Chris Pinola

What even is Cloudflare?

The sales pitch

As commercial websites grow, there comes a time when their operators must suddenly worry about entirely new types of problems: “How do we ensure that our users have a good experience accessing our site, no matter where they are geographically or which ISP they use?”, “How do we stay online (read: in business) if we were to be the target of a DDoS attack?”, “How do we filter out traffic that we are obviously uninterested in or that poses a threat to us?”.

These are the types of challenges that you don’t want to (and sort of can’t) solve directly in your application code. Ideally, the infrastructure which supports your application can instead provide solutions to these problems in a manner that is completely transparent to your application.

As you’ve probably guessed, this is more or less Cloudflare’s value proposition.

The infrastructure

Cloudflare is essentially another Internet. I think of Cloudflare as the subway system to Manhattan’s grid of streets. Cloudflare built a global fleet of data centers (subway stations) which connect to the Internet at major junctions (streets), but Cloudflare data centers are also connected to one another via direct links (tunnels).

Above all else, Cloudflare is a layer of indirection over how packets move around the Internet. Once a packet enters the Cloudflare network, there’s no telling where it will reemerge (if at all) back onto the public Internet.

According to their marketing materials, they claim to be stationed “~50ms from about 95% of the world’s Internet-connected population”. They’re selling a fast-lane for the web. A bullet train of sorts that allows their customers to breeze past all that congestion on the busy and unpredictable highways of the Internet. In keeping with this blog's tradition of generative AI skepticism, here's DALL-E attempting to illustrate this very concept:

[image: DALL-E illustration of Cloudflare as a fast lane for the web]

Okay, but how do they do this?

In order to grok how Cloudflare really works, we need to talk about some foundational tech upon which the Internet is built. Specifically, the Internet Protocol (the "IP" in TCP/IP) and the Border Gateway Protocol (BGP).

The Internet Protocol is a layer 3 protocol in the OSI model of networks. If you're new to the OSI model, know that each layer is designed to be pluggable/modular and aims to abstract over a specific facet of networking (e.g. enabling devices to share the same physical medium, routing traffic across networks, detecting and recovering from transmission failures). These layers are composed together to form a "stack". Networks are some of the best examples of encapsulation and abstraction that we have. For example, we can use Ethernet over CAT-6 cable or Wi-Fi over radio (as layers 2 and 1, respectively) and still be able to communicate with the same HTTP (layer 7) server.

The Internet Protocol is specifically concerned with routing, or the shuttling of data from its source to its destination. Given that the Internet is a giant network-of-networks, we need a way for packets to traverse these networks to reach their destinations. As their name suggests, routers are the devices responsible for making the IP layer of the Internet work. Routers are primarily responsible for acting as gateways. If a host needs to reach another host that is not on the same network as itself, it forwards the packet to its gateway for further transmission.

To borrow the popular "post office" metaphor, the Internet Protocol formalizes how to label envelopes with a recipient's address, and gateways/routers function as post offices. Imagine you want to send out some holiday greeting cards. For your next-door neighbor, you would probably just slip an envelope under their door or stuff it in their mailbox to save on postage (no gateway required). But for your friend who lives on the other side of the country? You take the envelope to your local post office (gateway required).

For example, your computer with an IP address of, say, 192.168.1.18, may know that google.com can be reached via the IP address 172.253.115.100, but it doesn't know how to traverse the Internet to get to 172.253.115.100. All your computer definitely knows is that 172.253.115.100 is not on the same network as itself, and therefore all traffic intended for 172.253.115.100 must pass through your gateway/router first to reach its target.
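The decision that paragraph describes is a routing-table lookup. As an added example (not code from the original post), here is a longest-prefix-match lookup over a constructed routing table for a host at 192.168.1.18: the most specific matching prefix wins, a directly connected prefix means "no gateway required", and everything else falls through to the default route.

```python
import ipaddress
from typing import Optional

# Constructed routing table for a host at 192.168.1.18 (not from the post).
# Each entry: (destination prefix, gateway or None if directly connected, interface)
ROUTES = [
    ("192.168.1.0/24", None, "eth0"),           # our own LAN: no gateway needed
    ("10.0.0.0/8", "192.168.1.254", "eth0"),    # a private network via a second router
    ("10.20.0.0/16", "192.168.1.253", "eth0"),  # more specific route for one site
    ("0.0.0.0/0", "192.168.1.1", "eth0"),       # default route: "everything else"
]


def lookup(dst: str, routes=ROUTES) -> Optional[tuple]:
    """Longest-prefix match: the most specific route containing dst wins.
    Returns (matched prefix, gateway, interface), or None when nothing matches
    (e.g. an IPv6 destination against an IPv4-only table)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        # 'addr in net' is False across IP versions, so mixed tables are safe.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def first_hop(dst: str, routes=ROUTES) -> str:
    """Where the host hands the packet off first: the destination itself when
    it is on-link, otherwise the gateway chosen by the routing table."""
    route = lookup(dst, routes)
    if route is None:
        raise ValueError(f"no route to {dst}")
    _, gateway, _ = route
    return dst if gateway is None else gateway


if __name__ == "__main__":
    for dst in ["192.168.1.20", "172.253.115.100", "10.20.5.9", "10.9.9.9"]:
        print(f"{dst:16s} matched {lookup(dst)[0]:16s} first hop {first_hop(dst)}")
```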

This raises the question: how do routers know where to forward data so that it reaches its intended target on the Internet? This is where BGP comes into play. The Internet can be modeled as one big (sometimes cyclical) graph. BGP enables routers that are connected to one another to compare notes about which segments of the Internet they know how to reach, and roughly how expensive it would be to travel through them to reach those segments.

Via BGP, routers independently maintain their own always-up-to-date "map" of the Internet. Routers then consult this map to choose what a packet's "next hop" should be in order to move it closer to its destination. This process repeats itself at different routers across the Internet until the packet arrives at its ultimate destination, or expires. We can use the traceroute tool to visualize this process!

In the "regular" unicast communication model (one sender, one receiver), there may be many distinct routes/paths through the Internet that packets can take, but they all ultimately converge to a single host. For example, traffic may reach a server in NYC with a given IP address via a nearby cellular network or via a transatlantic fiber link, but the server remains the same in both cases. One IP address, one host.

Cloudflare, however, operates on the anycast model in which there are many hosts using the same IP address. Cloudflare's routers essentially lie (benevolently!) to other routers on the Internet and advertise themselves as the fastest possible path to reaching a Cloudflare IP address. As mentioned in this blog post:

At CloudFlare, we use Anycast at two levels: the WAN and the LAN. At the WAN level, every router in all of CloudFlare's 23 data centers announces all of our external-facing IP addresses.

It is worth noting that BGP is the mechanism by which these data centers "announce" the public IP addresses. Since BGP is an inherently trusting protocol, if Cloudflare announces that they have the fastest route to one of their own IP addresses from dozens of data centers around the world, each of their nearby routers (regional ISPs) is going to believe them. Crucially, this means that a Cloudflare IP address resolves to way more than just one host (or destination router/data center, anyway), and the host that ultimately receives your traffic varies wildly depending on where in the world/Internet your traffic originates from.
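To make the "same address, many hosts" point concrete, here is an added simulation (not Cloudflare's code or the post's) of one anycast prefix being announced from three constructed data centers over a small made-up AS topology. Announcements spread outward and every AS keeps the shortest AS path it hears, which is how the same prefix ends up pointing at a different data center depending on where you start; withdrawing one origin shows its users quietly landing at the next nearest one. The names, links and the shortest-path-only tie-breaking (no local-pref or MED policy) are all assumptions for the example.

```python
from collections import deque

# Constructed topology (not Cloudflare's real network): undirected peering links
# between autonomous systems. "CF-*" nodes are data centers that all announce the
# same anycast prefix; the others are transit or eyeball ISPs.
LINKS = [
    ("CF-NYC", "ISP-East"), ("ISP-East", "Transit-A"), ("Transit-A", "Transit-B"),
    ("CF-LON", "ISP-UK"), ("ISP-UK", "Transit-B"),
    ("CF-SIN", "ISP-SG"), ("ISP-SG", "Transit-C"), ("Transit-C", "Transit-B"),
    ("ISP-East", "ISP-Midwest"), ("Transit-A", "ISP-West"),
]
ORIGINS = ["CF-NYC", "CF-LON", "CF-SIN"]   # every one of them announces the prefix


def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def propagate(origins=ORIGINS, links=LINKS):
    """Simulate BGP spreading one anycast prefix under the shortest-AS-path rule.
    Announcements flow outward from every origin; each AS keeps the first (shortest)
    path it learns and re-announces it. Returns {AS: (as_path, origin data center)}.
    Simplification: no local-pref/MED policy; ties go to the announcement seen first."""
    graph = build_graph(links)
    rib = {o: ([o], o) for o in origins}      # an origin's own path is just itself
    queue = deque(origins)
    while queue:
        current = queue.popleft()
        path, origin = rib[current]
        for neighbour in sorted(graph[current]):
            if neighbour not in rib:           # BFS order == shortest path learned first
                rib[neighbour] = ([neighbour] + path, origin)
                queue.append(neighbour)
    return rib


def which_pop(asn, origins=ORIGINS):
    """Which data center receives traffic sent to the anycast prefix from this AS."""
    return propagate(origins)[asn][1]


def as_path(asn, origins=ORIGINS):
    """AS-level hops from asn to the prefix, the picture traceroute would paint."""
    return propagate(origins)[asn][0]


if __name__ == "__main__":
    for asn in ["ISP-Midwest", "ISP-UK", "Transit-B", "ISP-West"]:
        print(f"{asn:12s} -> {which_pop(asn):7s} via {' > '.join(as_path(asn))}")
    # One data center goes dark (or is withdrawn): its users land at the next nearest.
    print("NYC withdrawn: ISP-East ->", which_pop("ISP-East", ["CF-LON", "CF-SIN"]))
```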

Draw the rest of the owl

Putting this all together, we know that traffic destined for a Cloudflare-protected web property will get to the Cloudflare edge network as quickly as possible instead of taking "the long way" through the wild west of the Internet. Cloudflare will then proxy this traffic to its final destination. This layer of routing abstraction is precisely what enables Cloudflare to do things like mitigate DDoS attacks. Their anycast routing strategy enables them to absorb massive amounts of traffic in a way that is completely transparent to their users.