Cloudflare Blog

https://blog.cloudflare.com/

Cloudflare BlogJun 16, 2026

Cloudflare DMARC Management is now generally available

Get unified visibility into your email authentication posture and reach full DMARC enforcement with deeper reporting, record analysis, and SPF audits free for every Cloudflare customer.

Read original

Cloudflare BlogJun 15, 2026

Growing the Cloudflare AI team with talent from Ensemble AI

Why it matters: Reducing AI inference costs and memory overhead is critical for scaling apps. Integrating architectural-level model compression like NdLinear allows Cloudflare to run complex LLMs more efficiently on its global network, improving performance and economic viability for developers.

Cloudflare is integrating the Ensemble AI team to enhance its AI infrastructure and improve inference efficiency.
Ensemble AI developed NdLinear, a drop-in replacement for standard linear layers that reduces parameter counts by operating on multidimensional activations.
The team introduced NdLinear-LoRA, an efficient adaptation method designed to reduce the trainable parameters required for fine-tuning large models.
These architectural optimizations aim to reduce memory, compute, and deployment overhead for LLMs and multimodal models.
The technology will be integrated into Cloudflare Workers AI, complementing existing tools like the Infire inference engine and Unweight tensor compression.
The focus is on improving the economics of AI by optimizing GPU utilization and enabling scalable, globally distributed inference.

#mlp #dist #finops

Read original

Cloudflare BlogJun 12, 2026

Scaling Security Insights: how we achieved a 10x increase in global scanning capacity

Why it matters: This article demonstrates how to scale distributed systems by identifying bottlenecks in message processing, database I/O, and network latency. It provides practical patterns like lane-splitting and batching to handle 10x growth in high-throughput security scanning environments.

Increased scanning throughput 10x by implementing parallel processing in Go microservices to consume Kafka messages in batches via goroutines.
Eliminated head-of-line blocking by splitting consumer groups into 'fast lane' and 'slow lane' paths based on account asset volume.
Optimized database performance by replacing individual row inserts with a hybrid approach using UNNEST and COPY for bulk operations.
Reduced API timeouts and latency by relocating service instances to the same geographic region as the primary Postgres database.
Transitioned from opt-in to automatic scanning for millions of accounts while doubling the frequency of security checks.

#security #dist #sre

Read original

Cloudflare BlogJun 10, 2026

Route public traffic to private applications with Cloudflare

Why it matters: This feature allows engineers to apply enterprise-grade security and performance tools to internal services without public exposure. It simplifies hybrid cloud networking by treating private IPs as standard origins, reducing operational overhead and the risk of misconfigured firewall rules.

Cloudflare launched Application Services for Private Origins, allowing public traffic to reach private IPs without exposing them to the public internet.
The service enables WAF, bot management, rate limiting, and Workers to protect internal APIs, AI backends, and MCP servers.
It integrates with existing Cloudflare WAN and Mesh connectivity, removing the requirement for running connector software like cloudflared on every origin.
Engineers can toggle private network routing for A/AAAA records, supporting RFC 1918, CGNAT, and Unique Local IPv6 address ranges.
The unified routing model simplifies infrastructure by eliminating the need for parallel stacks like public-facing load balancers or complex VPNs.
This architecture treats security as a property of traffic rather than a result of network location, bridging the gap between public and private infrastructure.

#security #sre #dist

Read original

Cloudflare BlogJun 9, 2026

Defend against frontier cyber models: Cloudflare's architecture as customer zero

Why it matters: AI models now automate exploit generation at scale, making the speed of patching insufficient. Engineers must shift toward resilient architectures that prioritize behavioral scoring and Zero Trust containment over reactive signature-based defenses.

Frontier models like Mythos accelerate vulnerability discovery and exploit chain construction, allowing attackers to move faster than traditional patching cycles.
Cloudflare utilizes its own infrastructure as 'customer zero,' applying its security stack to its own code and employees before external release.
Defense is shifting from static signatures to ML-based scoring, using WAF Attack Score to identify and block mutated, AI-generated payloads in real-time.
Zero Trust principles, including mTLS and microsegmentation, are critical for containing the blast radius when a vulnerability is inevitably exploited.
Visibility across 20% of global web traffic allows Cloudforce One to convert network-wide insights into automated threat intelligence and rapid WAF rule deployment.
The architecture around a vulnerability is more important than the speed of the patch, as AI can bypass signature-based detections through rapid adaptation.

#security #mlp

Read original

Cloudflare BlogJun 8, 2026

Turning Cloudflare’s threat indicators into real-time WAF rules

Why it matters: This integration allows engineers to automate security responses using real-time global threat intelligence. By exposing live actor and industry data directly in the WAF, teams can proactively block sophisticated attacks with minimal latency and full Infrastructure as Code support.

Cloudflare now integrates live Threat Events data directly into its WAF engine for proactive, real-time mitigation.
New WAF fields allow filtering by threat actor names, targeted industries, and specific attack types like DDoS or cybercrime.
The always-on detection framework eliminates the log vs. block trade-off by enriching request metadata before action is taken.
Security rules can be managed via UI, API, or Terraform, supporting automated Infrastructure as Code workflows.
Future updates plan to extend matching capabilities beyond IP addresses to include JA3 fingerprints and domain-based indicators.

#security #dist #data

Read original

Cloudflare BlogJun 5, 2026

Your AI bill is out of control. Cloudflare can fix it now.

Why it matters: Uncontrolled AI spend is a major challenge for organizations. These tools provide the observability and governance needed to scale AI usage sustainably by offering granular cost attribution and automated guardrails to prevent unexpected bill shock.

Cloudflare AI Gateway now features dollar-based spend limits to prevent budget overages across multiple AI providers.
A new closed beta introduces identity-driven budgets, integrating with Cloudflare Access to attribute costs to specific users or teams.
Dynamic routing allows for automatic fallback to cheaper models once a primary budget threshold is reached, ensuring service continuity.
The gateway provides unified logging and real-time analytics for token counts and costs across OpenAI, Anthropic, Google, and others.
Administrators can define granular policies based on custom attributes, model types, or identity provider (IdP) groups.

#finops #mlp #security

Read original

Cloudflare BlogJun 4, 2026

VoidZero is joining Cloudflare

Why it matters: Cloudflare’s acquisition of VoidZero secures the future of Vite as a vendor-neutral foundation for the JS ecosystem. By integrating high-performance tools like Oxc and Rolldown, they aim to provide production-parity dev environments and faster feedback loops essential for AI-driven coding.

VoidZero, the team behind Vite, Vitest, Rolldown, and Oxc, is joining Cloudflare to accelerate development of the JavaScript toolchain.
All core projects will remain MIT-licensed, vendor-agnostic, and community-driven, ensuring portability across hosting providers.
Cloudflare is establishing a $1 million Vite ecosystem fund to support maintainers and contributors across the broader community.
The partnership builds on the Vite Environment API, enabling local development within the workerd runtime for production parity.
The acquisition aims to optimize the toolchain for AI-driven development, focusing on fast feedback loops for builds, tests, and linting.

#frontend #culture #dist

Read original

Cloudflare BlogJun 3, 2026

Enforcing the First AS in BGP AS_PATHs

Why it matters: BGP hijacks using forged paths threaten global internet stability. Enforcing First AS checks prevents peers from advertising routes they do not actually transit, closing a security gap that RPKI and ASPA alone may miss. This is vital for maintaining routing integrity and trust.

Recent BGP hijacks involve attackers forging AS_PATHs with unused ASNs to misdirect traffic and conceal their identity.
Analysis of these hijacks reveals implausible routing relationships, such as unused regional ASNs appearing behind global transit providers.
First AS enforcement is a critical BGP security mechanism that verifies a peer's ASN is the first entry in an advertised route.
While RPKI-ROV and ASPA improve security, they can be bypassed if attackers use valid origin ASNs, making First AS checking a necessary defense.
Cloudflare's research indicates that some major networks fail to enforce First AS checks, allowing forged paths to propagate globally.

#security #dist

Read original

Cloudflare BlogJun 1, 2026

How we reduced core unit boot time from hours to minutes

Why it matters: Inefficient boot sequences can paralyze large-scale infrastructure maintenance. This case study highlights how low-level firmware quirks impact fleet-wide automation and demonstrates the importance of explicit configuration over default discovery in bare-metal environments.

Cloudflare's Gen12 core servers experienced boot delays of up to four hours following a firmware update due to inefficient network boot interface probing.
The root cause was a linear search through multiple network boot protocols (IPv4 HTTPS, iPXE, IPv6), with each failed attempt incurring a five-minute timeout.
Because firmware upgrades require multiple sequential reboots, these 20-minute per-boot penalties compounded into hours of idle time across a 2,000-unit fleet.
Engineers optimized the process by explicitly declaring the correct boot interface early in the pre-boot PXE stage, bypassing the automated search.
The solution involved implementing state validation to handle configuration resets post-upgrade and managing vendor-specific NIC string formats.
This optimization restored boot times to minutes, significantly reducing maintenance windows and accelerating the deployment of new capacity.

#sre #dist

Read original

Page 1 of 18

Prev1 2 3...18 Next