After promoting 20 products and enhancements to general availability during GA Week, Cloudflare rolled through Birthday Week with even more announcements. The pace of product execution is staggering. As is typical with Birthday Week, we got a view into what to expect next from the Cloudflare product team, along with some interesting new go-to-market programs. These were all couched under Cloudflare’s mission to help build a better Internet, with a thoughtful balance of monetized and free services.
As with GA Week, I was impressed by the breadth of announcements. These spanned multiple product categories and several stand to leapfrog product capabilities forward, potentially ahead of competition. We are also seeing more examples of disruptive pricing models, where Cloudflare is leveraging their massive network scale and ownership of infrastructure to undercut competitive offerings. They appear poised to capitalize on their long time investments in data centers and global network capacity.
To get caught up on Cloudflare’s announcements from GA Week, readers can check out my prior coverage. For Birthday Week, Cloudflare provided a treasure trove of information through their blog, Cloudflare TV and press releases. This content was consolidated into a Birthday Week landing page and a handy end-of-week listing of all announcements.
In this post, I’ll try to review all the major announcements from Birthday Week and provide some perspective on what each implies for Cloudflare’s business growth. Our partners over at Cestrian Capital Research recently published an update on Cloudflare, including financials and technical analysis. Interested readers can check out that coverage as they consider an investment in NET.
Audio Version
View all Podcast Episodes and Subscribe
Overview
Historically, Birthday Week provides Cloudflare’s founders with an opportunity to reflect on the past and postulate about the future in their annual letter. This sets the theme for the week, which is then followed by many announcements. Going back to Birthday Week of 2021, the founders made the comment that Cloudflare’s pace of product development was accelerating.
What’s exciting is that the pace at which the Internet is getting better is accelerating. And, in turn, the pace at which we are able to launch innovative new products is accelerating along with it. As the Internet grows and acquires more capabilities, we believe we will continue to grow with it. An investment in Cloudflare is, fundamentally, we feel an investment in the Internet itself.
Cloudflare Founders’ Letter, September 2021
Well, they weren’t exaggerating. Birthday Week 2022 packed in 36 separate product announcements, with 12 on Tuesday alone. As I mentioned during my GA Week coverage, it was refreshing to see that most of the product announcements from the last 12 months have been brought to market. This gives investors confidence that Cloudflare isn’t just innovating by press release, but is delivering value-add services to customers. As an example, R2 and Web-RTC were both introduced during Birthday Week 2021, and are now in GA.
As I reflect on Birthday Week 2022, what strikes me is the growing awareness and influence of Cloudflare within the sphere of Internet services. Several years ago, the company arguably was little known outside of technologist circles. Now, they are able to assemble 26 (and growing) of the top software infrastructure VC’s to commit $1.25B to fund start-ups that build new technologies on the Workers platform.
And it’s that rapid growth in Cloudflare’s reach and influence that makes me optimistic about their future. While they are far from hyperscaler status, they are being included in the list of leading providers across a wide array of product categories. Cloudflare is referenced in Zero Trust, network security, serverless compute, application protection, data storage and even video streaming. As they iterate to best-of-breed product status in these categories, I think this reach will only increase.
This momentum will continue to attract the attention of large enterprises, who are looking to consolidate multiple services onto a single platform. As I will discuss, Cloudflare’s architectural approach of owning their data centers and operating their own network will provide unique advantages in pricing and performance that could be disruptive to existing providers. We are already seeing hints of this coming out of GA Week, with R2 lacking egress fees and Stream Live supporting any video resolution for the same price. Layer onto this the enhanced security insights gained from all the core infrastructure services powering millions of web sites, and Cloudflare is creating significant competitive advantage.
While some worry that Cloudflare will never compete with the hyperscalers, I don’t think that is ultimately where Cloudflare’s disruption will focus. First, I think they will target the “seams” of the Internet, occupying the space between the hyperscalers. While hyperscaler strength lies in the immense capacity of their centralized infrastructure, Cloudflare plays on the edges, where distribution across many data centers in parallel and network bandwidth provide efficiencies.
Second, they are starting to leverage their capital investment in infrastructure to roll out new application, security and network services with pricing models that undercut incumbent offerings. Those vendors most vulnerable will be the ones who don’t have full control over their infrastructure. While building out their own network, software platform and global data center footprint has been costly for Cloudflare, they can now apply this investment surgically in product categories where they have excessive compute, storage and bandwidth. Because all Cloudflare services run on all data centers in parallel, resources can be re-used across many products, creating a multiplier effect.
Let’s review the major announcements from Birthday Week. Given that there were 36 individual blog posts, I won’t cover them all in detail. Birthday Week 2022 delivered more than the prior year, demonstrating that Cloudflare’s pace of innovation really is accelerating.
Cestrian Capital Research provides extensive investor education content, including a free stocks board focused on helping people become better investors, webinars covering market direction and deep dives on individual stocks in order to teach financial and technical analysis.
The Cestrian Tech Select newsletter delivers professional investment research on the technology sector, presented in an easy-to-use, down-to-earth style. Sign-up for the basic newsletter is free, with an option to subscribe for deeper coverage.
Software Stack Investing members can subscribe to the premium version of the newsletter with a 33% discount.
Cestrian Capital Research’s services are a great complement to Software Stack Investing, as they offer investor education and financial analysis that go beyond the scope of this blog. The Tech Select newsletter covers a broad range of technology companies with a deep focus on financial and chart analysis.
Developer Platform
Cloudflare’s edge platform has been evolving rapidly over the past two years, with the goal to bring all the developer primitives and tools to market that would support modern application development. These enhancements are grounded in the distributed architecture that makes Workers unique. All services are available in parallel from all servers spread across all of Cloudflare’s 275+ data centers worldwide.
As the number of product offerings increases, most infrastructure providers start to segment out their delivery environments into separate, dedicated tiers for each product or service. This works well for isolation and parallelized internal development (using the micro-services approach), but generally results in the grouping of services into fewer delivery points. This tactic has been used by most hyperscaler offerings, as they push services out of large central data centers to the network edge, but don’t support every service in every edge location. This approach can result in more unused capacity, as each service has to project its peak utilization and allocate sufficient CPU, memory, storage and bandwidth appropriately.
By running all services on all data centers, Cloudflare can deliver fast end user performance and high utilization of capacity. The performance benefit would primarily accrue in use cases where an advantage exists in delivery services closer to the user. Examples would be latency sensitive applications (gaming, autonomous devices, UI sharing), video streaming, collaboration, network access and Zero Trust. Capacity utilization would be more efficient because CPU, memory, storage and bandwidth resources in all data centers would be shared across all services. This efficiency is created as changes in usage by one service can be backfilled by usage from another service. Cloudflare only needs to calculate peak utilization and provision additional capacity across all data centers, versus determining peak capacity for each server tier in isolation.
Because Cloudflare owns and operates their data centers and network, they have more latitude to drive down internal operating costs and undercut other service providers on pricing. This advantage becomes acute where competitive offerings rely on the infrastructure of other providers (like the hyperscalers). While hosting software applications on hyperscaler infrastructure provides fast time to market and minimal CapEx spend, incremental usage drives incremental cost in a roughly linear fashion.
This cost dynamic works out for common SaaS apps like CRM, HRM, ERP or FinTech, but it becomes less efficient for services closer to the realm of software or security infrastructure, particularly where heavy bandwidth usage is a major component of the service. By having 155 TBPS of network capacity already provisioned and 275+ data centers paid for, Cloudflare can roll out and scale high-bandwidth products at little incremental cost.
In many ways, this is similar to the advantage that the hyperscalers enjoy, being in a position to collect a toll no matter what customers do. While it may appear to be the case on the surface, I don’t think Cloudflare intends to compete directly with the hyperscalers for the same set of compute, storage and network products and services. Rather, they are disrupting other software and security infrastructure providers who don’t own and operate their data centers and bandwidth.
It is true that Cloudflare advertises pricing for some developer products in comparison to those of the hyperscalers (like R2), but I think this is to illustrate that developers can take advantage of edge compute and storage services with a pricing model that they are familiar with. And, in cases where costs accrue for bandwidth usage (like AWS egress fees), Cloudflare is demonstrating that their offering doesn’t need to charge incrementally for bandwidth.
The objective isn’t to transition all S3 business away from AWS. The lion’s share of object storage logically should reside next to heavy centralized compute and data processing workloads. But, there are use cases in data distribution, content delivery, secure collaboration and video streaming where object storage buckets can be placed anywhere. For these use cases, R2 offers a low cost solution that doesn’t incur incremental bandwidth fees.
With that underlying strategy in mind, Cloudflare’s intent with the developer platform is to rapidly build out new products and services for application builders that allow Cloudflare to leverage their advantages in architecture (globally distributed serverless runtime) and bandwidth (large network capacity with intelligent routing that is already provisioned).
Cloudflare’s edge platform necessarily started with developer primitives, like their runtime (Workers) and data storage (KV, Durable Objects, R2, D1). These provide the basic building blocks for any application. Because they started here, their product strategy appears to overlap with the hyperscalers. While these primitives can be sold to developers to consume in building their own edge-based Internet applications, they are also available to Cloudflare’s internal product development teams.
And that is where I think we will start to see an inflection in Cloudflare product offerings. They will continue to expand the building blocks that they provide to all developers (both external customers and internal product teams), but I think they will also start launching more services built by internal teams using these building blocks. We have already seen this in the rapid expansion of Zero Trust products, and are now observing the succession of new services for collaboration, communications, video streaming and IoT. It’s this second phase of product development that I think will be very interesting and could drive Cloudflare’s next leg of growth.
With that set-up, let’s dive into what was announced during Birthday Week for the developer platform.
Workers Launchpad
Cloudflare kicked off Tuesday’s announcements with a bang. They introduced a new collaboration with VC firms to fund start-up companies that build new products and services on the Cloudflare Workers platform. When Cloudflare first conceived of this idea, they thought a commitment for $250M in funding from VC’s would represent an ambitious target. After socializing the concept with a number of top VC’s, interest in participation was so great that they raised the target to $1.25B.
At the point of announcement, they had secured participation from 25 VC firms, each committing to invest $50M ($50M x 25 = $1.25B). However, the count is still increasing as more VC’s express interest. The participating firms announced thus far represent a who’s who list of the most prominent VC’s in the software infrastructure space. Examples include Bessemer, Altimeter, Firstmark, Greylock, Lightspeed, Meritech and Amplify.
This program is promising on a couple of levels from an investor’s perspective in Cloudflare. First, the investments are not being made by Cloudflare itself, so there is no impact to their balance sheet. This is different from some other prominent Venture arms of public companies. Cloudflare’s role is to function as a matchmaker, connecting promising start-ups with the VC’s. There is some cost to Cloudflare in that they are providing a number of services for free for a year (with usage limits) to start-ups that qualify. They also will deliver mentoring and sponsor special events for participants in the VC program.
The second major benefit is that these funds will be applied to build new businesses that utilize the Cloudflare Workers platform. As those companies grow, they will generate revenue for Cloudflare through their consumption of Workers resources. Granted, they will likely start small and have to break through the caps on free usage, but after those limits (whether surpassing one year or volume), their usage will be billed.
Additionally, these companies would presumably be interested in other Cloudflare services outside of Workers, like Zero Trust for their employees, network access, application security, video streaming, etc. This cross-sell should generate incremental revenue on top of what is allocated for Workers.
Cloudflare isn’t unique in setting up a program like this to fund start-ups building applications on their platform. Snowflake takes a similar tact through Snowflake Ventures. As part of that program, Snowflake Ventures provides expertise and strategic capital to growth-stage players within the data ecosystem. They usually target placements of $1M to $20M as part of Series A to pre-IPO rounds. In its first year, the group has made more than a dozen investments representing over $100 million in deployed capital.
Besides representing strategic enablers in the data management ecosystem, like DataRobot, dbt Labs and Dataiku, Snowflake has funded companies that are building their platform directly on Snowflake. The data ecosystems players maintain deep integrations with Snowflake and often direct their customers to the Snowflake Data Cloud for large scale data processing and storage. The platform builders have a more direct impact, where they are launching SaaS businesses powered by Snowflake’s platform. These include companies like Hunters, Lacework, Panther Labs and Securonix. In this case, these are all security analytics and XDR service providers who make heavy use of the Snowflake Data Cloud in providing services to their customers.
For Cloudflare, the net benefit would be similar. The Workers Launchpad would fund new companies that either build directly on the Workers platform to offer their SaaS to other customers, or might provide a gateway into Cloudflare services through deep integrations as they deliver adjacent functionality that make adoption of Workers easier. In either case, the outcome should drive broader awareness, easier use and increased consumption of the Workers platform and supporting Cloudflare services.
The other exciting aspect of this announcement is the VC firms’ motivation for participating. Arguably, firms of this stature would only bother with a program like this if they thought the underlying technology had potential. Otherwise, why would they allocate capital, particularly in this environment? I think the reason is that they view Cloudflare’s platform as a disruptive enabler for their portfolio companies to use to build the next generation of Internet services and applications. Others speculate that VC’s feel the hyperscalers are extracting too much margin from their start-ups and are looking for alternate platforms.
Over the past year, we have been seeing a rapidly increasing amount of startups building their products upon Cloudflare Workers. In fact, we have invested in Liveblocks, which uses Workers and Durable Objects under the hood to help deliver a great end user experience to developers (their users). We are excited to continue supporting the growing Workers ecosystem and the innovative products that will be built on top in the future.
Shomik Ghosh, Partner at boldstart ventures.
As noted in the quote above from the press release, several of the VC’s commented that they became aware of Cloudflare Workers because their hottest start-ups were using the product. Cloudflare’s recent acquisition Zaraz built their entire application on the Workers platform, so they know that progressive companies exist that use Workers as a foundation.
For investors, I think Launchpad represents an exciting program. It builds awareness of the Workers platform, both in the investment community and with those developers working at progressive start-ups (who generally skew highly on the talent scale). At a concrete level, the program requires participants to have built their application on the Workers platform, which should drive more utilization and revenue.
Workerd – Open Source Workers Runtime
Following up from a prior announcement during Platform Week in May, the Cloudflare team released the core of the Workers runtime as an open source project, called workerd (worker daemon). The source code is available on GitHub for download and inspection. The project is presented as a beta, with a number of caveats associated with running the code in a production environment.
The warnings make sense. While Cloudflare has run workerd in their environment for years, it is surrounded by all of the supporting services for security, performance, integration and error handling that are part of Cloudflare’s product environment. These are not portable to other environments. Therefore, the Cloudflare team had to wrap workerd in a stand-alone application server with its own configuration. This likely introduces potential bugs and issues, that will be resolved over time. Those bugs don’t imply there are issues with Cloudflare’s implementation.
Because workerd is being released as an open source project in this stripped-down manner, the Cloudflare team wrapped the code using the permissive Apache 2.0 license. This is different from the more restrictive licenses used by other commercial entities based on an open source project, like MongoDB, Confluent and Elastic.
Release of workerd as open source doesn’t create risk for Cloudflare of a hyperscaler simply hosting a commercial version of the runtime and competing with Cloudflare. This is because they would first have to build all the previously mentioned guardrails (security, scaling, integration, etc.) around it. Second, Cloudflare’s network of 275+ data centers is uniquely configured to run the code. The architectural approach of running everything in parallel isn’t compatible with the centralized design of most hyperscalers.
In fact, the Cloudflare team described this “run everywhere” architectural advantage as part of the blog post announcing the beta release of the open source project. Their fully distributed and serverless runtime architecture provides a competitive advantage for rolling so many application services on their platform. All application services are built on top of Workers, which means that every service runs on every server within every data center in parallel. Technically, the Worker handling each individual request is only instantiated on demand (serverless mode), which minimizes resource consumption.
Cloudflare calls this architecture “homogenous deployment“, and the model makes them very unique among SaaS providers. Cloudflare can deploy hundreds or even thousands of individual products and services on the same physical server. As I mentioned earlier, this is opposed to the standard approach of dedicating tiers of servers to each individual product, which are usually further sub-divided into many micro-services, resulting in a large amount of under-utilized hardware and network overhead for cross-service communication.
In a typical microservices model, you might deploy different microservices to containers running across a cluster of machines, connected over a local network. You might manually choose how many containers to dedicate to each service, or you might configure some form of auto-scaling based on resource usage. workerd offers an alternative model: Every machine runs every service.
workerd’s nanoservices are much lighter-weight than typical containers. As a result, it’s entirely reasonable to run a very large number of them – hundreds, maybe thousands – on a single server. This in turn means that you can simply deploy every service to every machine in your fleet. Homogeneous deployment means that you don’t have to worry about scaling individual services. Instead, you can simply load balance requests across the entire cluster, and scale the cluster as needed. Overall, this can greatly reduce the amount of administration work needed.
Cloudflare itself has used the homogeneous model on our network since the beginning. Every one of Cloudflare’s edge servers runs our entire software stack, so any server can answer any kind of request on its own. We’ve found it works incredibly well. This is why services on Cloudflare – including ones that use Workers – are able to go from no traffic at all to millions of requests per second instantly without trouble.
Cloudflare blog Post, September 2022
I think this strategy with open sourcing the Worker code in this way is very smart. Because the core workerd code can be downloaded and inspected, large customers at least have some protection against lock-in. If they build significant portions of their application infrastructure on Workers, and Cloudflare disappears for some reason, they could self-host with some work. Also, by having access to the source code, they can at least inspect it to further understand how the runtime works. That removes the “black box” feel of it. This should ultimately help with platform adoption, which is the end goal.
Cloudflare Calls
During Birthday Week 2021, Cloudflare introduced WebRTC Components, which were meant to provide the platform infrastructure for enabling real-time communications over Cloudflare’s network. This provided the underpinnings for new products and services based on serving real-time video and audio streams between multiple parties. As part of this year’s Birthday Week, Cloudflare introduced a new product named Calls.
Calls is based on WebRTC and provides a set of APIs for developers to build real-time audio and video features into their applications. This could be used to deliver a number of sample use cases for real-time communications, most of which we are familiar with:
- Many to many video conferencing (like Zoom or MS Teams)
- Interactive conversation among moderators, where the audience can listen and designated audience members can be brought on stage to speak (Twitter Spaces).
- Exercise or education apps where the instructor can view all participants, but participants cannot view each other (Peloton).
- Broadcast performance of several presenters to thousands of viewers.
There are many existing providers of a programmable video conferencing platform through APIs, SDKs and WebRTC implementations. Examples include Zoom (client SDKs and APIs), Agora (SDKs and APIs) and Twilio (WebRTC). Cloudflare’s advantage in rolling a similar offering is in the reach of their network and ability to run all services in parallel across all data centers. Legacy WebRTC and video conferencing solutions rely on having all participants connect to one central server or a few regional services to collect all video and audio feeds and then distribute them back to all parties.
Cloudflare’s implementation distributes the “collect and forward” function to all of its data centers. In this model, participants connect to the closest Cloudflare data center, and then the Cloudflare network handles distribution of those audio and video feeds to the other participants. By keeping the connection points local and distributed in parallel across all of Cloudflare’s 275+ data centers, users in any region of the world will experience less latency, particularly if the participants are primarily located in the same area.
Cloudflare’s implementation of Calls brings additional advantages in privacy and security. Because each participant’s video connection is routed over Cloudflare’s network, it is encrypted by default for the full path. Additionally, participant IP addresses are masked, providing more privacy. These benefits are a consequence of Cloudflare’s network access and Zero Trust products, which competing solutions do not have available to leverage.
Calls has been released in a closed beta to a select set of customers. New customers can request access to participate in the beta. Calls will be free during the beta period and then eventually released to general availability with pricing. For investors, this represents another revenue stream to anticipate in serving a popular use case around apps that make use of real-time communications. While there are a number of existing providers of this technology, Cloudflare’s architecture should enable better performance and video quality. Additionally, their network scale would also allow them to offer the service with very competitive pricing.
Cloudflare Queues
Message queues are a standard primitive for most applications. They allow two independent processes to communicate asynchronously. Developers typically implement a message queue to pass an event or job request to another process to handle. This is useful in cases where the information or request doesn’t need to be addressed immediately by the primary process. An example in e-commerce would be to send an email confirmation after an online order. It’s typically okay if that email process starts a few seconds or minutes later and is handled by a different application service.
As Cloudflare has been rapidly building out the Workers platform to support more sophisticated applications, message queues were missing. These supplement the many permanent data storage options, like KV, Durable Objects, R2 and D1. Queues provide temporary, ordered storage to allow one process to transmit a message (event, request, log item, etc.) to another.
During Birthday Week, Cloudflare introduced an implementation of a basic message queue through its new Cloudflare Queues product. Developers can create a queue, and then designate Workers that can produce and consume messages on the queue. An application can support multiple queues, with logic to filter messages and direct them to the appropriate queue. Finally, messages can be archived to R2 for long term storage if desired.
Queues is being released as a private beta now, with a sign-up list for interested customers. The next step is an open beta. Cloudflare has published pricing of $0.40 per million operations (read, write, delete). The first 1M operations per month are free and accrues no costs for bandwidth usage or egress. A high volume web site making heavy use of multiple types of queues could generate tens of millions of messages a day, so this could start to generate meaningful revenue at scale. During the private beta, usage will be free for customers, with fees accruing during the open beta.
Queues brings another necessary building block to the Worker developer environment. Additionally, Queues is a simple implementation now, providing a primitive that could be combined and extended to facilitate more sophisticated publish/subscribe systems and real-time data streaming use cases. Hosted queuing implementations exist within the hyperscalers (like AWS SQS). Self-hosted open source (RabbitMQ, ZeroMQ) options are available as well.
I like that Cloudflare is adding this capability to the Workers environment and monetizing it. I also think that Queues could be the first step in a move towards enabling more sophisticated data distribution use cases. Cloudflare’s ownership of their data centers and provisioned bandwidth could scale very nicely here to address real-time data streaming use cases between parties in a low cost way. The lack of egress fees (unlike SQS or Google Pub/Sub) would likely be appealing to enterprise customers that operate on multiple clouds or in a hybrid topology.
D1 Enhancements
As investors will recall, Cloudflare introduced its SQL database D1 back in May as part of Platform Week. It was made available as a private beta for select customers to start using in June. During Birthday Week, the Cloudflare team provided some updates on the product, including their vision to support transactions and new administrative features.
D1 is built on top of SQLite, which is a popular open-source SQL database engine. Technically, SQLite is an embedded database, which means it is implemented as a software library that developers can import into their own application. In this context, it is often used to provide a database function within mobile devices, browsers and stand-alone hardware. Unlike MySQL or PostgreSQL, SQLite doesn’t run a database server. This implementation works perfectly for Cloudflare, which effectively provides the runtime that can be invoked as a Worker process on request. Data for SQLite is stored directly in files on disk, which also aligns well with Cloudflare’s architecture. Durable Objects appears to be the backing data storage mechanism.
D1 functions like any relational database. It is ACID compliant and contains all the standard features of SQL, including tables, indexes, triggers, views and the full range of SQL commands. It is compact, fast, well-tested and extensible. This represents a solid choice for Cloudflare, without any encumbrances of a restrictive license. I think it also accelerated time to market, versus trying to build a relational database from scratch.
For Birthday Week, the team highlighted a few new capabilities. They have added automated back-ups with one-click restore. These can be scheduled to run on any frequency and store the back-up in R2. D1 has been fully integrated with Cloudflare’s developer tool, Wrangler, for command line operation, and supports administrative controls from the Cloudflare Dashboard through a UI.
The Cloudflare team also introduced a proposal for handling a transaction within Javascript code. This would support the ability to wrap multiple database interactions into a single transaction and either apply all changes or roll them back at the end. While D1 already supports ACID transactions for each operation, most databases support this capability to link individual operations into an overall transaction in code.
The product is in private beta now, and Cloudflare indicated that an open beta would be forthcoming. Open beta would include pricing, which they haven’t announced, but indicated that D1 would be priced similar to R2 and other data products, based on total storage and number of operations by type.
Cloudflare once again demonstrated the composability of their platform in building D1. The underlying data storage primitives make use of Durable Objects and R2 handles back-ups. These primitives accelerated the development of the product, by allowing Cloudflare’s engineers to re-use their own building blocks in the implementation of D1. This composability is a big part of the reason that Cloudflare’s product development cadence is able to accelerate.
WebRTC Live Streaming
As part of GA Week, Cloudflare brought its Stream Live product to GA with very competitive pricing. The disruptive change, relative to competitive offerings, is that Cloudflare is only charging based on minutes of video streamed, with no additional charges for ingestion, encoding or bandwidth consumed. This allows users to stream the highest resolution video desired. As I have discussed, Cloudflare can support this disruptive pricing model because they don’t incur additional costs for compute or bandwidth on their network.
With Birthday Week, Cloudflare extended the Stream Live product to support live streaming of video over WebRTC. As part of that, they are embracing two evolving open standards, versus forcing developers to implement a vendor-specific SDK (which limits portability). These are new standards for handling the ingestion (how broadcasters should send media content – akin to RTMP today) and egress (how viewers request and receive media content – similar to DASH or HLS today) of video over WebRTC.
For ingestion, Cloudflare has chosen to support WHIP, which is an IETF draft on the Standards Track, with many applications already successfully using it in production. For delivery (egress), they will support WHEP, which is an IETF draft with broad agreement. Combined, these provide a standardized end-to-end way to broadcast one-to-many over WebRTC at scale. Cloudflare claims that this makes Stream the first cloud service to support broadcasting using WHIP and playback using WHEP, with no vendor-specific SDK needed.
Cloudflare Stream is already built on top of the Cloudflare developer platform, using Workers and Durable Objects leveraging Cloudflare’s low-latency, distributed network, with PoPs within 50ms of 95% of the world’s population. Broadcasters stream video using WHIP to the point of presence (PoP or data center) closest to their location, which tells the Durable Object where the live stream can be found. Viewers request streaming video from the point of presence closest to them, which asks the Durable Object where to find the stream, and video is routed through Cloudflare’s network, all with sub-second latency.
Cloudflare claims that existing ultra low-latency streaming providers charge more to stream over WebRTC. However, Cloudflare’s pricing will remain the same as regular Stream, because Stream runs on Cloudflare’s global network. Once generally available, WebRTC streaming will cost $1 per 1000 minutes of video delivered, just like the rest of Stream.
The advantage of ultra-low latency is that real-time interactivity is available for the experience, removing the time delay between creators, in-person attendees, and those watching remotely. Developers can address use cases like sports betting, live auctions, interactive viewer Q&A and even real-time collaboration in video post-production.
Cloudflare is clearly making a big push in live video streaming. This builds on their release of Stream Live during GA Week and the introduction of Cloudflare Calls and now live video streaming over WebRTC. As a final competitive move during Birthday Week, they announced a free allocation of Cloudflare Stream to all Business and Pro subscribers. This includes up to 100 minutes of video content storage and up to 10k minutes of video content delivery each month. For customers that want more usage than these basic thresholds, they can upgrade to a paid Stream subscription.
I think this is a smart strategy by Cloudflare to expand customer use of video streaming from Cloudflare. It’s likely that most of their customers deliver video of some sort to their users, partners or even employees. Cloudflare can easily help them deliver this content for a low cost and with high performance. This would either replace commercial offerings or free video delivery services that show ads or other obtrusive content.
For the commercial market, I think Cloudflare is well-positioned to compete effectively. The market for live video streaming was estimated at about $1B in 2021, and is projected to grow to over $4B by 2028. Cloudflare provides a low-cost and highly performant solution that could allow them to win share from incumbents like Vimeo and Brightcove. Granted, their feature set is basic at this point, but Cloudflare will continue to evolve it until it is sufficient for most use cases. Then, their cost effectiveness and performance should help drive the purchase decision.
Workers Analytics Engine
Cloudflare introduced Workers Analytics Engine during Platform Week in May as a closed beta, requiring customers to request access to participate. During Birthday Week, they transitioned the product to open beta, making it available to a broader set of customers.
On the surface, this appears to be a simple data store for telemetry data. Internal teams at Cloudflare have been using it to collect metrics for Workers performance and R2 utilization. However, the underlying implementation is more properly a time series database. This combines cleanly with the new Pub/Sub service to provide a destination for IoT sensor data.
Developers can create an Analytics Engine instance in their environment and then populate it through Workers code. Data can be written in the form of “data points”, which consist of labels and metrics (which are just numbers). Each data point also has a timestamp associated with it. Once written, data can be read through a rich SQL API. This allows for retrieving metrics data based on combinations of labels. The data can also be graphed by popular time series visualization tools like Grafana.
During the closed beta period, the Cloudflare team made a few enhancements to the product. They rewrote the API for developers to query the Analytics Engine to improve error messages to provide more specific detail. As the query language is based on SQL, they also published documentation about what query commands are supported. To help developers understand the granularity and resolution of data being queried, they exposed a sample interval value for queries, which varies based on the resolution of data being requested.
Combined with Cloudflare’s other data offerings, they now offer a key-value store, object storage, a relational database and a time series database. Those provide developers with a lot of options. A time series database in particular serves IoT workloads. When combined with the new Pub/Sub service and Cloudflare’s distributed edge network, it should provide a powerful backplane for emerging use cases around industrial IoT and the coordination of fleets of smart devices.
Zero Trust
Cloudflare is doubling-down on expanding their Zero Trust platform offering. Going back to Cloudflare One Week in June, Cloudflare checked all the boxes for a full-featured SASE solution. The primary capabilities introduced during that Innovation Week were new product additions, like Data Loss Prevention (DLP), Email Security, CASB and a threat detection service. There were also a number of extensions to existing products. These supplemented products in ZTNA, SWG and Firewall as a service.
Most of the new product introductions in June were offered to customers in a private or closed beta format. Over the subsequent months, the Cloudflare team solicited customer feedback and made adjustments. During GA Week last week, those new product introductions were moved to GA status. Considering that they were brought to a customer beta just 3 months prior underscores how important Cloudflare considers their investment in Zero Trust solutions and reflects very fast progress.
GA Week closed the loop on four of their top level secure access functions – specifically DLP, CASB, RBI and Email Security. At this point, all seven top-level product offerings that are part of Cloudflare’s SASE stack are in GA, meaning that they can be sold to customers and generate revenue.
With Birthday Week, Cloudflare laid out the next set of product milestones for the evolution of their Zero Trust offering. The primary theme is to extend their reach beyond the core platform into the space occupied by the end user or device, effectively securing the Zero Trust path from end-to-end. Examples include protecting the user device itself, increasing support for hardware keys, integrating directly with mobile network operators and reaching further into email protection.
This expanded reach goes beyond competitive offerings in some scenarios and leverages Cloudflare’s inherent network capability. Because Cloudflare controls the network path from end-to-end and powers much of the supporting client access infrastructure like DNS, they are in a unique position to apply Zero Trust security controls across the full spectrum of access. As implemented, this would deliver protection against attacks like SIM card cloning, MFA interception and deep link phishing that other Zero Trust providers leave to the user to implement or rely on other solutions.
With this extension further into the client, Cloudflare’s Zero Trust solution is leap-frogging forward, at least in terms of vision. While several of their recently launched Zero Trust products need more iterations of feature build-out and third-party integrations, the foundation is in place and the Cloudflare team is confident in their ability to iterate quickly to flesh these out. I think the result will be deeper penetration into the Zero Trust market.
Given their broad customer base and bottoms-up selling motion, Cloudflare is well-positioned to bring on many new SMB Zero Trust customers. They are also moving up-market into larger enterprises, facilitated by their new Partner Program and their existing relationships with 29% of the Fortune 1000 for other products. In a Protocol article published in July, Cloudflare revealed that more than 15% of total customers (over 23,000 at that point) were subscribers of Zero Trust products. I imagine that penetration is continuing to increase.
With that set-up, let’s review what was announced during Birthday Week in the realm of Zero Trust.
Zero Trust SIM
Cloudflare recognizes that mobile devices represent a vulnerable component of an enterprise’s Zero Trust topology. That is because the device can be difficult to secure and is often owned by the user (BYOD). As a result, attackers are increasingly focusing on them. In a recent sophisticated phishing attack, about 130 companies were targeted and a number of them experienced breaches. Fortunately, Cloudflare was not affected, due to their use of a hardware key for MFA.
However, the incident reinforced the vulnerability of mobile devices. In order to close the loop on threats against employees on mobile devices, Cloudflare introduced their Zero Trust SIM. They claim this will be an industry first. Fundamentally, their Zero Trust SIM extends protections beyond the network to a layer in the application stack. This creates one more barrier for attackers, supplementing their already sophisticated capabilities at the network level.
Cloudflare’s Zero Trust SIM would bring these additional protections:
- Prevents employees from visiting phishing and malware sites. DNS requests leaving the device would implicitly use Cloudflare Gateway for DNS filtering.
- Mitigate common SIM attacks. By using an eSIM approach, Cloudflare can prevent SIM-swapping or cloning attacks. SIMs can be locked to individual employee devices, which brings the same level of protection as a physical SIM.
- Enables secure, identity-based private connectivity to cloud services, on-premise infrastructure and even other devices via Magic WAN. Each SIM can be strongly tied to a specific employee, and treated as an identity signal in conjunction with other device posture signals already supported by WARP.
An additional benefit of Cloudflare’s proposed approach is the ease of implementation. Particularly with BYOD, other solutions require significant configuration within the phone’s settings and there is no way to separate personal from business traffic. By using an eSIM approach, Cloudflare’s solution can be rolled out as a software update, either through a QR code, a Mobile Device Management (MDM) system or an app like Cloudflare’s WARP client.
Cloudflare is testing the Zero Trust SIM technology internally now. With several thousand employees who have a variety of mobile devices, this dogfooding will provide meaningful feedback. Then, the plan is to begin rolling out the service regionally, starting in the U.S. In parallel, Cloudflare is partnering with mobile network operators to create a tighter binding between the SIM and the user’s mobile network.
Internet of Things (IoT)
Cloudflare’s announcement of support for IoT extends the concepts introduced in the Zero Trust SIM to other devices that rely on a cellular connection, but aren’t a mobile phone. There are a surprising amount of these devices, outside of the realm of fixed sensors in factories and agriculture. These include mobile payment terminals, delivery trucks and scanners, portable industrial devices and most modern cars. If the device is mobile, it will generally have a SIM card installed in order to connect to a cellular network (versus wifi for a fixed location).
Connected IoT devices represent a larger problem than mobile phones. It’s estimated that these account for twice the number of mobile phones today, and are expected to grow much faster in the future (as they aren’t bound to the number of humans). These IoT devices are being compromised at a higher rate as well, even being harnessed for DDOS attacks. The problem has gotten so bad that both NIST and the EU are working on requirements for IoT device security.
This challenge provides a backdrop for Cloudflare’s second Zero Trust announcement, a new security platform for Internet of Things devices. The high level goals are to provide a single pane-of-glass view for all IoT devices, provision connectivity for new devices and to secure every device when it connects to the network.
Cloudflare’s IoT Platform will provide a set of services catered to the needs of organizations that deploy fleets of mobile IoT devices. These will include:
- Facilitating the provisioning of cellular connectivity at scale. Cloudflare will support ordering and managing cellular connectivity for devices.
- Controlling network access through Cloudflare Gateway. Gateway already supports the ability to create policies for DNS, network and HTTP access, and then allow or deny traffic based on the source or destination, and richer identity- and location- based controls. Cloudflare will bring these same capabilities to IoT devices, and allow developers to better restrict and control what endpoints their devices connect to.
- Move compute and storage off of the device. This protects the enterprise from data compromise if the physical device were stolen. Cloudflare offers a number of edge compute and data solutions solutions that are located in close proximity to the fleet of devices, but in secure data centers distributed across the globe. Services include Workers for compute, Analytics Engine for telemetry data, D1 as a database and Pub/Sub for many-to-many messaging. These services would be extended to provide additional features to support IoT specific use cases.
The IoT Platform is in a conceptual phase at this point, although much of the underpinning technology would be assembled from existing Cloudflare components and services. The team is soliciting interest from customers now with plans to launch a closed beta in the coming months.
While in the formative stage, I think building an IoT Platform represents a natural product extension for Cloudflare as it would harness a confluence of several capabilities that are unique to the company. First, they have the most distributed edge compute platform, where all services run on all 275+ data centers. Because IoT devices in particular can be latency sensitive, this proximity of compute and data services would provide a big advantage over centralized or regional providers that lack a global footprint.
Second, Cloudflare already offers controlled network routing through Gateway, that makes it easy to securely transmit the IoT device’s traffic to only the destinations specified. This routing would benefit from all the aforementioned Zero Trust capabilities. Finally, Cloudflare has already provisioned significant network capacity to support the rest of their services. They should be able to layer on IoT traffic processing in a very cost efficient way.
During their Zenith Live conference in June, Zscaler also unveiled some new partnerships and focus on enabling Zero Trust for IoT. The two strategies appear to be targeting similar devices, but with different tactics. Cloudflare’s initial focus seems to be on devices with a cellular network connection, whether an employee’s mobile phone or a mobile IoT device. Their device level integration and control will be applied through the SIM card (eSIM implementation) and by partnering with cellular network providers. Their strategy to move compute and data storage off of the device involves customer use of their Workers development environment and associated data storage options.
Zscaler, on the other hand, appears to be focusing on the industrial IoT market where devices are located within a physical plant and connect via a local network (wifi or 5g). To achieve device level integration, they are partnering with OT (Operational Techology) manufacturers. Prior to Zenith Live and coinciding with their earnings release, they announced their first partnership, with Siemens, to deliver an integrated OT (Operational Technology) solution.
This combines the Zscaler Zero Trust Exchange cloud security platform and Siemens’ devices to help customers with OT infrastructure. Offered directly from Siemens, customers will be able to obtain Zscaler Remote Access for OT alongside Siemens’ flexible local processing platform SCALANCE LPE. The new solution enables customers to securely manage, control and analyze production OT infrastructure from any workplace in any location.
Building on the Siemens partnership, Zscaler highlighted other opportunities to apply their Zero Trust architecture to 5G. Beyond industrial use cases, these include AR/VR experiences, autonomous vehicles and gaming. In considering these use cases, the same set of issues apply when deploying applications to the edge to secure them. Traditionally, these have been addressed by firewalls and VPN connections. Zscaler IoT allows enterprises to rethink identity, Zero Trust access policies and how to control device connections for their IoT fleets.
I think the two strategies make sense in their own way. Cloudflare’s integration at the SIM card level and through integrations with mobile providers will give them more control, but will be a heavy lift. Zscaler’s approach of piggy-backing on edge compute solutions from the hyperscalers and physical OT device manufacturers bootstraps distribution, reach and co-selling. The two strategies each have their own advantages. They also appear to be targeting separate device markets for now, splitting on connection through mobile cellular networks versus bounded enterprise 5G.
Mobile Network Operators
Cloudflare announced a new program to partner with mobile network operators (MNOs) to facilitate the use of Zero Trust connectivity and edge compute resources for joint customers. Cloudflare didn’t provide more details about MNOs engaged at this point. Interested parties can contact Cloudflare to participate.
These partnerships would focus on improving the security of users and devices connecting to a mobile network by layering on services from Cloudflare One. These would include Magic WAN (Network as a Service), Cloudflare Access (Zero Trust Network Access), Gateway (Secure Web Gateway), CASB and Cloudflare Area 1 (email security). It’s not clear what the business relationship would be in this case, whether the mobile network operator would support the integration with Cloudflare One or resell Cloudflare Zero Trust services to their commercial customers.
The other opportunity for collaboration revolves around moving compute and data storage closer to the users and devices connecting to the MNOs’ cellular networks. Cloudflare provides a fully-featured developer environment for edge-based software applications through its Workers platform. Currently, Workers are distributed throughout the world, running at all of Cloudflare’s 275+ data centers. User devices connecting to an MNO can be quickly routed to the nearest Cloudflare data center.
The opportunity from a closer partnership with individual MNO’s is to enable “local breakouts” which would immediately route traffic to a local Cloudflare data center, versus directing it to a central Internet hub on the MNO network that might be further away. An even deeper integration would involve the MNO hosting the Workers platform itself within its network facilities. That would allow local user and device traffic to remain within the mobile network, without needing to traverse to a breakout point to reach the Internet.
In this case, Cloudflare could install mini data centers within the MNO’s network for the purpose of running the Workers platform. Or, MNO’s might leverage the Workers for Platforms product to bootstrap their own edge compute offering. This would allow an MNO to quickly provide developers within their commercial customers the ability to build their own edge compute applications for users or IoT devices directly within their cellular network.
Cloudflare certainly isn’t the first software infrastructure provider to pursue partnerships with the large mobile carriers. The hyperscalers have already been forming these (Azure and ATT, AWS and Verizon). The larger carriers are also trying to roll their own compute and IoT centric solutions. At the same time, Cloudflare’s solution offers some advantages, as Workers is grounded in the idea that the runtime is fully distributed, run-anywhere. Most of the hyperscaler implementations revolve around a single physical boundary. Workers would be appropriate in cases where the devices or users move across a broader geographic boundary, like delivery trucks or scooters.
In the Zero Trust and network access market, partnerships between Cloudflare and the MNO’s might offer more opportunity. As with edge compute, some of the larger carriers are trying to layer security over their connectivity. Partnership with Cloudflare would enable Zero Trust connectivity to be extended across the globe and beyond the reaches of any individual carrier.
Hardware Keys and Collaboration with Yubico
Cloudflare utilizes hardware keys internally for all employees as their required method of multi-factor authentication (MFA). Hardware keys provide the best layer of security against phishing or SIM cloning attacks, as they require physical possession of the device. These types of attacks all rely on tricks that allow a remote attacker to appear to be the authenticating user. Without the physical key as a final step, these attacks fail.
As proof of their effectiveness, Cloudflare avoided being exploited by a sophisticated SMS attack that targeted more than 130 companies in July 2022. Many of those companies were compromised in the attack, because they relied on MFA, but with “soft tokens” (SMS code or TTOPS). Because Cloudflare had rolled out physical keys to all employees and forced their use for internal application access in 2021, Cloudflare was not breached in this attack.
Due to their experience preventing this kind of attack and the desire to help other companies improve their security game, Cloudflare is sharing their expertise and access to hardware keys with their customers. As a first step, Cloudflare published a detailed account of their transition to the use of hardware keys. In the article, they share tactics and learnings. Additionally, the Cloudflare Security Team is available to offer advice and answer questions for customers.
The larger announcement was a new collaboration with Yubico, the maker of YubiKeys, to make it easier for organizations of any size to deploy hardware keys and integrate them with Cloudflare’s Zero Trust platform.
Yubico Security Keys are available for any Cloudflare customer, and they easily integrate with Cloudflare’s Zero Trust service. That service is open to organizations of any size from individual users to large enterprises. Any Cloudflare customer can sign into the Cloudflare dashboard and order hardware security keys for as low as $10 per key.
Once ordered, Yubico will ship the hardware keys to the Cloudflare customer. The customer can then configure the hardware keys through their identity provider and require FIDO2 authentication for access to any sensitive applications through ZTNA.
I think this represents another step forward in Cloudflare’s end-to-end Zero Trust offering. As companies are realizing the additional benefits of deploying hardware keys, Cloudflare will be well-positioned. Granted, at $10 a key, it won’t generate significant revenue, but I think it makes a strong statement for the level of security on Cloudflare’s ZTNA solution and their success in preventing attacks.
As an initial data point for interest in the new program, two weeks after the announcement, Cloudflare had to reduce the cap for discounted hardware keys from 10 to 4. Cloudflare’s CEO shared that this was because Yubico wasn’t sure they could fulfill all the demand at the current rate. This appears to be a great start.
Email Link Isolation
To further improve their email security solution, Cloudflare launched a beta for a new Email Link Isolation service. This leverages Cloudflare Area 1 technology, which can be configured to examine all employee email inline. This level of integration is important and represents an advantage for Cloudflare, as the Area 1 email security system can make changes to the content of the email when it perceives that a threat exists. Other email security systems rely on an API integration, which does allow them to identify threats, but only make recommendations for protections outside of the email itself. Those might manifest as pop up warnings or blocked access to the domain in a suspicious link, versus modifying the content of the emails directly.
Most phishing and malware campaigns rely on getting the email recipient to click on a link in the email, which directs them to a third-party web site. This action is what makes these attacks difficult to block – if the malware were in the email itself (like an attachment), it would be easy to cleanse or filter out. Also, many links in an email are legitimate and required for the recipient to complete an action, so the email security system can’t just block all email links.
Email Link Isolation will be bundled into their Area 1 email security subscription to address these challenges. If the link in an email looks suspicious, but could be legitimate, Email Link Isolation will pop up an interstitial screen that gives the user the option to open the link in an isolated browser.
If the user selects the isolated browser option, the web site is opened in the Browser Isolation service, which runs on a separate virtual machine in the Cloudflare network. To ensure website compatibility and security, the target website is executed in a sandboxed Chromium-based browser. The website content is instantly streamed back to the user as vector instructions consumed by a lightweight HTML5-compatible remoting client in the user’s preferred web browser. These safety precautions happen with no perceivable latency to the end user.
The Email Link Isolation service is being launched as a beta program for existing customers. During that period, the service is free. After beta, it will be bundled into the add-on Area 1 PhishGuard subscription. I expect this capability will provide another reason for customers to take advantage of Cloudflare’s email security product.
Application Services
In order to provide customers with the ability to customize logic across many of its products, Cloudflare rolled out Page Rules several years ago. These have been adopted by millions of Cloudflare users. However, over time, their generalized design surfaced a number of limitations as customers increasingly needed more control over their routing, caching and security logic.
The Page Rules product has been overloaded with functionality at this point, being applied to disparate services from the same rules engine. As examples, they have been used to tune how long files should be cached. They can override zone-wide settings for certain URLs. They are used to create simple URL redirects and selectively add/remove HTTP headers.
Because of this overloading, Page Rules has become bogged down and can’t be extended further to support additional levels of customization. They also have a number of limitations, including use only for URL patterns, a maximum of 125 Page Rules per zone and difficulty debugging as ordering was obfuscated.
With Birthday Week, Cloudflare introduced a set of new controls that are available now for customers to test. The plan is to replace Page Rules with four new separate products, offering increased rules quota, more functionality and better granularity. Page Rules in their current form are still supported, but will be deprecated after the four new control systems exit beta testing.
The four new Rules products are:
Cache Rules. Page Rules have been the primary mechanism for customers to apply fine-grained controls over how Cloudflare should cache their content, reaching 3.5M individual Page Rules just for caching. With Cache Rules, Cloudflare is breaking out the logic for cache controls into a separate module. Cache Rules will provide more precise control over caching and allow users to set more rules. The benefit to customers is not only more flexibility, but improved performance for the Cloudflare network. The implementation will allow Cloudflare to utilize less CPU in evaluating these rules.
Configuration Rules. These provide customers with a better way of controlling Cloudflare features and settings. As each HTTP request enters a Cloudflare zone, Cloudflare applies a configuration to it. This configuration tells the Cloudflare server handling the HTTP request which features the HTTP request should ‘go’ through, and with what settings/options. This is defined by the user, typically via the dashboard. However, the level of flexibility was limited.
With Configuration Rules, customers can apply custom configurations to not just URL’s, but other criteria such as cookie settings or geography of origin. By separating Configuration Rules from Page Rules, customers can address a wider range of use cases that previously were impossible without writing custom code. Such use cases as A/B testing configuration or only enabling features for a set of file extensions are now made possible with the filtering capabilities of the product.
Dynamic Redirects. This module adds much more logic to standard redirect decisions. A redirect represents the case where a customer wants to send the user to a different web site location when the user requests a certain URL pattern. With the new capability, redirects can be based on more options, like the visitor’s country, their preferred language, their device type or use regular expressions.
Origin Rules. Customers need the ability to examine the destination of every HTTP request and determine what server, port and host header should receive it. This logic is applied through origin rules, but the implementation through Page Rules created a lot of overhead for administrators. Cloudflare customers wanted more control over traffic direction, in a way that was simple to set up and maintain.
To meet that demand, Cloudflare announced Origin Rules, a new product which allows for overriding the host header, the Server Name Indication (SNI), destination port and DNS resolution of matching HTTP requests. These can all be applied through the Cloudflare dashboard, API and Terraform configuration, eliminating the need to write custom code.
All four of these products are available for use by customers. After these four products have been tested and refined, Cloudflare will announce Page Rules end-of-life and then deprecate the feature.
While not revenue generating, these new Rules engines make a number of Cloudflare products and services easier to use and more extensible. That should reduce some customer frustration and likely will unlock more use cases, expanding the use of associated products.
Botnet Threat Feed
Cloudflare is in a unique position to track the IP addresses of computers that participate in DDOS attacks. This is because they provide services to about 20% of all websites on the Internet and 29% of the Fortune 1000. For most of these customers, Cloudflare is delivering DDOS protection. Because a DDOS attack requires making a direct connection to a Cloudflare host, Cloudflare can collect both the source IP address and some information about the client machine.
In most cases, the machines participating in a DDOS attack are hosted on some ISP’s network and even may not be owned by the DDOS attackers, as the devices could be compromised. By making the IP addresses of participating machines known, ISPs that operate the particular IP range could identify those machines on their network and block them.
To make this easier, Cloudflare will publish a feed of IP addresses for service providers of machines that have participated in HTTP DDoS attacks as observed from the Cloudflare network. The list will be filtered to just the IP range for each ISP. The service provider can then investigate the suspect IP addresses and shut them down. The value to the service provider is not just the generalized benefit of reducing the impact of DDOS attacks, but should also generate costs savings, as those machines are likely consuming more resources than others (bandwidth, CPU, etc.).
Cloudflare is offering to distribute this feed for free to any interested service provider. While they couch it generally as supporting their mission to help build a better Internet, it would also generate some indirect benefits for Cloudflare. DDOS mitigation services would incur less cost to Cloudflare if attacks were lower frequency or intensity. Also, this gives Cloudflare more exposure to ISPs, which may lead to better network peering relationships or sales opportunities.
Unmetered Rate Limiting.
Rate Limiting is a popular product in Cloudflare’s WAF offering. Rate Limiting allows customers to deploy rules that limit the maximum rate of requests from individual site visitors on specific paths or portions of their applications. It is a very effective tool to manage targeted volumetric attacks, takeover attempts, bots scraping sensitive data, attempts to overload computationally expensive API endpoints and more.
Normally, customers purchase a subscription to Rate Limiting as an add-on product and incur a charge of $5 per million requests. With Unmetered Rate Limiting, Cloudflare is removing the additional charge per million requests. Like their DDOS product, customers will pay a flat fee for Rate Limiting regardless of how much abuse is directed at them.
This announcement represents another example of Cloudflare leveraging their network capacity to undercut competitive solution providers. They will probably add more Rate Limiting customers with the new pricing plan. This would drive more revenue to Cloudflare without a commensurate increase in expense. Since Cloudflare’s network and data center costs are largely fixed, the additional capacity needed to support this pricing model are already paid for.
Privacy and Compliance
Cloudflare introduced two new programs to improve privacy on the Internet. The first is more practical. Cloudflare is offering an alternative to the popular reCAPTCHA service offered by Google. Cloudflare’s product will make CAPTCHA less intrusive, more efficient and doesn’t collect any personal data for ad targeting.
The second is a broader initiative to provide developers with new tools to allow users of their applications to maintain their privacy. In certain situations, it is useful for the application provider to not be able to track the location or identity of its users. These services make sure that both the application provider and Cloudflare can’t create a full picture of a user’s location and activity.
Turnstile for CAPTCHA
The first service announced by Cloudflare involves the age-old and increasingly frustrating CAPTCHA service. It offers a free replacement for Google’s reCAPTCHA product, which controls 98% of the CAPTCHA market. We are all familiar with these puzzles, generally requiring identifying an object as being present or not in a set of images. These puzzles are becoming increasingly difficult, even for humans, and almost impossible for users with any kind of visual disability. This complexity wasn’t always the case – but automated bots have become more sophisticated, causing an escalating battle of complexity.
Cloudflare’s solution is called Turnstile and is being offered for free to anyone, whether or not a Cloudflare customer. Through a variety of techniques, including their collaboration with Apple on Private Access Tokens, Cloudflare created a Managed Challenge service that sits in front of CAPTCHA and tries to validate whether the user is human or not before delivering a puzzle. In 91% of cases, the service is able to determine humanness without showing a CAPTCHA.
This not only improves the user experience significantly, but reduces risk of loss of privacy for users. While Google claims they don’t mine CAPTCHA for ad targeting, it is possible and there is speculation that some of the user signals are incorporated into ad serving decisions. Cloudflare, on the other hand, is a neutral party, at least as far as lacking any incentives to mine user data.
Interested application developers can easily install Cloudflare’s Turnstile on their sites by going through a few configuration steps and inserting some code (similar to other CAPTCHA solutions). The user does need to create a Cloudflare account to give them access to the Admin tool and some detailed analytics on usage. The analytics feature reports data on the locations of validation widgets deployed and metrics on how users are solving each of them.
While Cloudflare is offering this service for free, I think it will generate indirect benefits for Cloudflare through brand exposure and partnerships. As application developers choose to use Turnstile, they will create a Cloudflare account and see all of the other services available from Cloudflare. Some of these users may transition into paying accounts. Additionally, similar to the Apple relationship, Cloudflare is working with other device manufacturers to create mechanisms to signal real users as part of the Turnstile validation. These might translate into other opportunities for security solutions, like further extensions into Zero Trust to the hardware device.
Privacy Edge
Underscoring Cloudflare’s entry into supporting privacy on the Internet, they announced a new suite of products called Privacy Edge that enable application developers and platforms to make use of privacy-first cloud-based building blocks for their Internet applications. In order to function, requests for web applications have to include some level of identifying information. Cookies are the most invasive, but even IP addresses can reveal a user’s location.
While ad targeting and e-commerce services want to mine as much of this data as possible, there are other applications, like in health care, politics, reporting or some types of e-commerce where anonymity is valued. This may even be necessary in some countries, as governments want to collect this type of tracking information. If an application developer or SaaS service could host their solutions on a platform that provides methods to obfuscate tracking data for certain use cases, that would provide a useful function.
With their newly announced Privacy Edge offering, that is exactly what Cloudflare intends and makes them fairly unique among infrastructure providers in this. With their first release, Cloudflare is providing four products that enable web site operators and app developers to build privacy into their products at the protocol level.
- Privacy Gateway: A lightweight proxy that encrypts request data and forwards it through an IP-blinding relay.
- Code Auditability: A solution that verifies code delivered to a browser hasn’t been tampered with and represents an intact copy of what the application developer intended.
- Private Proxy: A proxy that offers the protection of a VPN, built natively into application architecture.
- Cooperative Analytics: A multi-party computation approach to measurement and analytics based on an emerging distributed aggregation protocol.
As an example customer use case, Cloudflare partnered with Flo Health, a personal health tracking service. For users that have turned on “Anonymous mode,” Flo encrypts and forwards traffic through Cloudflare’s Privacy Gateway so that the network-level request information (most importantly, the user’s IP address) is obfuscated by the Cloudflare network.
The outcome is that Flo Health can’t identify its users’ location beyond a generic Cloudflare IP address, but does receive the payload of the content request from the the user. Cloudflare, on the other hand, has access to the users’ IP addresses, but doesn’t store the content of the request. This means that neither party (or in collaboration) could provide the full payload of each user’s location and content requested. Even if the user’s location were revealed, there would be no way to tie that user to specific activity (and vice versa).
The Code Auditability service was recently rolled out in collaboration with Meta (Facebook WhatsApp Web). In that case, the service verifies that the version of client-side code received by the user is what was intended and doesn’t include corrupt or tampered files. Injecting malware into Javascript libraries is a popular exploit method. The Code Auditability service effectively neutralizes this attack.
The Cloudflare team sees broad use cases for the Code Auditability service. Any client-side web code that involves particularly sensitive data would be a candidate for this additional verification of code versioning. These include password managers, email apps, other security tools and financial interfaces. These would all represent high value targets for attackers. Additionally, Cloudflare’s global network ensures that validation is delivered in near real-time for user located anywhere in the world.
Privacy Proxy allows Cloudflare to proxy inbound traffic using a combination of privacy protocols that make it much more difficult to track users’ web browsing activity over time. At a high level, the Privacy Proxy Platform encrypts browsing traffic, replaces a device’s IP address with one from the Cloudflare network and then forwards it onto its destination.
Cloudflare has been supporting several partnerships to provide network-level protection for users’ browsing traffic. The most notable example is with Apple for Private Relay. Private Relay’s design adds privacy to the traditional proxy path by adding an additional hop – an ingress proxy, operated by Apple – that separates handling users’ identities from the proxying of traffic – the egress proxy, operated by Cloudflare.
The Privacy Edge product suite is currently in private beta. Cloudflare is seeking collaborators for each product offering, similar to their relationships with Flo Health, Meta and Apple. They are targeting application developers who want to build user-facing apps with Privacy Gateway. They want to work with consumer services and VPN vendors looking to add privacy to network-level security for their users via Privacy Proxy. Finally, online services shipping sensitive software over the Internet would benefit from code auditability and web app signing capabilities.
While not monetized currently, I imagine the Privacy Edge platform will evolve into a set of capabilities that represent a mix of free and paid services depending on the function and partner. In both cases, I think these will provide positive brand building for the public Internet infrastructure services and generate new revenue streams for some paid services that might expand into other products.
Analytics and Insights
Radar 2.0
Cloudflare Radar was introduced during Birthday Week in 2020. Radar provides a public view of Internet trends, patterns and insights that the Cloudflare team uses internally to help improve their service and protect their customers.
On Cloudflare Radar, users can find timely graphs and visualizations of Internet traffic, security and attacks, protocol adoption, usage and outages that might be affecting the Internet. These can be narrowed down by timeframe, country and ISP. Cloudflare also provides interactive deep dive reports on DDOS attacks and other threats.
Over the last two years, the Cloudflare team has received a lot of requests from users for additional information and content tools. These broadly include making it easier to find data, adding more types of data points like email traffic and methods to automate the sharing of insights and data. To address these requests, Cloudflare introduced Radar 2.0 in beta as part of Birthday Week.
Radar 2.0 includes a redesigned home page with filtering capabilities, content cards and better navigation. They plan to add a search function soon. Users can easily drill into any topic or data type for more detailed information. The new site also includes several methods to share the data, including social widgets, embeddable charts and an API interface.
The Radar team built Radar 2.0 on the Cloudflare platform. It utilizes Cloudflare Pages and Workers, and stores data in R2. The API is backed by GraphQL. They sped up page rendering by moving it server-side using Remix. These design changes will deliver a better UX, speed up development iterations and improve performance.
Radar primarily provides brand exposure to Cloudflare, by demonstrating the breadth of data that they process. I think the new sharing functionality will help with branding as well, making it easier for content publishers to reference Radar data on their social channels, web sites and data feeds.
Radar Outage Center
As part of the Radar 2.0 release, Cloudflare introduced a new service that tracks Internet disruptions in near real-time and provides an archive of them. It is being called the Cloudflare Radar Outage Center (CROC). The service will archive outages organized by location, type, date, likely cause and other factors. Cloudflare plans to keep expanding this initial release of CROC to serve as a public resource for government organizations, news media and impacted parties to get information on, or corroboration of, reported or observed Internet outages.
The initial launch of CROC will include a list of ongoing and past outages, with an easy interface to view and search them. For each outage, CROC will provide the location, ISP, scope, start/end times and any objective indicator of cause. This data will be available through a map-based drill-down interface and can be queried via the Radar API.
This new service has strategic potential beyond the initial use as an outage tracker. Cloudflare plans to iterate on the service to provide a much more granular system performance hub for the Internet as a whole. They have been “exploring how we can use synthetic monitoring in combination with other network-level performance and availability information to detect outages of popular consumer and business applications/platforms.” (from the blog post)
In addition to tracking availability of common consumer and business web applications, the team plans to monitor performance of other infrastructure service providers. This could evolve into a global Internet report card of sorts, allowing for comparison of uptime and service performance across a wide range of infrastructure vendors.
The tracking of outages and performance could power an internal capability for Cloudflare’s network access and Zero Trust customers, similar to those they might find on competitive offerings. At Zscaler’s Zenith Live event in June, they introduced a new feature called ISP Insights, bundled with their Digital Experience Monitoring (ZDX) product to manage the quality of user access to various applications and corporate assets.
ISP insights will display a more generalized view of the health of the Internet, through a map of the world. Operators can drill in to identify problem areas where ISP service levels have dropped. This information will be offered on a public web site. It should be noted that this data is based on the perspective of Zscaler users. If Zscaler doesn’t have active users in some part of the globe, that service issue wouldn’t be reported.
A nice feature of Zscaler ISP Insights is that the operator at an enterprise can then cross-reference the system to get a list of their corporate users who are being impacted by an ISP issue. This allows the operator to corroborate a poor ZDX user score with an actual ISP event.
Cloudflare’s new outage center product (CROC) would provide an alternate solution to Zscaler’s new offering. The advantage that CROC would have is a broader reach of users, traffic and web sites, as a consequence of Cloudflare’s free user services, unpaid tier of millions of customers and service offerings for about 20% of all web sites. This reach could provide more signals for Cloudflare customers and allow Cloudflare to optimize the performance of its Zero Trust and network access services optimally.
Radar Domain Rankings
With the popular Alexa Internet Ranking service from Amazon being shut down in May of this year, Cloudflare is offering a replacement. They announced Radar Domain Rankings in beta. The service will identify the most popular domains globally, based on public user traffic. Because of Cloudflare’s broad reach of products powering various parts of Internet infrastructure, they can accomplish a similar sampling function as Alexa did. The primary source of data will be their 1.1.1.1 resolver, which is a free DNS resolver service used by millions of consumers.
The Domain Rankings service is live. Users can see an ordered list of the top 100 most popular domains globally and per country. These are updated daily. Beyond the top 100, they also publish an unordered global most popular domains datasets divided into grouping of sizes ranging from 200 to 1,000,000.
Cloudflare plans to keep iterating on the Domain Rankings service. While it has no revenue model currently, the service would provide some indirect benefit to Cloudflare. Benefits would accrue in marketing and brand awareness primarily.
Miscellaneous
That was a lot. There were a few other announcements that I will bullet point here. Readers can puruse the individual blog posts for more details:
- Quick Search in the Dashboard. Added a search bar to the Cloudflare Dashboard that provides direct access to specific product subscriptions and the websites associated with those. This will make navigation more efficient for large enterprise customers with many Internet properties.
- RBAC for all Accounts. Existing role based access controls will be available for all subscription levels. These provide administrators with more granular control over user access to Cloudflare services by organizational function.
- Project A11Y. Improvements to the Cloudflare Dashboard to adhere to industry accessibility standards, including Web Content Accessibility Guidelines (WCAG) 2.1 AA and Section 508 of the Rehabilitation Act.
Investor Take-aways
Between GA Week and the following Birthday Week, Cloudflare delivered 56 separate announcements. These ranged from smaller product enhancements to major releases into general availability. For GA Week, the focus centered on closing the loop on many products introduced in a beta form over the past year. With the decks cleared, Birthday Week then provided a view into future product directions. Cloudflare also hinted at one more Innovation Week before year’s end – “stay tuned for a week of developer goodies coming soon.”
The scope and pace of these releases is impressive. Cloudflare is demonstrating the many directions that they can extend their product offering. This is enabled by their core platform of developer primitives and heavy investment in network capacity and optimization. Going forward, I see Cloudflare leveraging this foundation to pursue a number of product markets where they can compete effectively on performance, price and feature iteration.
Cloudflare’s strategy has risks, of course. They are fielding a broad range of products, all of which require a go-to-market strategy. The sales motion can range from bottoms-up (developer led, like Workers) to tops-down (C-level, like Zero Trust for an enterprise). The Cloudflare sales and marketing organization will need to find ways to support both, as well as surface opportunities for cross-sell within enterprise customers to drive up the net expansion rate to the new 130% target. Fortunately, Cloudflare has a large customer base to harness and relationships with 29% of the Fortune 1,000.
In this recap, I didn’t compare each Cloudflare offering with every competitive offering in the associated market, beyond some of the broader themes in Zero Trust. I realize that most product announcements represent entry into a market that isn’t greenfield (although some like Privacy Edge are emerging). In that regard, Cloudflare will need to disrupt incumbent offerings and product strategies.
In many cases, these new markets represent areas where Cloudflare can leverage their architecture and network capacity to create advantages over incumbent offerings in price and performance. This often represents the disruption, where Cloudflare can undercut existing vendors on pricing by not charging add-ons like bandwidth usage (no egress fees, no bandwidth metering on video streams, unmetered Rate Limiting, etc.) or deliver lower latency globally for cases in which performance matters.
Cloudflare’s ownership of their infrastructure provides advantages over competitors who built their solutions on top of hyperscaler infrastructure. While it may appear to investors that Cloudflare intends to compete with the hyperscalers, I don’t think this is directly the case. Rather, I think Cloudflare’s primary opportunity is to disrupt other software services businesses built on top of hyperscaler infrastructure.
It is true that some core services, like R2 or Workers have direct corollaries in hyperscaler infrastructure. By providing a less expensive alternative to S3, that storage on Cloudflare does take business away from Amazon. But, I don’t think Cloudflare’s intent is to take all S3 business – that is neither practical nor realistic. There are many use cases where enterprises should keep a large amount of data within AWS and on S3.
However, there are a meaningful number of use cases that would be equally served on R2, that don’t benefit or require proximity to compute on AWS or other hyperscalers. Examples include serving as an origin for content delivery, controlled data transfer or sharing, video delivery, log storage for external analysis, etc. In these cases, a decision to store data on R2 provides a less expensive option with the flexibility to distribute it freely to many consumers.
For these reasons, I think that Cloudflare’s various forays into adjacent markets create an interesting opportunity for investors. Not all product initiatives will stick, but some could grow into large contributors to Cloudflare’s TAM. Because of Cloudflare’s architecture of serverless delivery, use of composable platform building blocks internally and unit economics derived from their existing CapEx spend, they can continue to crank out and support new products without much incremental cost. That architectural efficiency is the crux of their “homogenous deployment” model, discussed in the open sourcing of the Workers runtime.
A couple of possible financial outcomes could emerge from this approach. First, Cloudflare could continue growing revenue at the same rate for several more years, as they accelerate the number of markets that they pursue with disruptive offerings. Second, cash flow margins should increase as more services can be supported from their existing CapEx investment and fixed bandwidth. They will need to keep investing CapEx to grow their footprint and network reach, but I believe they are approaching a point of increasing leverage, where most of the foundational investment has been made.
Granted, near term financial performance could be hampered by the macro environment, as businesses globally try to limit their spending until they have more confidence in the path forward. By pivoting their sales strategy to cost savings and vendor consolidation, Cloudflare should dampen the impact. Additionally, demand for their product offerings in security services should remain stable, as enterprises prioritize employee, network, data and application protection.
Long term, Cloudflare has a broad vision and ambitious goals. The stock will likely continue to be volatile and the high valuation multiple presents near term risk. The investment thesis is similar in many respects to that of Tesla (TSLA). That is by owning and operating their means of production (data center and network infrastructure) down to the supply chain level (like Tesla’s factories and vehicle components), Cloudflare is identifying parts of the software and security infrastructure market where they can effectively compete with other providers through advantages in cost, performance and time to market.
Like with Tesla, investors need confidence that these advantages will ultimately allow Cloudflare to outperform entrenched competitors who are equally intent on capturing significant share of new product markets. For me, I think both companies have sound strategies and that their focus on disruptive innovation and rapid cycles of product development will ultimately pay off.
Additional Reading and Listening:
- Our partners over at Cestrian Capital Research recently published an update on Cloudflare, including financials and some technical analysis. This offers investors with more data points if they are considering an investment in NET.
- Muji at Hhhypergrowth continues his coverage of Cloudflare as well, with a great holistic perspective. He has a gift for tying together all the pieces into a cohesive theme. Check out his coverage of Cloudflare – some articles require a subscription.
- Interesting Podcast episodes in which Cloudflare’s strategy is discussed:
- Screaming in the Cloud with Corey Quinn, The New Cloud War.
- The Cloudcast, VCs vs. the Cloud.
NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.
Great analysis as usual!
“In this recap, I didn’t compare each Cloudflare offering with every competitive offering in the associated market, beyond some of the broader themes in Zero Trust. I realize that most product announcements represent entry into a market that isn’t greenfield (although some like Privacy Edge are emerging). In that regard, Cloudflare will need to disrupt incumbent offerings and product strategies.”
— Would be interested in hearing more about this in the future if possible!
Thanks – sure, the article was getting long, but will loop back on these new product initiative and compare to competitive offerings in future posts, similar to what I did with Zero Trust.
Same old, same old.
Huh?
Thanks for all the detail and the insight. I’m confused about video. There’s a recent issue of the SemiAnalysis newsletter about AWS’s infrastructure inefficiencies driving creators from Twitch to YouTube. It mostly boils down to Google’s custom-designed transcoding chip giving a big cost saving, with CPUs costing about 40x and GPUs 20x. I’m wondering how Cloudflare can process video efficiently, including free encoding, as I think you’d have mentioned if they had custom silicon. I’ll be impressed if Cloudflare’s architecture outweighs the 40x and 20x. I’m not sure if it’s relevant but I’ve just found that Vimeo used to use their own servers for video but now use Google Cloud, and Fastly for CDN.
Hi Michael – On video, for a commercial entity to distribute their videos on YouTube, it still takes away the branding and requires the user to watch ads. Those creators moving from Twitch to YouTube are generally individual people trying to monetize their content. Cloudflare’s use case is primarily business to consumer. Also, I don’t think the transcoding is the bottleneck as much as the bandwidth usage. By supporting any resolution for the same price, Cloudflare is using their large bandwidth allocation to undercut other providers, like Vimeo. If Vimeo is outsourcing their video distribution to Google Cloud and/or Fastly, then they incur incremental costs for bandwidth usage. At higher resolution video, they would have difficulty competing with Cloudflare’s pricing, as their delivery costs would increase, while Cloudflare’s are fixed (because they already provisioned massive bandwidth).
Thanks!
Great job, Peter! 💚 🥃
Some readers might want to watch “Breaking Analysis: Cloudflare’s Supercloud…What Multi Cloud Could Have Been.” on the Youtube channel SiliconANGLE.