Cloudflare Blog

https://blog.cloudflare.com/

Cloudflare BlogMar 24, 2026

Why it matters: This technology enables secure, high-performance execution of AI-generated code. By replacing heavy containers with lightweight V8 isolates, engineers can build responsive, consumer-scale AI agents that operate with minimal latency and significantly lower infrastructure costs.

Cloudflare's Dynamic Worker Loader allows Workers to instantiate new, isolated sandboxes at runtime using AI-generated code.
Built on V8 isolates, these sandboxes start in milliseconds and use minimal memory, performing 100x faster than traditional Linux containers.
The system enables 'Code Mode,' where agents write TypeScript to call APIs directly, reducing token usage by up to 81% compared to standard tool calling.
Dynamic Workers run on the same thread as the parent Worker, ensuring zero-latency execution across Cloudflare's global edge network.
Security is enforced through strict isolation and RPC-based capability sharing, allowing fine-grained control over what the AI-generated code can access.

#mlp #security #dist

Read original

Cloudflare BlogMar 23, 2026

Inside Gen 13: how we built our most powerful server yet

Why it matters: Cloudflare's Gen 13 hardware shows how software shifts, like the Rust-based FL2, enable radical hardware optimizations. By reducing cache dependency, they achieved 2x throughput and 50% better power efficiency, which is critical for scaling global edge networks sustainably.

Gen 13 features the 192-core AMD EPYC Turin 9965 processor, doubling the core count and hardware threads compared to the previous generation.
The hardware refresh leverages Cloudflare's FL2 Rust-based rewrite, which reduces L3 cache dependency and allows for linear scaling with higher core counts.
Memory capacity doubled to 768GB of DDR5-6400 across 12 channels, significantly increasing bandwidth for memory-intensive edge workloads.
Networking throughput increased 4x via dual 100 GbE ports, utilizing Intel E830 or NVIDIA Mellanox ConnectX-6 Dx adapters.
The design achieves a 50% improvement in performance-per-watt and 60% higher throughput per rack while maintaining constant power budgets.
Security is bolstered with new PCIe encryption hardware support and a DC-SCM 2.0-based Hardware Root of Trust (HRoT).

#dist #finops #security

Read original

Cloudflare BlogMar 23, 2026

Launching Cloudflare’s Gen 13 servers: trading cache for cores for 2x edge compute performance

Why it matters: This shift demonstrates how software architecture must evolve to match hardware trends. By rewriting core layers in Rust, Cloudflare decoupled performance from cache locality, enabling the use of high-density CPUs to double edge throughput and improve power efficiency.

Cloudflare's Gen 13 servers adopt AMD EPYC 5th Gen (Turin) processors, doubling core counts to 192 per socket.
The new hardware trades per-core L3 cache (2MB vs 12MB in Gen 12) for massive throughput and 32% better power efficiency.
Legacy NGINX/LuaJIT software (FL1) faced 50% latency regressions on the new chips due to increased DRAM fetch cycles.
The transition to FL2, a Rust-based rewrite of the request handling layer, successfully decoupled performance from cache locality.
FL2 allows Gen 13 to achieve 2x edge compute performance gains while maintaining strict latency SLAs.
Engineers utilized AMD Platform Quality of Service (PQOS) to optimize shared resource allocation across Core Complex Dies (CCDs).

#sre #dist #finops

Read original

Cloudflare BlogMar 19, 2026

Powering the agents: Workers AI now runs large models, starting with Kimi K2.5

Why it matters: Cloudflare is evolving Workers AI into a full-stack agent platform by adding frontier-scale models. By combining large context windows with optimized inference and usage-based pricing, they enable cost-effective, high-performance autonomous agents at enterprise scale.

Workers AI now supports frontier-scale models, starting with Moonshot AI’s Kimi K2.5, featuring a 256k context window and vision support.
The platform leverages custom kernels and the Infire inference engine to optimize GPU utilization and throughput for large-scale LLMs.
New prefix caching functionality reduces latency and costs by reusing processed input tokens in multi-turn agentic conversations.
Cloudflare has transitioned Workers AI to a usage-based pricing model, charging per-token to better accommodate high-volume agent workloads.
The integration combines LLMs with existing primitives like Durable Objects and Workflows to provide a unified environment for autonomous agents.

#mlp #dist #finops

Read original

Cloudflare BlogMar 18, 2026

Introducing Custom Regions for precision data control

Why it matters: This allows engineers to meet strict data sovereignty and compliance requirements without losing global DDoS protection. By decoupling ingestion from processing, teams can precisely control where TLS termination and L7 logic occur, which is critical for regulated industries and AI data privacy.

Cloudflare expanded its Regional Services to include Turkey, UAE, IRAP (Australia), and ISMAP (Japan), totaling 35 managed regions.
Introduced Custom Regions, allowing customers to define precise geographical boundaries for traffic processing using expression-based rules.
The architecture decouples global L3/L4 DDoS mitigation at the edge from regional L7 processing and TLS termination.
Traffic entering outside a specified region is routed via a secure private backbone to an in-region data center before decryption.
Custom Regions support specialized use cases like localizing AI inference, meeting government compliance, and aligning with corporate structures.

#security #dist #data

Read original

Cloudflare BlogMar 16, 2026

Standing up for the open Internet: why we appealed Italy’s "Piracy Shield" fine

Why it matters: This case highlights the technical and legal risks of IP-based blocking. For engineers, it underscores how blunt regulatory tools can disrupt shared infrastructure, causing widespread outages for innocent services and challenging the fundamental architecture of the open Internet.

Cloudflare is appealing a €14 million fine from Italy's AGCOM over its refusal to participate in the Piracy Shield blocking system.
Piracy Shield allows private rightsholders to mandate IP-level blocking within 30 minutes without judicial oversight or transparency.
The system relies on IP address blocking, which leads to significant collateral damage as thousands of legitimate sites often share a single IP.
Documented failures include the accidental blocking of Google Drive, Ukrainian government sites, and various NGOs for extended periods.
Cloudflare argues the scheme violates the EU Digital Services Act (DSA) by lacking proportionality and procedural safeguards.
A 2025 study by the University of Twente confirmed that the system routinely causes persistent collateral blocking of legitimate web services.

#security #culture #dist

Read original

Cloudflare BlogMar 13, 2026

From legacy architecture to Cloudflare One

Why it matters: Migrating legacy infrastructure to Zero Trust is notoriously risky. This approach allows engineers to modernize security for old applications without rewriting code, reducing the attack surface via outbound-only tunnels while maintaining session persistence and operational stability.

Adopts a tiered, risk-aware methodology to move applications based on complexity rather than using a risky 'big bang' migration approach.
Utilizes Cloudflare Access to wrap legacy applications in a Zero Trust layer, enabling MFA and SSO without requiring any code changes.
Employs Cloudflare Tunnel to create outbound-only connections, effectively hiding internal services from the public internet by removing public IP addresses.
Conducts pre-migration audits to map backend dependencies and identity providers, ensuring service continuity during the transition.
Leverages Dynamic Path MTU Discovery (PMTUD) to maintain persistent sessions at the edge even when client IP addresses change.

#security #sre

Read original

Cloudflare BlogMar 13, 2026

From legacy architecture to Cloudflare One

Why it matters: Moving from legacy VPNs to Zero Trust is high-risk. This methodology de-risks the process by treating migration as application modernization, allowing engineers to secure legacy systems with MFA and identity-based access without downtime or code changes.

Cloudflare and CDW advocate for a tiered, risk-aware migration strategy to Zero Trust rather than high-risk 'big bang' VPN replacements.
Legacy applications are modernized by 'wrapping' them in Cloudflare Access, adding MFA and SSO capabilities without requiring code rewrites.
Cloudflare Tunnel establishes outbound-only connections, effectively hiding internal applications from the public internet and preventing lateral movement.
Comprehensive pre-migration audits map backend dependencies and identity providers to ensure service continuity during the transition.
Dynamic Path MTU Discovery (PMTUD) is utilized to maintain persistent sessions for legacy architectures even as client IP addresses change.

#security #sre

Read original

Cloudflare BlogMar 12, 2026

Announcing Cloudflare Account Abuse Protection: prevent fraudulent attacks from bots and humans

Why it matters: Modern threats blend human intent with automated scale, making traditional bot detection insufficient. This suite provides privacy-preserving tools like Hashed User IDs and email risk scoring to stop account takeover and promotion abuse without compromising sensitive user data.

Cloudflare introduced Account Abuse Protection to combat hybrid threats involving both automated bots and human-driven fraud.
New features include disposable email checks and email risk scoring to identify throwaway accounts used for promotion abuse.
Hashed User IDs provide a privacy-preserving way to track suspicious activity by cryptographically hashing usernames per domain.
The suite integrates with existing leaked credential detection, which checks passwords against a database of 16 billion compromised records.
Account Takeover (ATO) detection IDs use behavioral anomaly detection to identify suspicious login patterns unique to each customer.
The solution addresses industrialized fraud where attackers use human-powered farms and AI agents to bypass traditional bot defenses.

#security #dist

Read original

Cloudflare BlogMar 11, 2026

Slashing agent token costs by 98% with RFC 9457-compliant error responses

Why it matters: Engineers building AI agents can now handle network errors programmatically and cost-effectively. By replacing verbose HTML with structured data, Cloudflare enables agents to make deterministic decisions like exponential backoff while slashing operational token costs by 98%.

Cloudflare now serves RFC 9457-compliant structured error responses in JSON and Markdown specifically for AI agents.
The new formats replace heavy HTML error pages, reducing payload size and LLM token consumption by over 98%.
Agents can trigger these responses by sending specific Accept headers such as application/problem+json or text/markdown.
Responses include machine-readable metadata like retryable status, retry_after durations, and specific error categories.
The implementation currently covers all 1xxx-class errors, including rate limits, WAF blocks, and DNS resolution issues.
This system requires no configuration from site owners and maintains standard HTML responses for browser-based traffic.

#dist #mlp #sre

Read original

Page 6 of 15

Prev 1...4 5 6 7 8...15 Next