Cloudflare Blog

https://blog.cloudflare.com/

Cloudflare BlogNov 13, 2025

Finding the grain of sand in a heap of Salt

Why it matters: This article is crucial for SREs and infrastructure engineers dealing with large-scale configuration management. It demonstrates how to build systems that automate root cause analysis for CM failures, significantly reducing release delays and operational toil.

Cloudflare tackled the challenge of quickly identifying root causes for Salt configuration management failures across thousands of servers with high change volumes.
Salt, a CM tool, employs a master/minion architecture and declarative state system to manage large fleets and ensure consistent configurations.
Cloudflare's deployment pipeline for Salt changes incorporates blast radius protection and guardrails, designed to "fail safe" by halting deployments upon configuration failure.
While preventing customer impact, these halts necessitate human intervention for root cause analysis, leading to significant SRE toil and release delays.
A new architectural solution enables self-service root cause identification by correlating Salt failures with git commits, external services, and ad hoc releases.
This system has successfully reduced software release delays by over 5% and minimized repetitive triage for SRE teams.

#sre #dist

Read original

Cloudflare BlogNov 12, 2025

Connecting to production: the architecture of remote bindings

Why it matters: This feature significantly enhances local development for Cloudflare Workers, allowing engineers to test against real production data and services without deploying. It streamlines workflows, accelerates iteration, and ensures higher confidence in code changes before deployment.

Cloudflare's remote bindings enable local Worker development to connect directly to deployed production resources like R2 and D1, eliminating the need for full deployments during testing.
This feature significantly enhances the developer experience by allowing engineers to test local code changes against real data and services, accelerating iteration speed and improving confidence.
The new approach unifies the development workflow, replacing the older `wrangler dev --remote` mode with a per-binding `remote: true` option within the standard local development environment.
Architecturally, remote bindings leverage Cloudflare's existing production binding mechanisms, treating them as service bindings rather than creating new API wrappers.
This design avoids the complexity of replicating entire binding API surfaces and ensures compatibility with operations that lack direct HTTP API equivalents, streamlining implementation and maintenance.

#dist #sre

Read original

Cloudflare BlogNov 10, 2025

A closer look at Python Workflows, now in beta

Why it matters: This enables Python developers to build robust, long-running, multi-step applications on Cloudflare Workflows, simplifying complex orchestrations for AI/ML, data pipelines, and task automation. It leverages Python's ecosystem and Cloudflare's durable execution.

Cloudflare Workflows now support Python, enabling developers to orchestrate long-running, multi-step applications using their preferred language, addressing previous TypeScript-only limitations.
This expands Cloudflare's Python support, building on earlier integrations like CPython and Pyodide packages in Workers.
Python Workflows are ideal for automating complex processes such as LLM training, data pipelines, and AI agent development, simplifying architecture and improving reliability.
The implementation leverages Cloudflare Workers' direct Python runtime support and Pyodide's Foreign Function Interface for seamless interoperability with JavaScript-based durable execution APIs.
Workflows provide built-in error handling, retry behavior, and state persistence, crucial for idempotent operations.

#data #mlp #dist

Read original

Cloudflare BlogNov 7, 2025

DIY BYOIP: a new way to Bring Your Own IP prefixes to Cloudflare

Why it matters: This matters because it automates a complex, insecure, and time-consuming BYOIP onboarding process using RPKI, significantly improving routing security and operational efficiency for engineers managing IP address space in the cloud. It offers greater control and faster deployment.

Cloudflare introduced a self-serve BYOIP API, automating the 4-6 week manual process for customers to onboard IP prefixes.
The new system leverages Resource Public Key Infrastructure (RPKI) for robust routing security and automated ownership validation, replacing manual LOA reviews.
Self-serve generates LOAs on customers' behalf, ensuring route acceptance and enhancing security through RPKI ROA and IRR/rDNS checks.
Initial scope is limited to BYOIP prefixes from Cloudflare's AS 13335, utilizing widely available Route Origin Authorization (ROA) objects.
This advancement provides customers with greater control and configurability over their IP space, improving IP address management on Cloudflare's network.

#dist #security #sre

Read original

Cloudflare BlogNov 6, 2025

Async QUIC and HTTP/3 made easy: tokio-quiche is now open-source

Why it matters: This library simplifies integrating high-performance QUIC and HTTP/3 into Rust applications, leveraging Cloudflare's battle-tested solution. It accelerates adoption of modern, efficient internet protocols.

Cloudflare open-sourced tokio-quiche, an asynchronous Rust library integrating their quiche QUIC implementation with the Tokio runtime.
This battle-tested library powers critical Cloudflare services, including iCloud Private Relay and WARP's MASQUE client, handling millions of HTTP/3 requests per second.
tokio-quiche simplifies QUIC and HTTP/3 integration by abstracting complex I/O, overcoming the challenges of sans-io libraries.
It leverages an actor model for state machine management, featuring an IO loop actor and an ApplicationOverQuic trait for protocol flexibility.
The library includes H3Driver variants (ServerH3Driver, ClientH3Driver) to facilitate building HTTP/3 applications.
Its release aims to lower the barrier to entry for HTTP/3 adoption and foster its development across the industry.

#dist #sre

Read original

Cloudflare BlogNov 6, 2025

Extract audio from your videos with Cloudflare Stream

Why it matters: Engineers can now efficiently process video content for audio-specific tasks, saving significant computational resources and simplifying AI/ML and content moderation workflows. This streamlines development and reduces infrastructure costs.

Cloudflare Stream now enables efficient audio extraction from videos, reducing processing costs and complexity for audio-centric workflows.
This feature is crucial for AI/ML applications like transcription, translation, and speech recognition, as well as content moderation.
Audio can be extracted on-the-fly using Media Transformations by adding "mode=audio" to the URL, allowing for clipping specific sections.
Users can also download persistent M4A audio files directly from Stream-managed content.
A Workers AI example demonstrates transcribing audio with Whisper and translating it with M2M100.
The implementation involved extending Cloudflare's existing Video-on-Demand (VOD) and On-the-Fly-Encoding (OTFE) pipelines.

#data #mlp #dist

Read original

Cloudflare BlogNov 5, 2025

How Workers VPC Services connects to your regional private networks from anywhere in the world

Why it matters: This service dramatically simplifies connecting serverless functions to private networks, enabling truly global, cross-cloud applications. It enhances security by providing granular, deploy-time verified access control, reducing traditional networking complexity and cloud lock-in.

Cloudflare Workers VPC Services allow Workers to securely connect to APIs and databases in regional private networks from anywhere globally.
This simplifies cross-cloud application development by using Cloudflare Tunnels, eliminating complex VPC peering and network configurations.
The Workers binding model provides explicit, deploy-time verified access control, exposing only specific services to Workers, not the entire private network.
This design enhances security, making Workers immune to Server-Side Request Forgery (SSRF) attacks.
The system routes requests via Cap'n Proto RPC, a Binding Worker, and the Iris Service across Cloudflare's global network to the private service.
Workers VPC is in beta and available at no additional cost, fostering distributed application development without traditional cloud lock-in.

#dist #security

Read original

Cloudflare BlogNov 4, 2025

Building a better testing experience for Workflows, our durable execution engine for multi-step applications

Why it matters: This update dramatically improves the developer experience for Cloudflare Workflows by enabling isolated, granular, and local testing. It eliminates previous debugging challenges and the need to disable isolated storage, making Workflows a reliable and testable solution for complex applications.

Cloudflare Workflows, a durable execution engine, previously lacked robust testing capabilities, making debugging complex multi-step applications difficult.
The prior testing approach forced developers to disable isolated storage for entire projects, leading to flaky tests and hindering Workflow adoption.
New APIs (`introspectWorkflowInstance`, `introspectWorkflow`) are introduced via `cloudflare:test` and `vitest-pool-workers` (v0.9.0+) for comprehensive, isolated, and local testing.
These APIs enable mocking step results, injecting events, and controlling Workflow instances, significantly improving visibility and debuggability.
Utilizing `await using` and Explicit Resource Management ensures isolated storage for each test, preventing state leakage and promoting reliable test environments.
The update provides fast, reliable, and offline test runs, enhancing the developer experience and making Workflows a more viable option for well-tested Cloudflare applications.

#dist #sre

Read original

Cloudflare BlogNov 3, 2025

Fresh insights from old data: corroborating reports of Turkmenistan IP unblocking and firewall testing

Why it matters: This article shows how passive network telemetry, like TCP resets and timeouts, can corroborate geopolitical events such as nation-state IP unblocking and firewall testing. It's crucial for understanding internet censorship and infrastructure changes globally.

Cloudflare Radar data confirms reports of Turkmenistan unblocking over 3 billion IP addresses in mid-June 2024, marked by a surge in HTTP requests.
Analysis of TCP resets and timeouts from Turkmenistan revealed significant increases and pattern shifts starting June 13, 2024, suggesting potential firewall testing.
These ungraceful TCP connection closures, observed across different connection stages, are consistent with the behavior of a large-scale firewall system.
Individual network analysis, particularly for AS20661 (TurkmenTelecom), mirrored the overall trends, emphasizing the impact of these changes.
The study demonstrates that passive observation of network data can provide crucial insights into nation-state internet filtering and infrastructure changes.

#data #security

Read original

Cloudflare BlogOct 31, 2025

BGP zombies and excessive path hunting

Why it matters: BGP zombies and excessive path hunting disrupt Internet routing, leading to packet loss, increased latency, and network instability. Understanding these phenomena is crucial for network engineers to maintain reliable and efficient global connectivity.

BGP zombies are routes that remain active in the Internet's Default-Free Zone despite being withdrawn, causing traffic misdirection and operational issues.
These zombies typically arise from slow BGP route processing, software bugs, or missed prefix withdrawals.
Path hunting is the process where BGP routers search for the best path after a more-specific prefix is withdrawn, falling back to a less-specific one.
The Minimum Route Advertisement Interval (MRAI) intentionally delays BGP updates, extending the duration of path hunting and increasing the chance of zombies.
Zombies can lead to packets being trapped in loops or taking inefficient routes, impacting network performance and reliability.
Cloudflare observes BGP zombies affecting BYOIP on-demand customers using Magic Transit.

#sre #dist

Read original

Page 8 of 10

Prev 1...6 7 8 9 10 Next