Cloudflare Blog

Why it matters: DNSSEC failures at the TLD level can cause massive internet outages. Understanding mitigation strategies like 'serve stale' and Negative Trust Anchors is crucial for SREs and network engineers to maintain availability during upstream cryptographic failures.

DENIC published incorrect DNSSEC signatures for the .de TLD, causing validating resolvers to return SERVFAIL for millions of domains.
DNSSEC ensures data integrity through a chain of trust; a failure at the TLD level breaks validation for all child zones.
Cloudflare utilized 'serve stale' (RFC 8767) to continue providing cached records past their TTL, mitigating immediate user impact.
The incident caused a massive spike in query volume as clients repeatedly retried failed DNS requests.
Cloudflare implemented Negative Trust Anchors (NTA) per RFC 7646 to temporarily bypass validation for the .de zone while the registry fixed the issue.

#sre #security

Read original

Cloudflare BlogMay 1, 2026

Code Orange: Fail Small is complete. The result is a stronger Cloudflare network

Why it matters: This initiative demonstrates how large-scale platforms can mitigate global outages by treating configuration as code, implementing progressive rollouts, and ensuring emergency access remains independent of the primary network infrastructure. It's a blueprint for high-availability systems.

Introduced Snapstone, a new internal system for health-mediated, progressive configuration rollouts with automated rollback capabilities.
Implemented 'fail stale' and 'fail open/close' strategies across critical services to ensure traffic delivery even during configuration failures.
Adopted customer cohort segmentation for system updates, deploying changes to less critical segments first to minimize blast radius.
Enhanced 'break glass' procedures by establishing emergency access pathways independent of Cloudflare’s own Zero Trust infrastructure.
Standardized risk reviews and operational patterns to prevent configuration drift and ensure long-term infrastructure resilience.

#sre #dist #security

Read original

Cloudflare BlogMay 1, 2026

Introducing Dynamic Workflows: durable execution that follows the tenant

Why it matters: It enables platforms to run user-defined, durable logic without static deployments. By combining dynamic compute with durable execution, developers can build complex agentic systems and SaaS platforms where every tenant has unique, long-running business logic in isolated sandboxes.

Cloudflare introduced Dynamic Workflows to enable durable execution for multi-tenant applications where code is provided at runtime.
The system bridges the gap between Cloudflare Workflows' durable execution and Dynamic Workers' isolated, on-demand compute primitives.
A 'Worker Loader' pattern routes workflow lifecycle events to the correct tenant's isolated sandbox using a lightweight TypeScript library.
Supports standard Workflow features including step.do(), hibernation, retries, and long-running sleeps within dynamically loaded code.
Tenants can write idiomatic Workflows code without awareness of the underlying dispatch and routing logic handled by the platform.
This architecture allows SaaS platforms and AI agent frameworks to execute unique, user-defined logic without requiring static deployments.

#dist #mlp

Read original

Cloudflare BlogApr 30, 2026

Post-quantum encryption for Cloudflare IPsec is generally available

Why it matters: It allows engineers to secure WAN traffic against future quantum threats using existing Cisco and Fortinet hardware. By standardizing on hybrid ML-KEM, it provides a scalable, interoperable path to post-quantum security without requiring specialized, non-scalable QKD hardware.

Cloudflare has announced the general availability of post-quantum encryption for its IPsec WAN Network-as-a-Service.
The implementation utilizes a hybrid ML-KEM (FIPS 203) approach, combining classical Diffie-Hellman with post-quantum algorithms for the IKEv2 handshake.
Interoperability is confirmed with major hardware vendors, including Cisco 8000 Series routers and Fortinet FortiOS 7.6.6+.
This update protects against 'harvest-now-decrypt-later' attacks by securing data plane traffic with quantum-resistant session keys.
The software-based approach avoids the scalability and hardware limitations of Quantum Key Distribution (QKD) by running on standard processors.

#security #dist

Read original

Cloudflare BlogApr 30, 2026

Agents can now create Cloudflare accounts, buy domains, and deploy

Why it matters: This integration removes manual friction from infrastructure setup, allowing AI agents to handle end-to-end deployment. By standardizing service discovery, identity, and payments, it enables fully autonomous DevOps workflows while maintaining human-in-the-loop oversight.

Cloudflare and Stripe have co-designed a new protocol allowing AI agents to autonomously provision accounts, register domains, and deploy software.
The system utilizes Stripe as an identity provider to automatically create or link Cloudflare accounts without manual dashboard intervention.
Agents can discover infrastructure services via a REST API catalog, enabling them to select and configure necessary resources for a project.
Integrated payment tokenization allows agents to handle paid subscriptions and domain purchases on behalf of the user.
The workflow supports Cloudflare’s Code Mode MCP server and Agent Skills to enhance the agent's ability to interact with Cloudflare APIs.
Human-in-the-loop oversight is maintained for granting permissions and accepting terms of service, while eliminating manual API token management.

#sre #finops #mlp

Read original

Cloudflare BlogApr 28, 2026

Shutdowns, power outages, and conflict: a review of Q1 2026 Internet disruptions

Why it matters: Monitoring global disruptions helps engineers distinguish between application bugs and systemic infrastructure failures. These events underscore the importance of multi-region redundancy and the technical mechanisms, like BGP and filtering, that govern global internet reachability.

Uganda's election-related shutdown reduced domestic traffic from 72 Gbps to 1 Gbps, demonstrating the impact of state-mandated mobile network suspensions.
Iran's first Q1 shutdown involved a massive loss of announced IPv6 address space, specifically impacting ISPs like Asiatech and RASANA.
Technical analysis suggests Iran's second shutdown utilized filtering rather than BGP route withdrawals, as IP space remained announced despite traffic drops.
Physical infrastructure failures, including three grid collapses in Cuba and cable damage in Congo, caused significant regional connectivity gaps.
Military actions in Ukraine and the Middle East directly impacted hyperscaler cloud infrastructure and regional network stability.

#dist #security #data

Read original

Cloudflare BlogApr 22, 2026

Making Rust Workers reliable: panic and abort recovery in wasm‑bindgen

Why it matters: This update solves sandbox poisoning where a single Rust panic could crash an entire Wasm instance. By upstreaming recovery to wasm-bindgen, engineers get better reliability for stateful workloads like Durable Objects and improved error handling across the Rust-JS boundary.

Cloudflare improved Rust Worker reliability by contributing panic and abort recovery mechanisms to the upstream wasm-bindgen toolchain.
Implemented panic=unwind support using the WebAssembly Exception Handling proposal, allowing Rust destructors to run and preserving instance state for stateful workloads.
Updated the walrus parser and wasm-bindgen descriptor interpreter to support Wasm try/catch instructions and proper stack unwinding.
Introduced extern C-unwind for exports and the MaybeUnwindSafe trait for closures to ensure safe error propagation across the Rust-JavaScript boundary.
Developed abort recovery to detect fatal traps like OOM, preventing the re-execution of poisoned Wasm modules and ensuring clean reinitialization for subsequent requests.

#sre #dist

Read original

Cloudflare BlogApr 21, 2026

Moving past bots vs. humans

Why it matters: As AI agents blur the lines between human and bot traffic, engineers must pivot from binary detection to behavioral security. This shift is crucial for protecting resources, ensuring fair data usage, and maintaining the economic viability of the open web.

Traditional bot detection based on human interaction patterns is becoming obsolete as AI agents and automation tools mimic or bypass standard browser behaviors.
The shift from binary human vs. bot classification to intent-based analysis is necessary to manage resource allocation and content distribution effectively.
AI agents disrupt the historical balance between publishers and users by fetching raw data without rendering pages, bypassing ad monetization and attribution.
Modern web protection must focus on specific outcomes like attack mitigation and crawler load proportionality rather than abstract humanity.
Emerging standards like HTTP message signatures for bot authentication and private rate limiting help identify legitimate automated traffic.

#security #dist #mlp

Read original

Cloudflare BlogApr 20, 2026

Orchestrating AI Code Review at scale

Why it matters: Scaling AI code reviews requires moving beyond simple prompts to multi-agent orchestration. This architecture demonstrates how to integrate LLMs into CI/CD pipelines reliably, handling large-scale diffs and specialized domain knowledge while maintaining high signal-to-noise ratios.

Cloudflare replaced naive AI summarization with a multi-agent orchestration system built on OpenCode to reduce code review bottlenecks.
The architecture uses a composable plugin system with distinct lifecycle phases to isolate VCS logic from AI provider configurations.
Seven specialized agents cover domains like security and performance, managed by a coordinator that deduplicates findings and judges severity.
To handle massive merge requests, the system passes prompts via stdin to avoid Linux kernel ARG_MAX limits and E2BIG errors.
The implementation leverages the Model Context Protocol (MCP) to allow agents to interact with GitLab APIs for context and commenting.
The system is CI-native and has been deployed across tens of thousands of internal merge requests to improve engineering resiliency.

#mlp #sre #security

Read original

Cloudflare BlogApr 20, 2026

The AI engineering stack we built internally — on the platform we ship

Why it matters: Cloudflare demonstrates how to build a production-grade AI engineering stack using its own infrastructure. It provides a blueprint for using MCP, AI Gateway, and sandboxed execution to boost developer velocity while maintaining security and cost control at scale.

Cloudflare integrated AI into its engineering stack using its own platform, resulting in 93% adoption across R&D and a near doubling of weekly merge requests.
The architecture leverages AI Gateway for centralized LLM routing, cost tracking, and zero-trust security across multiple model providers.
Internal developers use MCP (Model Context Protocol) servers to give AI agents access to internal tools, documentation, and infrastructure.
The stack utilizes Workers AI for low-latency inference on open-weight models, reducing reliance on external frontier model providers.
New tools like the Sandbox SDK and Agents SDK provide isolated environments and stateful sessions for agent-generated code execution.
A Knowledge Layer using Backstage and AGENTS.md files helps agents understand complex internal systems and service dependencies.

#mlp #culture #security

Read original

Page 3 of 18

Prev 1 2 3 4 5...18 Next