Cloudflare

Rationale#

Cloudflare is our SaaS provider for several infrastructure services: DNSSEC, DDoS protection, rate limiting, auto-renewable SSL/TLS certificates, a content delivery network (CDN), a Web Application Firewall (WAF), and anti-bot capabilities, among others.

The main reasons why we chose it over other alternatives are:

  1. Building network and security solutions is simple, because all of its components are designed to work together.
  2. It can be fully managed using Terraform.
  3. It provides highly detailed analytics on site traffic, covering both performance and security.
  4. It offers a fast, privacy-focused DNS service.
  5. It supports DNSSEC.
  6. It has easy-to-implement SSL/TLS certificates that are validated and renewed automatically.
  7. It provides a Web Application Firewall with preconfigured rule sets, DDoS mitigation, rate limiting, and anti-bot capabilities, among others.
  8. It has a CDN with optimized routing, HTTP/3 support, customizable cache TTLs, and data centers all over the world. Caching works out of the box and can be customized by changing its default settings.
  9. It provides Workers, a serverless platform for running code at the edge. We use it specifically to set security headers on all our sites.
  10. It has Page Rules that make it easy to implement HTTP redirections, cache rules, and encryption rules, among others.

Alternatives#

The following alternatives were considered but not chosen for the following reasons:

  1. Akamai: It is not as widely used, which means less community support. It is much more expensive, and setting up its services seems more complicated than on Cloudflare.
  2. AWS Certificate Manager: Issuing certificates also required managing the DNS validation records ourselves.
  3. AWS CloudFront: Creating distributions was very slow. Each distribution had to be connected to an S3 bucket and that connection maintained. A Lambda function was required to serve URLs without an explicit index.html at the end. Overall, too much overhead was needed to make things work.
  4. AWS Route 53: It did not support DNSSEC signing when we evaluated it (support was added later), and it is not as fast or as flexible as Cloudflare's DNS.
  5. AWS Web Application Firewall: It must be attached to a resource that serves the application (an Application Load Balancer, API Gateway, or CloudFront distribution), so protecting a static site with it would also have required adopting CloudFront. It is not as flexible as Cloudflare's Web Application Firewall.

Usage#

We use Cloudflare for:

  1. Overall network configurations.
  2. DNS Records.
  3. HTTP Redirections.
  4. Managing security headers.
  5. Managing digital certificates.
  6. Managing rate limiting.
  7. Managing CDN Cache.

We do not use the following Cloudflare services:

  1. Argo Tunnel (now Cloudflare Tunnel): pending review.
  2. Railgun: only supported on apt- and yum-based systems (and since deprecated by Cloudflare).

Guidelines#

  1. Any changes to Cloudflare's infrastructure must be made via Merge Requests that modify its Terraform module.
  2. To learn how to test and apply infrastructure changes via Terraform, see the Terraform Guidelines.
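The following fragment shows what a Terraform module covering the services listed under Usage looks like (DNS records, DNSSEC, certificate settings, an HTTP redirection, rate limiting, and the Worker that sets security headers). It is an added illustration, not our actual module: the domain example.com, the origin address, the account and zone IDs, the /login path, the header values and the Cloudflare provider 4.x resource syntax are all assumptions, and the Content-Security-Policy in the Worker would have to be tuned per site.

```hcl
terraform {
  required_providers {
    cloudflare = { source = "cloudflare/cloudflare", version = "~> 4.0" }
  }
}

variable "cloudflare_api_token" {
  type      = string
  sensitive = true # scoped token, passed as TF_VAR_cloudflare_api_token; never committed
}
variable "account_id" { type = string } # assumed: our Cloudflare account ID
variable "zone_id" { type = string }    # assumed: zone ID of example.com

provider "cloudflare" {
  api_token = var.cloudflare_api_token
}

# DNS record, proxied so the WAF, CDN and edge TLS apply to it.
resource "cloudflare_record" "www" {
  zone_id = var.zone_id
  name    = "www"
  type    = "A"
  value   = "203.0.113.10" # assumed origin address (documentation range)
  proxied = true
  ttl     = 1 # "automatic", required for proxied records
}

# DNSSEC signing for the zone; the DS record still has to be published at the registrar.
resource "cloudflare_zone_dnssec" "this" {
  zone_id = var.zone_id
}

# Certificates and transport: "strict" validates the origin certificate, so edge-to-origin traffic is never plaintext.
resource "cloudflare_zone_settings_override" "tls" {
  zone_id = var.zone_id
  settings {
    ssl              = "strict"
    always_use_https = "on"
    min_tls_version  = "1.2"
  }
}

# HTTP redirection: apex to www, preserving the path.
resource "cloudflare_page_rule" "apex_to_www" {
  zone_id  = var.zone_id
  target   = "example.com/*"
  priority = 1
  actions {
    forwarding_url {
      url         = "https://www.example.com/$1"
      status_code = 301
    }
  }
}

# Rate limiting: 20 POSTs to /login per minute per client IP, then block that IP for 10 minutes.
resource "cloudflare_ruleset" "login_rate_limit" {
  zone_id = var.zone_id
  name    = "login-rate-limit"
  kind    = "zone"
  phase   = "http_ratelimit"
  rules {
    description = "Throttle credential guessing against /login"
    expression  = "(http.request.uri.path eq \"/login\" and http.request.method eq \"POST\")"
    action      = "block"
    ratelimit {
      characteristics     = ["cf.colo.id", "ip.src"]
      period              = 60
      requests_per_period = 20
      mitigation_timeout  = 600
    }
  }
}

# Worker that sets security headers on every response, and the route that binds it to the site.
resource "cloudflare_worker_script" "security_headers" {
  account_id = var.account_id
  name       = "security-headers"
  content    = <<-JS
    addEventListener("fetch", (event) => event.respondWith(handle(event.request)));
    async function handle(request) {
      const upstream = await fetch(request);
      const response = new Response(upstream.body, upstream); // fetch() headers are immutable; copy first
      response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
      response.headers.set("X-Content-Type-Options", "nosniff");
      response.headers.set("X-Frame-Options", "DENY");
      response.headers.set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'");
      response.headers.delete("Server"); // do not advertise origin software
      return response;
    }
  JS
}

resource "cloudflare_worker_route" "security_headers" {
  zone_id     = var.zone_id
  pattern     = "www.example.com/*"
  script_name = cloudflare_worker_script.security_headers.name
}
```

Two points worth checking before applying a module like this: the rate-limit expression only matches the login path, so a `terraform plan` should show no change to the rest of the zone, and the HSTS `preload` directive is effectively irreversible once the domain is submitted to the preload list, so only enable it when every subdomain is already served over HTTPS.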