Curated topic

sre

Posts tagged with sre

Cloudflare BlogApr 16, 2026

Building the foundation for running extra-large language models

Why it matters: This article provides a blueprint for optimizing LLM infrastructure by decoupling inference stages. It demonstrates how to maximize expensive GPU utilization and reduce latency for long-context agentic applications through clever software engineering and cache management.

Implemented Prefill Decode (PD) disaggregation to separate compute-bound prefill tasks from memory-bound decode tasks, maximizing GPU efficiency.
Developed a token-aware load balancer that estimates in-flight tokens to spread load evenly across prefill and decode endpoint pools.
Achieved a 3x improvement in intertoken latency, reducing p90 time per token from ~100ms to 20-30ms.
Utilized x-session-affinity headers to improve prompt caching, increasing input token cache hit ratios from 60% to 80%.
Integrated Moonshot AI’s Mooncake Transfer Engine to facilitate efficient KV cache sharing across multiple GPUs for extra-large model instances.
Optimized infrastructure specifically for agentic workflows which involve high input token volumes and long-context system prompts.

#mlp #dist #sre

Read original

Pinterest EngineeringApr 15, 2026

Finding zombies in our systems: A real-world story of CPU bottlenecks

Why it matters: This case study demonstrates how high-level ML workloads can cause low-level kernel starvation, leading to network driver resets. It is a critical lesson in debugging performance bottlenecks that span the entire stack from distributed frameworks to cloud infrastructure drivers.

Pinterest's Ray-based ML training jobs on Kubernetes experienced intermittent crashes linked to AWS ENA network driver resets.
The ENA driver triggered resets after detecting that Tx threads were paused for over five seconds, a symptom of CPU starvation.
Impacted nodes showed high system CPU utilization and significant page faulting, correlating with the network instability.
The investigation focused on the interaction between Ray's high-volume gRPC traffic and the underlying EC2 network infrastructure.
Initial mitigation attempts included optimizing memory allocators and implementing Huge pages to reduce page fault overhead.

#mlp #sre #dist

Read original

Cloudflare BlogApr 15, 2026

Introducing Agent Lee - a new interface to the Cloudflare stack

Why it matters: Agent Lee shifts cloud management from manual navigation to natural language intent. By using TypeScript code generation and secure proxying, it provides a blueprint for building autonomous agents that safely perform complex multi-step infrastructure tasks in production environments.

Agent Lee is an in-dashboard AI assistant that allows users to manage, troubleshoot, and configure Cloudflare resources using natural language.
The system uses 'Codemode' to convert Model Context Protocol (MCP) tools into TypeScript APIs, enabling LLMs to write and chain code for improved accuracy over standard tool calling.
Security is enforced through Durable Objects acting as credentialed proxies, classifying operations as read or write and requiring explicit user approval for any state changes.
The interface features generative UI, dynamically rendering interactive charts and visualizations based on real-time account data and traffic logs.
Built entirely on Cloudflare's public primitives like the Agents SDK and Workers AI, the tool serves 18,000 daily users and executes 250,000 tool calls per day.

#mlp #sre #security

Read original

Cloudflare BlogApr 15, 2026

Rearchitecting the Workflows control plane for the agentic era

Why it matters: As AI agents replace humans as primary triggers for durable execution, systems must scale horizontally. Cloudflare's rearchitecture demonstrates how to evolve from a single-bottleneck coordinator to a distributed model using Durable Objects to handle massive machine-speed workloads.

Transitioned from human-triggered to agent-triggered workloads, necessitating a massive increase in concurrency and creation rates.
Replaced the single 'Account' Durable Object bottleneck with horizontally scalable 'SousChef' and 'Gatekeeper' components per workflow.
Increased concurrent execution limits from 4,500 to 50,000 and instance creation rates to 300 per second per account.
Established the 'Engine' Durable Object as the sole source of truth for instance existence to eliminate inconsistent queuing states.
Executed a seamless live migration of all customer traffic from the V1 control plane to the V2 architecture without downtime.

#dist #sre #mlp

Read original

Cloudflare BlogApr 15, 2026

Why it matters: This API enables seamless domain registration within automated pipelines and AI-driven development environments. By removing manual UI steps, engineers can programmatically provision infrastructure and identity directly from their code editors or CI/CD workflows.

Cloudflare launched the Registrar API in beta, enabling programmatic domain search, availability checking, and registration.
The API is optimized for agentic workflows, allowing AI agents in tools like Cursor or Claude Code to handle domain purchases via Cloudflare MCP.
A three-step machine-friendly process includes Search (cached results), Check (authoritative registry query), and Register (execution).
Registration defaults to account-level contact and payment info with WHOIS privacy protection enabled automatically at no extra cost.
The service maintains Cloudflare's at-cost pricing model with no markups, supporting both standard and premium TLDs.

#sre #mlp

Read original

Cloudflare BlogApr 14, 2026

Managed OAuth for Access: make internal apps agent-ready in one click

Why it matters: AI agents often fail at human-centric login redirects. Managed OAuth provides a standardized, secure way for agents to access protected internal data using user-scoped tokens rather than risky static credentials, ensuring auditability and fine-grained access control without refactoring code.

Cloudflare Access now supports managed OAuth to enable AI agents to authenticate with internal applications without manual intervention.
The system implements RFC 9728 for discovery and RFC 7591 for Dynamic Client Registration, allowing agents to identify authentication requirements automatically.
Agents use the PKCE (Proof Key for Code Exchange) flow to obtain a JWT, ensuring secure delegation of user permissions.
This approach replaces the need for static service tokens or service accounts, which often lead to 'confused deputy' security risks.
Managed OAuth maintains full auditability by attributing all agent actions to the specific human user who authorized the session.
The feature is designed to work with the Model Context Protocol (MCP) and requires no code changes to legacy internal applications.

#security #sre #mlp

Read original

Cloudflare BlogApr 14, 2026

Securing non-human identities: automated revocation, OAuth, and scoped permissions

Why it matters: As AI agents and automation scale, the risk of credential leaks grows. Automated token revocation and granular RBAC ensure non-human identities are secured throughout their lifecycle, preventing unauthorized access and reducing the blast radius of accidental exposures.

Cloudflare is introducing automated revocation for leaked API tokens through a partnership with GitHub's Secret Scanning program.
New API tokens now feature a distinct 'cf' prefix and a checksum to improve detection accuracy and reduce false positives for security scanners.
Cloudflare One customers can use DLP profiles to detect and block tokens across network traffic, email, and SaaS applications.
The platform is enhancing identity management by providing better visibility into OAuth principals and granular, resource-scoped RBAC policies.
These updates specifically target the risks associated with non-human identities, such as AI agents and automated scripts, in modern development workflows.

#security #sre

Read original

Salesforce EngineeringApr 13, 2026

Reducing Agentforce AI Debugging from Two Weeks to Same-Day with Query-Driven Observability

Why it matters: Traditional logs fail to capture the data context of AI responses. This query-driven approach allows engineers to inspect the exact document chunks and embeddings used in production, slashing debugging time from weeks to hours while maintaining strict data isolation.

Salesforce's Einstein Notebooking platform enables secure, production-grade AI debugging for Agentforce and Data 360 systems.
The system addresses the 'black box' nature of AI agents by providing visibility into ingestion, chunking, retrieval, and response generation.
Engineers use Spark-based workflows to query production indexes, including vector, keyword, and hybrid search results directly.
Query-driven observability allows for inspection of document chunks, embeddings, and session-level feedback within a unified notebook environment.
Tenant-scoped access patterns ensure strict data isolation and compliance while investigating real production scenarios.
The approach reduced investigation times from two weeks to a single day for over 60 Agentforce features and 400 million records.

#mlp #data #sre

Read original

Cloudflare BlogApr 13, 2026

Building a CLI for all of Cloudflare

Why it matters: Managing thousands of API endpoints manually is error-prone. Cloudflare's new schema-driven CLI ensures consistency across all products, providing a reliable interface for both humans and AI agents to automate infrastructure-as-code and local development workflows.

Cloudflare is rebuilding the Wrangler CLI to cover its entire API surface of over 3,000 operations across 100+ products.
A new TypeScript-based schema replaces manual updates, serving as a single source of truth for SDKs, CLI commands, and documentation.
The system standardizes command syntax and flags to improve ergonomics for both human developers and AI agents.
A technical preview is now available via the npx cf command, allowing early testing of the unified interface.
The architecture supports complex interactions, including local resource simulation and RPC-based Workers bindings.

#sre #dist

Read original

Cloudflare BlogApr 10, 2026

500 Tbps of capacity: 16 years of scaling our global network

Why it matters: This milestone demonstrates how massive-scale infrastructure can handle record-breaking DDoS attacks (31.4 Tbps) autonomously. It showcases the power of pushing security and compute to the edge using eBPF and XDP, allowing for high-performance, distributed application hosting.

Cloudflare reached 500 Tbps of external capacity across 330+ cities, supporting over 20% of the web.
Autonomous DDoS mitigation uses eBPF and XDP (l4drop) to drop malicious packets at line rate without human intervention.
The 'dosd' daemon samples traffic and broadcasts mitigation rules globally via Quicksilver, a distributed KV store.
Layer 4 load balancing is handled by Unimog, while flowtrackd provides stateful TCP inspection for enterprise traffic.
The network has evolved into a distributed developer platform (Workers) that now supports V8 isolates and edge containers.

#security #dist #sre

Read original

Page 7 of 27

Prev 1...5 6 7 8 9...27 Next