefetching requests lets us bypass concerns about their cache eligibility. The rationale for this is straightforward: if a page is not eligible for caching, we don&#39;t want it to be prefetched in the browser cache, as it could lead to unintended consequences and increased origin load. For instance, prefetching a logout page might log the user out prematurely before the user actually finishes their action. Stateful prefetching or prerendering requests can have unpredictable effects, potentially altering the server&#39;s state for actions the client has not confirmed. By only allowing prefetching for pages already in our CDN cache, we have confidence those pages will not negatively impact the user experience.</p><p>These guardrails were implemented to work in performance-sensitive environments. We measured the impact of our baseline conservative deployment model on all pages across <a href=\"\"><u>Cloudflare’s developer documentation</u></a> in early July 2024. We found that we were able to prefetch the correct content, content that would in fact be navigated to by the users, <b>94</b>% of the time. We did this while improving the performance of the navigation by reducing LCP at p75 quantile by <b>40</b>% without inducing any unintended side effects. The results were amazing!</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"explaining-cloudflares-implementation\">Explaining Cloudflare’s implementation </h2>\n <a href=\"#explaining-cloudflares-implementation\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Our global <a href=\"\"><u>network</u></a> spans over 330 cities and operates within 50 milliseconds of 95% of the Internet-connected population. This extensive reach allows us to significantly improve the performance of cacheable assets for our customers. By leveraging this network for smart prefetching with Speed Brain, Cloudflare can serve prefetched content directly from the CDN cache, reducing network latency to practically instant.</p><p>Our unique position on the network provides us the leverage to automatically enable Speed Brain without requiring any changes from our customers to their origin server configurations. It&#39;s as simple as flipping a switch! Our first version of Speed Brain is now live.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2422 4\" class=\"kg-image\" width=\"1370\" height=\"1540\" loading=\"lazy\"/>\n </figure><ul><li><p>Upon receiving a request for a web page with Speed Brain enabled, the Cloudflare server returns an additional &quot;Speculation-Rules&quot; HTTP response header. The value for this header is a URL that hosts an opinionated Rules configuration (as mentioned above).</p></li><li><p>When the browser begins parsing the response header, it fetches our Speculation-Rules configuration, and loads it as part of the web page.</p></li><li><p>The configuration guides the browser on when to prefetch the next likely page from Cloudflare that the visitor may navigate to, based on how the visitor is engaging with the page.</p></li><li><p>When a user action (such as mouse down event on the next page link) triggers the Rules application, the browser sends a prefetch request for that page with the &quot;sec-purpose: prefetch&quot; HTTP request header.</p></li><li><p>Our server parses the request header to identify the prefetch request. If the requested content is present in our cache, we return it; otherwise,<b> we return a 503 HTTP status </b>code and deny the prefetch request. This removes the risk of unsafe side-effects of sending requests to origins or Cloudflare Workers that are unaware of prefetching. Only content present exclusively in the cache is returned.</p></li><li><p>On a success response, the browser successfully prefetches the content in memory, and when the visitor navigates to that page, the browser directly loads the web page from the browser cache for immediate rendering.</p></li></ul>\n <div class=\"flex anchor relative\">\n <h2 id=\"common-troubleshooting-patterns\">Common troubleshooting patterns </h2>\n <a href=\"#common-troubleshooting-patterns\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Support for Speed Brain relies on the <a href=\"\"><u>Speculation Rules API</u></a>, an emerging web standard. As of September 2024, <a href=\"\"><u>support for this emerging standard</u></a> is limited to <b>Chromium-based browsers (version 121 or later)</b>, such as Google Chrome and Microsoft Edge. As the web community reaches consensus on API standardization, we hope to see wider adoption across other browser vendors.</p><p>Prefetching by nature does not apply to dynamic content, as the state of such content can change, potentially leading to stale or outdated data being delivered to the end user as well as increased origin load. Therefore, Speed Brain will only work for non-dynamic pages of your website that are cached on our network. It has no impact on the loading of dynamic pages. To get the most benefit out of Speed Brain, we suggest making use of <a href=\"\"><u>cache rules</u></a> to ensure that all static content (<b>especially HTML content</b>) on your site is eligible for caching.</p><p>When the browser receives a 503 HTTP status code in response to a speculative prefetch request (marked by the sec-purpose: prefetch header), it cancels the prefetch attempt. Although a 503 error appearing in the browser&#39;s console may seem alarming, it is completely harmless for prefetch request cancellation. In our early tests, the 503 response code has caused some site owners concern. We are working with our partners to iterate on this to improve the client experience, but for now follow the specification guidance, <a href=\"\"><u>which suggests a 503 response</u></a> for the browser to safely discard the speculative request. We&#39;re in active discussions with Chrome, based on feedback from early beta testers, and believe a new non-error dedicated response code would be more appropriate, and cause less confusion. In the meantime, 503 response logs for prefetch requests related to Speed Brain are harmless. If your tooling makes ignoring these requests difficult, you can temporarily disable Speed Brain until we work out something better with the Chrome Team.</p><p>Additionally, when a website uses both its own custom Speculation Rules and Cloudflare&#39;s Speed Brain feature, both rule sets can operate simultaneously. Cloudflare’s guardrails will limit speculation rules to cacheable pages, which may be an unexpected limitation for those with existing implementations. If you observe such behavior, consider disabling one of the implementations for your site to ensure consistency in behavior. Note that if your origin server responses include the Speculation-Rules header, it will not be overridden. Therefore, the potential for ruleset conflicts primarily applies to predefined in-line speculation rules.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"how-can-i-see-the-impact-of-speed-brain\">How can I see the impact of Speed Brain?</h2>\n <a href=\"#how-can-i-see-the-impact-of-speed-brain\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In general, we suggest that you use Speed Brain and most other Cloudflare performance <a href=\"\"><u>features</u></a> with our <a href=\"\"><u>RUM performance measurement tool</u></a> enabled. Our RUM feature helps developers and website operators understand how their end users are experiencing the performance of their application, providing visibility into:</p><ul><li><p><b>Loading</b>: How long did it take for content to become available?</p></li><li><p><b>Interactivity</b>: How responsive is the website when users interact with it?</p></li><li><p><b>Visual stability</b>: How much does the page move around while loading?</p></li></ul><p>With RUM enabled, you can navigate to the Web Analytics section in the dashboard to see important information about how Speed Brain is helping reduce latency in your <a href=\"\"><u>core web vitals</u></a> metrics like Largest Contentful Paint (LCP) and load time. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2422 5\" class=\"kg-image\" width=\"1128\" height=\"730\" loading=\"lazy\"/>\n </figure><p><sub><i>Example RUM dashboard for a website with a high amount of prefetchable content that enabled Speed Brain around September 16.</i></sub></p>\n <div class=\"flex anchor relative\">\n <h2 id=\"what-have-we-seen-in-our-rollout-so-far\">What have we seen in our rollout so far? </h2>\n <a href=\"#what-have-we-seen-in-our-rollout-so-far\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We have enabled this feature by default on all free plans and have observed the following:</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"domains\">Domains</h3>\n <a href=\"#domains\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare currently has tens of millions of domains using Speed Brain. We have measured the LCP at the 75th quantile (p75) for these sites and found an improvement for these sites between 40% and 50% (average around 45%). </p><p>We found this improvement by comparing navigational prefetches to normal (non-prefetched) page loads for the same set of domains. </p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2422 6\" class=\"kg-image\" width=\"682\" height=\"334\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"requests\">Requests</h3>\n <a href=\"#requests\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Before Speed Brain is enabled, the p75 of free websites on Cloudflare experience an LCP around 2.2 seconds. With Speed Brain enabled, these sites see significant latency savings on LCP. In aggregate, Speed Brain saves about 0.88 seconds on the low end and up to 1.1 seconds on each successful prefetch! </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"applicable-browsers\">Applicable browsers</h3>\n <a href=\"#applicable-browsers\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Currently, the Speculation Rules API is only available in Chromium browsers. From Cloudflare Radar, we can see that approximately <a href=\"\"><u>70% of requests</u></a> from visitors are from <a href=\"\"><u>Chromium</u></a> (Chrome, Edge, etc) browsers.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"across-the-network\">Across the network</h3>\n <a href=\"#across-the-network\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare sees hundreds of billions of requests for HTML content each day. Of these requests, about half are cached (make sure your HTML is cacheable!). Around 1% of those requests are for navigational prefetching made by the visitors. This represents significant savings every day for visitors to websites with Speed Brain enabled. Every 24 hours, <b>Speed Brain can save more than 82 years worth of latency!</b></p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2422 7\" class=\"kg-image\" width=\"1210\" height=\"1246\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"whats-next\">What’s next? </h2>\n <a href=\"#whats-next\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>What we’re offering today for Speed Brain is only the beginning. Heading into 2025, we have a number of exciting additions to explore and ship. </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"leveraging-machine-learning\">Leveraging Machine Learning</h3>\n <a href=\"#leveraging-machine-learning\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Our unique position on the Internet provides us valuable insights into web browsing patterns, which we can leverage for improving web performance while maintaining individual user privacy. By employing a generalized data-driven machine learning approach, we can define more accurate and site-specific prefetch predictors for users’ pages. </p><p>We are in the process of developing an adaptive speculative model that significantly improves upon our current conservative offering. This model uses a privacy-preserving method to generate a user traversal graph for each site based on same-site Referrer headers. For any two pages connected by a navigational hop, our model predicts the likelihood of a typical user moving between them, using insights extracted from our aggregated traffic data.</p><p>This model enables us to tailor rule sets with custom eagerness values to each relevant next page link on your site. For pages where the model predicts high confidence in user navigation, the system will aggressively prefetch or prerender them. If the model does not provide a rule for a page, it defaults to our existing conservative approach, maintaining the benefits of baseline Speed Brain model. These signals guide browsers in prefetching and prerendering the appropriate pages, which helps speed up navigation for users, while maintaining our current safety guardrails.</p><p>In lab tests, our ML model improved LCP latency by 75% and predicted visitor navigation with ~98% accuracy, ensuring the correct pages were being prefetched to prevent resource waste for users. As we move toward scaling this solution, we are focused on periodic training of the model to adapt to varying user behaviors and evolving websites. Using an online machine learning approach will drastically reduce the need for any manual update, and content drifts, while maintaining high accuracy — the Speed Brain load solution that gets smarter over time!</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"finer-observability-via-rum\">Finer observability via RUM</h3>\n <a href=\"#finer-observability-via-rum\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As we’ve mentioned, we believe that our RUM tools offer the best insights for how Speed Brain is helping the performance of your website. In the future, we plan on offering the ability to filter RUM tooling by navigation type so that you can compare the browser rendering of prefetched content versus non-prefetched content. </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"prerendering\">Prerendering</h3>\n <a href=\"#prerendering\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We are currently offering the ability for prefetching on cacheable content. Prefetching downloads the main document resource of the page before the user’s navigation, but it does not instruct the browser to prerender the page or download any additional subresources.</p><p>In the future, Cloudflare’s Speed Brain offering will prefetch content into our CDN cache and then work with browsers to know what are the best prospects for prerendering. This will help get static content even closer to instant rendering. </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"argo-smart-browsing-speed-brain-smart-routing\">Argo Smart Browsing: Speed Brain & Smart Routing</h3>\n <a href=\"#argo-smart-browsing-speed-brain-smart-routing\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Speed Brain, in its initial implementation, provides an incredible performance boost whilst still remaining conservative in its implementation; both from an eagerness, and a resource consumption perspective.</p><p>As was outlined earlier in the post, lab testing of a more aggressive model, powered by machine-learning and a higher eagerness, yielded a <b>75% reduction in LCP.</b> We are investigating bundling this more aggressive, additional implementation of Speed Brain with Argo Smart Routing into a product called <b>“Argo Smart Browsing”. </b></p><p>Cloudflare customers will be free to continue using Speed Brain, however those who want even more performance improvement will be able to enable Argo Smart Browsing with a single button click. With Argo Smart Browsing, not only will cacheable static content load up to 75% faster in the browser, thanks to the more aggressive models, however in times when content can’t be cached, and the request must go forward to an origin server, it will be sent over the most performant network path resulting in an average <b>33% performance increase.</b> Performance optimizations are being applied to almost every segment of the request lifecycle regardless if the content is static or dynamic, cached or not. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"conclusion\">Conclusion</h2>\n <a href=\"#conclusion\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>To get started with Speed Brain, navigate to <a href=\"\"><b><u>Speed</u></b><u> &gt; Optimization &gt; Content Optimization &gt; </u><b><u>Speed Brain</u></b></a> in the Cloudflare Dashboard and enable it. That&#39;s all! The feature can also be enabled via <a href=\"\"><u>API</u></a>. Free plan domains have had Speed Brain enabled by default.</p><p>We strongly recommend that customers also <a href=\"\"><b><u>enable RUM</u></b></a>, found in the same section of the dashboard, to give visibility into the performance improvements provided by Speed Brain and other Cloudflare features and products. </p><p>We’re excited to continue to build products and features that make web performance reliably fast. If you’re an engineer interested in improving the performance of the web for all, <a href=\"\">come join us</a>!</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2422 8\" class=\"kg-image\" width=\"1800\" height=\"552\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"watch-on-cloudflare-tv\">Watch on Cloudflare TV</h3>\n <a href=\"#watch-on-cloudflare-tv\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <div style=\"position: relative; padding-top: 56.25%;\">\n <iframe\n src=\"\"\n loading=\"lazy\"\n style=\"border: none; position: absolute; top: 0; left: 0; height: 100%; width: 100%;\"\n allow=\"accelerometer; gyroscope; autoplay; encrypted-media; picture-in-picture;\"\n allowfullscreen=\"true\"\n ></iframe>\n</div><p></p>"],"published_at":[0,"2024-09-25T14:00+01:00"],"updated_at":[0,"2024-10-09T23:05:02.341Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"1Cv5JjXzKWKEA10JdYbXu1"],"name":[0,"Birthday Week"],"slug":[0,"birthday-week"]}],[0,{"id":[0,"48r7QV00gLMWOIcM1CSDRy"],"name":[0,"Speed & Reliability"],"slug":[0,"speed-and-reliability"]}],[0,{"id":[0,"1x7tpPmKIUCt19EDgM1Tsl"],"name":[0,"Research"],"slug":[0,"research"]}],[0,{"id":[0,"5RrjSR5vIOJAfRdT8966hf"],"name":[0,"Cache"],"slug":[0,"cache"]}],[0,{"id":[0,"1q6r2yWvvqOfafxEeKdl8J"],"name":[0,"Speed Brain"],"slug":[0,"speed-brain"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Alex Krivit"],"slug":[0,"alex"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@ackriv"],"facebook":[0,null]}],[0,{"name":[0,"Suleman Ahmad"],"slug":[0,"suleman"],"bio":[0,null],"profile_image":[0,""],"location":[0,"Austin, TX"],"website":[0,null],"twitter":[0,"@sulemanahmadd"],"facebook":[0,null]}],[0,{"name":[0,"William Woodhead"],"slug":[0,"william"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"We are excited to announce the latest leap forward in speed – Speed Brain. Speed Brain uses the Speculation Rules API to prefetch content for the user's likely next navigations. The goal is to download a web page to the browser before a user navigates to it, allowing pages to load instantly. \n"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Loc: Introducing Speed Brain: helping web pages load 45% faster "],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"Translated for Locale"],"deDE":[0,"Translated for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Introducing Speed Brain: helping web pages load 45% faster "],"description":[0,"We are excited to announce the latest leap forward in speed – Speed Brain. Speed Brain uses the Speculation Rules API to prefetch content for the user's likely next navigations. The goal is to download a web page to the browser before a user navigates to it, allowing pages to load instantly. "],"imgPreview":[0,""]}]}],[0,{"id":[0,"1M8zVthnUiMpJpGylQuptu"],"title":[0,"Automatically generating Cloudflare’s Terraform provider"],"slug":[0,"automatically-generating-cloudflares-terraform-provider"],"excerpt":[0,"The Cloudflare Terraform provider used to be manually maintained. With the help of our existing OpenAPI code generation pipeline, we’re now automatically generating the provider for better "],"featured":[0,false],"html":[0,"<p>In November 2022, we announced the transition to <a href=\"\"><u>OpenAPI Schemas for the Cloudflare API</u></a>. Back then, we had an audacious goal to make the OpenAPI schemas the source of truth for our SDK ecosystem and reference documentation. During 2024’s Developer Week, we backed this up by <a href=\"\"><u>announcing that our SDK libraries are now automatically generated</u></a> from these OpenAPI schemas. Today, we’re excited to announce the latest pieces of the ecosystem to now be automatically generated — the Terraform provider and API reference documentation.</p><p>This means that the moment a new feature or attribute is added to our products and the team documents it, you’ll be able to see how it’s meant to be used across our SDK ecosystem <i>and</i> make use of it immediately. No more delays. No more lacking coverage of API endpoints.</p><p>You can find the new documentation site at <a href=\"\"><u></u></a>, and you can try the preview release candidate of the Terraform provider by <a href=\"\"><u>installing 5.0.0-alpha1</u></a>.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"why-terraform\">Why Terraform? </h2>\n <a href=\"#why-terraform\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>For anyone who is unfamiliar with <a href=\"\"><u>Terraform</u></a>, it is a tool for managing your infrastructure as code, much like you would with your application code. Many of our customers (big and small) rely on Terraform to orchestrate their infrastructure in a technology-agnostic way. Under the hood, it is essentially an HTTP client with lifecycle management built in, which means it makes use of our publicly documented APIs in a way that understands how to create, read, update and delete for the life of the resource. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"keeping-terraform-updated-the-old-way\">Keeping Terraform updated — the old way</h2>\n <a href=\"#keeping-terraform-updated-the-old-way\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Historically, Cloudflare has manually maintained a Terraform provider, but since the provider internals require their own unique way of doing things, responsibility for maintenance and support has landed on the shoulders of a handful of individuals. The service teams always had difficulties keeping up with the number of changes, due to the amount of cognitive overhead required to ship a single change in the provider. In order for a team to get a change to the provider, it took a minimum of 3 pull requests (4 if you were adding support to <a href=\"\"><u>cf-terraforming</u></a>).</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1318\" height=\"898\" loading=\"lazy\"/>\n </figure><p>Even with the 4 pull requests completed, it didn’t offer guarantees on coverage of all available attributes, which meant small yet important details could be forgotten and not exposed to customers, causing frustration when trying to configure a resource.</p><p>To address this, our Terraform provider needed to be relying on the same OpenAPI schemas that the rest of our SDK ecosystem was <a href=\"\"><u>already benefiting from</u></a>.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"updating-terraform-automatically\">Updating Terraform automatically</h2>\n <a href=\"#updating-terraform-automatically\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The thing that differentiates Terraform from our SDKs is that it manages the lifecycle of resources. With that comes a new range of problems related to known values and managing differences in the request and response payloads. Let’s compare the two different approaches of creating a new DNS record and fetching it back.</p><p>With our Go SDK:</p>\n <pre class=\"language-GOLANG\"><code class=\"language-GOLANG\">// Create the new record\nrecord, _ := client.DNS.Records.New(context.TODO(), dns.RecordNewParams{\n\tZoneID: cloudflare.F(&quot;023e105f4ecef8ad9ca31a8372d0c353&quot;),\n\tRecord: dns.RecordParam{\n\t\tName: cloudflare.String(&quot;@&quot;),\n\t\tType: cloudflare.String(&quot;CNAME&quot;),\n Content: cloudflare.String(&quot;;),\n\t},\n})\n\n\n// Wasteful fetch, but shows the point\nclient.DNS.Records.Get(\n\tcontext.Background(),\n\trecord.ID,\n\tdns.RecordGetParams{\n\t\tZoneID: cloudflare.String(&quot;023e105f4ecef8ad9ca31a8372d0c353&quot;),\n\t},\n)\n</pre></code>\n <p>\nAnd with Terraform:</p>\n <pre class=\"language-JavaScript\"><code class=\"language-JavaScript\">resource &quot;cloudflare_dns_record&quot; &quot;example&quot; {\n zone_id = &quot;023e105f4ecef8ad9ca31a8372d0c353&quot;\n name = &quot;@&quot;\n content = &quot;;\n type = &quot;CNAME&quot;\n}</pre></code>\n <p>On the surface, it looks like the Terraform approach is simpler, and you would be correct. The complexity of knowing how to create a new resource and maintain changes are handled for you. However, the problem is that for Terraform to offer this abstraction and data guarantee, all values must be known at apply time. That means that even if you’re not using the <code>proxied</code> value, Terraform needs to know what the value needs to be in order to save it in the state file and manage that attribute going forward. The error below is what Terraform operators commonly see from providers when the value isn’t known at apply time.</p>\n <pre class=\"language-JavaScript\"><code class=\"language-JavaScript\">Error: Provider produced inconsistent result after apply\n\nWhen applying changes to, provider &quot;provider[\\&quot;\\&quot;]&quot;\nproduced an unexpected new value: .foo: was null, but now cty.StringVal(&quot;&quot;).</pre></code>\n <p>Whereas when using the SDKs, if you don’t need a field, you just omit it and never need to worry about maintaining known values.</p><p>Tackling this for our OpenAPI schemas was no small feat. Since introducing Terraform generation support, the quality of our schemas has improved by an order of magnitude. Now we are explicitly calling out all default values that are present, variable response properties based on the request payload, and any server-side computed attributes. All of this means a better experience for anyone that interacts with our APIs.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"making-the-jump-from-terraform-plugin-sdk-to-terraform-plugin-framework\">Making the jump from terraform-plugin-sdk to terraform-plugin-framework</h3>\n <a href=\"#making-the-jump-from-terraform-plugin-sdk-to-terraform-plugin-framework\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>To build a Terraform provider and expose resources or data sources to operators, you need two main things: a provider server and a provider.</p><p>The provider server takes care of exposing a <a href=\"\"><u>gRPC server</u></a> that Terraform core (via the CLI) uses to communicate when managing resources or reading data sources from the operator provided configuration.</p><p>The provider is responsible for wrapping the resources and data sources, communicating with the remote services, and managing the state file. To do this, you either rely on the <a href=\"\"><u>terraform-plugin-sdk</u></a> (commonly referred to as SDKv2) or <a href=\"\"><u>terraform-plugin-framework</u></a>, which includes all the interfaces and methods provided by Terraform in order to manage the internals correctly. The decision as to which plugin you use depends on the age of your provider. SDKv2 has been around longer and is what most Terraform providers use, but due to the age and complexity, it has many core unresolved issues that must remain in order to facilitate backwards compatibility for those who rely on it. <code>terraform-plugin-framework</code> is the new version that, while lacking the breadth of features SDKv2 has, provides a more Go-like approach to building providers and addresses many of the underlying bugs in SDKv2.</p><p><i>(For a deeper comparison between SDKv2 and the framework, you can check out a </i><a href=\"\"><i><u>conversation between myself and John Bristowe from Octopus Deploy</u></i></a><i>.)</i></p><p>The majority of the Cloudflare Terraform provider is built using SDKv2, but at the beginning of 2023, we <a href=\"\"><u>took the plunge to multiplex</u></a> and offer both in our provider. To understand why this was needed, we have to understand a little about SDKv2. The way SDKv2 is structured isn&#39;t really conducive to representing null or &quot;unset&quot; values consistently and reliably. You can use the <a href=\"\"><u>experimental ResourceData.GetRawConfig</u></a> to check whether the value is set, null, or unknown in the config, but writing it back as null isn&#39;t really supported.</p><p>This caveat first popped up for us when the Edge Rules Engine (Rulesets) started onboarding new services and those services needed to support API responses that contained booleans in an unset (or missing), <code>true</code>, or <code>false</code> state each with their own reasoning and purpose. While this isn’t a conventional API design at Cloudflare, it is a valid way to do things that we should be able to work with. However, as mentioned above, the SDKv2 provider couldn&#39;t. This is because when a value isn&#39;t present in the response or read into state, it gets a Go-compatible zero value for the default. This showed up as the inability to unset values after they had been written to state as false values (and vice versa).</p><p>The only solution we have here to reliably use the three states of those boolean values is to migrate to the <code>terraform-plugin-framework</code>, which has the <a href=\"\"><u>correct implementation of writing back unset values</u></a>.</p><p>Once we started adding more functionality using <code>terraform-plugin-framework</code> in the old provider, it was clear that it was a better developer experience, so we <a href=\"\"><u>added a ratchet</u></a> to prevent SDKv2 usage going forward to get ahead of anyone unknowingly setting themselves up to hit this issue.</p><p>When we decided that we would be automatically generating the Terraform provider, it was only fitting that we also brought all the resources over to be based on the <code>terraform-plugin-framework</code> and leave the issues from SDKv2 behind for good. This did complicate the migration as with the improved internals came changes to major components like the schema and <a href=\",_read,_update_and_delete\"><u>CRUD operations</u></a> that we needed to familiarize ourselves with. However, it has been a worthwhile investment because by doing so, we’ve future-proofed the foundations of the provider and are now making fewer compromises on a great Terraform experience due to buggy, legacy internals.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"iteratively-finding-bugs\">Iteratively finding bugs </h3>\n <a href=\"#iteratively-finding-bugs\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>One of the common struggles with code generation pipelines is that unless you have existing tools that implement your new thing, it’s hard to know if it works or is reasonable to use. Sure, you can also generate your tests to exercise the new thing, but if there is a bug in the pipeline, you are very likely to not see it as a bug as you will be generating test assertions that show the bug is expected behavior.</p><p>One of the essential feedback loops we have had is the existing acceptance test suite. All resources within the existing provider had a mix of regression and functionality tests. Best of all, as the test suite is creating and managing real resources, it was very easy to know whether the outcome was a working implementation or not by looking at the HTTP traffic to see whether the API calls were accepted by the remote endpoints. Getting the test suite ported over was only a matter of copying over all the existing tests and checking for any type assertion differences (such as list to single nested list) before kicking off a test run to determine whether the resource was working correctly.</p><p>While the centralized schema pipeline was a huge quality of life improvement for having schema fixes propagate to the whole ecosystem almost instantly, it couldn’t help us solve the largest hurdle, which was surfacing bugs that hide other bugs. This was time-consuming because when fixing a problem in Terraform, you have three places where you can hit an error:</p><ol><li><p>Before any API calls are made, Terraform implements logical schema validation and when it encounters validation errors, it will immediately halt.</p></li><li><p>If any API call fails, it will stop at the CRUD operation and return the diagnostics, immediately halting.</p></li><li><p>After the CRUD operation has run, Terraform then has checks in place to ensure all values are known.</p></li></ol><p>That means that if we hit the bug at step 1 and then fixed the bug, there was no guarantee or way to tell that we didn’t have two more waiting for us. Not to mention that if we found a bug in step 2 and shipped a fix, that it wouldn’t then identify a bug in the first step on the next round of testing.</p><p>There is no silver bullet here and our workaround was instead to notice patterns of problems in the schema behaviors and apply CI lint rules within the OpenAPI schemas before it got into the code generation pipeline. Taking this approach incrementally cut down the number of bugs in step 1 and 2 until we were largely only dealing with the type in step 3.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"a-more-reusable-approach-to-model-and-struct-conversion\">A more reusable approach to model and struct conversion </h3>\n <a href=\"#a-more-reusable-approach-to-model-and-struct-conversion\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Within Terraform provider CRUD operations, it is fairly common to see boilerplate like the following:</p>\n <pre class=\"language-JavaScript\"><code class=\"language-JavaScript\">var plan ThingModel\ndiags := req.Plan.Get(ctx, &amp;plan)\nresp.Diagnostics.Append(diags...)\nif resp.Diagnostics.HasError() {\n\treturn\n}\n\nout, err := r.client.UpdateThingModel(ctx, client.ThingModelRequest{\n\tAttrA: plan.AttrA.ValueString(),\n\tAttrB: plan.AttrB.ValueString(),\n\tAttrC: plan.AttrC.ValueString(),\n})\nif err != nil {\n\tresp.Diagnostics.AddError(\n\t\t&quot;Error updating project Thing&quot;,\n\t\t&quot;Could not update Thing, unexpected error: &quot;+err.Error(),\n\t)\n\treturn\n}\n\nresult := convertResponseToThingModel(out)\ntflog.Info(ctx, &quot;created thing&quot;, map[string]interface{}{\n\t&quot;attr_a&quot;: result.AttrA.ValueString(),\n\t&quot;attr_b&quot;: result.AttrB.ValueString(),\n\t&quot;attr_c&quot;: result.AttrC.ValueString(),\n})\n\ndiags = resp.State.Set(ctx, result)\nresp.Diagnostics.Append(diags...)\nif resp.Diagnostics.HasError() {\n\treturn\n}</pre></code>\n <p>At a high level:</p><ul><li><p>We fetch the proposed updates (known as a plan) using <code>req.Plan.Get()</code></p></li><li><p>Perform the update API call with the new values</p></li><li><p>Manipulate the data from a Go type into a Terraform model (<code>convertResponseToThingModel</code>)</p></li><li><p>Set the state by calling <code>resp.State.Set()</code></p></li></ul><p>Initially, this doesn’t seem too problematic. However, the third step where we manipulate the Go type into the Terraform model quickly becomes cumbersome, error-prone, and complex because all of your resources need to do this in order to swap between the type and associated Terraform models.</p><p>To avoid generating more complex code than needed, one of the improvements featured in our provider is that all CRUD methods use unified <code>apijson.Marshal, apijson.Unmarshal</code>, and <code>apijson.UnmarshalComputed</code> methods that solve this problem by centralizing the conversion and handling logic based on the struct tags.</p>\n <pre class=\"language-JavaScript\"><code class=\"language-JavaScript\">var data *ThingModel\n\nresp.Diagnostics.Append(req.Plan.Get(ctx, &amp;data)...)\nif resp.Diagnostics.HasError() {\n\treturn\n}\n\ndataBytes, err := apijson.Marshal(data)\nif err != nil {\n\tresp.Diagnostics.AddError(&quot;failed to serialize http request&quot;, err.Error())\n\treturn\n}\nres := new(http.Response)\nenv := ThingResultEnvelope{*data}\n_, err = r.client.Thing.Update(\n\t// ...\n)\nif err != nil {\n\tresp.Diagnostics.AddError(&quot;failed to make http request&quot;, err.Error())\n\treturn\n}\n\nbytes, _ := io.ReadAll(res.Body)\nerr = apijson.UnmarshalComputed(bytes, &amp;env)\nif err != nil {\n\tresp.Diagnostics.AddError(&quot;failed to deserialize http request&quot;, err.Error())\n\treturn\n}\ndata = &amp;env.Result\n\nresp.Diagnostics.Append(resp.State.Set(ctx, &amp;data)...)</pre></code>\n <p>Instead of needing to generate hundreds of instances of type-to-model converter methods, we can instead decorate the Terraform model with the correct tags and handle marshaling and unmarshaling of the data consistently. It’s a minor change to the code that in the long run makes the generation more reusable and readable. As an added benefit, this approach is great for bug fixing as once you identify a bug with a particular type of field, fixing that in the unified interface fixes it for other occurrences you may not yet have found.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"but-wait-theres-more-docs\">But wait, there’s more (docs)!</h2>\n <a href=\"#but-wait-theres-more-docs\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>To top off our OpenAPI schema usage, we’re tightening the SDK integration with our <a href=\"\"><u>new API documentation site</u></a>. It’s using the same pipeline we’ve invested in for the last two years while addressing some of the common usage issues.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"sdk-aware\">SDK aware </h3>\n <a href=\"#sdk-aware\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>If you’ve used our API documentation site, you know we give you examples of interacting with the API using command line tools like curl. This is a great starting point, but if you’re using one of the SDK libraries, you need to do the mental gymnastics to convert it to the method or type definition you want to use. Now that we’re using the same pipeline to generate the SDKs <b>and</b> the documentation, we’re solving that by providing examples in all the libraries you <i>could</i> use — not just curl.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1528\" height=\"334\" loading=\"lazy\"/>\n \n </figure><p><sup><i>Example using cURL to fetch all zones.</i></sup></p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1534\" height=\"658\" loading=\"lazy\"/>\n \n </figure><p><sup><i>Example using the Typescript library to fetch all zones.</i></sup></p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1534\" height=\"568\" loading=\"lazy\"/>\n \n </figure><p><sup><i>Example using the Python library to fetch all zones.</i></sup></p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1530\" height=\"974\" loading=\"lazy\"/>\n \n </figure><p><sup><i>Example using the Go library to fetch all zones.</i></sup></p><p>With this improvement, we also remember the language selection so if you’ve selected to view the documentation using our Typescript library and keep clicking around, we keep showing you examples using Typescript until it is swapped out.</p><p>Best of all, when we introduce new attributes to existing endpoints or add SDK languages, this documentation site is automatically kept in sync with the pipeline. It is no longer a huge effort to keep it all up to date.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"faster-and-more-efficient-rendering\">Faster and more efficient rendering</h3>\n <a href=\"#faster-and-more-efficient-rendering\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>A problem we’ve always struggled with is the sheer number of API endpoints and how to represent them. As of this post, we have 1,330 endpoints, and for each of those endpoints, we have a request payload, a response payload, and multiple types associated with it. When it comes to rendering this much information, the solutions we’ve used in the past have had to make tradeoffs in order to make parts of the representation work.</p><p>This next iteration of the API documentation site addresses this is a couple of ways:</p><ul><li><p>It&#39;s implemented as a modern React application that pairs an interactive client-side experience with static pre-rendered content, resulting in a quick initial load and fast navigation. (Yes, it even works without JavaScript enabled!). </p></li><li><p>It fetches the underlying data incrementally as you navigate.</p></li></ul><p>By solving this foundational issue, we’ve unlocked other planned improvements to the documentation site and SDK ecosystem to improve the user experience without making tradeoffs like we’ve needed to in the past. </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"permissions\">Permissions</h3>\n <a href=\"#permissions\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>One of the most requested features to be re-implemented into the documentation site has been minimum required permissions for API endpoints. One of the previous iterations of the documentation site had this available. However, unknown to most who used it, the values were manually maintained and were regularly incorrect, causing support tickets to be raised and frustration for users.</p><p>Inside Cloudflare&#39;s identity and access management system, answering the question “what do I need to access this endpoint” isn’t a simple one. The reason for this is that in the normal flow of a request to the control plane, we need two different systems to provide parts of the question, which can then be combined to give you the full answer. As we couldn’t initially automate this as part of the OpenAPI pipeline, we opted to leave it out instead of having it be incorrect with no way of verifying it.</p><p>Fast-forward to today, and we’re excited to say endpoint permissions are back! We built some new tooling that abstracts answering this question in a way that we can integrate into our code generation pipeline and have all endpoints automatically get this information. Much like the rest of the code generation platform, it is focused on having service teams own and maintain high quality schemas that can be reused with value adds introduced without any work on their behalf.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1534\" height=\"360\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"stop-waiting-for-updates\">Stop waiting for updates</h2>\n <a href=\"#stop-waiting-for-updates\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>With these announcements, we’re putting an end to waiting for updates to land in the SDK ecosystem. These new improvements allow us to streamline the ability of new attributes and endpoints the moment teams document them. So what are you waiting for? Check out the <a href=\"\"><u>Terraform provider</u></a> and <a href=\"\"><u>API documentation site</u></a> today.</p>"],"published_at":[0,"2024-09-24T14:00+01:00"],"updated_at":[0,"2024-12-12T00:18:18.131Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"1Cv5JjXzKWKEA10JdYbXu1"],"name":[0,"Birthday Week"],"slug":[0,"birthday-week"]}],[0,{"id":[0,"5x72ei67SoD11VQ0uqFtpF"],"name":[0,"API"],"slug":[0,"api"]}],[0,{"id":[0,"3rbBQ4KGWcg4kafhbLilKu"],"name":[0,"SDK"],"slug":[0,"sdk"]}],[0,{"id":[0,"4PjcrP7azfu8cw8rGcpYoM"],"name":[0,"Terraform"],"slug":[0,"terraform"]}],[0,{"id":[0,"5agGcvExXGm8IVuFGxiuBF"],"name":[0,"Open API"],"slug":[0,"open-api"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Jacob Bednarz"],"slug":[0,"jacob-bednarz"],"bio":[0,"System Engineer, Control Plane"],"profile_image":[0,""],"location":[0,"Australia"],"website":[0,""],"twitter":[0,"@jacobbednarz"],"facebook":[0,null]}]]],"meta_description":[0,"The Cloudflare Terraform provider used to be manually maintained. With the help of our existing OpenAPI code generation pipeline, we’re now automatically generating the provider for better endpoint and attribute coverage, faster updates when new products are announced and a new API documentation site to top it all off. Read on to see how we pulled it all together."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Automatically generating Cloudflare’s Terraform provider - LL- koKR, zhCN, zhTW, esES, frFR, deDE"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"Translated for Locale"],"deDE":[0,"Translated for Locale"],"itIT":[0,"English for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"English for Locale"],"esLA":[0,"English for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"English for Locale"],"thTH":[0,"English for Locale"],"trTR":[0,"English for Locale"],"heIL":[0,"English for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Automatically generating Cloudflare’s Terraform provider"],"description":[0,"The Cloudflare Terraform provider used to be manually maintained. With the help of our existing OpenAPI code generation pipeline, we’re now automatically generating the provider for better endpoint and attribute coverage, faster updates when new products are announced and a new API documentation site to top it all off. Read on to see how we pulled it all together."],"imgPreview":[0,""]}]}],[0,{"id":[0,"6V6W6JxQO7bnM0CbhuO1OA"],"title":[0,"Introducing Ephemeral IDs: a new tool for fraud detection"],"slug":[0,"turnstile-ephemeral-ids-for-fraud-detection"],"excerpt":[0,"As the Internet evolves, Turnstile does too. Introducing Ephemeral IDs — a new dimension in detecting fraudulent activity, bot or human, that links behavior to a specific client instead of an IP address. This makes Turnstile better for everyone, everywhere. \n"],"featured":[0,false],"html":[0,"<p>In the early days of the Internet, a single IP address was a reliable indicator of a single user. However, today’s Internet is more complex. Shared IP addresses are now common, with users connecting via mobile IP address pools, VPNs, or behind <a href=\"\"><u>CGNAT (Carrier Grade Network Address Translation)</u></a>. This makes relying on IP addresses alone a weak method to combat modern threats like automated attacks and fraudulent activity. Additionally, many Internet users have no option but to use an IP address which they don’t have sole control over, and as such, <a href=\"\"><u>should not be penalized for that</u></a>.</p><p>At Cloudflare, we are solving this complexity with <a href=\"\"><u>Turnstile</u></a>, our <a href=\"\"><u>CAPTCHA alternative</u></a>. And now, we’re taking the next step in advancing security with Ephemeral IDs, a new feature that generates a unique short-lived ID, without relying on any network-level information.</p><p>When a website visitor interacts with Turnstile, we now calculate an Ephemeral ID that can link behavior to a specific client instead of an IP address. This means that even when attackers rotate through large pools of IP addresses, we can still identify and block malicious actions. For example, in attacks like <a href=\"\"><u>credential stuffing</u></a> or account signups, where fraudsters attempt to disguise themselves using different IP addresses, Ephemeral IDs allow us to detect abuse patterns more accurately beyond just determining whether the visitor is a human or a bot. Multiple fraudulent actions from the same client are grouped together, improving our detection rate while reducing false positives.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"how-ephemeral-ids-work\">How Ephemeral IDs work</h3>\n <a href=\"#how-ephemeral-ids-work\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Turnstile detects bots by analyzing browser attributes and signals. Using these aggregated client-side signals, we generate a short-lived Ephemeral ID without setting any cookies or using similar client-side storage. These IDs are intentionally not 100% unique and have a brief lifespan, making them highly effective in identifying patterns of fraud and abuse, without compromising user privacy.</p><p>When the same visitor interacts with Turnstile widgets from different Cloudflare customers, they receive different Ephemeral IDs for each one. Additionally, because these IDs change frequently, they cannot be used to track a single visitor over multiple days.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"Blue: A single IP address | Green: A single Ephemeral ID\nThe bigger the node, the more frequently seen that ID or IP address was in our dataset.\" class=\"kg-image\" width=\"1960\" height=\"1504\" loading=\"lazy\"/>\n </figure><p><sub><i>Blue: A single IP address | Green: A single Ephemeral ID</i></sub><sub>\n</sub><sub><i>The bigger the node, the more frequently seen that ID or IP address was in our dataset.</i></sub></p><p>The graphic above illustrates the complex reality of the modern Internet, where the relationship between clients and IP addresses is far from a simple one-to-one mapping. While some straightforward mappings still exist, they are no longer the norm.</p><p>During a period where a site or service is under attack, we observe a “nest” of highly correlated Ephemeral IDs. In the example below, the correlation is based on both Ephemeral ID and IP address.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"Nest in the center of the diagram visualizes thousands of IP addresses (blue) which are correlated by the commonly identified Ephemeral IDs (green). The bigger the node, the more frequently seen that ID or IP address was in our dataset.\" class=\"kg-image\" width=\"1900\" height=\"1812\" loading=\"lazy\"/>\n </figure><p><sub><i>Nest in the center of the diagram visualizes thousands of IP addresses (blue) which are correlated by the commonly identified Ephemeral IDs (green). The bigger the node, the more frequently seen that ID or IP address was in our dataset.</i></sub></p><p>This is real-world data showing fraudulent activity on one of Cloudflare’s public-facing forms. Even with access to a broad range of IP addresses, attackers struggle to completely disguise their requests because Ephemeral IDs are generated based on patterns beyond IP addresses. This means that even if they rotate addresses, the underlying client characteristics are still detected, making it harder for them to evade our security measures. This makes it easier for us to group these requests and apply appropriate business logic, whether that means discarding the requests, requiring further validation, enforcing <a href=\"\"><u>multi-factor authentication (MFA)</u></a>, or other actions. </p><p>This new client identification technology seamlessly integrates into the broader advancements we’ve made to Turnstile over the past year. Whether you’re protecting <a href=\"\"><u>login forms</u></a>, signup pages, or high value transactions, you’ll immediately benefit from this extra layer of abuse detection <b>without needing to change a single line of code</b>. We’ll take care of all the heavy lifting and analysis behind the scenes, and our system will continue to improve its accuracy and effectiveness over time.</p><p>What does this mean for you? Starting today, <a href=\"\"><u>Turnstile</u></a> will go beyond just identifying bots. <b>All</b> <b>websites protected by Turnstile will automatically benefit</b> from the integration of Ephemeral IDs into our detection logic. This means we can more effectively identify and penalize offending clients without impacting other users on the same network, or IP address, improving security and user experience for everyone.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"ephemeral-ids-in-action\">Ephemeral IDs in action</h3>\n <a href=\"#ephemeral-ids-in-action\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Everyone benefits from the addition of Ephemeral IDs to the Challenge Platform, but for those who want to use it beyond that, the Ephemeral ID is available through the Turnstile <a href=\"\"><u>siteverify</u></a> response. A practical use case for Ephemeral IDs is preventing fraudulent account signups. Imagine a bad actor, a real person using a real device, creating hundreds of fake accounts while rotating IP addresses to avoid detection. By ingesting Ephemeral IDs and logging them alongside your account creation logs, you can set up alerts based on account creation thresholds in real-time or retroactively investigate suspicious activity. Even though Ephemeral IDs are short-lived and may have changed by the time an investigation begins, they still provide valuable insights through aggregate analysis, and provide an extra dimension to identify fraud and abuse.</p><p>For our <b>Turnstile Enterprise </b>and<b> Bot Management Enterprise </b>customers, you now have the option to access Ephemeral IDs directly through the Turnstile siteverify response. Get in touch with your Account Executive to enable it on your account.</p><p>Below is an example of <a href=\"\"><u>siteverify</u></a> response for those who have enabled Ephemeral IDs.</p>\n <pre class=\"language-JavaScript\"><code class=\"language-JavaScript\">curl &#039;; --data &#039;secret=verysecret&amp;response=&lt;RESPONSE&gt;&#039;</pre></code>\n \n <pre class=\"language-JavaScript\"><code class=\"language-JavaScript\">{\n &quot;success&quot;: true,\n &quot;error-codes&quot;: [],\n &quot;challenge_ts&quot;: &quot;2024-09-10T17:29:00.463Z&quot;,\n &quot;hostname&quot;: &quot;;,\n &quot;metadata&quot;: {\n &quot;ephemeral_id&quot;: &quot;x:9f78e0ed210960d7693b167e&quot;\n }\n}\n</pre></code>\n \n <div class=\"flex anchor relative\">\n <h2 id=\"whats-next-for-turnstile\">What’s next for Turnstile?</h2>\n <a href=\"#whats-next-for-turnstile\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We launched Turnstile with a bold mission: to redefine CAPTCHAs with a frictionless, privacy-first solution that eliminates the annoyance of picking puzzles, selecting stoplights, and clicking crosswalks to prove our humanity. It’s incredible to think that Turnstile has been generally available for a whole year now! During this time, it has blocked over <b>one trillion bots</b>, and is actively protecting more than <b>350,000 domains</b> worldwide.</p><p>As we celebrate Turnstile’s second birthday, we’re proud of the progress we’ve made and thrilled to introduce our latest innovations. While Ephemeral IDs represent the newest evolution of Turnstile, they’re part of our ongoing commitment to continuous improvement. Over the past year, we’ve also introduced a <a href=\"\"><u>Cloudflare Pages Plugin</u></a> and partnered with <a href=\"\"><u>Google Firebase</u></a>, ensuring that developers have easy access to Turnstile.</p><p>Earlier this year, we also launched <a href=\"\"><u>Pre-Clearance</u></a> for Turnstile, integrating it with Cloudflare WAF’s Challenge action, making it easier for customers to use Cloudflare’s Application Security products together. If you want to learn more about how to use Turnstile with Cloudflare’s Bot Management and WAF in more detail, check it out <a href=\"\"><u>here</u></a>!</p><p>We’re incredibly excited about what’s ahead. The introduction of Ephemeral IDs is just one of many innovations on the horizon. We’re committed to making the Internet a safer, more private place for everyone, eliminating the need for frustrating CAPTCHA puzzles while keeping security our top priority. And with our free tier remaining open and unlimited for all, there’s no barrier to getting started with Turnstile today.</p><p>Join us in revolutionizing online security –<b> </b><a href=\"\"><b><u>get started with Turnstile</u></b></a><b> </b>now or dive straight into our<b> </b><a href=\"\"><b><u>how-to guides</u></b></a>. Let’s help make the Internet a better place, together!</p>"],"published_at":[0,"2024-09-23T14:00+01:00"],"updated_at":[0,"2024-10-09T23:05:13.482Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"1Cv5JjXzKWKEA10JdYbXu1"],"name":[0,"Birthday Week"],"slug":[0,"birthday-week"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"1mgoRLcodl1ettELWixzCH"],"name":[0,"Turnstile"],"slug":[0,"turnstile"]}],[0,{"id":[0,"11uq7RpwEtvy8Ic53C6cMR"],"name":[0,"CAPTCHA"],"slug":[0,"captcha"]}],[0,{"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"name":[0,"Security"],"slug":[0,"security"]}],[0,{"id":[0,"4l3WDYLk6bXCyaRc9pRzXa"],"name":[0,"Bots"],"slug":[0,"bots"]}],[0,{"id":[0,"3BWeMuiOShelE7QM48sW9j"],"name":[0,"Privacy"],"slug":[0,"privacy"]}],[0,{"id":[0,"2s3r2BdfPas9oiGbGRXdmQ"],"name":[0,"Network Services"],"slug":[0,"network-services"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Oliver Payne"],"slug":[0,"oliver-payne"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0],"twitter":[0],"facebook":[0]}],[0,{"name":[0,"Sally Lee"],"slug":[0,"sallylee"],"bio":[0,null],"profile_image":[0,""],"location":[0,"San Francisco Bay Area"],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Benedikt Wolters"],"slug":[0,"benedikt"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,""],"twitter":[0,"@worengawins"],"facebook":[0,null]}]]],"meta_description":[0,"As the Internet evolves, Turnstile does too. Introducing Ephemeral IDs — a new dimension in detecting fraudulent activity, bot or human, that links behavior to a specific client instead of an IP address. This makes Turnstile better for everyone, everywhere. \n"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0],"description":[0],"imgPreview":[0,""]}]}],[0,{"id":[0,"7Dgs9IOqQRU1Tj3UKzO8pV"],"title":[0,"Introducing high-definition portrait video support for Cloudflare Stream"],"slug":[0,"introducing-high-definition-portrait-video-support-for-cloudflare-stream"],"excerpt":[0,"Cloudflare Stream is an end-to-end solution for video encoding, storage, delivery, and playback, focused on simplifying all aspects of video for developers. Newly uploaded or ingested portrait videos will now automatically be processed in full HD quality"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"2492-1-Hero\" class=\"kg-image\" width=\"1800\" height=\"1013\" loading=\"lazy\"/>\n </figure><p>Cloudflare Stream is an end-to-end solution for video encoding, storage, delivery, and playback. Our focus has always been on simplifying all aspects of video for developers. This goal continues to motivate us as we introduce first-class portrait (vertical) video support today. Newly uploaded or ingested portrait videos will now automatically be processed in full HD quality.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"why-portrait-video\">Why portrait video</h2>\n <a href=\"#why-portrait-video\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In the past few years, the popularity of portrait video has exploded, motivated by short-form video content applications such as TikTok or YouTube Shorts. However, Cloudflare customers have been confused as to why their portrait videos appear to be lower quality when viewed on portrait-first devices such as smartphones. This is because our video encoding pipeline previously did not support high-quality portrait videos, leading them to be grainy and lower quality. This pain point has now been addressed with the introduction of high-definition portrait video.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"the-current-stream-pipeline\">The current stream pipeline</h2>\n <a href=\"#the-current-stream-pipeline\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>When you <a href=\"\"><u>upload a video to Stream</u></a>, it is first encoded into several different “renditions” (sizes or resolutions) before delivery. This is done in order to enable playback in a wide variety of network conditions, as well as to standardize the way a video is experienced. By using these adaptive bitrate renditions, we are able to offer viewers the highest quality streaming experience which fits their network bandwidth, meaning someone watching a video with a slow mobile connection would be served a 240p video (a resolution of 320x240 pixels) and receive the 1080p (a resolution of 1920x1080 pixels) version when they are watching at home on their fiber Internet connection. This encoding pipeline follows one of two different paths:</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"2492-2\" class=\"kg-image\" width=\"1013\" height=\"1742\" loading=\"lazy\"/>\n </figure><p>The first path is our video on-demand (VOD) encoding pipeline, which generates and stores a set of encoded video segments at each of our standard video resolutions. The other path is our on-the-fly encoding (OTFE) pipeline, which uses the same process as Stream Live to generate resolutions upon user request. Both pipelines work with the set of standard resolutions, which are identified through a constrained target (output) height. This means that we encode every rendition to heights of 240 pixels, 360 pixels, etc. up to 1080 pixels.</p><p>When originally conceived, this encoding pipeline was not designed with portrait video in mind because portrait video was less common. As a result, portrait videos were encoded with lower quality dimensions that were consistent with landscape video encoding. For example, a portrait HD video would have the dimensions 1920x1080 — scaling that down to the height of a landscape HD video would result in the much smaller output of 1080x606. However, current smartphones all have HD displays, making the discrepancy clear when a portrait video is viewed in portrait mode on a phone. With this new change to our encoding pipeline, all newly uploaded portrait videos will now be automatically encoded with constrained target width, using a new set of standard resolutions for portrait video. These resolutions are the same as the current set of landscape resolutions, but with the dimensions reversed: 240x426 up to 1080x1920.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"2492-3\" class=\"kg-image\" width=\"1999\" height=\"665\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"technical-details\">Technical details</h2>\n <a href=\"#technical-details\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As the Stream intern this summer, I was tasked with this project, as well as the expectation of shipping a long-requested change, by the end of my internship. The first step in implementing this change was to familiarize myself with the complex architecture of Stream’s internal systems. After this, I began brainstorming a few different implementation decisions, like how to consistently track orientation through various stages of the pipeline. Following a group discussion to decide which choices would be the most scalable, least complex, and best for users, it was time to write the technical specification.</p><p>Due to the implementation method we chose, making this change involved tracing the life of a video from upload to delivery through both of our encoding pipelines and applying different logic for portrait videos. Previously, all video renditions were identified by their height at each stage of the pipeline, making certain parts of the pipeline completely agnostic to the orientation of a video. With the proposed changes, we would now be using the constraining dimension and orientation to identify a video rendition. Therefore, much of the work involved modifying the different portions of the pipeline to use these new parameters.</p><p>The first area of the pipeline to be modified was the Stream API service, which is the process which handles all Stream API calls. The API service enqueues the rendition encoding jobs for a video after it is uploaded, so it was necessary to introduce a new set of renditions designed for portrait videos, and enqueue the corresponding encoding jobs. The queueing system is handled by our in-house queue management system, which handles jobs generically and therefore did not require any changes.</p><p>Following this, I tackled the on-the-fly encoding pipeline. The area of interest here was the delivery portion of our pipeline, which generated the set of encoding resolutions to pass on to our on-the-fly encoder. Here I also introduced a new set of portrait renditions and the corresponding logic to encode them for portrait videos. This part of the backend is written and hosted on <a href=\"\"><u>Cloudflare Workers</u></a>, which made it very easy and quick to deploy and test changes. </p><p>Finally, we wanted to change how we presented these quality levels to users in the Stream built-in player and thought that using the new constrained dimension rather than always showing the height would feel more familiar. For portrait videos, we now display the size of the <i>constraining dimension</i>, which also means quality selection for portrait videos encoded under our old system now more accurately reflects their quality, too. As an example, a 9:16 portrait video would have been encoded to a maximum size of 608x1080 by the previous pipeline. Now, such a rendition will be marked as 608p rather than the full-quality 1080p, which would be a 1080x1920 rendition.</p><p>Stream as a whole is built on many of our own <a href=\"\"><u>Developer Platform</u></a> products, such as Workers for handling delivery, <a href=\"\"><u>R2</u></a> for rendition storage, <a href=\"\"><u>Workers AI</u></a> for automatic captioning, and <a href=\"\"><u>Durable Objects</u></a> for bitrate observation, all of which enhance our ability to deploy and ship new updates quickly. Throughout my work on this project, I was able to see all of these pieces in action, as well as gain a new understanding of the powerful tools Cloudflare offers for developers. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"results-and-findings\">Results and findings</h2>\n <a href=\"#results-and-findings\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>After the change, portrait videos are now encoded to higher resolutions and visibly appear to be higher quality. To confirm these differences, I analyzed the effect of the pipeline change on four different sample videos using the <a href=\"\"><u>peak-signal-to-noise ratio</u></a> (PSNR, a mathematical representation of image quality). Since the old pipeline produced lower resolution videos, the comparison here is between an upscaled version of the old pipeline rendition and the current pipeline rendition. In the graph below, higher values reflect higher quality relative to the unencoded original video.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"2492-4\" class=\"kg-image\" width=\"1200\" height=\"742\" loading=\"lazy\"/>\n </figure><p></p><p>According to this metric, we see an increase in quality from the pipeline changes as high as 8%. However, the quality increase is most noticeable to the human eye in videos that feature fine details or a high amount of movement, which is not always captured in the PSNR. For example, compare a side-by-side of a frame from the book sample video encoded both ways:</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"2492-5\" class=\"kg-image\" width=\"960\" height=\"540\" loading=\"lazy\"/>\n </figure><p>The difference between the old and new encodings is most clear when zoomed in:</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"2492-6\" class=\"kg-image\" width=\"960\" height=\"540\" loading=\"lazy\"/>\n </figure><p>Here’s another example (sourced from <a href=\"\"><u>Mixkit</u></a>):</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"2492-7\" class=\"kg-image\" width=\"960\" height=\"540\" loading=\"lazy\"/>\n </figure><p>Magnified:</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"2492-8\" class=\"kg-image\" width=\"960\" height=\"540\" loading=\"lazy\"/>\n </figure><p>Of course, watching these example clips is the clearest way to see:</p><ul><li><p>Book intro: <a href=\"\"><u>before</u></a> and <a href=\"\"><u>after</u></a></p></li><li><p>Hair and makeup: <a href=\"\"><u>before</u></a> and <a href=\"\"><u>after</u></a></p></li></ul><p>Maximize the Stream player and look at the quality selector (in the gear menu) to see the new quality level labels – select the highest option to compare. Note the improved sharpness of the text in the book sample as well as the improved detail in the hair and eye shadow of the hair and makeup sample.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"implementation-challenges\">Implementation challenges</h2>\n <a href=\"#implementation-challenges\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Due to the complex nature of our encoding pipelines, there were several technical challenges to making a large change like this. Aside from simply uploading videos, many of the features we offer, like downloads or clipping, require tweaking to produce the correct video renditions. This involved modifying many parts of the encoding pipeline to ensure that portrait video logic was handled. </p><p>There were also some edge cases which were not caught until after release. One release of this feature contained a bug in the on-the-fly encoding logic which caused a subset of new portrait livestream renditions to have negative bitrates, making them unusable. This was due to an internal representation of video renditions’ constraining dimensions being mistakenly used for bitrate observation. We remedied this by increasing the scope of our end-to-end testing to include more portrait video tests and live recording interaction tests.</p><p>Another small bug caused downloading very small videos to sometimes fail. This was because for videos under 240p, our smallest encoding resolution, the non-constraining dimension was not being properly scaled to match the aspect ratio of the video, causing some specific combinations of dimensions to be interpreted as portrait when they should have been landscape, and vice versa. This bug was fixed quickly, but was not initially caught after the release since it required a very specific set of conditions to activate. After this experience, I added a few more unit tests involving small videos.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"thats-a-wrap\">That’s a wrap</h2>\n <a href=\"#thats-a-wrap\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As my internship comes to a close, reflecting on the experience makes me grateful for all the team members who have helped me throughout this time. I am very glad to have shipped this project which addresses a long-standing concern and will have real-world customer impact. Support for high-definition portrait video is now available, and we will continue to make improvements to our video solutions suite. You can see the difference yourself by <a href=\"\"><u>uploading a portrait video to Stream</u></a>! Or, perhaps you’d like to help build a better Internet, too — our <a href=\"\"><u>internship and early talent programs</u></a> are a great way to jumpstart your own journey.</p><p><i>Sample video acknowledgements: The sample video of the book was created by the Stream Product Manager and shows the opening page of </i>The Strange Wonder of Roots<i> by </i><a href=\"\"><i><u>Evan Griffith</u></i></a><i> (HarperCollins). The </i><a href=\"\"><i><u>hair and makeup fashion video</u></i></a><i> was sourced from </i><a href=\"\"><i><u>Mixkit</u></i></a><i>, a great source of free media for video projects.</i></p>"],"published_at":[0,"2024-08-16T14:00+00:00"],"updated_at":[0,"2024-10-10T00:36:55.417Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"7mVMfcxp4tMqKil9jj8BJa"],"name":[0,"Cloudflare Stream"],"slug":[0,"cloudflare-stream"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"3vILtHLIQU7d8BaWzXAPv4"],"name":[0,"Internship Experience"],"slug":[0,"internship-experience"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"4m0TnPrRHWtb7J6Ht4M4oj"],"name":[0,"Video"],"slug":[0,"video"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Alex Huang"],"slug":[0,"sasha"],"bio":[0],"profile_image":[0,""],"location":[0],"website":[0,""],"twitter":[0,""],"facebook":[0]}]]],"meta_description":[0],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0],"description":[0],"imgPreview":[0,""]}]}],[0,{"id":[0,"WiHZr8Fb6WzdVjo0egsWW"],"title":[0,"The backbone behind Cloudflare’s Connectivity Cloud"],"slug":[0,"backbone2024"],"excerpt":[0,"Read through the latest milestones and expansions of Cloudflare's global backbone and how it supports our Connectivity Cloud and our services"],"featured":[0,false],"html":[0,"<p>The modern use of &quot;cloud&quot; arguably traces its origins to the cloud icon, omnipresent in network diagrams for decades. A cloud was used to represent the vast and intricate infrastructure components required to deliver network or Internet services without going into depth about the underlying complexities. At Cloudflare, we embody this principle by providing critical infrastructure solutions in a user-friendly and easy-to-use way. Our logo, featuring the cloud symbol, reflects our commitment to simplifying the complexities of Internet infrastructure for all our users.</p><p>This blog post provides an update about our infrastructure, focusing on our global backbone in 2024, and highlights its benefits for our customers, our competitive edge in the market, and the impact on our mission of helping build a better Internet. Since the time of our last backbone-related <a href=\"\">blog post</a> in 2021, we have increased our backbone capacity (Tbps) by more than 500%, unlocking new use cases, as well as reliability and performance benefits for all our customers.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"a-snapshot-of-cloudflares-infrastructure\">A snapshot of Cloudflare’s infrastructure</h3>\n <a href=\"#a-snapshot-of-cloudflares-infrastructure\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As of July 2024, Cloudflare has data centers in 330 cities across more than 120 countries, each running Cloudflare equipment and services. The goal of delivering Cloudflare products and services everywhere remains consistent, although these data centers vary in the number of servers and amount of computational power.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2432-2\" class=\"kg-image\" width=\"1600\" height=\"1000\" loading=\"lazy\"/>\n </figure><p></p><p>These data centers are strategically positioned around the world to ensure our presence in all major regions and to help our customers comply with local regulations. It is a programmable smart network, where your traffic goes to the best data center possible to be processed. This programmability allows us to keep sensitive data regional, with our <a href=\"\">Data Localization Suite solutions</a>, and within the constraints that our customers impose. Connecting these sites, exchanging data with customers, public clouds, partners, and the broader Internet, is the role of our network, which is managed by our infrastructure engineering and network strategy teams. This network forms the foundation that makes our products lightning fast, ensuring our global reliability, security for every customer request, and helping customers comply with data sovereignty requirements.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"traffic-exchange-methods\">Traffic exchange methods</h3>\n <a href=\"#traffic-exchange-methods\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The Internet is an interconnection of different networks and separate <a href=\"\">autonomous systems</a> that operate by exchanging data with each other. There are multiple ways to exchange data, but for simplicity, we&#39;ll focus on two key methods on how these networks communicate: Peering and IP Transit. To better understand the benefits of our global backbone, it helps to understand these basic connectivity solutions we use in our network.</p><ol><li><p><b>Peering</b>: The voluntary interconnection of administratively separate Internet networks that allows for traffic exchange between users of each network is known as “<a href=\"\">peering</a>”. Cloudflare is one of the <a href=\"\">most peered networks</a> globally. We have peering agreements with ISPs and other networks in 330 cities and across all major </p><p><a href=\"\">Internet Exchanges (IX’s)</a>. Interested parties can register to <a href=\"\">peer with us</a> anytime, or directly connect to our network with a link through a <a href=\"\">private network interconnect (PNI)</a>.</p></li><li><p><b>IP transit</b>: A paid service that allows traffic to cross or &quot;transit&quot; somebody else&#39;s network, typically connecting a smaller Internet service provider (ISP) to the larger Internet. Think of it as paying a toll to access a private highway with your car.</p></li></ol><p>The backbone is a dedicated high-capacity optical fiber network that moves traffic between Cloudflare’s global data centers, where we interconnect with other networks using these above-mentioned traffic exchange methods. It enables data transfers that are more reliable than over the public Internet. For the connectivity within a city and long distance connections we manage our own dark fiber or lease wavelengths using Dense Wavelength Division Multiplexing (DWDM). DWDM is a fiber optic technology that enhances network capacity by transmitting multiple data streams simultaneously on different wavelengths of light within the same fiber. It’s like having a highway with multiple lanes, so that more cars can drive on the same highway. We buy and lease these services from our global carrier partners all around the world.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2432-3\" class=\"kg-image\" width=\"1999\" height=\"750\" loading=\"lazy\"/>\n </figure><p></p>\n <div class=\"flex anchor relative\">\n <h3 id=\"backbone-operations-and-benefits\">Backbone operations and benefits</h3>\n <a href=\"#backbone-operations-and-benefits\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Operating a global backbone is challenging, which is why many competitors don’t do it. We take this challenge for two key reasons: traffic routing control and cost-effectiveness.</p><p>With IP transit, we rely on our transit partners to carry traffic from Cloudflare to the ultimate destination network, introducing unnecessary third-party reliance. In contrast, our backbone gives us full control over routing of both internal and external traffic, allowing us to manage it more effectively. This control is crucial because it lets us optimize traffic routes, usually resulting in the lowest latency paths, as previously mentioned. Furthermore, the cost of serving large traffic volumes through the backbone is, on average, more cost-effective than IP transit. This is why we are doubling down on backbone capacity in regions such as Frankfurt, London, Amsterdam, and Paris and Marseille, where we see continuous traffic growth and where connectivity solutions are widely available and competitively priced.</p><p>Our backbone serves both internal and external traffic. Internal traffic includes customer traffic using our security or performance products and traffic from Cloudflare&#39;s internal systems that shift data between our data centers. <a href=\"\">Tiered caching</a>, for example, optimizes our caching delivery by dividing our data centers into a hierarchy of lower tiers and upper tiers. If lower-tier data centers don’t have the content, they request it from the upper tiers. If the upper tiers don’t have it either, they then request it from the origin server. This process reduces origin server requests and improves cache efficiency. Using our backbone to transport the cached content between lower and upper-tier data centers and the origin is often the most cost-effective method, considering the scale of our network. <a href=\"\">Magic Transit</a> is another example where we attract traffic, by means of BGP anycast, to the Cloudflare data center closest to the end user and implement our DDoS solution. Our backbone transports the clean traffic to our customer’s data center, which they connect through a <a href=\"\">Cloudflare Network Interconnect (CNI)</a>.</p><p>External traffic that we carry on our backbone can be traffic from other origin providers like AWS, Oracle, Alibaba, Google Cloud Platform, or Azure, to name a few. The origin responses from these cloud providers are transported through peering points and our backbone to the Cloudflare data center closest to our customer. By leveraging our backbone we have more control over how we backhaul this traffic throughout our network, which results in more reliability and better performance and less dependency on the public Internet.</p><p>This interconnection between public clouds, offices, and the Internet with a controlled layer of performance, security, programmability, and visibility running on our global backbone is our <a href=\"\">Connectivity Cloud</a>.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"This map is a simplification of our current backbone network and does not show all paths\" class=\"kg-image\" width=\"788\" height=\"543\" loading=\"lazy\"/>\n </figure><p><sub><i>This map is a simplification of our current backbone network and does not show all paths</i></sub></p><p></p>\n <div class=\"flex anchor relative\">\n <h3 id=\"expanding-our-network\">Expanding our network</h3>\n <a href=\"#expanding-our-network\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As mentioned in the introduction, we have increased our backbone capacity (Tbps) by more than 500% since 2021. With the addition of sub-sea cable capacity to Africa, we achieved a big milestone in 2023 by completing our global backbone ring. It now reaches six continents through terrestrial fiber and subsea cables.</p><p>Building out our backbone within regions where Internet infrastructure is less developed compared to markets like Central Europe or the US has been a key strategy for our latest network expansions. We have a shared goal with regional ISP partners to keep our data flow localized and as close as possible to the end user. Traffic often takes inefficient routes outside the region due to the lack of sufficient local peering and regional infrastructure. This phenomenon, known as traffic tromboning, occurs when data is routed through more cost-effective international routes and existing peering agreements.</p><p>Our regional backbone investments in countries like India or Turkey aim to reduce the need for such inefficient routing. With our own in-region backbone, traffic can be directly routed between in-country Cloudflare data centers, such as from Mumbai to New Delhi to Chennai, reducing latency, increasing reliability, and helping us to provide the same level of service quality as in more developed markets. We can control that data stays local, supporting our Data Localization Suite (<a href=\"\">DLS</a>), which helps businesses comply with regional data privacy laws by controlling where their data is stored and processed.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2432-5\" class=\"kg-image\" width=\"1999\" height=\"1125\" loading=\"lazy\"/>\n </figure><p></p>\n <div class=\"flex anchor relative\">\n <h3 id=\"improved-latency-and-performance\">Improved latency and performance</h3>\n <a href=\"#improved-latency-and-performance\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>This strategic expansion has not only extended our global reach but has also significantly improved our overall latency. One illustration of this is that since the deployment of our backbone between Lisbon and Johannesburg, we have seen a major performance improvement for users in Johannesburg. Customers benefiting from this improved latency can be, for example, a financial institution running their APIs through us for real-time trading, where milliseconds can impact trades, or our <a href=\"\">Magic WAN</a> users, where we facilitate site-to-site connectivity between their branch offices.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2432-6\" class=\"kg-image\" width=\"1999\" height=\"455\" loading=\"lazy\"/>\n </figure><p></p><p>The table above shows an example where we measured the round-trip time (RTT) for an uncached origin fetch, from an end-user in Johannesburg to various origin locations, comparing our backbone and the public Internet. By carrying the origin request over our backbone, as opposed to IP transit or peering, local users in Johannesburg get their content up to 22% faster. By using our own backbone to long-haul the traffic to its final destination, we are in complete control of the path and performance. This improvement in latency varies by location, but consistently demonstrates the superiority of our backbone infrastructure in delivering high performance connectivity.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2432-7\" class=\"kg-image\" width=\"1999\" height=\"533\" loading=\"lazy\"/>\n </figure><p></p>\n <div class=\"flex anchor relative\">\n <h3 id=\"traffic-control\">Traffic control</h3>\n <a href=\"#traffic-control\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Consider a navigation system using 1) GPS to identify the route and 2) a highway toll pass that is valid until your final destination and allows you to drive straight through toll stations without stopping. Our backbone works quite similarly.</p><p>Our global backbone is built upon two key pillars. The first is BGP (<a href=\"\">Border Gateway Protocol</a>), the routing protocol for the Internet, and the second is Segment Routing MPLS (<a href=\"\">Multiprotocol label switching</a>), a technique for steering traffic across predefined forwarding paths in an IP network. By default, Segment Routing provides end-to-end encapsulation from ingress to egress routers where the intermediate nodes execute no route lookup. Instead, they forward traffic across an end-to-end virtual circuit, or tunnel, called a label-switched path. Once traffic is put on a label-switched path, it cannot detour onto the public Internet and must continue on the predetermined route across Cloudflare’s backbone. This is nothing new, as many networks will even run a “BGP Free Core” where all the route intelligence is carried at the edge of the network, and intermediate nodes only participate in forwarding from ingress to egress.</p><p>While leveraging Segment Routing Traffic Engineering (SR-TE) in our backbone, we can automatically select paths between our data centers that are optimized for latency and performance. Sometimes the “shortest path” in terms of routing protocol cost is not the lowest latency or highest performance path.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2432-8\" class=\"kg-image\" width=\"1200\" height=\"675\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"supercharged-argo-and-the-global-backbone\">Supercharged: Argo and the global backbone</h3>\n <a href=\"#supercharged-argo-and-the-global-backbone\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p><a href=\"\">Argo Smart Routing</a> is a service that uses Cloudflare’s portfolio of backbone, transit, and peering connectivity to find the most optimal path between the data center where a user’s request lands and your back-end origin server. Argo may forward a request from one Cloudflare data center to another on the way to an origin if the performance would improve by doing so. <a href=\"\">Orpheus</a> is the counterpart to Argo, and routes around degraded paths for all customer origin requests free of charge. Orpheus is able to analyze network conditions in real-time and actively avoid reachability failures. Customers with Argo enabled get optimal performance for requests from Cloudflare data centers to their origins, while Orpheus provides error self-healing for all customers universally. By mixing our global backbone using Segment Routing as an underlay with <a href=\"\">Argo Smart Routing</a> and Orpheus as our connectivity overlay, we are able to transport critical customer traffic along the most optimized paths that we have available.</p><p>So how exactly does our global backbone fit together with Argo Smart Routing? <a href=\"\">Argo Transit Selection</a> is an extension of Argo Smart Routing where the lowest latency path between Cloudflare data center hops is explicitly selected and used to forward customer origin requests. The lowest latency path will often be our global backbone, as it is a more dedicated and private means of connectivity, as opposed to third-party transit networks.</p><p>Consider a multinational Dutch pharmaceutical company that relies on Cloudflare&#39;s network and services with our <a href=\"\">SASE solution</a> to connect their global offices, research centers, and remote employees. Their Asian branch offices depend on Cloudflare&#39;s security solutions and network to provide secure access to important data from their central data centers back to their offices in Asia. In case of a cable cut between regions, our network would automatically look for the best alternative route between them so that business impact is limited.</p><p>Argo measures every potential combination of the different provider paths, including our own backbone, as an option for reaching origins with smart routing. Because of our vast interconnection with so many networks, and our global private backbone, Argo is able to identify the most performant network path for requests. The backbone is consistently one of the lowest latency paths for Argo to choose from.</p><p>In addition to high performance, we care greatly about network reliability for our customers. This means we need to be as resilient as possible from fiber cuts and third-party transit provider issues. During a disruption of the <a href=\"\">AAE-1</a> (<a href=\"\">Asia Africa Europe-1</a>) submarine cable, this is what Argo saw between Singapore and Amsterdam across some of our transit provider paths vs. the backbone.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2432-9\" class=\"kg-image\" width=\"1999\" height=\"728\" loading=\"lazy\"/>\n </figure><p>The large (purple line) spike shows a latency increase on one of our third-party IP transit provider paths due to congestion, which was eventually resolved following likely traffic engineering within the provider’s network. We saw a smaller latency increase (yellow line) over other transit networks, but still one that is noticeable. The bottom (green) line on the graph is our backbone, where round-trip time more or less remains flat throughout the event, due to our diverse backbone connectivity between Asia and Europe. Throughout the fiber cut, we remained stable at around 200ms between Amsterdam and Singapore. There was no noticeable network hiccup as was seen on the transit provider paths, so Argo actively leveraged the backbone for optimal performance.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"\" alt=\"BLOG-2432-10\" class=\"kg-image\" width=\"1999\" height=\"1125\" loading=\"lazy\"/>\n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"call-to-action\">Call to action</h3>\n <a href=\"#call-to-action\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As Argo improves performance in our network, Cloudflare Network Interconnects (<a href=\"\">CNIs</a>) optimize getting onto it. We encourage our Enterprise customers to use our free CNI’s as on-ramps onto our network whenever practical. In this way, you can fully leverage our network, including our robust backbone, and increase overall performance for every product within your Cloudflare Connectivity Cloud. In the end, our global network is our main product and our backbone plays a critical role in it. This way we continue to help build a better Internet, by improving our services for everybody, everywhere.</p><p>If you want to be part of our mission, join us as a Cloudflare network on-ramp partner to offer secure and reliable connectivity to your customers by integrating directly with us. Learn more about our on-ramp partnerships and how they can benefit your business <a href=\"\">here</a>.</p>"],"published_at":[0,"2024-08-06T14:00+00:00"],"updated_at":[0,"2025-01-09T09:12:37.792Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"5OywGP63AdM9Umyvaku8OP"],"name":[0,"Connectivity Cloud"],"slug":[0,"connectivity-cloud"]}],[0,{"id":[0,"7jhcqd4x1lAMEMo1QGlEtg"],"name":[0,"Anycast"],"slug":[0,"anycast"]}],[0,{"id":[0,"2yFKl3hLxFwbTWa5uOYASE"],"name":[0,"Argo Smart Routing"],"slug":[0,"argo"]}],[0,{"id":[0,"2ex4qPO8DtkhiPUOhPcvNV"],"name":[0,"Athenian Project"],"slug":[0,"athenian-project"]}],[0,{"id":[0,"5O7yCWW0RgXMAc5MVjwcGS"],"name":[0,"BGP"],"slug":[0,"bgp"]}],[0,{"id":[0,"3Fo5JgRZ6Fh2HHzhEr7AKn"],"name":[0,"Better Internet"],"slug":[0,"better-internet"]}],[0,{"id":[0,"3TaNOBp8EhAE6eCfshf1tK"],"name":[0,"Cloudflare Network"],"slug":[0,"cloudflare-network"]}],[0,{"id":[0,"7qTIAO0WLKVKPVrj8q1vpD"],"name":[0,"Magic Transit"],"slug":[0,"magic-transit"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Shozo Moritz Takaya"],"slug":[0,"shozo"],"bio":[0,"As the Backbone Portfolio Manager for EMEA I am part of the Global Network Strategy Team and am responsible for connecting our 330+ colocations with the Cloudflare backbone. Feel free to reach out! \n"],"profile_image":[0,""],"location":[0,"Munich, Germany"],"website":[0,""],"twitter":[0],"facebook":[0]}],[0,{"name":[0,"Bryton Herdes"],"slug":[0,"bryton"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,""],"twitter":[0,"@next_hopself"],"facebook":[0,null]}]]],"meta_description":[0,"Read through the latest milestones and expansions of Cloudflare's global backbone and how it supports our Connectivity Cloud and our services. Understand how our traffic engineering tools interact with our backbone and underlying network infrastructure. See how our network interconnects public clouds, offices, and the Internet, delivering superior performance, security, programmability, and visibility to our customers worldwide."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"LOC: The backbone behind Cloudflare's connectivity cloud"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"Translated for Locale"],"deDE":[0,"Translated for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"Translated for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"The backbone behind Cloudflare’s Connectivity Cloud"],"description":[0,"This blog post provides an update about our infrastructure, focusing on our global backbone in 2024, and highlights its benefits for our customers, our competitive edge in the market, and the impact on our mission of helping build a better Internet."],"imgPreview":[0,""]}]}],[0,{"id":[0,"Mmf9yB6m0SRgCJfyxvYK8"],"title":[0,"Meta Llama 3.1 now available on Workers AI"],"slug":[0,"meta-llama-3-1-available-on-workers-ai"],"excerpt":[0,"Cloudflare is excited to be a launch partner with Meta to introduce Workers AI support for Llama 3.1"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"Meta Llama 3.1 now available on Workers AI\" class=\"kg-image\" width=\"1999\" height=\"1125\" loading=\"lazy\"/>\n \n </figure><p>At Cloudflare, we’re big supporters of the open-source community – and that extends to our approach for <a href=\"\">Workers AI</a> models as well. Our strategy for our Cloudflare AI products is to provide a top-notch developer experience and toolkit that can help people build applications with open-source models.</p><p>We’re excited to be one of Meta’s launch partners to make their newest <a href=\"\">Llama 3.1 8B model</a> available to all Workers AI users on Day 1. You can run their latest model by simply swapping out your model ID to <code>@cf/meta/llama-3.1-8b-instruct</code> or test out the model on our <a href=\"\">Workers AI Playground</a>. Llama 3.1 8B is free to use on Workers AI until the model graduates out of beta.</p><p>Meta’s Llama collection of models have consistently shown high-quality performance in areas like general knowledge, steerability, math, tool use, and multilingual translation. Workers AI is excited to continue to distribute and serve the Llama collection of models on our serverless inference platform, powered by our globally distributed GPUs.</p><p>The Llama 3.1 model is particularly exciting, as it is released in a higher precision (bfloat16), incorporates function calling, and adds support across 8 languages. Having multilingual support built-in means that you can use Llama 3.1 to write prompts and receive responses directly in languages like English, French, German, Hindi, Italian, Portuguese, Spanish, and Thai. Expanding model understanding to more languages means that your applications have a bigger reach across the world, and it’s all possible with just one model.</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">const answer = await;@cf/meta/llama-3.1-8b-instruct&#039;, {\n stream: true,\n messages: [{\n &quot;role&quot;: &quot;user&quot;,\n &quot;content&quot;: &quot;Qu&#039;est-ce que ç&#039;est verlan en français?&quot;\n }],\n});</pre></code>\n <p>Llama 3.1 also introduces native function calling (also known as tool calls) which allows LLMs to generate structured JSON outputs which can then be fed into different APIs. This means that function calling is supported out-of-the-box, without the need for a fine-tuned variant of Llama that specializes in tool use. Having this capability built-in means that you can use one model across various tasks.</p><p>Workers AI recently announced <a href=\"/embedded-function-calling\">embedded function calling</a>, which is now usable with Meta Llama 3.1 as well. Our embedded function calling gives developers a way to run their inference tasks far more efficiently than traditional architectures, leveraging Cloudflare Workers to reduce the number of requests that need to be made manually. It also makes use of our open-source <a href=\"\">ai-utils</a> package, which helps you orchestrate the back-and-forth requests for function calling along with other helper methods that can automatically generate tool schemas. Below is an example function call to Llama 3.1 with embedded function calling that then stores key-values in Workers KV.</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">const response = await runWithTools(env.AI, &quot;@cf/meta/llama-3.1-8b-instruct&quot;, {\n messages: [{ role: &quot;user&quot;, content: &quot;Greet the user and ask them a question&quot; }],\n tools: [{\n name: &quot;Store in memory&quot;,\n description: &quot;Store everything that the user talks about in memory as a key-value pair.&quot;,\n parameters: {\n type: &quot;object&quot;,\n properties: {\n key: {\n type: &quot;string&quot;,\n description: &quot;The key to store the value under.&quot;,\n },\n value: {\n type: &quot;string&quot;,\n description: &quot;The value to store.&quot;,\n },\n },\n required: [&quot;key&quot;, &quot;value&quot;],\n },\n function: async ({ key, value }) =&gt; {\n await env.KV.put(key, value);\n\n return JSON.stringify({\n success: true,\n });\n }\n }]\n})</pre></code>\n <p>We’re excited to see what you build with these new capabilities. As always, use of the new model should be conducted with Meta’s <a href=\"\">Acceptable Use Policy</a> and <a href=\"\">License</a> in mind. Take a look at our <a href=\"\">developer documentation</a> to get started!</p>"],"published_at":[0,"2024-07-23T16:15:55.000+01:00"],"updated_at":[0,"2024-10-09T23:28:47.900Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"1Wf1Dpb2AFicG44jpRT29y"],"name":[0,"Workers AI"],"slug":[0,"workers-ai"]}],[0,{"id":[0,"6Foe3R8of95cWVnQwe5Toi"],"name":[0,"AI"],"slug":[0,"ai"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3txfsA7N73yBL9g3VPBLL0"],"name":[0,"Open Source"],"slug":[0,"open-source"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Michelle Chen"],"slug":[0,"michelle"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@_mchenco"],"facebook":[0,null]}],[0,{"name":[0,"Nikhil Kothari"],"slug":[0,"nikhil"],"bio":[0,"Director, Strategic Partnerships"],"profile_image":[0,""],"location":[0,"San Francisco"],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"Cloudflare is excited to be a launch partner with Meta to introduce Workers AI support for Llama 3.1."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Meta Llama 3.1 now available on Workers AI Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Meta Llama 3.1 now available on Workers AI"],"description":[0,"Cloudflare is excited to be a launch partner with Meta to introduce Workers AI support for Llama 3.1."],"imgPreview":[0,""]}]}],[0,{"id":[0,"28DvCOWrN5gKA9IBZqrdc3"],"title":[0,"Embedded function calling in Workers AI: easier, smarter, faster"],"slug":[0,"embedded-function-calling"],"excerpt":[0,"Introducing a new way to do function calling in Workers AI by running function code alongside your inference. Plus, a new @cloudflare/ai-utils package to make getting started as simple as possible"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"Embedded function calling in Workers AI: easier, smarter, faster\" class=\"kg-image\" width=\"1800\" height=\"1013\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"introducing-embedded-function-calling-and-a-new-ai-utils-package\">Introducing embedded function calling and a new ai-utils package</h2>\n <a href=\"#introducing-embedded-function-calling-and-a-new-ai-utils-package\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Today, we’re excited to announce a novel way to do function calling that co-locates LLM inference with function execution, and a new ai-utils package that upgrades the developer experience for function calling.</p><p>This is a follow-up to our <a href=\"\">mid-June announcement for traditional function calling</a>, which allows you to leverage a Large Language Model (LLM) to intelligently generate structured outputs and pass them to an API call. Function calling has been largely adopted and standardized in the industry as a way for AI models to help perform actions on behalf of a user.</p><p>Our goal is to make building with AI as easy as possible, which is why we’re introducing a new <a href=\"\">@cloudflare/ai-utils</a> npm package that allows developers to get started quickly with embedded function calling. These helper tools drastically simplify your workflow by actually executing your function code and dynamically generating tools from OpenAPI specs. We’ve also open-sourced our ai-utils package, which you can find on <a href=\"\">GitHub</a>. With both embedded function calling and our ai-utils, you’re one step closer to creating intelligent AI agents, and from there, the possibilities are endless.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"why-cloudflares-ai-platform\">Why Cloudflare’s AI platform?</h2>\n <a href=\"#why-cloudflares-ai-platform\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>OpenAI has been the gold standard when it comes to having performant model inference and a great developer experience. However, they mostly support their closed-source models, while we want to also promote the open-source ecosystem of models. One of our goals with Workers AI is to match the developer experience you might get from OpenAI, but with open-source models.</p><p>There are other open-source inference providers out there like <a href=\"\">Azure</a> or <a href=\"\">Bedrock</a>, but most of them are focused on serving inference and the underlying infrastructure, rather than being a developer toolkit. While there are external libraries and frameworks like AI SDK that help developers build quickly with simple abstractions, they rely on upstream providers to do the actual inference. With <a href=\"\">Workers AI</a>, it’s the best of both worlds – we offer open-source model inference and a killer developer experience out of the box.</p><p>With the release of embedded function calling and ai-utils today, we’ve advanced how we do inference for function calling and improved the developer experience by making it dead simple for developers to start building AI experiences.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"how-does-traditional-function-calling-work\">How does traditional function calling work?</h2>\n <a href=\"#how-does-traditional-function-calling-work\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Traditional LLM function calling allows customers to specify a set of function names and required arguments along with a prompt when running inference on an LLM. The LLM returns the names and arguments for the functions that the customer can then make to perform actions. These actions give LLMs the ability to do things like fetch fresh data not present in the training dataset and &quot;perform actions&quot; based on user intent.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1786\" height=\"990\" loading=\"lazy\"/>\n \n </figure><p>Traditional function calling requires multiple back-and-forth requests passing through the network in order to get to the final output. This includes requests to your origin server, an inference provider, and external APIs. As a developer, you have to orchestrate all the back-and-forths and handle all the requests and responses. If you were building complex agents with multi-tool calls or recursive tool calls, it gets infinitely harder. Fortunately, this doesn’t have to be the case, and we’ve solved it for you.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"embedded-function-calling\">Embedded function calling</h2>\n <a href=\"#embedded-function-calling\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>With Workers AI, our inference runtime is the Workers platform, and the Workers platform can be seen as a global compute network of distributed functions (RPCs). With this model, we can run inference using Workers AI, and supply not only the function names and arguments, but also the runtime function code to be executed. Rather than performing multiple round-trips across networks, the LLM inference and function can run in the same execution environment, cutting out all the unnecessary requests.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1996\" height=\"690\" loading=\"lazy\"/>\n \n </figure><p>Cloudflare is one of the few inference providers that is able to do this because we offer more than just inference – our developer platform has compute, storage, inference, and more, all within the same Workers runtime.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"we-made-it-easy-for-you-with-a-new-ai-utils-package\">We made it easy for you with a new ai-utils package</h3>\n <a href=\"#we-made-it-easy-for-you-with-a-new-ai-utils-package\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>And to make it as simple as possible, we created a <a href=\"\"><code>@cloudflare/ai-utils</code></a> package that you can use to get started. These powerful abstractions cut down on the logic you have to implement to do function calling – it just works out of the box.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"runwithtools\">runWithTools</h3>\n <a href=\"#runwithtools\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p><code>runWithTool</code>s is our method that you use to do embedded function calling. You pass in your AI binding (env.AI), model, prompt messages, and tools. The tools array includes the description of the function, similar to traditional function calling, but you also pass in the function code that needs to be executed. This method makes the inference calls and executes the function code in one single step. <code>runWithTools</code> is also able to handle multiple function calls, recursive tool calls, validation for model responses, streaming for the final response, and other features.</p><p>Another feature to call out is a helper method called <code>autoTrimTools</code> that automatically selects the relevant tools and trims the tools array based on the names and descriptions. We do this by adding an initial LLM inference call to intelligently trim the tools array before the actual function-calling inference call is made. We found that <code>autoTrimTools</code> helped decrease the number of total tokens used in the entire process (especially when there’s a large number of tools provided) because there’s significantly fewer input tokens used when generating the arguments list. You can choose to use <code>autoTrimTools</code> by setting it as a parameter in the <code>runWithTools</code> method.</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">const response = await runWithTools(env.AI,&quot;@hf/nousresearch/hermes-2-pro-mistral-7b&quot;,\n {\n messages: [{ role: &quot;user&quot;, content: &quot;What&#039;s the weather in Austin, Texas?&quot;}],\n tools: [\n {\n name: &quot;getWeather&quot;,\n description: &quot;Return the weather for a latitude and longitude&quot;,\n parameters: {\n type: &quot;object&quot;,\n properties: {\n latitude: {\n type: &quot;string&quot;,\n description: &quot;The latitude for the given location&quot;\n },\n longitude: {\n type: &quot;string&quot;,\n description: &quot;The longitude for the given location&quot;\n }\n },\n required: [&quot;latitude&quot;, &quot;longitude&quot;]\n },\n\t // function code to be executed after tool call\n function: async ({ latitude, longitude }) =&gt; {\n const url = `${env.WEATHERAPI_TOKEN}&amp;q=${latitude},${longitude}`\n const res = await fetch(url).then((res) =&gt; res.json())\n\n return JSON.stringify(res)\n }\n }\n ]\n },\n {\n streamFinalResponse: true,\n maxRecursiveToolRuns: 5,\n trimFunction: autoTrimTools,\n verbose: true,\n strictValidation: true\n }\n)</pre></code>\n \n <div class=\"flex anchor relative\">\n <h3 id=\"createtoolsfromopenapispec\">createToolsFromOpenAPISpec</h3>\n <a href=\"#createtoolsfromopenapispec\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>For many use cases, users will need to make a request to an external API call during function calling to get the output needed. Instead of having to hardcode the exact API endpoints in your tools array, we made a helper function that takes in an OpenAPI spec and dynamically generates the corresponding tool schemas and API endpoints you’ll need for the function call. You call <code>createToolsFromOpenAPISpec</code> from within runWithTools and it’ll dynamically populate everything for you.</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">const response = await runWithTools(env.AI, &quot;@hf/nousresearch/hermes-2-pro-mistral-7b&quot;, {\n messages: [{ role: &quot;user&quot;,content: &quot;Can you name me 5 repos created by Cloudflare&quot;}],\n tools: [\n ...(await createToolsFromOpenAPISpec( &quot;;\n ))\n ]\n})</pre></code>\n \n <div class=\"flex anchor relative\">\n <h2 id=\"putting-it-all-together\">Putting it all together</h2>\n <a href=\"#putting-it-all-together\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>When you make a function calling inference request with <code>runWithTools</code> and <code>createToolsFromOpenAPISpec</code>, the only thing you need is the prompts – the rest is automatically handled. The LLM will choose the correct tool based on the prompt, the runtime will execute the function needed, and you’ll get a fast, intelligent response from the model. By leveraging our Workers runtime’s bindings and RPC calls along with our global network, we can execute everything from a single location close to the user, enabling developers to easily write complex agentic chains with fewer lines of code.</p><p>We’re super excited to help people build intelligent AI systems with our new embedded function calling and powerful tools. Check out our <a href=\"\">developer docs</a> on how to get started, and let us know what you think on <a href=\"\">Discord</a>.</p>"],"published_at":[0,"2024-06-27T18:00:09.000+01:00"],"updated_at":[0,"2024-10-09T23:28:32.524Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"1Wf1Dpb2AFicG44jpRT29y"],"name":[0,"Workers AI"],"slug":[0,"workers-ai"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3txfsA7N73yBL9g3VPBLL0"],"name":[0,"Open Source"],"slug":[0,"open-source"]}],[0,{"id":[0,"6Foe3R8of95cWVnQwe5Toi"],"name":[0,"AI"],"slug":[0,"ai"]}],[0,{"id":[0,"3vILtHLIQU7d8BaWzXAPv4"],"name":[0,"Internship Experience"],"slug":[0,"internship-experience"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Harley Turan"],"slug":[0,"harley"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,""],"twitter":[0,"@hturan"],"facebook":[0,null]}],[0,{"name":[0,"Dhravya Shah"],"slug":[0,"dhravya"],"bio":[0,"18, passionate dev who ships (a lot) Building a better (intern)et at Cloudflare AI. building 2x acquired founder. reader, guitarist, space enthusiast"],"profile_image":[0,""],"location":[0,"Austin, Texas"],"website":[0,""],"twitter":[0,"@dhravyashah"],"facebook":[0,null]}],[0,{"name":[0,"Michelle Chen"],"slug":[0,"michelle"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@_mchenco"],"facebook":[0,null]}]]],"meta_description":[0,"Introducing a new way to do function calling in Workers AI by running function code alongside your inference. Plus, a new @cloudflare/ai-utils package to make getting started as simple as possible. "],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Embedded function calling in Workers AI: easier, smarter, faster Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Embedded function calling in Workers AI: easier, smarter, faster"],"description":[0,"Introducing a new way to do function calling in Workers AI by running function code alongside your inference. Plus, a new @cloudflare/ai-utils package to make getting started as simple as possible. "],"imgPreview":[0,""]}]}],[0,{"id":[0,"2EZrHNgKqLkaTGqoRM9pMS"],"title":[0,"Using machine learning to detect bot attacks that leverage residential proxies"],"slug":[0,"residential-proxy-bot-detection-using-machine-learning"],"excerpt":[0,"Cloudflare's Bot Management team has released a new Machine Learning model for bot detection (v8), focusing on bots and abuse from residential proxies"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"Using machine learning to detect bot attacks that leverage residential proxies\" class=\"kg-image\" width=\"1999\" height=\"1125\" loading=\"lazy\"/>\n \n </figure><p>Bots using residential proxies are a major source of frustration for security engineers trying to fight online abuse. These engineers often see a similar pattern of abuse when well-funded, modern botnets target their applications. Advanced bots bypass country blocks, <a href=\"\">ASN</a> blocks, and rate-limiting. Every time, the bot operator moves to a new IP address space until they blend in perfectly with the “good” traffic, mimicking real users’ behavior and request patterns. Our new Bot Management machine learning model (v8) identifies residential proxy abuse without resorting to IP blocking, which can cause false positives for legitimate users. </p>\n <div class=\"flex anchor relative\">\n <h2 id=\"background\">Background</h2>\n <a href=\"#background\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>One of the main sources of Cloudflare’s <a href=\"\">bot score</a> is our bot detection machine learning model which analyzes, on average, over 46 million HTTP requests per second in real time. Since our first Bot Management ML model was released in 2019, we have continuously evolved and improved the model. Nowadays, our models leverage features based on request fingerprints, behavioral signals, and global statistics and trends that we see across our network.</p><p>Each iteration of the model focuses on certain areas of improvement. This process starts with a rigorous R&amp;D phase to identify the emerging patterns of <a href=\"\">bot attacks</a> by reviewing <a href=\"\">feedback from our customers</a> and reports of missed attacks. In v8, we mainly focused on two areas of abuse. First, we analyzed the campaigns that leverage residential IP proxies, which are proxies on residential networks commonly used to launch widely distributed attacks against high profile targets. In addition to that, we improved model accuracy for detecting attacks that originate from cloud providers.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"residential-ip-proxies\">Residential IP proxies</h3>\n <a href=\"#residential-ip-proxies\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Proxies allow attackers to hide their identity and distribute their attack. Moreover, IP address rotation allows attackers to directly bypass traditional defenses such as IP reputation and IP rate limiting. Knowing this, defenders use a plethora of signals to identify malicious use of proxies. In its simplest forms, IP reputation signals (e.g., data center IP addresses, known open proxies, etc.) can lead to the detection of such distributed attacks.</p><p>However, in the past few years, bot operators have started favoring proxies operating in residential network IP address space. By using residential IP proxies, attackers can masquerade as legitimate users by sending their traffic through residential networks. Nowadays, residential IP proxies are offered by companies that facilitate access to large pools of IP addresses for attackers. Residential proxy providers claim to offer 30-100 million IPs belonging to residential and mobile networks across the world. Most commonly, these IPs are sourced by partnering with free VPN providers, as well as including the proxy SDKs into popular browser extensions and mobile applications. This allows residential proxy providers to gain a foothold on victims’ devices and abuse their residential network connections.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1572\" height=\"1547\" loading=\"lazy\"/>\n \n </figure><p>Figure 1: Architecture of a residential proxy network</p><p>Figure 1 depicts the architecture of a residential proxy. By subscribing to these services, attackers gain access to an authenticated proxy gateway address commonly using the HTTPS/<a href=\"\">SOCKS5</a> proxy protocol. Some residential proxy providers allow their users to select the country or region for the proxy exit nodes. Alternatively, users can choose to keep the same IP address throughout their session or rotate to a new one for each outgoing request. Residential proxy providers then identify active exit nodes on their network (on devices that they control within residential networks across the world) and route the proxied traffic through them.</p><p>The large pool of IP addresses and the diversity of networks poses a challenge to traditional bot defense mechanisms that rely on IP reputation and rate limiting. Moreover, the diversity of IPs enables the attackers to rotate through them indefinitely. This shrinks the window of opportunity for bot detection systems to effectively detect and stop the attacks. Effective defense against residential proxy attacks should be able to detect this type of bot traffic either based on single request features to stop the attack immediately, or identify unique fingerprints from the browsing agent to track and mitigate the bot traffic regardless of the IP source. Overly broad blocking actions, such as IP block-listing, by definition, would result in blocking legitimate traffic from residential networks where at least one device is acting as a residential proxy node.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"ml-model-training\">ML model training</h3>\n <a href=\"#ml-model-training\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>At its heart, our model is built using a chain of modules that work together. Initially, we fetch and prepare training and validation datasets from our Clickhouse data storage. We use datasets with high confidence labels as part of our training. For model validation, we use datasets consisting of missed attacks reported by our customers, known sources of bot traffic (e.g., <a href=\"\">verified bots</a>), and high confidence detections from other bot management modules (e.g., heuristics engine). We orchestrate these steps using Apache Airflow, which enables us to customize each stage of the ML model training and define the interdependencies of our training, validation, and reporting modules in the form of directed acyclic graphs (DAGs).</p><p>The first step of training a new model is fetching labeled training data from our data store. Under the hood, our dataset definitions are SQL queries that will materialize by fetching data from our Clickhouse cluster where we store feature values and calculate aggregates from the traffic on our network. Figure 2 depicts these steps as train and validation dataset fetch operations. Introducing new datasets can be as straightforward as writing the SQL queries to filter the desired subset of requests.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"2000\" height=\"429\" loading=\"lazy\"/>\n \n </figure><p>Figure 2: Airflow DAG for model training and validation</p><p>After fetching the datasets, we train our <a href=\"\">Catboost model</a> and tune its <a href=\"\">hyper parameters</a>. During evaluation, we compare the performance of the newly trained model against the current default version running for our customers. To capture the intricate patterns in subsets of our data, we split certain validation datasets into smaller slivers called specializations. For instance, we use the detections made by our heuristics engine and managed rulesets as ground truth for bot traffic. To ensure that larger sources of traffic (large <a href=\"\">ASNs</a>, different HTTP versions, etc.) do not mask our visibility into patterns for the rest of the traffic, we define specializations for these sources of traffic. As a result, improvements in accuracy of the new model can be evaluated for common patterns (e.g., HTTP/1.1 and HTTP/2) as well as less common ones. Our model training DAG will provide a breakdown report for the accuracy, score distribution, feature importance, and <a href=\"\">SHAP explainers</a> for each validation dataset and its specializations.</p><p>Once we are happy with the validation results and model accuracy, we evaluate our model against a checklist of steps to ensure the correctness and validity of our model. We start by ensuring that our results and observations are reproducible over multiple non-overlapping training and validation time ranges. Moreover, we check for the following factors:</p><ul><li><p>Check for the distribution of feature values to identify irregularities such as missing or skewed values.</p></li><li><p>Check for overlaps between training and validation datasets and feature values.</p></li><li><p>Verify the diversity of training data and the balance between labels and datasets.</p></li><li><p>Evaluate performance changes in the accuracy of the model on validation datasets based on their order of importance.</p></li><li><p>Check for model overfitting by evaluating the feature importance and SHAP explainers.</p></li></ul><p>After the model passes the readiness checks, we deploy it in shadow mode. We can observe the behavior of the model on live traffic in log-only mode (i.e., without affecting the <a href=\"\">bot score</a>). After gaining confidence in the model&#39;s performance on live traffic, we start onboarding beta customers, and gradually switch the model to active mode all while closely <a href=\"/monitoring-machine-learning-models-for-bot-detection\">monitoring the real-world performance of our new model</a>.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"ml-features-for-bot-detection\">ML features for bot detection</h3>\n <a href=\"#ml-features-for-bot-detection\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Each of our models uses a set of features to make inferences about the incoming requests. We compute our features based on single request properties (single request features) and patterns from multiple requests (i.e., inter-request features). We can categorize these features into the following groups:</p><ul><li><p><b>Global features:</b> inter-request features that are computed based on global aggregates for different types of fingerprints and traffic sources (e.g., for an ASN) seen across our global network. Given the relatively lower cardinality of these features, we can scalably calculate global aggregates for each of them.</p></li><li><p><b>High cardinality features:</b> inter-request features focused on fine-grained aggregate data from local traffic patterns and behaviors (e.g., for an individual IP address)</p></li><li><p><b>Single request features:</b> features derived from each individual request (e.g., user agent).</p></li></ul><p>Our Bot Management system (named <a href=\"/scalable-machine-learning-at-cloudflare\">BLISS</a>) is responsible for fetching and computing these feature values and making them available on our servers for inference by active versions of our ML models.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"detecting-residential-proxies-using-network-and-behavioral-signals\">Detecting residential proxies using network and behavioral signals</h2>\n <a href=\"#detecting-residential-proxies-using-network-and-behavioral-signals\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Attacks originating from residential IP addresses are commonly characterized by a spike in the overall traffic towards sensitive endpoints on the target websites from a large number of residential ASNs. Our approach for detecting residential IP proxies is twofold. First, we start by comparing direct vs proxied requests and looking for network level discrepancies. Revisiting Figure 1, we notice that a request routed through residential proxies (red dotted line) has to traverse through multiple hops before reaching the target, which affects the network latency of the request.</p><p>Based on this observation alone, we are able to characterize residential proxy traffic with a high true positive rate (i.e., all residential proxy requests have high network latency). While we were able to replicate this in our lab environment, we quickly realized that at the scale of the Internet, we run into numerous exceptions with false positive detections (i.e., non-residential proxy traffic with high latency). For instance, countries and regions that predominantly use satellite Internet would exhibit a high network latency for the majority of their requests due to the use of <a href=\"\">performance enhancing proxies</a>.</p><p>Realizing that relying solely on network characteristics of connections to detect residential proxies is inadequate given the diversity of the connections on the Internet, we switched our focus to the behavior of residential IPs. To that end, we observe that the IP addresses from residential proxies express a distinct behavior during periods of peak activity. While this observation singles out highly active IPs over their peak activity time, given the pool size of residential IPs, it is not uncommon to only observe a small number of requests from the majority of residential proxy IPs.</p><p>These periods of inactivity can be attributed to the temporary nature of residential proxy exit nodes. For instance, when the client software (i.e., browser or mobile application) that runs the exit nodes of these proxies is closed, the node leaves the residential proxy network. One way to filter out periods of inactivity is to increase the monitoring time and punish each IP address that exhibits residential proxy behavior for a period of time. This block-listing approach, however, has certain limitations. Most importantly, by relying only on IP-based behavioral signals, we would block traffic from legitimate users that may unknowingly run mobile applications or browser extensions that turn their devices into proxies. This is further detrimental for mobile networks where many users share their IPs behind <a href=\"\">CGNATs</a>. Figure 3 demonstrates this by comparing the share of direct vs proxied requests that we received from active residential proxy IPs over a 24-hour period. Overall, we see that 4 out of 5 requests from these networks belong to direct and benign connections from residential devices.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"Figure 3: Percentage of direct vs proxied requests from residential proxy IPs.\" class=\"kg-image\" width=\"1528\" height=\"655\" loading=\"lazy\"/>\n \n </figure><p>Figure 3: Percentage of direct vs proxied requests from residential proxy IPs.</p><p>Using this insight, we combined behavioral and latency-based features along with new datasets to train a new <a href=\"\">machine learning model</a> that detects residential proxy traffic on a per-request basis. This scheme allows us to block residential proxy traffic while allowing benign residential users to visit Cloudflare-protected websites from the same residential network.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"detection-results-and-case-studies\">Detection results and case studies</h2>\n <a href=\"#detection-results-and-case-studies\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We started testing v8 in shadow mode in March 2024. Every hour, v8 is classifying more than 17 million unique IPs that participate in residential proxy attacks. Figure 4 shows the geographic distribution of IPs with residential proxy activity belonging to more than 45 thousand ASNs in 237 countries/regions. Among the most commonly requested endpoints from residential proxies, we observe patterns of account takeover attempts, such as requests to /login, /auth/login, and /api/login. </p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"Figure 4: Countries and regions with residential network activity. Size of markers are proportionate to the number of IPs with residential proxy activity.\" class=\"kg-image\" width=\"1929\" height=\"1166\" loading=\"lazy\"/>\n \n </figure><p>Figure 4: Countries and regions with residential network activity. Size of markers are proportionate to the number of IPs with residential proxy activity.</p><p>Furthermore, we see significant improvements when evaluating our new machine learning model on previously missed attacks reported by our customers. In one case, v8 was able to correctly classify 95% of requests from distributed residential proxy attacks targeting the voucher redemption endpoint of the customer’s website. In another case, our new model successfully detected a previously missed <a href=\"\">content scraping attack</a> evident by increased detection during traffic spikes depicted in Figure 5. We are continuing to monitor the behavior of residential proxy attacks in the wild and work with our customers to ensure that we can provide robust detection against these distributed attacks.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"2000\" height=\"1042\" loading=\"lazy\"/>\n \n </figure><p>Figure 5: Spikes in bot requests from residential proxies detected by ML v8</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"improving-detection-for-bots-from-cloud-providers\">Improving detection for bots from cloud providers</h2>\n <a href=\"#improving-detection-for-bots-from-cloud-providers\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In addition to residential IP proxies, bot operators commonly use cloud providers to host and run bot scripts that attack our customers. To combat these attacks, we improved our ground truth labels for cloud provider attacks in our latest ML training datasets. Early results show that v8 detects 20% more bots from cloud providers, with up to 70% more bots detected on zones that are marked as <a href=\"\">under attack</a>. We further plan to expand the list of cloud providers that v8 detects as part of our ongoing updates.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"check-out-ml-v8\">Check out ML v8</h2>\n <a href=\"#check-out-ml-v8\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>For existing Bot Management customers we recommend <a href=\"\">toggling “Auto-update machine learning model”</a> to instantly gain the benefits of ML v8 and its residential proxy detection, and to stay up to date with our future ML model updates. If you’re not a Cloudflare Bot Management customer, <a href=\"\">contact our sales team</a> to try out <a href=\"\">Bot Management</a>.</p>"],"published_at":[0,"2024-06-24T14:00:17.000+01:00"],"updated_at":[0,"2024-10-09T23:28:30.478Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"1HAYmR545ufVxM2rQzz0SE"],"name":[0,"Machine Learning"],"slug":[0,"machine-learning"]}],[0,{"id":[0,"6Foe3R8of95cWVnQwe5Toi"],"name":[0,"AI"],"slug":[0,"ai"]}],[0,{"id":[0,"20vHTWOyktCxyL9jUb7aQY"],"name":[0,"Proxying"],"slug":[0,"proxying"]}],[0,{"id":[0,"4l3WDYLk6bXCyaRc9pRzXa"],"name":[0,"Bots"],"slug":[0,"bots"]}],[0,{"id":[0,"267TTPMscUWABgYgHSH4ye"],"name":[0,"Bot Management"],"slug":[0,"bot-management"]}],[0,{"id":[0,"36Dg2NwTgUHhrlE0FRpSdJ"],"name":[0,"Application Services"],"slug":[0,"application-services"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Bob AminAzad"],"slug":[0,"bob-aminazad"],"bio":[0,null],"profile_image":[0,""],"location":[0,"New York"],"website":[0,""],"twitter":[0,"@imsilverfoxy"],"facebook":[0,null]}],[0,{"name":[0,"Santiago Vargas"],"slug":[0,"santiago"],"bio":[0,null],"profile_image":[0,""],"location":[0,"New York"],"website":[0,""],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Adam Martinetti"],"slug":[0,"adam-martinetti"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@adamemcf"],"facebook":[0,null]}]]],"meta_description":[0,"Cloudflare's Bot Management team has released a new Machine Learning model for bot detection (v8), focusing on bots and abuse from residential proxies"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Using machine learning to detect bot attacks that leverage residential proxies Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Using machine learning to detect bot attacks that leverage residential proxies"],"description":[0,"Cloudflare's Bot Management team has released a new Machine Learning model for bot detection (v8), focusing on bots and abuse from residential proxies"],"imgPreview":[0,""]}]}],[0,{"id":[0,"79pYyuiPCqjfXnecuHIhTK"],"title":[0,"Introducing Stream Generated Captions, powered by Workers AI"],"slug":[0,"stream-automatic-captions-with-ai"],"excerpt":[0,"With one click, users can now generate video captions effortlessly using Stream’s newest feature: AI-generated captions for on-demand videos and recordings of live streams"],"featured":[0,false],"html":[0,"<p></p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1801\" height=\"1013\" loading=\"lazy\"/>\n \n </figure><p>With one click, customers can now generate video captions effortlessly using Stream’s newest feature: AI-generated captions for on-demand videos and recordings of live streams. As part of Cloudflare’s mission to help build a better Internet, this feature is available to all Stream customers at no additional cost.</p><p>This solution is designed for simplicity, eliminating the need for third-party transcription services and complex workflows. For videos lacking accessibility features like captions, manual transcription can be time-consuming and impractical, especially for large video libraries. Traditionally, it has involved specialized services, sometimes even dedicated teams, to transcribe audio and deliver the text along with video, so it can be displayed during playback. As captions become more widely expected for a variety of reasons, including ethical obligation, legal compliance, and changing audience preferences, we wanted to relieve this burden.</p><p>With <a href=\"\">Stream’s integrated solution</a>, the caption generation process is seamlessly integrated into your existing video management workflow, saving time and resources. Regardless of when you uploaded a video, you can easily add automatic captions to enhance accessibility. Captions can now be generated within the Cloudflare Dashboard or via an API request, all within the familiar and unified Stream platform.</p><p>This feature is designed with utmost consideration for privacy and data protection. Unlike other third-party transcription services that may share content with external entities, your data remains securely within Cloudflare&#39;s ecosystem throughout the caption generation process. Cloudflare does not utilize your content for model training purposes. For more information about data protection, review <a href=\"\">Your Data and Workers AI</a>.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"getting-started\">Getting Started</h2>\n <a href=\"#getting-started\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Starting June 20th, 2024, this beta is available for all Stream customers as well as subscribers of the Professional and Business plans, which include 100 minutes of video storage.</p><p>To get started, upload a video to Stream (from the Cloudflare <a href=\"\">Dashboard</a> or via <a href=\"\">API</a>).</p><!--kg-card-begin: html--><div style=\"position: relative; padding-top: 56.25%;\">\n <iframe\n src=\"\"\n loading=\"lazy\"\n style=\"border: none; position: absolute; top: 0; left: 0; height: 100%; width: 100%;\"\n allow=\"accelerometer; gyroscope; autoplay; encrypted-media; picture-in-picture;\"\n allowfullscreen=\"true\"\n ></iframe>\n</div><!--kg-card-end: html--><p>Next, navigate to the &quot;Captions&quot; tab on the video, click “Add Captions,” then select the language and “Generate captions with AI.” Finally, click save and within a few minutes, the new captions will be visible in the captions manager and automatically available in the player, too. Captions can also be <a href=\"\">generated via the API</a>.</p><p>Captions are usually generated in a few minutes. When captions are ready, the Stream player will automatically be updated to offer them to users. The HLS and DASH manifests are also updated so third party players that support text tracks can display them as well.</p><p>On-demand videos and recordings of live streams, regardless of when they were created, are supported. While in beta, only English captions can be generated, and videos must be shorter than 2 hours. The quality of the transcription is best on videos with clear speech and minimal background noise.</p><p>We&#39;ve been pleased with how well the AI model transcribes different types of content during our tests. That said, there are times when the results aren&#39;t perfect, and another method might work better for some use cases. It&#39;s important to check if the accuracy of the generated captions are right for your needs.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"technical-details\">Technical Details</h2>\n <a href=\"#technical-details\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <div class=\"flex anchor relative\">\n <h3 id=\"built-using-workers-ai\">Built using Workers AI</h3>\n <a href=\"#built-using-workers-ai\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The Stream engineering team built this new feature using <a href=\"\">Workers AI</a>, allowing us to access the <a href=\"\">Whisper</a> model – an open source Automatic Speech Recognition model – with a single API call. Using Workers AI radically simplified the AI model deployment, integration, and scaling with an out-of-the-box solution. We eliminated the need for our team to handle infrastructure complexities, enabling us to focus solely on building the automated captions feature.</p><p>Writing software that utilizes an AI model can involve several challenges. First, there’s the difficulty of configuring the appropriate hardware infrastructure. AI models require substantial computational resources to run efficiently and require specialized hardware, like GPUs, which can be expensive and complex to manage. There’s also the daunting task of deploying AI models at scale, which involve the complexities of balancing workload distribution, minimizing latency, optimizing throughput, and maintaining high availability. Not only does Workers AI solve the pain of managing underlying infrastructure, it also automatically scales as needed.</p><p>Using Workers AI transformed a daunting task into a Worker that transcribes audio files with less than 30 lines of code.</p>\n <pre class=\"language-typescript\"><code class=\"language-typescript\">import { Ai } from &#039;@cloudflare/ai&#039;\n\n\nexport interface Env {\n AI: any\n}\n\n\nexport type AiVTTOutput = {\n vtt?: string\n}\n\n\nexport default {\n async fetch(request: Request, env: Env) {\n const blob = await request.arrayBuffer()\n\n\n const ai = new Ai(env.AI)\n const input = {\n audio: [ Uint8Array(blob)],\n }\n\n\n try {\n const response: AiVTTOutput = (await\n &#039;@cf/openai/whisper-tiny-en&#039;,\n input\n )) as any\n return Response.json({ vtt: response.vtt })\n } catch (e) {\n const errMsg =\n e instanceof Error\n ? `${}\\n${e.message}\\n${e.stack}`\n : &#039;unknown error type&#039;\n return new Response(`${errMsg}`, {\n status: 500,\n statusText: &#039;Internal error&#039;,\n })\n }\n },\n}</pre></code>\n \n <div class=\"flex anchor relative\">\n <h3 id=\"quickly-captioning-videos-at-scale\">Quickly captioning videos at scale</h3>\n <a href=\"#quickly-captioning-videos-at-scale\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The Stream team wanted to ensure this feature is fast and performant at scale, which required engineering work to process a high volume of videos regardless of duration.</p><p>First, our team needed to pre-process the audio prior to running <a href=\"\">AI inference</a> to ensure the input is compatible with Whisper’s input format and requirements.</p><p>There is a wide spectrum of variability in video content, from a short grainy video filmed on a phone to a multi-hour high-quality Hollywood-produced movie. Videos may be silent or contain an action-driven cacophony. Also, Stream’s on-demand videos include recordings of live streams which are packaged differently from videos uploaded as whole files. With this variability, the audio inputs are stored in an array of different container formats, with different durations, and different file sizes. We ensured our audio files were properly formatted to be compatible with Whisper’s requirements.</p><p>One aspect for pre-processing is ensuring files are a sensible duration for optimized inference. Whisper has an “sweet spot” of 30 seconds for the duration of audio files for transcription. As they note in this <a href=\"\">Github discussion</a>: “<i>Too short, and you’d lack surrounding context. You’d cut sentences more often. A lot of sentences would cease to make sense. Too long, and you’ll need larger and larger models to contain the complexity of the meaning you want the model to keep track of.</i>” Fortunately, Stream already splits videos into smaller segments to ensure fast delivery during playback on the web. We wrote functionality to concatenate those small segments into 30-second batches prior to sending to Workers AI.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1440\" height=\"677\" loading=\"lazy\"/>\n \n </figure><p>To optimize processing speed, our team parallelized as many operations as possible. By concurrently creating the 30-second audio batches and sending requests to Workers AI, we take full advantage of the scalability of the Workers AI platform. Doing this greatly reduces the time it takes to generate captions, but adds some additional complexity. Because we are sending requests to Workers AI in parallel, transcription responses may arrive out-of-order. For example, if a video is one minute in duration, the request to generate captions for the second 30 seconds of a video may complete before the request for the first 30 seconds of the video. The captions need to be sequential to align with the video, so our team had to maintain an understanding of the audio batch order to ensure our final combined <a href=\"\">WebVTT caption file</a> is properly synced with the video. We sort the incoming Workers AI responses and re-order timestamps for a final accurate transcript.</p><p>The end result is the ability to generate captions for longer videos quickly and efficiently at scale.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"try-it-now\">Try it now</h2>\n <a href=\"#try-it-now\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We are excited to bring this feature to open beta for all of our subscribers as well as <a href=\"\">Pro</a> and <a href=\"\">Business</a> plan customers today! Get started by <a href=\"\">uploading a video to Stream</a>. Review <a href=\"\">our documentation</a> for tutorials and current beta limitations. Up next, we will be focused on adding more languages and supporting longer videos.</p>"],"published_at":[0,"2024-06-20T14:00:29.000+01:00"],"updated_at":[0,"2024-10-10T00:21:05.643Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"1Wf1Dpb2AFicG44jpRT29y"],"name":[0,"Workers AI"],"slug":[0,"workers-ai"]}],[0,{"id":[0,"6Foe3R8of95cWVnQwe5Toi"],"name":[0,"AI"],"slug":[0,"ai"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"7mVMfcxp4tMqKil9jj8BJa"],"name":[0,"Cloudflare Stream"],"slug":[0,"cloudflare-stream"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Mickie Betz"],"slug":[0,"mickie"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Ben Krebsbach"],"slug":[0,"ben-krebsbach"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Taylor Smith"],"slug":[0,"tsmith"],"bio":[0,null],"profile_image":[0,""],"location":[0,"Austin, TX"],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,null],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Introducing Stream Generated Captions, powered by Workers AI Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Introducing Stream Generated Captions, powered by Workers AI"],"description":[0,null],"imgPreview":[0,""]}]}],[0,{"id":[0,"7J3IpMFd3rIppWBtB8bsZN"],"title":[0,"Cloudflare acquires BastionZero to extend Zero Trust access to IT infrastructure"],"slug":[0,"cloudflare-acquires-bastionzero"],"excerpt":[0,"We’re excited to announce that BastionZero, a Zero Trust infrastructure access platform, has joined Cloudflare. This acquisition extends our Zero Trust Network Access (ZTNA) flows with native access management for infrastructure like servers, Kubernetes clusters, and databases"],"featured":[0,false],"html":[0,"<p></p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"900\" loading=\"lazy\"/>\n \n </figure><p>We’re excited to <a href=\"\">announce</a> that <a href=\"\">BastionZero</a>, a Zero Trust infrastructure access platform, has joined Cloudflare. This acquisition extends our Zero Trust Network Access (ZTNA) flows with native access management for infrastructure like servers, Kubernetes clusters, and databases.</p><p>Security teams often prioritize application and Internet access because these are the primary vectors through which users interact with corporate resources and external threats infiltrate networks. Applications are typically the most visible and accessible part of an organization&#39;s digital footprint, making them frequent targets for cyberattacks. Securing application access through methods like Single Sign-On (SSO) and Multi-Factor Authentication (MFA) can yield immediate and tangible improvements in user security.</p><p>However, infrastructure access is equally critical and many teams still rely on <a href=\"\">castle-and-moat</a> style network controls and local resource permissions to protect infrastructure like servers, databases, Kubernetes clusters, and more. This is difficult and fraught with risk because the security controls are fragmented across hundreds or thousands of targets. Bad actors are increasingly focusing on targeting infrastructure resources as a way to take down huge swaths of applications at once or steal sensitive data. We are excited to extend Cloudflare One’s Zero Trust Network Access to natively protect infrastructure with user- and device-based policies along with multi-factor authentication.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"application-vs-infrastructure-access\">Application vs. infrastructure access</h2>\n <a href=\"#application-vs-infrastructure-access\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Application access typically involves interacting with web-based or client-server applications. These applications often support modern authentication mechanisms such as Single Sign-On (SSO), which streamline user authentication and enhance security. SSO integrates with identity providers (IdPs) to offer a seamless and secure login experience, reducing the risk of password fatigue and credential theft.</p><p>Infrastructure access, on the other hand, encompasses a broader and more diverse range of systems, including servers, databases, and network devices. These systems often rely on protocols such as SSH (Secure Shell), RDP (Remote Desktop Protocol), and Kubectl (Kubernetes) for administrative access. The nature of these protocols introduces additional complexities that make securing infrastructure access more challenging.</p><ul><li><p><b>SSH Authentication:</b> SSH is a fundamental tool for accessing Linux and Unix-based systems. SSH access is typically facilitated through public key authentication, through which a user is issued a public/private key pair that a target system is configured to accept. These keys must be distributed to trusted users, rotated frequently, and monitored for any leakage. If a key is accidentally leaked, it can grant a bad actor direct control over the SSH-accessible resource.</p></li><li><p><b>RDP Authentication:</b> RDP is widely used for remote access to Windows-based systems. While RDP supports various authentication methods, including password-based and certificate-based authentication, it is often targeted by brute force and credential stuffing attacks.</p></li><li><p><b>Kubernetes Authentication:</b> Kubernetes, as a container orchestration platform, introduces its own set of authentication challenges. Access to Kubernetes clusters involves managing roles, service accounts, and kubeconfig files along with user certificates.</p></li></ul>\n <div class=\"flex anchor relative\">\n <h2 id=\"infrastructure-access-with-cloudflare-one-today\">Infrastructure access with Cloudflare One today</h2>\n <a href=\"#infrastructure-access-with-cloudflare-one-today\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare One facilitates <a href=\"\">Zero Trust Network Access</a> (ZTNA) for infrastructure resources with an approach superior to traditional VPNs. An administrator can define a set of identity, device, and network-aware policies that dictate if a user can access a specific IP address, hostname, and/or port combination. This allows you to create policies like “Only users in the identity provider group ‘developers’ can access resources over port 22 (default SSH port) in our corporate network,” which is already much finer control than a VPN with basic firewall policies would allow.</p><p>However, this approach still has limitations, as it relies on a set of assumptions about how corporate infrastructure is provisioned and managed. If an infrastructure resource is configured outside of the assumed network structure, e.g. SSH over a non-standard port is allowed, all network-level controls may be bypassed. This leaves only the native authentication protections of the specific protocol protecting that resource and is often how leaked SSH keys or database credentials can lead to a wider system outage or breach.</p><p>Many organizations will leverage more complex network structures like a bastion host model or complex Privileged Access Management (PAM) solutions as an added defense-in-depth strategy. However, this leads to significantly more cost and management overhead for IT security teams and sometimes complicates challenges related to least-privileged access. Tools like bastion hosts or PAM solutions end up eroding least-privilege over time because policies expand, change, or drift from a company’s security stance. This leads to users incorrectly retaining access to sensitive infrastructure.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"how-bastionzero-fits-in\">How BastionZero fits in</h2>\n <a href=\"#how-bastionzero-fits-in\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>While our goal for years has been to help organizations of any size replace their VPNs as simply and quickly as possible, BastionZero expands the scope of Cloudflare’s VPN replacement solution beyond apps and networks to provide the same level of simplicity for extending Zero Trust controls to infrastructure resources. This helps security teams centralize the management of even more of their hybrid IT environment, while using standard Zero Trust practices to keep DevOps teams productive and secure. Together, Cloudflare and BastionZero can help organizations replace not only VPNs but also bastion hosts; SSH, Kubernetes, or database key management systems; and redundant PAM solutions.</p><p>BastionZero provides native integration to major infrastructure access protocols and targets like SSH, RDP, Kubernetes, database servers, and more to ensure that a target resource is configured to accept connections for that specific user, instead of relying on network level controls. This allows administrators to think in terms of resources and targets, not IP addresses and ports. Additionally, BastionZero is built on <a href=\"\">OpenPubkey</a>, an open source library that binds identities to cryptographic keys using OpenID Connect (OIDC). With OpenPubkey, SSO can be used to grant access to infrastructure. BastionZero uses multiple roots of trust to ensure that your SSO does not become a single point of compromise for your critical servers and other infrastructure.</p><p>BastionZero will add the following capabilities to Cloudflare’s SASE platform:</p><ul><li><p><b>The elimination of long-lived keys/credentials</b> through frictionless infrastructure privileged access management (PAM) capabilities that modernize credential management (e.g., SSH keys, kubeconfig files, database passwords) through a new ephemeral, decentralized approach.</p></li><li><p><b>A DevOps-based approach for securing SSH connections</b> to support least privilege access that records sessions and logs every command for better visibility to support compliance requirements. Teams can operate in terms of auto-discovered targets, not IP addresses or networks, as they define just-in-time access policies and automate workflows.</p></li><li><p><b>Clientless RDP</b> to support access to desktop environments without the overhead and hassle of installing a client on a user’s device.</p></li></ul>\n <div class=\"flex anchor relative\">\n <h2 id=\"whats-next-for-bastionzero\">What’s next for BastionZero</h2>\n <a href=\"#whats-next-for-bastionzero\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The BastionZero team will be focused on integrating their infrastructure access controls directly into Cloudflare One. During the third and fourth quarters of this year, we will be announcing a number of new features to facilitate Zero Trust infrastructure access via Cloudflare One. All functionality delivered this year will be included in the Cloudflare One free tier for organizations with less than 50 users. We believe that everyone should have access to world-class security controls.</p><p>We are looking for early beta testers and teams to provide feedback about what they would like to see with respect to infrastructure access. If you are interested in learning more, please sign up <a href=\"\">here</a>.</p>"],"published_at":[0,"2024-05-30T13:12:02.000+01:00"],"updated_at":[0,"2024-10-09T23:28:20.452Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"013htAspXBEMdE76Afcyq2"],"name":[0,"Acquisitions"],"slug":[0,"acquisitions"]}],[0,{"id":[0,"J61Eszqn98amrYHq4IhTx"],"name":[0,"Zero Trust"],"slug":[0,"zero-trust"]}],[0,{"id":[0,"2UI24t7uddD0CIIUJCu1f4"],"name":[0,"SASE"],"slug":[0,"sase"]}],[0,{"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"name":[0,"Security"],"slug":[0,"security"]}],[0,{"id":[0,"6c9EM6c5poinGKIR6xldFo"],"name":[0,"Cloudflare Access"],"slug":[0,"cloudflare-access"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"4Z2oveL0P0AeqGa5lL4Vo1"],"name":[0,"Cloudflare One"],"slug":[0,"cloudflare-one"]}],[0,{"id":[0,"5OywGP63AdM9Umyvaku8OP"],"name":[0,"Connectivity Cloud"],"slug":[0,"connectivity-cloud"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Kenny Johnson"],"slug":[0,"kenny"],"bio":[0,"Cloudflare Zero Trust PM\nAustin TX"],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@KennyJohnsonATX"],"facebook":[0,null]}],[0,{"name":[0,"Michael Keane"],"slug":[0,"michael-keane"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"We’re excited to announce that BastionZero, a Zero Trust infrastructure access platform, has joined Cloudflare. This acquisition extends our Zero Trust Network Access (ZTNA) flows with native access management for infrastructure like servers, Kubernetes clusters, and databases."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Cloudflare acquires BastionZero to extend Zero Trust access to IT infrastructure Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Cloudflare acquires BastionZero to extend Zero Trust access to IT infrastructure"],"description":[0,"We’re excited to announce that BastionZero, a Zero Trust infrastructure access platform, has joined Cloudflare. This acquisition extends our Zero Trust Network Access (ZTNA) flows with native access management for infrastructure like servers, Kubernetes clusters, and databases."],"imgPreview":[0,""]}]}],[0,{"id":[0,"6H88aYtewMC4Snq51FUaxK"],"title":[0,"New Consent and Bot Management features for Cloudflare Zaraz"],"slug":[0,"new-consent-and-bot-management-features-for-cloudflare-zaraz"],"excerpt":[0,"Zaraz Consent Management now supports Google Consent Mode v2 and is compliant with the IAB Europe Transparency and Consent Framework. Zaraz also added Bot Management support for keeping your analytics data clean"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"New Consent and Bot Management features for Cloudflare Zaraz\" class=\"kg-image\" width=\"1201\" height=\"675\" loading=\"lazy\"/>\n \n </figure><p>Managing consent online can be challenging. After you’ve figured out the necessary regulations, you usually need to configure some Consent Management Platform (CMP) to load all third-party tools and scripts on your website in a way that respects these demands. <a href=\"\">Cloudflare Zaraz</a> manages the loading of all of these third-party tools, so it was only natural that in April 2023 we announced the <a href=\"/consent-manager\">Cloudflare Zaraz CMP</a>: the simplest way to manage consent in a way that seamlessly integrates with your third-party tools manager.</p><p>As more and more third-party tool vendors are required to handle consent properly, our CMP has evolved to integrate with these new technologies and standardization efforts. Today, we’re happy to announce that the Cloudflare Zaraz CMP is now compatible with the Interactive Advertising Bureau Transparency and Consent Framework (IAB TCF) requirements, and fully supports Google’s Consent Mode v2 signals. Separately, we’ve taken efforts to improve the way Cloudflare Zaraz handles traffic coming from online bots.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"iab-tcf-compatibility\">IAB TCF Compatibility</h2>\n <a href=\"#iab-tcf-compatibility\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Earlier this year, Google announced that websites that would like to use AdSense and other advertising solutions in the European Economic Area (EEA), the UK, and Switzerland, will be <a href=\"\">required to use a CMP that is approved by IAB Europe</a>, an association for digital marketing and advertising. Their <a href=\"\">Transparency and Consent Framework</a> sets guidelines for how CMPs should operate. Since March 2024, the Cloudflare Zaraz CMP is compliant with these guidelines, and Zaraz users in Europe can use Google’s advertising products without any restrictions.</p><p>Since the IAB TCF requirements can make the consent modal a little complex for users, we have made this compliance mode an opt-in feature. See the <a href=\"\">official documentation</a> for information on how to enable it.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"google-consent-mode-v2\">Google Consent Mode v2</h2>\n <a href=\"#google-consent-mode-v2\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Another <a href=\"\">new requirement from Google</a> was the need to send “Consent Signals”. These signals are part of what is also known as “Consent Mode”, and later, <a href=\"\">Consent Mode v2</a>. Together with each event sent to Google Analytics and Google Ads, they tell the Google servers about the consent status of the current visitor – did they agree to have their data used for personalized advertising? Did they accept <a href=\"\">cookies</a>? These and other questions are answered by Consent Mode v2, telling the Google servers how to treat the data it receives.</p><p>Consent Mode v2 usually requires setting two values for each consent category – a default value and an updated one. The default value represents the consent status (granted or denied) a certain category (e.g. using cookies) has before the user has submitted their personal preferences. Usually, and especially within the EU, the default value would be `denied`. Once the user submits their preferences, Consent Mode v2 sends an additional “updated” value that represents the choice the user made.</p><p>Implementing Consent Mode v2 is quick and easy with Cloudflare Zaraz, although the specific implementation depends on your CMP. Examples, including integration with the Cloudflare Zaraz CMP, are available in our <a href=\"\">official documentation</a>.</p><p>We believe that better standardization around online consent benefits everyone, and we are glad to be working on tools that respect users&#39; privacy and improve online user experience.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"bot-management\">Bot Management</h2>\n <a href=\"#bot-management\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We also recently integrated better Bot Management support within Cloudflare Zaraz. You often want crawlers to be able to access your website, but you don’t want them to trigger your analytics and conversion pixels. Using the Bot Management feature in the <a href=\"\">Cloudflare Zaraz Settings page</a> allows you to fine tune which requests will make it to Cloudflare Zaraz and which ones will be skipped. Since <a href=\"/zaraz-announces-new-pricing/\">Zaraz pricing</a> is based on the total number of Zaraz Events, this can also be useful if you want more control over your Cloudflare Zaraz costs, ensuring you will not be paying for events triggered by bots. Like all other Cloudflare Zaraz features, these new features are also available to users on all plans, including the <a href=\"\">free plan</a>. For us, it is part of making sure that everyone can benefit from a faster, safer, and more private way to manage third parties online. If you haven’t started using Cloudflare Zaraz already, now is a great time. Go to <a href=\"\">the Cloudflare dashboard</a> and set it up in just a few clicks.</p>"],"published_at":[0,"2024-05-15T14:00:50.000+01:00"],"updated_at":[0,"2024-10-09T23:28:19.435Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"5KsuE8WNLu5C4uyvr4XWCV"],"name":[0,"Zaraz"],"slug":[0,"zaraz"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"3BWeMuiOShelE7QM48sW9j"],"name":[0,"Privacy"],"slug":[0,"privacy"]}],[0,{"id":[0,"4l3WDYLk6bXCyaRc9pRzXa"],"name":[0,"Bots"],"slug":[0,"bots"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Yo'av Moshe"],"slug":[0,"yoav"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@yoavmoshe"],"facebook":[0,null]}]]],"meta_description":[0,"Zaraz Consent Management now supports Google Consent Mode v2 and is compliant with the IAB Europe Transparency and Consent Framework. Zaraz also added Bot Management support for keeping your analytics data clean"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"New Consent and Bot Management features for Cloudflare Zaraz Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"New Consent and Bot Management features for Cloudflare Zaraz"],"description":[0,"Zaraz Consent Management now supports Google Consent Mode v2 and is compliant with the IAB Europe Transparency and Consent Framework. Zaraz also added Bot Management support for keeping your analytics data clean"],"imgPreview":[0,""]}]}],[0,{"id":[0,"3FHdMMB8JzNt8hkAYDcqVL"],"title":[0,"Meta Llama 3 available on Cloudflare Workers AI"],"slug":[0,"meta-llama-3-available-on-cloudflare-workers-ai"],"excerpt":[0,"We are thrilled to give developers around the world the ability to build AI applications with Meta Llama 3 using Workers AI. We are proud to be a launch partner with Meta for their newest 8B Llama 3 model"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"Meta Llama 3 available on Cloudflare Workers AI\" class=\"kg-image\" width=\"1800\" height=\"1013\" loading=\"lazy\"/>\n \n </figure><p>We are thrilled to give developers around the world the ability to build AI applications with Meta Llama 3 using Workers AI. We are proud to be a launch partner with Meta for their newest 8B Llama 3 model, and excited to continue our partnership to bring the best of open-source models to our inference platform.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"workers-ai\">Workers AI</h2>\n <a href=\"#workers-ai\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p><a href=\"/workers-ai\">Workers AI’s initial launch</a> in beta included support for Llama 2, as it was one of the most requested open source models from the developer community. Since that initial launch, we’ve seen developers build all kinds of innovative applications including knowledge sharing <a href=\"\">chatbots</a>, creative <a href=\"\">content generation</a>, and automation for <a href=\"\">various workflows</a>. </p><p>At Cloudflare, we know developers want simplicity and flexibility, with the ability to build with multiple AI models while optimizing for accuracy, performance, and cost, among other factors. Our goal is to make it as easy as possible for developers to use their models of choice without having to worry about the complexities of hosting or deploying models.</p><p>As soon as we learned about the development of Llama 3 from our partners at Meta, we knew developers would want to start building with it as quickly as possible. Workers AI’s serverless inference platform makes it extremely easy and cost-effective to start using the latest large language models (LLMs). Meta’s commitment to developing and growing an open AI-ecosystem makes it possible for customers of all sizes to use AI at scale in production. All it takes is a few lines of code to run inference to Llama 3:</p>\n <pre class=\"language-js\"><code class=\"language-js\">export interface Env {\n // If you set another name in wrangler.toml as the value for &#039;binding&#039;,\n // replace &quot;AI&quot; with the variable name you defined.\n AI: any;\n}\n\nexport default {\n async fetch(request: Request, env: Env) {\n const response = await;@cf/meta/llama-3-8b-instruct&#039;, {\n messages: [\n{role: &quot;user&quot;, content: &quot;What is the origin of the phrase Hello, World?&quot;}\n\t ]\n }\n );\n\n return new Response(JSON.stringify(response));\n },\n};</pre></code>\n \n <div class=\"flex anchor relative\">\n <h2 id=\"built-with-meta-llama-3\">Built with Meta Llama 3</h2>\n <a href=\"#built-with-meta-llama-3\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Llama 3 offers leading performance on a wide range of industry benchmarks. You can learn more about the architecture and improvements on Meta’s <a href=\"\">blog post</a>. Cloudflare Workers AI supports <a href=\"\">Llama 3 8B</a>, including the instruction fine-tuned model.</p><p>Meta’s testing shows that Llama 3 is the most advanced open LLM today on <a href=\"\">evaluation benchmarks</a> such as MMLU, GPQA, HumanEval, GSM-8K, and MATH. Llama 3 was trained on an increased number of training tokens (15T), allowing the model to have a better grasp on language intricacies. Larger context windows doubles the capacity of Llama 2, and allows the model to better understand lengthy passages with rich contextual data. Although the model supports a context window of 8k, we currently only support 2.8k but are looking to support 8k context windows through quantized models soon. As well, the new model introduces an efficient new <a href=\"\">tiktoken</a>-based tokenizer with a vocabulary of 128k tokens, encoding more characters per token, and achieving better performance on English and multilingual benchmarks. This means that there are 4 times as many parameters in the embedding and output layers, making the model larger than the previous Llama 2 generation of models.</p><p>Under the hood, Llama 3 uses <a href=\"\">grouped-query attention</a> (GQA), which improves inference efficiency for longer sequences and also renders their 8B model architecturally equivalent to <a href=\"\">Mistral-7B</a>. For tokenization, it uses byte-level <a href=\"\">byte-pair encoding (BPE)</a>, similar to OpenAI’s GPT tokenizers. This allows tokens to represent any arbitrary byte sequence — even those without a valid utf-8 encoding. This makes the end-to-end model much more flexible in its representation of language, and leads to improved performance.</p><p>Along with the base Llama 3 models, Meta has released a suite of offerings with tools such as <a href=\"\">Llama Guard 2, Code Shield, and CyberSec Eval 2,</a> which we are hoping to release on our Workers AI platform shortly.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"try-it-out-now\">Try it out now</h2>\n <a href=\"#try-it-out-now\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Meta Llama 3 8B is available in the <a href=\"\">Workers AI Model Catalog</a> today! Check out the <a href=\"\">documentation here</a> and as always if you want to share your experiences or learn more, join us in the <a href=\"\">Developer Discord</a>.</p>"],"published_at":[0,"2024-04-18T21:58:33.000+01:00"],"updated_at":[0,"2024-10-09T23:28:10.767Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"ANSDxKYau0oCxzoCuOxt9"],"name":[0,"Llama"],"slug":[0,"llama"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"1Wf1Dpb2AFicG44jpRT29y"],"name":[0,"Workers AI"],"slug":[0,"workers-ai"]}],[0,{"id":[0,"6hbkItfupogJP3aRDAq6v8"],"name":[0,"Cloudflare Workers"],"slug":[0,"workers"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Michelle Chen"],"slug":[0,"michelle"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,"@_mchenco"],"facebook":[0,null]}],[0,{"name":[0,"Davina Zamanzadeh"],"slug":[0,"davina"],"bio":[0,null],"profile_image":[0,""],"location":[0,"California"],"website":[0,""],"twitter":[0,"@davzaman"],"facebook":[0,null]}],[0,{"name":[0,"Isaac Rehg"],"slug":[0,"isaac-rehg"],"bio":[0,null],"profile_image":[0,""],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Nikhil Kothari"],"slug":[0,"nikhil"],"bio":[0,"Director, Strategic Partnerships"],"profile_image":[0,""],"location":[0,"San Francisco"],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"We are thrilled to give developers around the world the ability to build AI applications with Meta Llama 3 using Workers AI. We are proud to be a launch partner with Meta for their newest 8B Llama 3 model"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Meta Llama 3 available on Cloudflare Workers AI Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Meta Llama 3 available on Cloudflare Workers AI"],"description":[0,"We are thrilled to give developers around the world the ability to build AI applications with Meta Llama 3 using Workers AI. We are proud to be a launch partner with Meta for their newest 8B Llama 3 model"],"imgPreview":[0,""]}]}],[0,{"id":[0,"61fYHTMclwlBGOBNMC5Ehj"],"title":[0,"Improving authoritative DNS with the official release of Foundation DNS"],"slug":[0,"foundation-dns-launch"],"excerpt":[0,"We are launching Foundation DNS – our new enterprise-grade authoritative DNS offering. As our new enterprise authoritative DNS offering, Foundation DNS was designed to enhance the reliability, security, flexibility, and analytics of our authoritative DNS service"],"featured":[0,false],"html":[0,"<p>We are very excited to announce the official release of <a href=\"/foundation-dns\">Foundation DNS</a>, with new advanced nameservers, even more resilience, and advanced analytics to meet the complex requirements of our enterprise customers. Foundation DNS is one of Cloudflare&#39;s largest leaps forward in our authoritative DNS offering since its launch in 2010, and we know our customers are interested in an enterprise-ready authoritative DNS service with the highest level of performance, reliability, security, flexibility, and advanced analytics.</p><p>Starting today, every new enterprise contract that includes authoritative DNS will have access to the Foundation DNS feature set and existing enterprise customers will have Foundation DNS features made available to them over the course of this year. If you are an existing enterprise customer already using our authoritative DNS services, and you’re interested in getting your hands on Foundation DNS earlier, just reach out to your account team, and they can enable it for you. Let’s get started…</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"why-is-dns-so-important\">Why is DNS so important?</h2>\n <a href=\"#why-is-dns-so-important\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>From an end user perspective, DNS makes the Internet usable. <a href=\"\">DNS</a> is the phone book of the Internet which translates hostnames like <code></code> into IP addresses that our browsers, applications, and devices use to connect to services. Without DNS, users would have to remember IP addresses like <code></code> or <code>2606:4700:58::adf5:3b93</code> every time they wanted to visit a website on their mobile device or desktop – imagine having to remember something like that instead of just <code></code>. DNS is used in every end user application on the Internet, from social media to banking to healthcare portals. People&#39;s usage of the Internet is entirely reliant on DNS.</p><p>From a business perspective, DNS is the very first step in reaching websites and connecting to applications. Devices need to know where to connect in order to reach services, authenticate users, and provide the information being requested. Resolving DNS queries quickly can be the difference between a website or application being perceived as responsive or not and can have a real impact on user experience.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1796\" height=\"806\" loading=\"lazy\"/>\n \n </figure><p>When DNS outages occur, the impacts are obvious. Imagine your go-to ecommerce site not loading, just like what happened with the <a href=\"/how-the-dyn-outage-affected-cloudflare\">outage Dyn experienced in 2016</a>, which took down multiple popular ecommerce sites among others. Or, if you are part of a company, and customers aren’t able to reach your website to purchase the goods or services you are selling, a DNS outage will literally lose you money. DNS is often taken for granted, but make no mistake, you’ll notice it when it’s not working properly. Thankfully, if you use Cloudflare authoritative DNS, these are problems you don’t worry about very much.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"there-is-always-room-for-improvement\">There is always room for improvement</h2>\n <a href=\"#there-is-always-room-for-improvement\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare has been providing authoritative DNS services for over a decade. Our authoritative DNS service hosts millions of domains across many different <a href=\"\">top level domains (TLDs)</a>. We have customers of all sizes, from single domains with just a few records to customers with tens of millions of records spread across multiple domains. Our enterprise customers, rightfully, demand the highest level of performance, reliability, security, and flexibility from our DNS service, along with detailed analytics. While our customers love our authoritative DNS, we recognize there is always room for improvement in some of those categories. To that end, we set off to make some major improvements to our DNS architecture, with new features as well as structural changes. We are proudly calling this improved offering Foundation DNS.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"meet-foundation-dns\">Meet Foundation DNS</h2>\n <a href=\"#meet-foundation-dns\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As our new enterprise authoritative DNS offering, Foundation DNS was designed to enhance the reliability, security, flexibility, and analytics of our existing authoritative DNS service. Before we dive into all the specifics of Foundation DNS, here is a quick summary of what Foundation DNS brings to our authoritative DNS offering:</p><ul><li><p><b>Advanced nameservers</b> bring DNS reliability to the next level.</p></li><li><p><b>New zone-level DNS settings</b> provide more flexible configuration of DNS specific settings.</p></li><li><p><b>Unique DNSSEC keys per account and zone</b> provide additional security and flexibility for DNSSEC.</p></li><li><p><b>GraphQL-based DNS analytics</b> provide even more insights into your DNS queries.</p></li><li><p><b>A new release process</b> ensures enterprise customers have the utmost stability and reliability.</p></li><li><p><b>Simpler DNS pricing</b> with more generous quotas for DNS-only zones and DNS records.</p></li></ul><p>Now, let’s dive deeper into each of these new Foundation DNS features:</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"advanced-nameservers\">Advanced nameservers</h3>\n <a href=\"#advanced-nameservers\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>With Foundation DNS, we’re introducing advanced nameservers with a specific focus on enhancing reliability for your enterprise. You might be familiar with our standard authoritative nameservers which come as a pair per zone and use names within the domain. Here’s an example:</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">$ dig ns +noall +answer \\t86400\tIN\tNS\\\t86400\tIN\tNS\</pre></code>\n <p>Now, let’s look at the same zone using Foundation DNS advanced nameservers:</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">$ dig ns +noall +answer \\t86400\tIN\tNS\\\t86400\tIN\tNS\\\t86400\tIN\tNS\</pre></code>\n <p>Advanced nameservers improve reliability in a few different ways. The first improvement comes from the Foundation DNS authoritative servers being spread across multiple TLDs. This provides protection from larger scale DNS outages and DDoS attacks that could potentially affect DNS infrastructure further up the tree, including TLD name servers. Foundation DNS authoritative nameservers are now located across multiple branches of the global DNS tree structure, further insulating our customers from these potential outages and attacks.</p><p>You might also have noticed that there is an additional nameserver listed with Foundation DNS. While this is an improvement, it&#39;s not for the reason you might think it is. If we resolve each one of these nameservers to their respective IP addresses, we can make this a little easier to understand. Let’s do that here starting with our standard nameservers:</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">$ dig +noall +answer\ 86353 IN A\ 86353 IN A\ 86353 IN A\n\n$ dig +noall +answer\ 86353 IN A\ 86353 IN A\ 86353 IN A</pre></code>\n <p>There are six total IP addresses for the two nameservers. As it turns out, this is all DNS resolvers actually care about when querying authoritative nameservers. DNS resolvers usually don’t track the actual <a href=\"\">domain names</a> of authoritative servers; they simply maintain an unordered list of IP addresses that they can use to resolve queries for a given domain. So with our standard authoritative nameservers, we give resolvers six IP addresses to use to resolve DNS queries. Now, let&#39;s look at the IP addresses for our Foundation DNS advanced nameservers:</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">$ dig +noall +answer\ 300 IN A\ 300 IN A\ 300 IN A\n\n$ dig +noall +answer\ 300 IN A\ 300 IN A\ 300 IN A\n\n$ dig +noall +answer\ 300 IN A\ 300 IN A\ 300 IN A</pre></code>\n <p>Would you look at that! Foundation DNS provides the same IP addresses for each of the authoritative nameservers that we provide to a zone. So in this case, we have only provided three IP addresses for resolvers to use to resolve DNS queries. And you might be wondering,“isn’t six better than three? Isn’t this a downgrade?” It turns out more isn’t always better. Let’s talk about why.</p><p>You are probably aware of Cloudflare’s use of <a href=\"\">Anycast</a> and, as you might assume, our DNS services leverage Anycast to ensure that our authoritative DNS servers are available globally and as close as possible to users and resolvers across the Internet. Our standard nameservers are all advertised out of every Cloudflare data center by a single Anycast group. If we zoom in on Europe, you can see that in a standard nameserver deployment, both nameservers are advertised from every data center.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"909\" loading=\"lazy\"/>\n \n </figure><p>We can take those six IP addresses from our standard nameservers above and perform a lookup for their &quot;hostname.bind&quot; TXT record which will show us the airport code or physical location of the closest data center where our DNS queries are being resolved from. This output helps explain the reason why more isn’t always better.</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">$ dig @ ch txt hostname.bind +short\n&quot;LHR&quot;\n\n$ dig @ ch txt hostname.bind +short\n&quot;LHR&quot;\n\n$ dig @ ch txt hostname.bind +short\n&quot;LHR&quot;\n\n$ dig @ ch txt hostname.bind +short\n&quot;LHR&quot;\n\n$ dig @ ch txt hostname.bind +short\n&quot;LHR&quot;\n\n$ dig @ ch txt hostname.bind +short\n&quot;LHR&quot;</pre></code>\n <p>As you can see, when queried from near London, all six of those IP addresses route to the same London (LHR) data center. Meaning that when a resolver in London is resolving DNS queries for a domain using Cloudflare’s standard authoritative DNS, no matter which nameserver IP address is being queried, they are always connecting to the same physical location.</p><p>You might be asking, “So what? What does that mean to me?” Let’s look at an example. If you wanted to resolve a domain using Cloudflare standard nameservers from London, and I am using a public resolver that is also located in London, the resolver will always connect to the Cloudflare LHR data center regardless of which nameserver it&#39;s trying to reach. It doesn’t have any other option, because of Anycast.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1228\" height=\"294\" loading=\"lazy\"/>\n \n </figure><p>Because of Anycast, should the LHR data center go offline completely, all the traffic intended for LHR would be routed to other nearby data centers and resolvers would continue to function normally. However, in the unlikely scenario where the LHR data center was online, but our DNS services aren’t able to respond to DNS queries, the resolver would have no way to resolve these DNS queries since they can’t reach out to any other data center. We could have 100 IP addresses, and it would not help us in this scenario. Eventually, cached responses will expire, and the domain will eventually stop being resolved.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1228\" height=\"294\" loading=\"lazy\"/>\n \n </figure><p>Foundation DNS advanced nameservers are changing the way we use Anycast by leveraging two Anycast groups, which breaks the previous paradigm of every authoritative nameserver IP being advertised from every data center. Using two Anycast groups means that Foundation DNS authoritative nameservers actually have different physical locations from one another, rather than all being advertised from each data center. Here is how that same region would look using two Anycast groups:</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"880\" loading=\"lazy\"/>\n \n </figure><p>Let’s go back and finish our comparison of six authoritative IP addresses for standard authoritative DNS vs three IP addresses for Foundation DNS now that it&#39;s understood that Foundation DNS is using two Anycast groups for advertising nameservers. Let’s see where Foundation DNS servers are being advertised from for our example:</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">$ dig @ ch txt hostname.bind +short\n&quot;LHR&quot;\n\n$ dig @ ch txt hostname.bind +short\n&quot;LHR&quot;\n\n$ dig @ ch txt hostname.bind +short\n&quot;MAN&quot;</pre></code>\n <p>Look at that! One of our three nameserver IP addresses is being advertised out of a different data center, Manchester (MAN), making Foundation DNS more reliable and resilient for the previously mentioned outage scenario. It&#39;s worth mentioning that in some cities, Cloudflare operates out of multiple data centers which will result in all three queries returning the same airport code. While we guarantee that at least one of those IP addresses is being advertised out of a different data center, we understand some customers may want to test for themselves. In those cases, an additional query can show that IP addresses are being advertised out of different data centers.</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">$ dig @ +nsid | grep NSID:\n; NSID: 39 34 6d 33 39 (&quot;94m39&quot;)</pre></code>\n <p>In the &quot;<b>94m30</b>&quot; returned in the response, the number before the &quot;<b>m</b>&quot; represents the data center that answered the query. As long as that number is different in one of the three responses, you know that one of your Foundation DNS authoritative nameservers is being advertised out of a different physical location.</p><p>With Foundation DNS leveraging two Anycast groups, the previous outage scenario is handled seamlessly. DNS resolvers monitor requests to all the authoritative nameservers returned for a given domain, but primarily use the nameserver that is providing the fastest responses.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1228\" height=\"616\" loading=\"lazy\"/>\n \n </figure><p>With this configuration, DNS resolvers are able to send requests to two different Cloudflare data centers, so, should a failure happen at one physical location, queries are then automatically sent to the second data center where they can be properly resolved.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1228\" height=\"616\" loading=\"lazy\"/>\n \n </figure><p>Foundation DNS advanced nameservers are a big step forward in reliability for our enterprise customers. We welcome our enterprise customers to enable advanced nameservers for existing zones today. Migrating to Foundation DNS won’t involve any downtime either because even after Foundation DNS advanced nameservers are enabled for a zone, the previous standard authoritative DNS nameservers will continue to function and respond to queries for the zone. Customers don’t need to plan for a cutover or other service-impacting event to migrate to Foundation DNS advanced nameservers.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"610\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"new-zone-level-dns-settings\">New zone-level DNS settings</h3>\n <a href=\"#new-zone-level-dns-settings\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Historically, we have received regular requests from our enterprise customers to adjust specific DNS settings that were not exposed via our API or dashboard, such as enabling secondary DNS overrides. When customers wanted these settings adjusted, they had to reach out to their account teams, who would change the configurations. With Foundation DNS, we are exposing the most commonly requested settings via the <a href=\"\">API</a> and dashboard to give our customers increased flexibility with their Cloudflare authoritative DNS solution.</p><p>Enterprise customers can now configure the following DNS settings on their zones:</p><!--kg-card-begin: html--><style type=\"text/css\">\ {border-collapse:collapse;border-color:#ccc;border-spacing:0;}\ td{background-color:#fff;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;overflow:hidden;padding:10px 5px;word-break:normal;}\ th{background-color:#f0f0f0;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\ .tg-buh4{background-color:#f9f9f9;text-align:left;vertical-align:top}\ .tg-p7vi{background-color:#C9DAF8;font-weight:bold;text-align:left;vertical-align:top}\ .tg-68av{background-color:#f9f9f9;color:#15C;text-align:left;vertical-align:top}\ .tg-zb5k{color:#15C;text-align:left;vertical-align:top}\ .tg-0lax{text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\" width=\"100%\">\n<thead>\n <tr>\n <th class=\"tg-p7vi\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Setting</span></th>\n <th class=\"tg-p7vi\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Zone Type</span></th>\n <th class=\"tg-p7vi\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Description</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-68av\"><a href=\"\"><span style=\"font-weight:400;font-style:normal;color:#15C;background-color:transparent\">Foundation DNS advanced nameservers</span></a></td>\n <td class=\"tg-buh4\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Primary and secondary zones</span></td>\n <td class=\"tg-buh4\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Allows you to enable advanced nameservers on your zone.</span></td>\n </tr>\n <tr>\n <td class=\"tg-zb5k\"><a href=\"\"><span style=\"font-weight:400;font-style:normal;color:#15C;background-color:transparent\">Secondary DNS override</span></a></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Secondary zones</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Allows you to enable </span><a href=\"\"><span style=\"font-weight:400;font-style:normal;color:#15C;background-color:transparent\">Secondary DNS Override</span></a><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\"> on your zone in order to proxy HTTP/S traffic through Cloudflare.</span></td>\n </tr>\n <tr>\n <td class=\"tg-68av\"><a href=\"\"><span style=\"font-weight:400;font-style:normal;color:#15C;background-color:transparent\">Multi-provider DNS</span></a></td>\n <td class=\"tg-buh4\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Primary and secondary zones</span></td>\n <td class=\"tg-buh4\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Allows you to have multiple authoritative DNS providers while using Cloudflare as a primary nameserver.</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html-->\n <div class=\"flex anchor relative\">\n <h3 id=\"unique-dnssec-keys-per-account-and-zone\">Unique DNSSEC keys per account and zone</h3>\n <a href=\"#unique-dnssec-keys-per-account-and-zone\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p><a href=\"\">DNSSEC</a>, which stands for <a href=\"\">Domain Name System Security Extensions</a>, adds security to a domain or zone by providing a way to check that the response you receive for a DNS query is authentic and hasn&#39;t been modified. DNSSEC prevents <a href=\"\">DNS cache poisoning (DNS spoofing)</a> which helps ensure that DNS resolvers are responding to DNS queries with the correct IP addresses.</p><p>Since we <a href=\"/introducing-universal-dnssec\">launched Universal DNSSEC</a> in 2015, we’ve made quite a few improvements, like adding support for <a href=\"\">pre-signed DNSSEC for secondary zones</a> and <a href=\"\">multi-signer DNSSEC</a>. By default, Cloudflare signs DNS records on the fly (live signing) as we respond to DNS queries. This allows Cloudflare to host a DNSSEC-secured domain while dynamically allocating IP addresses for the proxied origins. It also enables certain load balancing use cases since the IP addresses served in the DNS response in these cases change based on steering.</p><p>Cloudflare uses the <a href=\"/dnssec-done-right\">Elliptic Curve algorithm ECDSA P-256</a>, which is stronger than most RSA keys used today. It uses less CPU to generate signatures, making them more efficient to generate on the fly. Usually two keys are used as part of DNSSEC, the Zone Signing Key (ZSK) and the Key Signing Key (KSK). At the simplest level, the ZSK is used for signing the DNS records that are served in response to queries and the KSK is used to sign the <a href=\"\">DNSKEYs</a>, including the ZSK to ensure its authenticity.</p><p>Today, Cloudflare uses a shared ZSK and KSK globally for all DNSSEC signing, and since we use such a strong cryptographic algorithm, we know how secure this key set is and as such, do not believe there is a need to regularly rotate the ZSK or KSK – at least for security reasons. There are customers, however, that have policies that require the rotation of these keys at certain intervals. Because of this, we’ve added the ability for our new Foundation DNS advanced nameservers to rotate both their ZSK and KSK as needed per account or per zone. This will first be available via the API and subsequently through the Cloudflare dashboard. So now, customers with strict policy requirements around their DNSSEC key rotation can meet those requirements with Cloudflare Foundation DNS.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"graphql-based-dns-analytics\">GraphQL-based DNS analytics</h3>\n <a href=\"#graphql-based-dns-analytics\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>For those who are not familiar with it, <a href=\"\">GraphQL</a> is a query language for APIs and a runtime for executing those queries. It allows clients to request exactly what they need, no more, no less, enabling them to aggregate data from multiple sources through a single API call, and supports real-time updates through subscriptions.</p><p>As you might know, Cloudflare has had a <a href=\"\">GraphQL API</a> for a while now, but as part of Foundation DNS we are adding a new DNS dataset to that API that is only available with our new Foundation DNS advanced nameservers.</p><p>The new DNS dataset in our GraphQL API can be used to fetch information about the DNS queries a zone has received. This faster and more powerful alternative to our current <a href=\"\">DNS Analytics API</a> allows you to query data from large time periods quickly and efficiently without running into limits or timeouts. The GraphQL API is more flexible with regard to which queries it accepts, and exposes more information than the DNS Analytics API.</p><p>For example, you can run this query to fetch the mean and 90th percentile processing time of your queries, grouped by source IP address, in 15 minute buckets. A query like this would be useful to see which IPs are querying your records most often for a given time range:</p>\n <pre class=\"language-json\"><code class=\"language-json\">{\n &quot;query&quot;: &quot;{\n viewer {\n zones(filter: { zoneTag: $zoneTag }) {\n dnsAnalyticsAdaptiveGroups(\n filter: $filter\n limit: 10\n orderBy: [datetime_ASC]\n ) {\n avg {\n processingTimeUs\n }\n quantiles {\n processingTimeUsP90\n }\n dimensions {\n datetimeFifteenMinutes\n sourceIP\n }\n }\n }\n }\n }&quot;,\n &quot;variables&quot;: {\n &quot;zoneTag&quot;: &quot;&lt;zone-tag&gt;&quot;,\n &quot;filter&quot;: {\n &quot;datetime_geq&quot;: &quot;2024-05-01T00:00:00Z&quot;,\n &quot;datetime_leq&quot;: &quot;2024-06-01T00:00:00Z&quot;\n }\n }\n}</pre></code>\n <p>Previously, a query like this wouldn’t have been possible for several reasons. The first is that we have added new fields like <b>sourceIP</b>, which allows us to filter data based on which client IP addresses (usually resolvers) are making DNS queries. The second is that the GraphQL API query is able to process and return data from much larger time ranges. A DNS zone with sufficiently large amounts of queries was previously only able to query across a few days of traffic, while the new GraphQL API can provide data for a period of up to 31 days. We are planning further enhancements to that range, as well as how far back historical data can be stored and queried.</p><p>The GraphQL API also allows us to add a new DNS analytics section to the Cloudflare dashboard. Customers will be able to track the most queried records, see which data centers are answering those queries, see how many queries are being made, and much more.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"791\" loading=\"lazy\"/>\n \n </figure><p>The new DNS dataset in our GraphQL API and the new DNS analytics page work together to help our DNS customers to monitor, analyze, and troubleshoot their Foundation DNS deployments.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"new-release-process\">New release process</h3>\n <a href=\"#new-release-process\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare’s Authoritative DNS product receives software updates roughly once a week. Cloudflare has a sophisticated release process that helps prevent regressions from affecting production traffic. While uncommon, it&#39;s possible to have issues only surface once the new release is subject to the volume and uniqueness of production traffic.</p><p>Because our enterprise customers desire stability even more than new features, new releases will be subject to a two-week soak time with our standard nameservers before our Foundation DNS advanced nameservers are upgraded. After two weeks with no issues, the Foundation DNS advanced nameservers will be upgraded as well.</p><p>Zones using Foundation DNS advanced nameservers will see increased reliability as they are better protected against regressions in new software releases.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"simpler-dns-pricing\">Simpler DNS pricing</h3>\n <a href=\"#simpler-dns-pricing\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Historically, Cloudflare has charged for authoritative DNS based on monthly DNS queries and the number of domains in the account. Our enterprise DNS customers are often interested in DNS-only zones, which are DNS zones hosted in Cloudflare that do not use our reverse proxy (layer 7) services such as our CDN, WAF, or Bot Management. With Foundation DNS, we’re making pricing simpler for the vast majority of those customers by <b>including 10,000 DNS only domains</b> by default. This change means most customers will only pay for the number of DNS queries they consume.</p><p>We’re also <b>including 1 million DNS records</b> across all domains in an account. But that doesn’t mean we can’t support more. In fact, the biggest single zone on our platform has over 3.9 million records, while our largest DNS account is just shy of 30 million DNS records spread across multiple zones. With Cloudflare DNS, there is no trouble handling even the largest deployments.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"there-is-more-to-come\">There is more to come</h2>\n <a href=\"#there-is-more-to-come\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We are just getting started. In the future, we will add more exclusive features to Foundation DNS. One example is a highly requested feature: <b>per-record scoped API tokens and user permissions</b>. This will allow you to configure permissions on an even more granular level. For example, you could specify that a particular member of your account is only allowed to create and manage records of the type TXT and MX, so they don’t accidentally delete or edit address records impacting web traffic to your domain. Another example would be to specify permissions based on subdomain to further restrict the scope of specific users.</p><p>If you’re an existing enterprise customer and want to use Foundation DNS, get in touch with your account team to provision Foundation DNS on your account.</p>"],"published_at":[0,"2024-04-12T14:00:12.000+01:00"],"updated_at":[0,"2024-11-20T18:50:21.442Z"],"feature_image":[0,""],"tags":[1,[[0,{"id":[0,"5fZHv2k9HnJ7phOPmYexHw"],"name":[0,"DNS"],"slug":[0,"dns"]}],[0,{"id":[0,"28ScICxPHuxYNbpZIqd6xS"],"name":[0,"Foundation DNS"],"slug":[0,"foundation-dns"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Hannes Gerhart"],"slug":[0,"hannes"],"bio":[0,null],"profile_image":[0,""],"location":[0,"Berlin, Germany"],"website":[0,""],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Chris Ward"],"slug":[0,"cw"],"bio":[0,"Hi everyone! I am a technical marketing engineer at Cloudflare who loves to understand how things work. I have worked in the IT, networking, and collaboration (voice/video) space for almost 20 years. "],"profile_image":[0,""],"location":[0,"Boston, MA"],"website":[0,""],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"We are launching Foundation DNS – our new enterprise-grade authoritative DNS offering. As our new enterprise authoritative DNS offering, Foundation DNS was designed to enhance the reliability, security, flexibility, and analytics of our authoritative DNS service."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Improving authoritative DNS with the official release of Foundation DNS Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"Translated for Locale"],"deDE":[0,"Translated for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,""],"metadata":[0,{"title":[0,"Improving authoritative DNS with the official release of Foundation DNS"],"description":[0,"We are launching Foundation DNS – our new enterprise-grade authoritative DNS offering. As our new enterprise authoritative DNS offering, Foundation DNS was designed to enhance the reliability, security, flexibility, and analytics of our authoritative DNS service."],"imgPreview":[0,""]}]}]]],"translations":[0,{"":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"":[0,"Careers"],"":[0,"Company"],"":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"":[0,"Community"],"footer.resources":[0,"Resources"],"":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"MorePosts","value":true}" await-children> <div class="w-100 bt-l b--gray8"> <h3 data-testid="more-posts-title" class="orange fw5 f4 ph3 mt4">MORE POSTS</h3> </div> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-09-26T14:00+01:00">September 26, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Making Workers AI faster and more efficient: Performance optimization with KV cache compression and speculative decoding</h6></a> <p class="gray1 lh-copy">With a new generation of data center accelerator hardware and using optimization techniques such as KV cache compression and speculative decoding, we’ve made large language model (LLM)<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Isaac Rehg</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Jesse Kipp</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Birthday Week</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Cloudflare Workers</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developers</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developer Platform</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-09-26T14:00+01:00">September 26, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Zero-latency SQLite storage in every Durable Object</h6></a> <p class="gray1 lh-copy">Traditional cloud storage is inherently slow because it is accessed over a network and must synchronize many clients. But what if we could instead put your application code deep into the storage layer<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Kenton Varda</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Birthday Week</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Cloudflare Workers</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Durable Objects</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developers</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-09-25T14:00+01:00">September 25, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Introducing Speed Brain: helping web pages load 45% faster</h6></a> <p class="gray1 lh-copy">We are excited to announce the latest leap forward in speed – Speed Brain. Speed Brain uses the Speculation Rules API to prefetch content for the user's likely next navigations. The goal is to download a web page to the browser before a user navigates to it, allowing pages to loa<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Alex Krivit</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Suleman Ahmad</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">William Woodhead</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Birthday Week</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Speed & Reliability</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Research</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Cache</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Speed Brain</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-09-24T14:00+01:00">September 24, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Automatically generating Cloudflare’s Terraform provider</h6></a> <p class="gray1 lh-copy">The Cloudflare Terraform provider used to be manually maintained. With the help of our existing OpenAPI code generation pipeline, we’re now automatically generating the provider for better <!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Jacob Bednarz</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Birthday Week</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">API</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">SDK</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Terraform</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Open API</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-09-23T14:00+01:00">September 23, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Introducing Ephemeral IDs: a new tool for fraud detection</h6></a> <p class="gray1 lh-copy">As the Internet evolves, Turnstile does too. Introducing Ephemeral IDs — a new dimension in detecting fraudulent activity, bot or human, that links behavior to a specific client instead of an IP address. This makes Turnstile better for everyone, everywhere. <!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Oliver Payne</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Sally Lee</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Benedikt Wolters</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Birthday Week</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Turnstile</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">CAPTCHA</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Security</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-08-16T14:00+00:00">August 16, 2024 2:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Introducing high-definition portrait video support for Cloudflare Stream</h6></a> <p class="gray1 lh-copy">Cloudflare Stream is an end-to-end solution for video encoding, storage, delivery, and playback, focused on simplifying all aspects of video for developers. Newly uploaded or ingested portrait videos will now automatically be processed in full HD quality<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Alex Huang</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Cloudflare Stream</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developers</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developer Platform</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Internship Experience</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-08-06T14:00+00:00">August 06, 2024 2:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">The backbone behind Cloudflare’s Connectivity Cloud</h6></a> <p class="gray1 lh-copy">Read through the latest milestones and expansions of Cloudflare's global backbone and how it supports our Connectivity Cloud and our services<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Shozo Moritz Takaya</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Bryton Herdes</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Connectivity Cloud</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Anycast</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Argo Smart Routing</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Athenian Project</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">BGP</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-07-23T16:15:55.000+01:00">July 23, 2024 3:15 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Meta Llama 3.1 now available on Workers AI</h6></a> <p class="gray1 lh-copy">Cloudflare is excited to be a launch partner with Meta to introduce Workers AI support for Llama 3.1<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Michelle Chen</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Nikhil Kothari</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Workers AI</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">AI</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developer Platform</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developers</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-06-27T18:00:09.000+01:00">June 27, 2024 5:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Embedded function calling in Workers AI: easier, smarter, faster</h6></a> <p class="gray1 lh-copy">Introducing a new way to do function calling in Workers AI by running function code alongside your inference. Plus, a new @cloudflare/ai-utils package to make getting started as simple as possible<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Harley Turan</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Dhravya Shah</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Michelle Chen</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Workers AI</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developer Platform</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developers</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Open Source</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-06-24T14:00:17.000+01:00">June 24, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Using machine learning to detect bot attacks that leverage residential proxies</h6></a> <p class="gray1 lh-copy">Cloudflare's Bot Management team has released a new Machine Learning model for bot detection (v8), focusing on bots and abuse from residential proxies<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Bob AminAzad</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Santiago Vargas</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Adam Martinetti</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Machine Learning</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">AI</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Proxying</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Bots</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-06-20T14:00:29.000+01:00">June 20, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Introducing Stream Generated Captions, powered by Workers AI</h6></a> <p class="gray1 lh-copy">With one click, users can now generate video captions effortlessly using Stream’s newest feature: AI-generated captions for on-demand videos and recordings of live streams<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Mickie Betz</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Ben Krebsbach</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Taylor Smith</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Developer Platform</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developers</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Workers AI</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">AI</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-05-30T13:12:02.000+01:00">May 30, 2024 12:12 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Cloudflare acquires BastionZero to extend Zero Trust access to IT infrastructure</h6></a> <p class="gray1 lh-copy">We’re excited to announce that BastionZero, a Zero Trust infrastructure access platform, has joined Cloudflare. This acquisition extends our Zero Trust Network Access (ZTNA) flows with native access management for infrastructure like servers, Kubernetes clusters, and databases<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Kenny Johnson</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Michael Keane</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Acquisitions</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Zero Trust</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">SASE</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Security</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Cloudflare Access</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-05-15T14:00:50.000+01:00">May 15, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">New Consent and Bot Management features for Cloudflare Zaraz</h6></a> <p class="gray1 lh-copy">Zaraz Consent Management now supports Google Consent Mode v2 and is compliant with the IAB Europe Transparency and Consent Framework. Zaraz also added Bot Management support for keeping your analytics data clean<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Yo'av Moshe</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Zaraz</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Privacy</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Bots</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developer Platform</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-04-18T21:58:33.000+01:00">April 18, 2024 8:58 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Meta Llama 3 available on Cloudflare Workers AI</h6></a> <p class="gray1 lh-copy">We are thrilled to give developers around the world the ability to build AI applications with Meta Llama 3 using Workers AI. We are proud to be a launch partner with Meta for their newest 8B Llama 3 model<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Michelle Chen</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Davina Zamanzadeh</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Isaac Rehg</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Nikhil Kothari</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">Llama</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developers</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Developer Platform</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Workers AI</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Cloudflare Workers</a> </div> </div> </article> <article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"> <p class="f3 fw5 gray1" data-iso-date="2024-04-12T14:00:12.000+01:00">April 12, 2024 1:00 PM</p><a href="" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Improving authoritative DNS with the official release of Foundation DNS</h6></a> <p class="gray1 lh-copy">We are launching Foundation DNS – our new enterprise-grade authoritative DNS offering. As our new enterprise authoritative DNS offering, Foundation DNS was designed to enhance the reliability, security, flexibility, and analytics of our authoritative DNS service<!-- -->...</p> <ul class="flex pl0 fw6 f2"> <span>By<!-- --> </span> <li class="list flex items-center"> <div class="author-name-tooltip"> <a href="" class="fw5 f2 black no-underline">Hannes Gerhart</a> </div></li> <li class="list flex items-center"> <div class="author-name-tooltip"> <span class="fw5 f2 black no-underline">, </span><a href="" class="fw5 f2 black no-underline">Chris Ward</a> </div></li> </ul> <div class="flex flex-row flex-wrap"> <div> <a href="" class="no-underline f1 fw2 blue3 underline-hover">DNS</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Foundation DNS</a> </div> <div> <span class="f1 fw2 blue3 no-underline underline-hover">, </span><a href="" class="no-underline f1 fw2 blue3 underline-hover">Product News</a> </div> </div> </article><!--astro:end--> </astro-island> <div class="pagination mw-100 center mv5 ph3 w-100 tc"> <div class="center w-50-l w-100"> <div class="flex items-center justify-center justify-around-m "> <ul class="flex list ml3" style="padding-inline-start:inherit"> <li class="gray"><a class="no-underline underline-hover dib-m dib-l mr1 gray3 " href="">1</a></li> <li class=""><a class="no-underline underline-hover dib-m dib-l mr1 blue3" href="">2</a></li> <li class="ml">…</li> <li><a class="no-underline underline-hover dib-m dib-l mr3 blue3" href="">32</a></li> </ul><span><a class="no-underline blue3 underline-hover" data-testid="pagination-toggle-next" href="" rel="prev"><span class="underline-hover dn dib-m dib-l">Older Posts</span> →</a></span> </div> </div> </div> </main> <footer class="pt4 pb4 pl1 pr1 main-footer"> <div class="mw8 center dn db-l ph3"> <div class="flex flex-row justify-between"> <div class="main-footer__menu-group"> <ul id="getting-started-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="getting-started-menu">Getting Started<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="free-plans" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Free plans</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="enterprise" class="f1 blue3 no-underline underline-hover" rel="noreferrer">For enterprises</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="compare-plans" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Compare plans</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="get-a-recommendation" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Get a recommendation</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="request-a-demo" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Request a demo</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="contact-sales" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Contact Sales</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="company-menu" class="list pl0"> <li class="pt1 pb1 f1" data-submenu="company-menu">Resources<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="learning-center" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Learning Center</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="analysts-report" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Analyst reports</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="overview" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare Radar</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="tv" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare TV</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="case-studies" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Case Studies</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="webinars" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Webinars</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="white-papers" class="f1 blue3 no-underline underline-hover" rel="noreferrer">White Papers</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="developer-docs" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Developer docs</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="theNet" class="f1 blue3 no-underline underline-hover" rel="noreferrer">theNet</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="sales-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="sales-menu">Solutions<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="connectivity-cloud" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Connectivity cloud</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="zero-trust" class="f1 blue3 no-underline underline-hover" rel="noreferrer">SSE and SASE services</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="application-services" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Application services</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="network-services" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Network services</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="developer-services" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Developer services</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="community-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="community-menu">Community<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="community_hub" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Community Hub</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="galileo" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Project Galileo</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="athenian" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Athenian Project</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="cloudflare-for-campaigns" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare for Campaigns</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="critical-infrastructure-defense-project" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Critical Infrastructure Defense Project</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="connect-2024" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Connect 2024</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="support-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="support-menu">Support<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="help-center" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Help center</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="status" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare Status</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="compliance" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Compliance</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="gdpr" class="f1 blue3 no-underline underline-hover" rel="noreferrer">GDPR</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="trust-and-safety" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Trust & Safety</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="company-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="company-menu">Company<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="overview" class="f1 blue3 no-underline underline-hover" rel="noreferrer">About Cloudflare</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="our_team" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Our team</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="investor-relations" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Investor relations</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="press" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Press</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="careers" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Careers</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="diversity-equity-inclusion" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Diversity, equity & inclusion</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="impact-ESG" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Impact/ESG</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="network_map" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Network Map</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="press-kit" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Logos & press kit</a></li> <li class="pt1 pb1"><a href="" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="partners" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Become a partner</a></li> </ul> </div> </div> </div> <div class="mw8 center ph3"> <div class="flex flex-row flex-wrap justify-center md:justify-between items-center pt4"> <div class="flex flex-row space-x-4 items-start w-25-l pb4 pb0-l"> <a target="_blank" rel="noreferrer" href="" class="w-8"><img class="w-8" src="" alt="facebook"></a><a target=" _blank" rel="noreferrer" href="" class="w-8"><img class="w-8" src="" alt="X"></a><a target="_blank" rel="noreferrer" href="" class="w-8"><img class="w-8" src="" alt="linkedin"></a><a target="_blank" rel="noreferrer" href="" class="w-8"><img class="w-8" src="" alt="youtube"></a><a target="_blank" rel="noreferrer" href="" class="w-8"><img class="w-8" src="" alt="instagram"></a> </div> <div class="w-70-l tr-l tl-ns"> <div> <span class="main-footer__copyright f1">© <!-- -->2025<!-- --> Cloudflare, Inc.<!-- --> </span><span class="main-footer__copyright f1">|</span><a href="" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Privacy Policy<!-- --> </a><span class="main-footer__copyright f1">|</span><a href="" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Terms of Use<!-- --> </a><span class="main-footer__copyright f1">|</span><a href="" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Report Security Issues<!-- --> </a><span class="main-footer__copyright f1">|</span><img class="mw2 ph1" src="/images/privacy-options.svg" alt="Privacy Options"><a href="" id="ot-sdk-btn" class="ot-sdk-show-settings main-footer__copyright f1 no-underline underline-hover"><span class="brandGray5">Cookie Preferences</span> </a><span class="main-footer__copyright f1">|</span><a href="" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Trademark<!-- --> </a> </div> </div> </div> </div> </footer> <script defer src="" integrity="sha512-ZpsOmlRQV6y907TI0dKBHq9Md29nnaEIPlkf84rnaERnq6zvWvPUqr2ft8M1aS28oN72PdrCzSjY4U6VaAw1EQ==" data-cf-beacon="{"rayId":"913925038fac9855","version":"2025.1.0","serverTiming":{"name":{"cfExtPri":true,"cfL4":true,"cfSpeedBrain":true,"cfCacheStatus":true}},"token":"2bc156e5f250476cb274d269511ffb57","b":1}" crossorigin="anonymous"></script> <script>function gtElInit() {var lib = new google.translate.TranslateService();lib.translatePage('pl', 'de', function () {});}</script> <script src="" type="text/javascript"></script> </body> </html>