Cloudflare
Last updated: Mar 11, 2026
Rationale
Cloudflare is our SaaS provider for some infrastructure solutions like DNSSEC, DDoS Protection, Rate limiting, Auto-Renewable SSL certificates, Content delivery network, Web Application Firewall, Anti-bot capabilities, Zero Trust Network Access, among others.
The main reasons why we chose it over other alternatives are:
- Creating network and security solutions is very easy, as all its components are seamlessly connected.
- It can be fully managed using Terraform.
- It provides highly detailed analytics regarding site traffic in terms of both performance and security.
- It has the Fastest privacy-focused DNS service on the market.
- It supports DNSSEC.
- It has easy-to-implement, auto-renewable, auto-validated SSL certificates.
- It provides a Web Application Firewall with preconfigured rules, DDoS mitigation, rate limiting, anti-bot capabilities, among others.
- It has a CDN with special routing protocols, HTTP/3 support, Customizable cache TTL, and datacenters all over the world. Cache comes automatically configured and is customizable by just changing its default settings.
- It provides Workers, a serverless approach for developing applications. We use it for the specific purpose of configuring security headers for all our sites.
- It has Page rules that allow for easy implementation of HTTP redirections, cache rules, and encryption rules, among others.
- It provides Zero Trust features, which are essential for our Connector and Egress access mechanisms, as well as for allowing Fluid Attacks talent to navigate the Internet safely using Cloudflare WARP.
Alternatives
The following alternatives were considered but not chosen for the following reasons:
- Akamai: It is not as widely used, resulting in less community support. It is much more expensive and setting up its services seems more complicated when comparing it to Cloudflare.
- AWS Certificate Manager: Creating digital certificates required to also manage DNS validation records.
- AWS CloudFront:
Creating distributions was very slow.
Connecting them to an S3 bucket and maintaining such a connection
was necessary.
A Lambda
was required in order to support accessing URLs
without having to specify
index.htmlat the end. Overall speaking, too much overhead was required to make things work. - AWS Route53: This service does not support DNSSEC. It is not as fast or as flexible as Cloudflare's DNS.
- AWS Web Application Firewall: It needs to be connected to a load balancer serving an application; it does not work for static sites. It is not as flexible as Cloudflare's Web Application Firewall.
- Tailscale: It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs, which is essential for the Egress access mechanism. Being able to do so is essential for Fluid Attacks' platform to be able to display ZTNA navigation logs. It does not provide a client for safely navigating the Internet.
- NoPorts: It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It had a much more complex installation process. It did not support Egress IPs, which is essential for the Egress access mechanism. It did not support navigation logging, which is essential for Fluid Attacks' platform to be able to display ZTNA navigation logs. In general, it looks like a very basic solution for establishing SSH, SFTP or RDP connections to personal devices via the Internet. It does not provide a client for safely navigating the Internet.
- ZeroTier: It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs, which is essential for the Egress access mechanism. It did not support navigation logging, which is essential for Fluid Attacks' platform to be able to display ZTNA navigation logs. In general, it looks like a very basic solution for establishing SSH, SFTP or RDP connections to personal devices via the Internet. It does not provide a client for safely navigating the Internet.
- Genians: It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs, which is essential for the Egress access mechanism. It did not support navigation logging, which is essential for Fluid Attacks' platform to be able to display ZTNA navigation logs. It focuses on on-premise architectures and relies on having servers or virtual machines completely focused on managing the ZTNA network, which increases complexity and introduces a single point of failure. Its documentation is way harder to understand compared to other alternatives. Its implementation is way more complex when compared to other alternatives. It does not provide a client for safely navigating the Internet.
Usage
We use Cloudflare for:
- Overall network configurations
- DNS Records
- HTTP Redirections
- Managing security headers
- Managing digital certificates
- Managing rate limiting
- Managing CDN Cache
- Hosting
.comand.iosupported TLDs using Cloudflare Registrar - Allowing Fluid Attacks to connect to applications owned by its clients via Connector or Egress access mechanisms
- Allowing Fluid Attacks employees to navigate the Internet safely using Cloudflare WARP
We do not use the following Cloudflare services:
- Argo Tunnel (pending review).
- Railgun: Only supported on apt and yum.
- Hosting domains with
.coand.laare not supported TLDs. For these domains, we use GoDaddy.