Note

If you use Cloudflare as a mere CDN, you have to ensure that requests can't bypass the CDN front. Clients can override DNS entries and connect directly to the web servers. That may not be an issue for small-scale services, but otherwise it is, because a request that bypasses the CDN gets:

  • no Web App Firewall

  • no Rate Limits (for login brute forcing)

  • no DDoS protection

  • ….

Why pay for a CDN's security features if an attacker needs 10s to bypass all the controls?

With the cloudflared approach, you don’t have that problem. Cloudflare publishes a list of IPv4 and IPv6 endpoints, which you can allow when you want to glue the CDN / Service Edge to your Load Balancer / web-front.

https://www.cloudflare.com/en-gb/ips/

Restricting this channel via AWS Security Groups, iptables etc. can be complex.
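One way to build and check such an allowlist, as an added example (not part of the original note or of any Cloudflare tooling). The function names and the sample ranges are assumptions: the ranges are documentation prefixes standing in for the published list at the URL above.

```python
import ipaddress

# Constructed sample list (documentation ranges, NOT Cloudflare's real prefixes).
# In use, pass the current contents of the published list instead.
SAMPLE_EDGE_RANGES = """
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
"""

def parse_ranges(text):
    """Validate every line as a strict CIDR; reject junk and an empty list."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=True))  # ValueError on junk
    if not nets:
        raise ValueError("empty range list, refusing to emit a drop-everything rule set")
    return nets

def build_rules(nets, ports=(80, 443)):
    """Emit iptables/ip6tables commands: ACCEPT the edge ranges, then DROP the rest."""
    rules = []
    for port in ports:
        for net in nets:
            tool = "iptables" if net.version == 4 else "ip6tables"
            rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        # -A appends, so the DROP has to follow every ACCEPT, in both address families.
        for tool in ("iptables", "ip6tables"):
            rules.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return rules

def is_from_edge(addr, nets):
    """True if addr (the TCP peer, not a client-supplied header) is in an edge range."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in nets)

def direct_hits(peer_addrs, nets):
    """Peers that reached the origin without passing the edge (allowlist gap or bypass)."""
    return [a for a in peer_addrs if not is_from_edge(a, nets)]

if __name__ == "__main__":
    edge = parse_ranges(SAMPLE_EDGE_RANGES)
    print("\n".join(build_rules(edge)))
    # Constructed peer addresses, e.g. taken from the origin's connection log.
    print(direct_hits(["192.0.2.10", "203.0.113.7", "2001:db8::1"], edge))
```

The published list changes over time, so regenerate the rules whenever it is updated. Running `direct_hits` over the origin's connection log shows whether anything still reaches the web servers without passing the edge.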
