How to stop using Cloudflare
Make sure your supply chain doesn't platform violent extremists - it's time to migrate away from Cloudflare.
Why migrate?
Axios, Protocol and Crikey all have excellent articles on why it's blatantly unethical to be part of Cloudflare's ongoing platforming of hate sites. As a business owner, advisor, and simply as a fellow human, I don't want to have any part of a supply chain that supports such violence, nor do I want my content or traffic hosted alongside such abhorrent sites.
Cloudflare alternatives
Most businesses leverage Cloudflare for one or more of the following services:
- DNS (hosting + resolution)
- DDoS Protection
- WAF
- Bot Mitigation
- CDN (and web performance)
- TLS termination (for SaaS etc)
- Zero Trust Networking
There's no competitor that's a drop in solution for Cloudflare in all these categories, but here's a list of alternatives and starting conversations to have depending on which Cloudflare product you use.
DNS Hosting
I tend to use AWS Route53, but namecheap and Google domains are equally functional. It also depends on where your domain is registered (and if you just want to use your registrar's services). If you're not sure - drop me a line, its a really quick thing we can step through and scope up.
DDoS Protection
Most major public cloud providers have a baseline DDoS Protection built in to their offering - they have to because they have so much baseline traffic to their infrastructure. Azure quietly mentions their built in capability but clearly pushes their standard/premium DDoS protection SKUs. AWS has a free + premium tier while GCP customers get to PAYG a nominal fee for the base tier of protection.
If you're not using AWS/GCP or Azure (e.g. you're still growing from your initial MVP on Digital Ocean), then its a little trickier. Azure FrontDoor lists support for custom origins (though I've not tried it) but there's no free tier for that. Fastly prompts you to talk to sales (but its probably pretty affordable if you do).
Alternatively, it might be time to re-evaluate your DDoS Protection requirements and the impact that has on TCO/OpEx at your current size and scale. If that sounds relevant, maybe thats worth us having a chat?
WAF
Similar to DDoS Protection products, you probably want to start with the option thats built in to your public cloud provider since its in-network. Products like AWS WAF probably need some more extensive tuning and configuration than you're used to with Cloudflare. Double check if you have compliance requirements too (and from memory AWS has some useful reference architectures with WAF configs too).
Bot mitigation
Most public clouds include 'bot mitigation' as a feature in their WAF solutions, so does Fastly and a few others you might be tossing up between.
Dedicated solutions like Kasada might also fit your needs if you're targeting something specific. Bot mitigation is an interesting space and its worth evaluating what you're actually protecting against before committing to a solution blindly - especially since you probably got it for free from Cloudflare without thinking too much about it.
CDN & HTTP caching
Most hosts offer a CDN built in, so if you're using WP Engine or Squarespace etc, you're already covered.
For custom CDN needs (such as HTTP caching), most folks I know leverage AWS Cloudfront as a default CDN, optionally with Origin Shield, though admittedly invalidations & rules can be a PITA sometimes for certain types of application needs. Fastly has a great reputation (even their SEC filings highlight that they take a stand against unethical customers - which is why you're migrating from Cloudflare right?).
You might also consider image hosting services like Cloudinary, or use the built in services of your website host, which is especially relevant if your use of Cloudflare is focused on marketing or e-commerce websites.
TLS Termination
You're probably not on Cloudflare specifically for TLS termination, but its possible you benefit from their certificate management as a by-product etc. For a fixed set of hostnames (like most B2B SaaS companies need) your existing cloud infrastructure (e.g. CDN or load balancer) will handle TLS termination for you.
For complicated setups such as when your customers need custom domains, perhaps explore Caddy's On Demand TLS. I use this over at frontgate.app to great effect!
Zero Trust networking
I've recently been using tailscale (and others I know use WireGuard directly). They're not VPN's, and Zero Trust networking is a principal not a product - but they're great starting points if you're evaluating alternatives to Cloudflare. If you're using Cloudflare WARP, you're already using Wireguard under the hood.
DNS Resolution
You've probably set this up if you're a prosumer, so chances are you'll either know what this is or you don't have it setup. If you're using Cloudflare's 1.1.1.1
, 1.1.1.2
or 1.1.1.3
products/services then its time to move! A quick alternative is to use Google's 8.8.8.8
& 8.8.4.4
.
Building a business case for migrating away from Cloudflare
It's the right thing to do.
Liz Fong-Jones has an excellent stream recording covering several of the above Cloudflare alternatives and the embedded video below covers how you can build your business case (e.g. for your manager, employer or a business partner) to move away from Cloudflare.
Need help assessing your situation?
I'm offering free consulting time to support businesses migrate from Cloudflare to alternative platforms and providers. If you've raised less than 7 figures of funding (AUD$1M), or have a technical team of less than 5 people (e.g. bootstrapped startups) - get in touch!