Cloudflare
Rationale
Cloudflare is our SaaS provider for some infrastructure solutions like DNSSEC, DDoS Protection, Rate limiting, Auto-Renewable SSL certificates, Content delivery network, Web Application Firewall, Anti-bot capabilities, among others.
The main reasons why we chose it over other alternatives are:
- Creating network and security solutions is very easy, as all its components are seamlessly connected.
- It can be fully managed using Terraform.
- It provides highly detailed analytics regarding site traffic in terms of both performance and security.
- It has the fastest privacy-focused DNS service on the market.
- It supports DNSSEC.
- It has easy-to-implement, auto-renewable, auto-validated SSL certificates.
- It provides a Web Application Firewall with preconfigured rules, DDoS mitigation, rate limiting, anti-bot capabilities, among others.
- It has a CDN with special routing protocols, HTTP/3 support, Customizable cache TTL, and datacenters all over the world. Cache comes automatically configured and is customizable by just changing its default settings.
- It provides Workers, a serverless approach for developing applications. We use it for the specific purpose of configuring security headers for all our sites.
- It has Page Rules that allow you to easily implement HTTP redirections, cache rules, encryption rules, among others.
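The Worker-based security-header setup mentioned above, shown as an added example: this is illustrative code, not the project's own Worker, and the header values and the stripped `Server`/`X-Powered-By` names are assumptions chosen for the example. It uses the service-worker `addEventListener('fetch', ...)` form so the same functions can also be called directly to audit a response.

```javascript
// Added example: a Cloudflare Worker that rewrites every proxied response so it
// carries a fixed set of security headers. Values are illustrative assumptions.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

// Origin headers that only reveal server software; they are dropped before
// the response reaches the client (assumed list).
const STRIP_HEADERS = ['Server', 'X-Powered-By'];

// Pure function: copies the origin's headers, removes the fingerprinting ones
// and sets (overriding if present) each required security header.
function applySecurityHeaders(originHeaders) {
  const headers = new Headers(originHeaders);
  for (const name of STRIP_HEADERS) headers.delete(name);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) headers.set(name, value);
  return headers;
}

// Audit helper: names of the required security headers absent from a response.
// Useful as a check in tests or on responses fetched from a deployed site.
function missingSecurityHeaders(headers) {
  return Object.keys(SECURITY_HEADERS).filter((name) => !headers.has(name));
}

// Fetch from the origin and return the same status and body with rewritten
// headers. Response headers are immutable, so a new Response is built.
async function handleRequest(request) {
  const originResponse = await fetch(request);
  return new Response(originResponse.body, {
    status: originResponse.status,
    statusText: originResponse.statusText,
    headers: applySecurityHeaders(originResponse.headers),
  });
}

// Register the handler only inside the Workers runtime, where the global
// addEventListener exists; when imported elsewhere, the functions stay testable.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```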
Alternatives
The following alternatives were considered but not chosen for the following reasons:
- Akamai: It is not as widely used, resulting in less community support. It is much more expensive, and setting up its services seems more complicated when compared to Cloudflare.
- AWS Certificate Manager: Creating digital certificates required to also manage DNS validation records.
- AWS CloudFront: Creating distributions was very slow. Connecting them to an S3 bucket and maintaining that connection was necessary. A Lambda was required in order to support accessing URLs without having to specify index.html at the end. Overall, too much overhead was required to make things work.
- AWS Route53: This service does not support DNSSEC, and it is not as fast or as flexible as Cloudflare's DNS.
- AWS Web Application Firewall: It needs to be connected to a load balancer serving an application; it does not work for static sites. It is not as flexible as Cloudflare's Web Application Firewall.
Usage
We use Cloudflare for:
- Overall network configurations.
- DNS Records.
- HTTP Redirections.
- Managing security headers.
- Managing digital certificates.
- Managing rate limiting.
- Managing CDN Cache.
- Hosting domains with supported TLDs (.com and .io) using Cloudflare Registrar.
We do not use the following Cloudflare services:
- Argo Tunnel: Pending to review.
- Railgun: Only supported on apt and yum.
- Hosting domains with unsupported TLDs (.co and .la). For these domains we use GoDaddy.
Guidelines
- Any changes to Cloudflare's infrastructure must be done via Merge Requests modifying its Terraform module.
- To learn how to test and apply infrastructure via Terraform, visit the Terraform Guidelines.