Why is Cloudflare Pages' bandwidth unlimited?
(mattsayar.com)594 points by MattSayar 3 days ago
594 points by MattSayar 3 days ago
I think there are a few other benefits (even if that was the main benefit/driving force behind the decision).
When you have low-paying (or zero-paying) customers, you need to make your system easy. When you're enterprise-only, you can pay for stuff like dedicated support reps. A company is paying you $1M+/year and you hire someone at $75,000 who is dedicated to a few clients. Anything that's confusing is just "Oh, put in a chat to Joe." It isn't the typical support experience: it's someone that knows you and your usage of the system. By contrast, Cloudflare had to make sure that its system was easy enough to use that free customers would be able to easily (cheaply) make sense of it. Even if you're going to give enterprise customers white-glove service, it's always nice for them when systems are easy and pleasant to use.
When you're carrying so much free traffic, you have to be efficient. It pushes you to actually make systems that can handle scale and diverse situations without just throwing money at the problem. It's easy for companies to get bloated/lazy when they're fat off enterprise contracts - and that isn't a good recipe for long-term success.
Finally, it's a good way to get mindshare. I used Cloudflare for years just proxying my personal blog that got very little traffic. When my employer was thinking about switching CDNs, myself and others who had used Cloudflare personally kinda pushed the "we should really be looking at Cloudflare." Free customers may never give you a dollar - but they might know someone or work for someone who will give you millions. Software engineers love things that they can use for free and that has often paid dividends for companies behind those free things.
I built my website on Cloudflare Pages and ended up using basically their entire suite of tools - Pages, D1, Analytics, Rules, Functions. The DX was pretty good because all of these features worked well together.
Cloudflare offered all of this for free because it gets them positive mentions (like the one you’re reading right now) and they’re educating a bunch of developers on their entire product portfolio. And what does it cost to host my blog that 1000-2000 views a month? Literally nothing.
This approach is good as long as the tech stack is open source and portable to other platforms. Otherwise, no matter how good a company/CEO seems ATM, you are ultimately at their mercy if they decide to raise prices significantly.
By using an open, interoperable tech stack, you maintain the freedom to switch to another cloud provider at will.
This shared fluid power also creates a compelling reason for cloud providers to remain honest and competitive in their dealings with customers.
You don't get it.
For most companies free users are just a source of potential paid customers. Such companies squeeze the free users to force them to upgrade. For Cloudflare the millions of free users strengthen their negotiating power with ISPs around the world. We provide value to Cloudflare just by being Cloudflare customers. It is possible that Cloudflare might get a CEO who doesn't understand this, but possible doesn't mean likely.
In any case, I've built my website with Astro, pulling in the Cloudflare integration as a dependency. If I wanted to switch to Vercel or Netlify or whatever else, Astro makes it easy. As for database, others offer managed Sqlite.
If all else fails, I'll ditch the few dynamic parts of the website and deploy the bulk of the site as static html to Github Pages or something.
I feel like there might be an additional motivation too, which is that this investment in a better internet (free SSL for everyone before LetsEncrypt came around, generous free tiers for users, etc. etc.) means that Cloudflare builds a reputation of being a steward of the ecosystem while also benefitting indirectly from wider adoption of good, secure practices.
In some ways it's analogous to investing in your local community and arguably paying tax: it's rare that you would directly and personally benefit from this, but if the environment you live in improves from it, crime is reduced, more to do, etc. then you can enjoy a better quality of life.
Have they made a better internet? Many would say that made it worse.
Reminds me of the School -> Pro pipeline where companies sell cheaply or even give away their software to learning institutions so that students who go pro are familiar with their tools and then later recommend it for their work.
That’s absolutely true for things like MS Office and Adobe - but it also works in the other direction: I’m sure making kids use Java for AP computer-science or for undergrad contributed to its uncool status today.
Autocad 10-12 back in college. Cost thousands of dollars in 80s/90s dollars, Not officially allowed to copy, but in reality effortless to copy and run at home for free.
There were other products aiming to be just as good at the same time that were actually protected with dongles and such.
The one that everyone could run at home is the one that took over the world.
This is exactly our thinking with authentik (open source IdP), and it's played out in practice so far. Enterprise sales conversations are so much easier when they start with "we all use you in our homelabs already." We're much more focused on giving those individual users a positive early experience (in hopes that some small percentage will really pay off down the road) than in extracting a few dollars from each of them.
I had this exact conversation with a Cloudflare rep a year or two ago, after I told her how I user their free DNS service. She said, "that free service was the best thing we ever did". And we wound up buying their bot management and DDOS services.
I went back and reread that reply by Matthew. Essentially, nothing has changed; the free customers are very important to us for all the reasons that he outlined. See also this blog post on us and free customers from 2024: https://blog.cloudflare.com/cloudflares-commitment-to-free/
> I don't think they care much about few "Pro" upgrades here and there. The real money, and their focus as a company, is in enterprise contracts.
Cloudflare's enterprise customer acquisition strategy seems to be offering free or extremely cheap flat-rate plans with "no limits", then when a customer gets a sizeable amount of traffic they will try to sell them an enterprise plan and cut them off if they don't buy (see https://robindev.substack.com/p/cloudflare-took-down-our-web...). IMO this is pretty shrewd, as it means that companies can't do real price comparisons between Cloudflare and other CDNs until they already have all their infrastructure plugged into Cloudflare.
That particular story / case had a lot more context to it that we weren't given. I wouldn't be ready to place any kind of merit on it without hearing more. I also think given the OP's industry it's likely there were issues with IP reputation. Could it have been handled differently? Probably. In this case I think it would have been smarter to just part ways upfront and let the client know it's not going to work out. I suspect the contract was designed to say.. we don't see the value in this relationship.. but at this price we'll make it work type deal. I don't think that's the right way to go, but I hardly believe this is how they operate.
I've used their free -> enterprise services in multiple companies and clients. Haven't had a single bad experience with them yet. Always helpful, if a bit delayed at times.
It doesn't seem like Cloudflare has any problems with online gambling, especially since the first email the author got from Cloudflare came from someone in their "Gaming & iGaming" division. There's people in this thread in other industries who have had similar experiences with them.
IMO the biggest problems are how Cloudflare kept inventing excuses like "issues with account settings" to get the customer on the phone with their sales team, and the mixing of "trust and safety" with sales (like deleting their account for ToS violations after the CEO mentioned talking to a competing CDN).
Yep, and if you contact their sales directly because you've been bitten before and tell them your traffic they will be happy to tell you that yes, other than a short trial you have to pay them for huge bandwidth from month one. It's actually surprising to me people would believe it's fully free. Like think for a bit that if that was the case Netflix would just move to Cloudflare free tier and Cloudflare would go bankrupt immediately.
Like think for a bit that if that was the case Netflix would just move to Cloudflare free tier and Cloudflare would go bankrupt immediately.
Cloudflare's free tier specifically excludes video. See https://www.cloudflare.com/service-specific-terms-applicatio...:
Content Delivery Network (Free, Pro, or Business) Cloudflare’s content delivery network (the “CDN”) Service can be used to cache and serve web pages and websites. Unless you are an Enterprise customer, Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN. Cloudflare reserves the right to disable or limit your access to or use of the CDN, or to limit your End Users’ access to certain of your resources through the CDN, if you use or are suspected of using the CDN without such Paid Services to serve video or a disproportionate percentage of pictures, audio files, or other large files. We will use reasonable efforts to provide you with notice of such action.
I haven't heard about this in particular but based entirely on your depiction here it sounds more like fraud to me.
If I was paying a flat rate for a no limit plan, that company tried to sell me an Enterprise plan which I declined, then they cut me off, we'd be in court as soon as the clerk would schedule it.
I remember this story and it missed the entire point.
The customer ( a casino) was using dubious actions in different countries which impacted Cloudflare's IP trust. Tldr: Cloudflare didn't want an IP ban in their IP's due to government regulation.
The fix was to bring their own IP which is an Enterprise feature, as they weren't allowed to use Cloudflare's IPs anymore.
> Bandwidth Chicken & Egg: in order to get the unit economics around bandwidth to offer competitive pricing at acceptable margins you need to have scale, but in order to get scale from paying users you need competitive pricing. Free customers early on helped us solve this chicken & egg problem.
I'm not really sure how this works.
Suppose you have paying customers and for that you need X amount of bandwidth. If you add a bunch of free customers then you need X + Y bandwidth. But the price of X + Y is never going to be lower than the price of X, is it? So even if the unit cost is lower, the total cost is still higher and you haven't produced any additional revenue in exchange, so how can this produce any net profit?
If you send 10Gbit/s to an ISP you have to pay for transit to reach it. But if you send 100Gbit/s+ the ISP suddenly is willing to not only peer for free with you but may even host the servers for you in their data center for free. [0][1][2] So yes being bigger can absolutely save you costs.
[0]: https://www.cloudflare.com/partners/peering-portal/
[1]: https://openconnect.netflix.com/en/
[2]: https://support.google.com/interconnect/answer/9058809?hl=en
Don't forget about the Bandwidth Alliance, which is agreements for free or cheap egress between peers.
Can't you just send random generated packets. Or by requesting content from other hosting provider with free or cheap egress. Or sending to another hosting provider.
The thing with ISPs is the small guys are more likely to have to pay, and the smaller you are the more likely you are to pay more.
If you are a Tier 1 ISP, everyone is willing to pay you to carry their traffic and other Tier 1s just make peering agreements with you.
If you're johnscheapvps.com, you're likely to pay all your upstream ISPs for your traffic. If you're GCP or, say, digitalocean.com, everyone would love to be paying you to get faster access to all the sites hosted on your platform (and because paying you is probably going to be cheaper than their regular upstream)
Imagine you're an ISP. If your customer has slow bandwidth to some random website, they will blame the website. If they have a slow connection to YouTube, they will blame you.
So YouTube gets more favorable terms on transit bandwidth than the random site does.
it may be, especially if the ISP in question just does direct peering with you, your unit cost can drop to ~ $0/MB, and you stop paying Cogent/Verizion/HE unit cost for facilitating the connection from you to the ISP.
Works for the ISP too, one off cost for them to drop there side of the bill down
The point is that that you get your paid offering down to a lower price point because you have the volume to get the cheaper peering deals. Because your paid offering is cheap you get even more volume from paying customers which offsets the loss you made.
And this works IME
I use Cloudflare for hobby projects 90% of the time because it’s free. That dramatically increases the likelihood I advocate for their offerings in the enterprise
Cloudflare generally seems to have a really smart strategy team. There's a really excellent Stratechery article about Cloudflare's strategy team more generally:
(Stratechery is down now, but the web archive is up.) https://web.archive.org/web/20250108182845/https://strateche...
I've always wondered if there is an accounting benefit for them. Can the free tier be charged as 'marketing'? No idea how you would internally break up the costs, but it could make your margins look better.
Another likely reason: the process of metering bandwidth accurately enough to use as input for a billing process costs money. On their distributed setup it's probably seriously expensive to do accurate bandwidth metering per site. Probably more expensive than they expect to make by pricing bandwidth.
Let’s say you’re looking to break into the Fun as a Service market. The incumbent offers 100 hours of Fun per year as a free service and charges enterprise prices above that. If you want to start a Fun as a Service competitor, to have any chance of competing for new signups you also have to front 100 hours/year for anyone who wants to try it at a 100% loss, before you can even start making money.
It’s the same principle behind predatory pricing, which is illegal but rarely enforced. The goal is to make it too expensive for new players to enter the market, or to force existing competitors out.
That's not the complete story.
Cloudflare's main income is DDOS, which is incoming traffic they pay for.
They pay for that pipeline (which you pay for up and down traffic), so they have a generous free CDN because they already pay for it.
( Unrelated to workers, ... )
I think this is the important part
> Today we continue to see that benefit in regions where our diversity of customers helps convince regional telecoms to peer with us locally, continuing to drive down our unit costs of bandwidth
If you can peer your traffic you can send it for free.
So lots of small customers, despite not paying anything, is helping to reduce bandwidth costs for Cloudflare to zero.
If they've reduced bandwidth costs to zero then they can afford to give it away for free.
I can tell you from personal experience that getting some ISPs to peer with you is hard unless you are exchanging lots of traffic already.
This is a clever playbook that has made Cloudflare a tier 1 ISP in an age when that is extremely difficult.
> Cloudflare had decided long ago that they wanted to work at an incredible scale.
This reminds me of the story of how Jeff Bezos bought relentless.com. The rest is history. https://pluralistic.net/2022/11/28/enshittification/
It's not really free. One day, you get a call from their sales team saying "you're straining our network". I kid you not. We were on a business plan and still got this. When we met them in person, we were asked to upgrade to a $2000+ per month plan. From a $200/mo plan. That's a 10x increase. I searched their TOS, nowhere it was mentioned about "straining their network". Turns out that's just their scammy tactic to get you to pay. We refused. That really left a bad taste in my mouth.
Today, I refuse to recommend any client or startup to them because of this extremely unethical practice. All around, I'm not sure they deserve so much positive press/attention, especially after screwing some of their own employees (one even got super famous live streaming the firing).
We had a terrible sales experience with Cloudflare at my last place. They would not budge on the $200 a month quote, and we knew that was BS because the next closest quote we had was $3000 or something. Eventually, like the fourth try, we said, in writing, “just to be clear, for exactly $200, a month we will get XYZ bandwidth”, and of course they said “ohhh well actually maybe it’ll be $8000”.
We had discussed our requirements, our scale, our product with the sales team multiple times but it was only when we wrote down something that we could potentially have used in court that they finally acknowledged their pricing was actually nearly two orders of magnitude higher.
>I searched their TOS, nowhere it was mentioned about "straining their network". Turns out that's just their scammy tactic to get you to pay.
You seem to be pretty cagey about what your usage actually was, and whether it was indeed "straining their network". Were you using more resources/bandwidth than a typical customer would? Most ToS contains clauses that allows the vendor to unilaterally cut customers off if they're an excessive burden, even if there aren't explicit quotas, or are explicitly "unlimited". ISPs don't let you saturate your 1Gbit connection 24 hours a day, even on "unlimited" plans, but I wouldn't call it a "scam" if they told you to upgrade to an enterprise plan.
This is for a normal news website, no gambling, no offensive content. Just regular news. Their business plan explicitly mentioned "unlimited bandwidth" at the time of signing up. I clearly remember reading every bit of their TOS to find any gotchas but there were none.
If you claim you provide unlimited bandwidth, then don't call me tell me I'm straining your network.
By the tone of your comment it does sound like they give you a lot before asking you to pay more.
I still really would like to hear a byte amount. How many bytes are you pushing per month?
I don't believe anything is ever free, and everyone promising "unlimited" will still have a point where you are just costing them too much. CF don't want to say the byte number themselves. Could someone please say the byte number. Someone?
> everyone promising "unlimited" will still have a point where you are just costing them too much
I mean, in the business world, if you promise someone something, it has legal consequences, you can't just walk in and say "hey, remember I promised you something unlimited with no strings attached? Yeah, no"
That's exactly my problem with CF. It's not like we are a large news network or anything. We are actually very small compared to their other customers, that much I can tell you.
I've seen enough stories exactly like this, where it turned out such usage is unusual and a move to a higher priced plan was justified (eg. https://news.ycombinator.com/item?id=40482505, https://news.ycombinator.com/item?id=34640016, https://news.ycombinator.com/item?id=31336515), that I find it suspicious whenever people act surprised and outraged at cloudflare upselling them, but are cagey about what exactly their site's doing.
This "straining the network" is the "unlimited pto" of b2b saas. It's all bullshit. Nebulous and you don't really know what you're getting into until you're too locked in and they squeeze you. Don't do business with companies like this if you can avoid it. It's the Datadog model of we'll charge you whatever and make it extremely complicated for you to understand why you're being billed $x this month.
Word of advice, if you have unlimited PTO and you've never gotten called into a meeting to tell you you're taking too much you're not taking full advantage. It's probably higher than you think. I've gotten to normal onsie-twosie days off plus 8 full weeks before I got called in.
That was a great year.
> If you have an actual number, the idea is that you must take them, or at least, you get paid extra if you don't.
That's why "unlimited" PTO exists. Defined PTO is a liability on the company's books.
straining is also ambiguous and disingenuous.
if we believe the plan was $200 and the upgrade was to a $2,000 plan.. there's no way a $2,000 user would be "straining" Cloudflare's network.
We spend more than that. If we are putting a strain on Cloudflare, they're not at the scale we think they're at.
Seems like you don't really have any issue with the underlying business decision (ie. pushing a high usage customer to a higher tier plan) and are only upset about the wording the salesperson used. All the points you've made applies to ISPs as well. Most neighborhoods are probably provisioned well enough that a single customer saturating their 1gbit connection isn't going to bring the network down to its knees, but that doesn't mean ISPs aren't justified in pushing such customers to a higher tier offering (eg. dedicated circuit).
To be honest, sales people are sales people. Their job is to sell you on packages, and they will generally do anything to get you to upgrade.
It's not like they threatened to remove you from their service. They asked you and gave you a "canned" reason.
If you don't mind me asking you had a $200 a month plan, and changed to another provider. Did the plan price go up or down?
If CF is calling you like this then I’m not sure how you’re interpreting this as a donation call. They’re basically saying you’re about to be fired as a customer.
Except now there isn’t a clear formalization on how much you were expecting to pay or how much runway or patience CF has left for you.
> If CF is calling you like this then I’m not sure how you’re interpreting this as a donation call. They’re basically saying you’re about to be fired as a customer.
I've had a call from Cloudflare at my previous job, and it wasn't a "you're about to be fired" it was an attempted upsell.
Sales people work within the policies & frameworks set by a sales organizations whose goals and strategies are set by said organizations leadership team.
This isn't a random sales person gone rouge—its a matter of how Cloudflare chooses to do business with and treat their customers.
The problem with this approach for customers is that it makes there costs entirely unpredictable. What's the stop them from increasing prices from $2,000 on the enterprise plan to $20,000 on the enterprise plus plan?
Very true. I think it was Snowflake we worked with recently where the sales rep said they don't get commission (I assume they have other incentives).
Aggressive commission structures, sales targets, and little oversights have visible impacts on how the sales team operate.
Compare to cloud providers like AWS where you certainly get "reminded" constantly about all the integrated services and features but much less so harassed and threatened into closing deals.
Sure but there's a huge difference between companies that load the call with sales people and sell to execs vs bringing solutions architects and sales/customer engineers on the call and actually explaining the product and its benefits and coming up with a customer tailored solution.
We had a pretty positive experience with a Cloudflare contract last year but it sounds like Cloudflare is more the former than the latter.
> It's not like they threatened to remove you from their service
They routinely do exactly this
And it's not only threats, they actually enforce them. Here is an example, but there are many more: https://robindev.substack.com/p/cloudflare-took-down-our-web...
I actually recommend AWS because of this. Sure, it’s AWS with all the warts, but at least they bend over backwards to maintain compatibility (at least compared to GCP), and have sustainable billing practices.
Free is free until it’s not. When Cloudflare becomes the new Akamai and needs profits, guess who will get squeezed. If you’ve built your app around their vendor specific stuff like Cloudflare functions, that can be bad news.
> If you’ve built your app around their vendor specific stuff like Cloudflare functions, that can be bad news.
There's nothing that "special" about Cloudflare Workers, its mostly "just" a WinterCG runtime. Where you'd encounter problems is if you used the provided interfaces for other adjacent Cloudflare products, like R2, D1, KV, Queues, ect. So what you do is commit a hour of engineering time to make wrapper functions for these APIs. If you're feeling extra spicy, commit another hour of engineering time to make parallel implementations for another service provider. If you allow your tech stack to become deeply intertwined with a 3rd party service provider, thats on you.
Yeah, I guess that’s what I really meant.
Also at face value, it may seem like “an hour of engineering time,” but I think cloud vendor lock in is real unless you try very hard to only use abstract constructs.
Agreed, I’m wondering where all these magical 1-hour efforts come from that decouple someone from a vendor. Let me just decouple from s3 real quick.
This is a growing pattern in hosting like Netlify and headless CMSs like Sanity. Their free model is "generous" and then if you go production and start to have overages you get billed exorbitantly for bandwidth and API requests. It is essentially a trap. Once you hit those limits you have very little negotiating power when you hit the "call us for pricing" level and you get outrageous quotes. It costs them very little to run these services so if they can net some minnows that become whales, that is almost pure profit.
It's the double-edged sword of both free plans and "transparent pricing". If you just click "buy" and enter your CC info you're subject to their somewhat arbitrary terms of service. Service is cheap and reliable so you don't ask questions. But they can just boot you and there's very little recourse. It's why most big companies want a signed contract that's binding and comes with some kind of mandatory dispute resolution or penalties for non-compliance.
You should report that to them. Their CTO multiple times said this in HN.
I'm not a fan of Cloudflare's enterprise pricing model. It seems like they'll charge you whatever they'd like to when renewal time comes around, and will play with the numbers to ensure you stay around whatever total they'd like to see. They charge for each protected domain, in addition to sane metrics like bandwidth utilization and number of requests. Charging thousands per protected domain per year is scummy. Maybe I'm just too used to AWS/GCloud/et al. pricing that actually bills me on utilization rather than arbitrary metrics.
I heard a great theory about this recently.
The hardest part of onboarding a new customer to Cloudflare is the bit where you need to switch over to having them manage DNS for you.
If you're under a DoS attack or similar, waiting for DNS changes to propagate is the last thing you want to have to care about!
Cloudflare's generous free tier is an amazing way of getting that funnel started: anyone who signs up for the free tier has already configured everything that matters, which means when they DO consider becoming a paying customer the friction in doing so is tiny.
Not being able to use DNS I prefer, is why I've never hosted anything with Cloudflare.
The OP doesn't link to Cloudflare's (repeated) explanation about this exact topic.
It's not hard to confirm, since the CEO posted this very reason 9 years ago. It's not exactly hidden on.. StackExchange, answering the very question:
"How can CloudFlare offer a free CDN with unlimited bandwidth?"
https://webmasters.stackexchange.com/questions/88659/how-can...
The reason it's free and with unlimited bandwidth is that it's not.
Unless you stay very small, you'll eventually get on the radar of the sales team and you'll realize the service is neither unlimited nor free. In fact, you'll likely have to look at a 5 or 6-figure contract to remain on the service.
(n = 1 & all) A project I co-develop pushed 30TB to 60TB per month on Cloudflare Workers in the past (for months on end) for $0. No one called us to sign 6 figure contracts.
Workers are a very different product so I'm not too surprised by that. The main workers payment model is entirely concerned with CPU use and you must be minimizing that.
Do you have a counter example, or is this just your assumption?
I can second this. Their sales people have such poor behaviour that I am considering moving away simply on principle. There is nothing predictable about being on an enterprise contract and they will hit you with bullshit overage charges like using too many dns requests (wtf??) all of a sudden to force you onto a much larger contract. On the 28th of December no less ! We have used them for a very long time but I am having very big doubts about how much we can use them in the future even though their products are great.
(disclaimer: I'm an employee but no commission is earned for this, we just work hard, opinions on HN otherwise don't reflect that of my employer)
Big +1 for Bunny.net - I moved my current company to Bunny and it's been excellent. Super fast (for our PoPs at least), reasonable pricing, love the image optimizer & edge rules (especially for solving header issues when embedding documents), has a Terraform provider, and I was able to set most of it up in a day. Was a night and day difference from GCP's Cloud CDN
We use Bunny, and it’s been solid and super inexpensive. None of my production issues have ever been due to Bunny.
At the point where the sales team has already hit all the targets that are bigger than you.
Oh boy, where to start..
> So why is Cloudflare Pages' bandwidth unlimited?
> Why indeed. Strategically, Cloudflare offering unlimited bandwidth for small static sites like mine fits in with its other benevolent services
Those are not "benevolent". Seeing a substantial amount of name resolutions of the internet is a huge and unique asset that greatly benefits their business.
> like 1.1.1.1 (that domain lol)
It's an IP address, not a domain. And they paid a lot of money for that "lol", so that people have an easy time remembering it. Just like Google with 8.8.8.8. Not to be benevolent, but to minimize the threshold for you to give them your data.
> Second, companies like Cloudflare benefit from a fast, secure internet.
It's the exact opposite. The less secure the internet, the more people buy Cloudflare's services. In a perfectly secure intetnet, nobody would need Cloudflare.
If you go to https://1.1.1.1 it redirects you to https://one.one.one.one, I think that's what the author meant.
The hyperlink for it on the page is one.one.one.one even.
Oddly, one.one is owned and redirects to the unrelated domain registrar one.com. I wonder how much cloudflare pay them to use that subdomain.
> And they paid a lot of money for that "lol"
They didn’t pay any money for it. They were given it for free for a collaboration with APNIC.
"For free" and "collaboration", right. Just like my employer gives me lots of stock options "for free" every quarter, it just happens to be the case that I also do a lot of programming for them every day, "for free", as a form of "collaboration".
Oh, you are saying it's a mutual deal I'm having with my employer, they get sth out of it and I also do? You don't say..
We're incredibly biased since several members of our team worked at Cloudflare, but we spend ~$20 a month on Cloudflare for our startup and it is fantastic.
- Marketing videos on stream
- Pages for multiple nextjs sites
- DNS + Domain Reg
- cloudflared / tunnels for local dev
- zaraz tag manager
- Page rules / redirect rules for vanity redirects we want to do.
The list gets longer every day and the amount of problems we can solve quickly is amazing. The value to money is unmatched
In terms of brand, Cloudflare reminds me of Google during the idealist “don’t be evil” phase. Giving away lots of free and benefiting from massive mindshare. I feel similar about Cloudflare now as Google then: very positive and wouldn’t begrudge them any work contracts.
I feel like Google started on an extraction ratchet and hasn’t stopped. I used to put everything there and now barely anything. The change in brand for me has been massive.
Without knowing your bandwidth usage, it's probably because your bandwidth isn't that high? They're not charging based on revenue. Every major law firm in the world could probably be hosted on Cloudflare Free Tier with a basic static website, but still make $100+ M per year.
We're building our startup infra on cloudflare over the other major hyperscalers and it turned out to be an amazing decision...
Generous free tiers, pricing scales very competitively after that, and their interface is not nearly as bad as GCP / AWS.
I highly recommend this stack.
> their interface is not nearly as bad as GCP / AWS
Underrated.
Until recently, all the features were grouped in a very clear manner within the dashboard. Now, even Cloudflare is complicating its management interface, but they still have a long way to go before reaching the level of confusion of AWS and GCP.
Definitely.
I managed to get R2 with their cdn in front of it up and working in under an hour. The same experience with s3 fronted by cloudfront was 2 very long days. Due to my misunderstanding, yes, but aws provided (1) incomprehensible docs, (2) an extremely complex UI; (3) stale help all over the internet; and (4) incredibly unclear error messages.
I appreciate the fact its just connected enough to work. AWS does what feels like everything in their power to entrench you. I avoid AWS as much as possible but one example that comes to mind is the fact you basically need to use SQS for SES
It's hard to say because Google regularly releases updates that affect rankings.
I've had sites that don't use CF dropping positions in Google Search even though nothing changed on my end. Why? No idea.
Make sure you're not blocking googlebot, check in https://support.google.com/webmasters/answer/9012289
Yes: https://developers.cloudflare.com/ Look at Cloudflare Workers and Cloudflare Workers AI.
srcbook.com (not OP, just trolling through their profile).
For at least the last decade, Cloudflare has made the impression on me to be what Google wanted to be, in terms of "being good".
I can't remember when it was the last time I've heard something bad about Cloudflare. Then again, I don't use any of their services, even if I have an old account with them. I never saw the need to use them, but like what I see about the products they offer.
They seem to be doing much more good to the internet than causing trouble.
While there's plenty of other angles to complain about them, one of the more common ones is the fact that Cloudflare is just as happily providing service for the very same spam sites they claim to protect people against. There's plenty of blogposts that talk about this, but the one I'll give a link to is the one from Spamhaus[0], the guys who run the most popular DNSBL.
Spamhaus also mentions the main problem with their abuse form, which is that it forwards abuse emails to the hosting provider and the web administrator. They pretty much never do anything by themselves and neither the web administrator or the hosting provider have much incentive to disconnect spamming customers (since the admin is hosting it and the hoster usually stays outside of the risk anyway.)
[0]: https://www.spamhaus.org/resource-hub/service-providers/too-...
Thanks for the response.
I figure that the discord at the root of the issue you're describing can lead to more uncommon complaints against them, bringing this to mind: https://blog.cloudflare.com/kiwifarms-blocked/
Netlify manages to be wildly overpriced even by AWS standards, CloudFront starts at about $85/TB, which isn't cheap by any means, but that turns into $550/TB(!!) if you go through Netlify. They have some of the most obscene bandwidth pricing in the industry by a huge margin, and to add insult to injury they don't allow you to set a spending limit either.
This seems like little more than a sales pitch. For instance:
> Second, companies like Cloudflare benefit from a fast, secure internet. If the internet is fast and reliable, more people will want to use it.
The author doesn't seem to have anything to say with any more substance than this gem.
No, it's not an empty statement. When your site takes 5 seconds to start loading, even sometimes, or if it sometimes fails to load some image or CSS file completely, many visitors will be unhappy to have to return to it, and a lot will just close the tab without waiting.
The pleonasm is not helpful though.
because they’re an amazing piece of technology that also happens to be a state sponsored man-in-the-middle platform.
I was assuming that it's a loss-leader sort of business strategy at play before reading your comment. Do you care to share any insights/references to support this claim?
Nah that’d be a national security crisis.
But the presence of https://en.wikipedia.org/wiki/PRISM well over 10 years ago should be sufficient.
Gotcha. Yeah, I mean all of these platforms are certainly juicy targets for room 641A [0] shenanigans. I just wondered if there had been some public leaks or something which we might not all be aware of yet.
"Our Free plan gives Cloudflare access to unique threat intelligence"
Nobody remembers the "SSL added and removed here :)"?
https://www.agwa.name/blog/post/cloudflare_ssl_added_and_rem...
One half of the NSA's mission is defensive, dedicated to improving the security of US systems and infrastructure: https://www.nsa.gov/Cybersecurity/
They have the nickname "Crimeflare" for a reason and there is a reason so many threat actors, phishers, and malware people use CF on their landing pages and c2s.
When you file an abuse ticket with CF, CF takes the route of "oh we are only routing the data and content, not hosting it" and will refuse to terminate the CF accounts of someone being malicious. Threat actors know this which is why so many use em.
>When you file an abuse ticket with CF, CF takes the route of "oh we are only routing the data and content, not hosting it" and will refuse to terminate the CF accounts of someone being malicious. Threat actors know this which is why so many use em.
Their abuse page says they forward abuse tickets to the origin hosting provider. The origin hosting provider could ignore your tickets, but I don't see how that's any different than if they didn't use cloudflare to begin with.
Ok but why can’t they take responsibility for the abuse and terminate the accounts themselves, forcing the malicious actors back to being in a position of not being protected by cloudflare?
They didn't hesitate with 8chan, even when it was known that fedposting was a thing here and that the straw that broke the camel's back they pointed to could have well been a false flag.
So the deep state is smart enough to take over the corporation and inject all this secret squirrel tech, but didn't think to cook the books to make it look like a marginally-profitable (but boring) business?
It reminds me of the counterargument to UFOs where they say "so the UFO flew here from 100 light-years away, through extreme cold, deep space, intense radiation, dodged space rocks, but as soon as it came into a lukewarm atmosphere with a modest gravity and tame weather, it crashed into a field in New Mexico?"
To be fair, you could see how a vehicle designed rigidly for extreme cold, extreme vacuum, zero gravity, etc. might fail catastrophically when introduced to modest temperatures, a modest atmosphere, and a modest gravity.[1]
It wouldn't say much for the foresight of the alien designers, mind.
[1] "100 KILOpascals? KILO? I thought you said milli, you blithering nixflorp!"
> [1] "100 KILOpascals? KILO? I thought you said milli, you blithering nixflorp!"
The numbers were given in Universal Standard Units, but the manufacturer assumed Galactic Imperial Units
What? What does business profitability or viability have to do with anything? Cloudflare can serve both customers at the same time. They still make amazing products, have incredibly talented engineers, and provide extremely valuable commercial services.
PRISM worked with numerous participants from well-oiled tech startups to aging why-wont-you-just-die companies.
PRISM revealed secrets. It also revealed that some companies fought back as much as possible. It's also possible to design core tech so that even when forced to participate, you reveal as little or no information.
CloudFlare, PRISM, and Securing SSL Ciphers, 2013-06-12 Matthew Prince https://blog.cloudflare.com/cloudflare-prism-secure-ciphers/
I'm sure you've heard this before but Cloudflare isn't really a CDN. CDNs don't have to intercept requests to be useful.
I think what you describe is closer to "TLS terminating reverse proxy", which does need to intercept every request.
What are some alternatives? Preferably the more open source the better.
Idk if they're open source, but netlify was the company that I thought sort of made this feature free and easy to use. Github pages is also a free alternative.
Someone was (incidentally?) ddos'ed on Netlify last year and was served a 104k bill. The fees were waved in the end, but the caveat remains on all these free services that you pay by bandwidth.
- collect telemetry data they can use in their products
- bandwidth is cheap but the bad actor data they gather directly helps their paid enterprise tools
- people wouldn't pay for it and move to a competitor that offers it free, so its basically a monopoly on a large portion of the sales funnel
- branding message as "we are the good guys we are so generous" as you can see from the comments has worked in their favor
Bandwidth has become super cheap nowadays. Even on a CDN if you have a large enough commit the prices go very low, so you can imagine what the real cost must be:
> In Q1 of this year, I completed my yearly CDN pricing survey of over 500 customers and saw the lowest pricing rates I have ever seen for the largest customers, as low as $0.00038 per GB delivered in the US. Blended pricing globally at $0.0006. (Please note, this doesn’t mean these are the prices you should be asking for or paying!) Lower pricing is okay if traffic and commits are growing, but they aren’t
https://www.streamingmediablog.com/2024/05/cdn-pricing-press...
SSG != WordPress.
The value proposition of WordPress is that grandma can run her knitting blog. Not quite as straight forward to teach nana Markdown, jekyll, the command line, SFTP... It's true that anyone who can roll their website with a SSG doesn't need WP, but those people were never WP's core audience anyway.
This strategy works incredibly well and it's a continuation of their free dns proxy / caching service. It's a no brainer: the quality of the free services is unbeatable.
At the same time, everytime you need to buy something, you'll think "should I add a new cloud service or just buy Cloudflare?"
I don't like their almost monopoly-position but it's so good I use Cloudflare for all my projects and I keep recommending Cloudflare to all my clients.
In that regard, they remind me of a young Google.
I host my site on NearlyFreeSpeech for about 40 cents a month and there’s no bandwidth limit. The FAQ has always said: “Currently we are not tracking (and hence not billing for) extra bandwidth usage. This could change in the future, but currently we have no such plans.” Even though I could host with Cloudflare for $0, I think the tiny savings are not worth imposing the captcha on people.
Because bandwidth (and static serving) is dirt cheap, presumably especially so for someone like Cloudflare. Hetzner used to charge ~$1.20 per TB beyond the generous included allowances.
Most sites will have a hard time getting anywhere close to that and the ones that do will likely at some point want more advanced features than the free packages offer (or get force-upsold, see e.g. https://news.ycombinator.com/item?id=42713451).
Once people are in the Cloudflare ecosystem, they're much more likely to upgrade and start using additional services, or recommend Cloudflare to their employer.
As other commenters have mentioned, it is a bit of a bait and switch and not "truly" unlimited - but pretty much this is true for any XaaS that advertises "unlimited" anything. That said though, I still find cloudflare's free basic product incredibly good for the price. The proxy will handle a pretty good amount of load before you get any sales emails. I use some of their enterprise products and I'm extremely pleased, so it is a little hard to complain when I am getting great value out of it. I am however always wary of this not remaining the case forever. For what it is though, I can't really find many comparable products. It's sort of like datadog to me - yes, it's expensive, yes, their pricing can be a bit nebulous and feels bad at times, but the product is still extremely good for what I need it to do and until that changes I guess I'll just keep forking over dollars. That seems to be the way of things now.
The real answer:
If CloudFlare serves a lot of traffic (i.e. people on the internet are requesting stuff from CloudFlare's servers), they get better peering agreements (i.e. pay less) from internet network providers.
When "normal" people/companies connect to the internet, they're paying for the connection. Regional ISPs likewise pay Tier 1 network providers (i.e. "global internet backbone") for the connection, and are charged by bandwidth. When "popular" companies connect to the internet, they don't pay - e.g. a lot of ISPs would host Netflix servers for free (that way, they avoid having to pay for Netflix traffic to Tier 1 providers, but can serve it locally instead).
Say you run a small ISP. You pay for (and utilize) a 10Gbps link to the internet from a big ISP: Cogent, maybe.
You look at your network traffic and notice 5Gbps of it all seems to be going to a single AS: Google. Your customers just love Youtube, and they are pulling down a ton of video.
Rather than leaving that as an interesting factoid, you decide to reach out to Google and pitch them on cutting out Cogent. You run a cable (more-or-less literally) from your network to Google. That 5Gbps of Youtube traffic is running over your connection directly to Google.
Now you can go back to Cogent and drop your commit from 10Gbps to 5Gbps, saving you a bunch of money. Google doesn't have to pay them for transit either: they can serve content to your users straight through the cross-connect. Win-win.
If a particular company is _really_ big, say: Netflix, Cloudflare, etc: you, as a small ISP, might even offer to give them some space in your server racks to host local caches. This makes the performance better for your customers, and, again: saves transit costs.
They still pay for transit (Tier 1 providers) but they just refuse to pay for peering to eyeball ISPs. They just don't because they know if they are big enough the eyeball ISP is basically forced to offer them zero settlement (free) peering. If the ISP doesn't he has to pay for transit too and if there is some congestion in the path from the content provider to the ISP his customers are going to complain to the ISP that youtube is buffering and not to google. The content providers have a bigger lever so they don't pay.
It's kind of the same reason Google does it. There's a saying about this that I do not recall how it is phrased but it's something to the effect of, if you're not paying for it you're the product.
You're the guinea pig to help them make the product better for paying clients and to help them market the product usefulness to those that pay.
There's a catch though, the peering in cloudflare free tier is horrendous in multiple countries, for example Germany, where t-mobile still insists on making cloudflare pay for peering, which they will only do for their premium customers, meaning free tier sites can barely load.
Slightly off topic, but also curious why Cloudflare doesn't put more effort into policing content of Pages, which are frequently used by bad actors. https://www.bleepingcomputer.com/news/security/cloudflares-d...
Examples: https://pending-revew.pages.dev/ https://r2-cmq.pages.dev/ https://ampgoat-ligaciputra.pages.dev/
Metaphorically policing content is expensive and exposes you to politics. Everyone is trying to get out of doing it (see: recent Meta announcement).
If you are the literal police, they will do something.
Because (IMO) it probably glows brighter than the sun.
Tin foil hat on?
I suspect they also benefit from the massive amounts of data gathering. A huge portion of the entire internet's traffic is going through Cloudflare, SSL-terminated. It's like being plugged into the server-side (unblockable) access log of every website. That would be worth a lot.
I also suspect their support of web attestation is not benevolent. With the level of control they already have, it's increasingly possible for them to flip a switch, with the full support of Apple and Google and Microsoft, so that only authorized devices have access to the web. curl on Linux? Not authorized. Outdated OS? It's up to Apple whether they feel like signing your request – can't expect them to support it forever! – but also you can't access that website without their approval.
I feel like a conspiracy theorist here but this stuff just seems way too close at hand.
Between let’s encrypt and Caddy defaults, SSL termination is easy these days and cloudlfares insistence on doing it for me has turned me away from their products. I gather that reading the logs is part and parcel of their product, as the gatekeeper to high traffic sites they need all the signals they can get for what malicious traffic looks like.
I don’t think it requires a conspiracy, it’s just a market demand for such a product
Cloudflare is truly awesome!
They offer incredibly generous infrastructure components for individuals and small businesses.
If you’re looking to host a podcast with a custom domain name and need significant free storage, you’ll quickly realize there aren’t many (if any) free options—until you discover Cloudflare. With tools like R2 and Pages, they open the door to a world of possibilities.
I’ve even built an open-source podcast CMS/hosting solution using Cloudflare [1]. Thanks to R2, you can host up to 10GB of audio for free! It’s a game-changer.
[1] microfeed.org
In the blog post it says AWS offer a free tier of 100GB transfer on S3, but you can get 1TB when you serve it over CloudFront [1] which you normally do when using a custom domain with HTTPS
Thanks for invoking this wonderful discussion!
I run an open-source project[1] tracking the performance of pension fund schemes in India and offer a free API and a query builder because of Cloudflare.
I think this free tier, is sort of their customer acquisition strategy. I work as a freelance developer and because my experience with CF is good, I recommend CF to all my clients!
[1]: https://npsnav.in
As hardware gets cheaper, and economies of scale get bigger, it's way way cheaper to provide free stuff than spend on sales and marketing.
Works best at the extremes
I think providing unlimited bandwidth is a way to do marketing (i.e. letting people know that Cloudflare is a great, generous and high-tech company), and therefore they can attract more enterprise customers (Did you hear Cloudflare? Do you trust it? Of course!) - where the money is really from.
This page has PNGs that need serious optimization. On my monitor, those 2 Cloudflare page screenshots are ~2000x1000 PNGs that weigh 700k each. They occupy about 850x500 "px" on my monitor. (The logo and author pic are likewise, ~300x300 PNGs downscaled to ~40x40.) Serving lossy images at such high resolutions sorta makes sense, but with PNGs they kill page load times. These images could probably get away with a lossy format and much lower resolution, and the page would be less than half the size it is now.
Cloudflare requires a $3,000/year business plan in order to have custom name servers. Namecheap offers this for free.
"Account/Zone custom nameservers are available for zones on Business or Enterprise plans. Via API or on the dashboard."
Update: I say this to further illustrate how they operate.
I understand interconnecting Cloudflare’s network and hosting their servers by ISPs builds a beefier Internet and that’s great, but isn’t it potentially problematic for a small number of vendors to become a significant part of the network? What happens if they go out of business? Are we no worse off than before, or do we worry about equipment that’s in limbo unless purchased by another business? Or is it potentially bad but inevitable since investing in growing the Internet requires deep pockets so it will always be the bigger corporations owning large chunks of the network?
Infra like Internet cables under the ocean are to me more obvious things to be purchased by other businesses. ISP-collocated content servers that came to be due to discovered mutual benefits of content and service provider seem to me more complex in terms of managing them in the face of business changes.
have you looked at their enterprise prices? one enterprise account pays for thousands (or millions of low-traffic accounts) of free accounts
Cloudflare is not profitable [1]. I’m wary of what might happen when they need to become profitable. Could this be another case of a company offering an excellent, cheap product while being propped up by investors, only to later have an “enshittification” [2] phase where they aggressively cut corners and increase prices to make a profit?
[1] https://www.wsj.com/market-data/quotes/NET/financials/annual...
>Cloudflare is not profitable [1]. I’m wary of what might happen when they need to become profitable
The unit economics are sound. They have 76% gross margin, so it's not like they're selling $10 movie tickets for $8, and unlike companies like uber, they're probably not using their marketing spend to buy revenue (eg. spending $20 in promo credits to get $50 worth of sales). There's nothing wrong with a business that "unprofitable" when their unit economics work out, and are plowing their profits back into expanding the business.
Leaving out stock compensation in a non-gaap perspective would show they are close. Granted compensation is a real cost to value of shares, It's not as wide a delta as many other companies.
I would suspect they're going the other way and will continue to double down into new areas of services to expand their product line.
Probably not the place to post this feedback, but in general I get excited about what Cloudflare have been releasing in 2024. I'm borderline desperate to try them out in a business setting.
The only thing that really stops me is the horror stories I hear about random billing issues and on top of that account closures.
That is something I'm _never_ worried about with AWS.
On the off chance that someone from CF is reading this feedback.
Piggybacking on the thread a little, anyone has experience to share using Pages or Workers at scale? Perhaps I bought too much into the JAMstack hype, but it seems like a much more convenient approach compared to the k8s rube goldberg machines every other shop is utilizing (assuming they work and scale as advertised on the tin). Wondering what are some drawbacks or even show stoppers.
I've heard horror stories, where once you hit a certain limit they squeeze the hell out of you. And by that point in time you are locked in and forced to make a deal.
It's made me not use cloudflare for future products. Just charge me upfront what you need to make a healthy margin and let's do business!
Right, and why don't all products get priced at cost+? Such a puzzle.
/s
Pricing is not about today's balance sheet, but about the future of the business. If pricing ever becomes about making this month's payroll, the business is probably in trouble. There are exceptions, especially for small businesses.
We are currently developing a project and were very open regarding the provider and none came close to Cloudflare pages.
The free geo information in the header alone is already worth it for us so we save money on purchasing a separate ip db but also don't waste time for the separate db call looking up the location.
I was very disappointed by their kv store latency and that d1 does not replicate yet. So we ended up comparing a poor man solution in just providing the json at a http endpoint on our webserver vs. quite a few global kv providers.
We set up a promise race and did thourough global tests. Doing the http request beat the global kv store providers by far, even if they have a pop in syd, the cloudflare http request to europe or the us was still faster. We are using Argo though, this might have helped as well.
between 300 - 1200ms , also very random
I then found bejamas where you can do some nice comparisons like: https://bejamas.com/compare/turso-vs-upstash-redis-vs-cloudf...
It's always about creating technical debt at your org so that when they come to charge you 10-100X what some service is worth it's less painful to overpay them than it is to switch.
here's a piece of life advice for you: if it don't make sense, theres a buck in it.
I'm going to have to ask you to keep your voice down, sir.
edit: it was a joke folks, because I like the free tier.
HNer gets his casino site shut down and extorted into buying Enterprise for $120k/yr, there's an unwritten limit of 10TB. https://news.ycombinator.com/item?id=40481808
From the thread and related discussions, Cloudflare's reasons probably had nothing to do with bandwidth used. I also recently signed up for Cloudflare and pushed 20 TB per month on their free plan, I specifically asked Cloudflare if this was okay and they said yes. YMMV
> Additionally, there's plenty of "Upgrade to Pro" buttons sprinkled about. It's the freemium model at work.
I don't think they care much about few "Pro" upgrades here and there. The real money, and their focus as a company, is in enterprise contracts. Note that, Matthew Prince, the CEO, had outlined a few reasons why they have such a generous free tier on an Stack Exchange answer[1]. I think the biggest reason is this:
> Bandwidth Chicken & Egg: in order to get the unit economics around bandwidth to offer competitive pricing at acceptable margins you need to have scale, but in order to get scale from paying users you need competitive pricing. Free customers early on helped us solve this chicken & egg problem. Today we continue to see that benefit in regions where our diversity of customers helps convince regional telecoms to peer with us locally, continuing to drive down our unit costs of bandwidth.
Cloudflare had decided long ago that they wanted to work at an incredible scale. I would actually be very interested in understanding how this vision came to be. Hope Matthew writes that book someday.
[1]: https://webmasters.stackexchange.com/a/88685.