> Additionally, there's plenty of "Upgrade to Pro" buttons sprinkled about. It's the freemium model at work.
I don't think they care much about few "Pro" upgrades here and there. The real money, and their focus as a company, is in enterprise contracts. Note that, Matthew Prince, the CEO, had outlined a few reasons why they have such a generous free tier on an Stack Exchange answer[1]. I think the biggest reason is this:
> Bandwidth Chicken & Egg: in order to get the unit economics around bandwidth to offer competitive pricing at acceptable margins you need to have scale, but in order to get scale from paying users you need competitive pricing. Free customers early on helped us solve this chicken & egg problem. Today we continue to see that benefit in regions where our diversity of customers helps convince regional telecoms to peer with us locally, continuing to drive down our unit costs of bandwidth.
Cloudflare had decided long ago that they wanted to work at an incredible scale. I would actually be very interested in understanding how this vision came to be. Hope Matthew writes that book someday.
I think there are a few other benefits (even if that was the main benefit/driving force behind the decision).
When you have low-paying (or zero-paying) customers, you need to make your system easy. When you're enterprise-only, you can pay for stuff like dedicated support reps. A company is paying you $1M+/year and you hire someone at $75,000 who is dedicated to a few clients. Anything that's confusing is just "Oh, put in a chat to Joe." It isn't the typical support experience: it's someone that knows you and your usage of the system. By contrast, Cloudflare had to make sure that its system was easy enough to use that free customers would be able to easily (cheaply) make sense of it. Even if you're going to give enterprise customers white-glove service, it's always nice for them when systems are easy and pleasant to use.
When you're carrying so much free traffic, you have to be efficient. It pushes you to actually make systems that can handle scale and diverse situations without just throwing money at the problem. It's easy for companies to get bloated/lazy when they're fat off enterprise contracts - and that isn't a good recipe for long-term success.
Finally, it's a good way to get mindshare. I used Cloudflare for years just proxying my personal blog that got very little traffic. When my employer was thinking about switching CDNs, myself and others who had used Cloudflare personally kinda pushed the "we should really be looking at Cloudflare." Free customers may never give you a dollar - but they might know someone or work for someone who will give you millions. Software engineers love things that they can use for free and that has often paid dividends for companies behind those free things.
I built my website on Cloudflare Pages and ended up using basically their entire suite of tools - Pages, D1, Analytics, Rules, Functions. The DX was pretty good because all of these features worked well together.
Cloudflare offered all of this for free because it gets them positive mentions (like the one you’re reading right now) and they’re educating a bunch of developers on their entire product portfolio. And what does it cost to host my blog that 1000-2000 views a month? Literally nothing.
This approach is good as long as the tech stack is open source and portable to other platforms. Otherwise, no matter how good a company/CEO seems ATM, you are ultimately at their mercy if they decide to raise prices significantly.
By using an open, interoperable tech stack, you maintain the freedom to switch to another cloud provider at will.
This shared fluid power also creates a compelling reason for cloud providers to remain honest and competitive in their dealings with customers.
You don't get it.
For most companies free users are just a source of potential paid customers. Such companies squeeze the free users to force them to upgrade. For Cloudflare the millions of free users strengthen their negotiating power with ISPs around the world. We provide value to Cloudflare just by being Cloudflare customers. It is possible that Cloudflare might get a CEO who doesn't understand this, but possible doesn't mean likely.
In any case, I've built my website with Astro, pulling in the Cloudflare integration as a dependency. If I wanted to switch to Vercel or Netlify or whatever else, Astro makes it easy. As for database, others offer managed Sqlite.
If all else fails, I'll ditch the few dynamic parts of the website and deploy the bulk of the site as static html to Github Pages or something.
I have been bitten many times by this usage of free stuff that suddenly starts to cost money so it took a while before I dared to use cloudflare. Have been using it for a few years now without any surprise bills so still happy. Hope I didn't jinx it now. :-)
Think it'll stay the same as long as the CEO (Prince) and CTO (Graham-Cumming) stay in place. Policies might change with a change of leadership, but even then I don't consider it likely.
I feel like there might be an additional motivation too, which is that this investment in a better internet (free SSL for everyone before LetsEncrypt came around, generous free tiers for users, etc. etc.) means that Cloudflare builds a reputation of being a steward of the ecosystem while also benefitting indirectly from wider adoption of good, secure practices.
In some ways it's analogous to investing in your local community and arguably paying tax: it's rare that you would directly and personally benefit from this, but if the environment you live in improves from it, crime is reduced, more to do, etc. then you can enjoy a better quality of life.
Have they made a better internet? Many would say that made it worse.
> made it worse.
I'd say this too. I'm giving LetsEncrypt 100% credit for making HTTPS so ubiquitous and free.
But CloudFlare certainly made things worse for "webmaster" era of the Internet, with everything centralized to CloudFlare. I live in Vietnam, and CloudFlare has made things super annoying with their captcha challenges everywhere.
Credit where it's due, CloudFlare pushed HTTP/2 and 3 adoption. More websites are available over IPv6, and their 1.1.1.1 DNS is actually quite nice.
I'm in the USA, but run Linux. I am getting tired of proving I'm not a bot. I'm on a static IP and they still can't figure out that I'm not a bot.
I don't think they have a CAPTCHA. CAPTCHAs make the users work, Google does this with their reCAPTCHA. The user has to to free work to help Google with their training of machine learning models. I absolutely hate to do work to increase Google's already outrageous profits and leave the page immediately unless it is very important for me to visit it.
Cloudflare has something called Turnstyle where the browser needs to do work. It's a bit of energy waste, but smooth for the user. Unless their algorithm comes to an incorrect decision and doesn't let you in. Then it's infuriating. For me in Europe that seems to be rare, but I have no idea how well it works in Vietnam.
This can be a slippery slop into censorship! Or a corporate feudal divide up the Internet segments by geo-locations.
Of course in general I do feel better about Cloudflare than Google making money.
> I don't think they have a CAPTCHA … Cloudflare has something called Turnstyle
I believe CF Turnstyle was only released in 2024. I believe they used reCAPTCHA up to 2020, and then switched to hCaptcha. I believe hCaptcha continues to be offered.
Right, 1.0 might have been last year. But it was available (maybe called beta?) probably since 2018 at least. I have used Gitlab since 2018 and IIRC it had Turnstyle from the beginning. Gitlab have configured(?) it such that it comes at every login, but because it works automatically it has never been a problem for me. It wouldn't have worked on some phones, but I don't use phones for Gitlab.
I wasn't aware that they have (had) alternative solutions. Probably because I've rarely seen them. Or if they used reCAPTCHA I got mad on Google, not noticing that Cloudflare had injected it.
Overall, certainly. There are some negative things people talk about that you might agree with, but look back at what the market was that they disrupted and continue to disrupt. I think that without Cloudflare your registrar would be GoDaddy and your SSL certificates would be from Verisign and your rents would be huge. Backbone wise, that would depend on your region.
My registrar were different before and after godaddy existed and plenty of varieties existed. I find less exist now than during GoDaddy's heyday. But less people care about domain names as they stopped becoming a lottery ticket.
My worries were paypal would take over but then came stripe.
SSL certificates were from Verisign until letsencrypt offered thek free. I didn't see Cloudflare changing that market.
Before them we had uunet and other backbone providers.
Cloudflare made their name from ddos protection attacks. They made that market.
For DDOS there was and still is Prolexic/Akamai. Cloudflare did not made that market, they just took a big chunk of it. There are other big players too, like Google.
I mean, maybe we would have found another solution to DDOS, but as someone who has had a pretty significant attack (on a service which is a clear public good) mitigated for free… it’s pretty nice being able to keep your services online in a hostile environment.
I don’t know the history here, do you have some examples?
My usage is pretty much limited to their DNS.
They're pretty reviled by people who go out of their way to be private via things like VPNs and locked down browsers, because that constantly trips their bot detection and makes using the web miserable.
And in places where CGNAT is in use, so that many people are on the same IP address, and botnets are active on that address.
I live in India in such a situation, and most of the time it’s not too bad, but I still encounter Cloudflare CAPTCHAs pretty frequently. At times, it’s been almost half the web is blocking you. And occasionally, it actually is blocking you, not just a CAPTCHA. It’s also not rare, when being more aggressively blocked, for a site to break because it tries loading scripts from another domain, which is then CAPTCHAing so that scripts just won’t load.
Back when I lived in Australia, I practically never got Cloudflare blocks.
The mechanism may be understandable and even justifiable to a considerable extent, but the poor definitely end up suffering more from Cloudflare than the rich.
They’ve got a pretty long history of helping scammers and criminals.
https://www.spamhaus.org/resource-hub/service-providers/too-...
So the better internet is for everyone, is that so bad?
I’d rather have them help everyone than make arbitrary decisions about who gets served. That’s what we have the legal system for.
It gets into the weeds fast. I thought I was all for free speech, then the Christchurch terrorist shared his live stream of him killing people.
The legal system is too slow and private companies have a dubious record of what they police. What’s a good model to follow?
> The legal system is too slow and private companies have a dubious record of what they police. What’s a good model to follow?
Get the legal system in shape. Yeet everyone above pension age out of public office so that we finally may get people into power who grew up with smartphones instead of old farts who let their secretaries print out e-mails and type audio recordings into letters. Then, do the same for police leadership and DAs, yeet the brawns and get the brains. You can't prosecute IT crimes if your average police officer doesn't even know what a proxy or a money mule scam is or if the DA is too goddamn lazy to file a subpoena because the damage is less than 950 dollars.
Then, crack the whip on domestic telcos, ISPs and hosters. Whoever hosts anything connected with more than 200 users has to have a 24/7/365 abuse hotline that has the manpower and authority to investigate abuse claims and remediate them (i.e. disconnect whoever is causing the problem until this party has remediated the issue on their end) in less than four hours.
Then, crack the whip on manufacturers of smart devices. Mandate that every Thing sold with an internet connectivity get at least security updates for a decade, and that the full source code for everything in it including signing keys for firmware be submitted to Library of Congress or whatever archive and released when the manufacturer either goes bust or declares end of life for that Thing.
And then, get the State Department into shape. Countries from which malicious traffic operates or where money from scams gets exfiltrated to get half a year to get their shit in order and be good netizens, or they get cut off from Western nations. No SWIFT, no Internet, no SS7.
The Internet at its fundamental core (cough BGP) runs on the assumptions of a high-trust society, which has led to issues all over the place as the world has shifted towards a no-trust-at-all lawless society and as it is impossible to uproot probably trillions of dollars worth of infrastructure, drastic action needs to be taken to restore the Internet to a high-trust place again.
> Then, crack the whip on domestic telcos, ISPs and hosters. Whoever hosts anything connected with more than 200 users has to have a 24/7/365 abuse hotline that has the manpower and authority to investigate abuse claims and remediate them (i.e. disconnect whoever is causing the problem until this party has remediated the issue on their end) in less than four hours.
I think this makes small-scale hosting unaffordable. It would probably cost circa $150k to staff that hotline, which is then the lower bound on labor cost for the provider. That implies a $750/yr bill to each of those 200 customers before technical costs.
>Then, crack the whip on manufacturers of smart devices. Mandate that every Thing sold with an internet connectivity get at least security updates for a decade, and that the full source code for everything in it including signing keys for firmware be submitted to Library of Congress or whatever archive and released when the manufacturer either goes bust or declares end of life for that Thing.
This is much needed as to not have a bunch of e-wast. Of course pretty sure this will cut into next year's new model's profit. Do we really this new model of phone/computer every few year?
> or they get cut off from Western nations. No SWIFT, no Internet, no SS7.
How do you propose to disconnect them from the internet? As long as there is a country that peers with them that the west peers with, they will be reachable.
This is easy for the phone calls if the politicians cared: Every provider knows who the previous hop was for a call. You report every abuse and your previous hop has two options. 1. They're covered by local law and can point at their previous hop or direct customer. 2. They're abroad and it's their responsibility to deal with their previous hop.
Nobody wants to get disconnected from being and to call the US. This would solve the spam/scam calls issue pretty much immediately.
For the internet it would be harder to enforce.
I always figured a better idea was to put a token tax on voice/VOIP telephony. A few cents per minute or even per connected call that crosses the border.
This makes the unsophisticated scams that rely on spray-and-pray and low-take-rate uneconomical, AND provides friction against offshoring legitimate customer-service.
Yeah, you can argue people will encrypt their way around being easily taxable, but it's the "tax evasion/AML" concept-- you create something easy to prove and to prosecute, even if it would be harder to hunt down the underlying scam.
I'd vote for you. God damn I wish this was the world we lived in.
If a killer wanted to make a scene, they could just do it in the real world right in front of people instead of on Facebook.
These days, with everyone having a camera strapped to their hands or face, that might not work.
> I’d rather have them help everyone than make arbitrary decisions about who gets served. That’s what we have the legal system for.
They don't get to have common carrier status without any of the regulation or obligations that go with it.
They also help the groups which sell DDoS services. And sell the DDoS protection. Even if we ignore their morally messed up choices, their business is both making things worse for everyone and sells the cure.
I guess people downvoting this didn't know - this is something that happens over and over again: https://www.reddit.com/r/CloudFlare/comments/zmx223/6_ddos_f...
There's a ton of sites that ISPs wouldn't sell service to if it wasn't for Cloudflare making it difficult to determine where those sites were. It's basically /dev/null for abuse reports.
Reminds me of the School -> Pro pipeline where companies sell cheaply or even give away their software to learning institutions so that students who go pro are familiar with their tools and then later recommend it for their work.
That’s absolutely true for things like MS Office and Adobe - but it also works in the other direction: I’m sure making kids use Java for AP computer-science or for undergrad contributed to its uncool status today.
The two almost-contradictory takes I hold about this are…
- Java is cool, actually
- Java would be just as uncool even if people weren’t required to use it in school
The problem for Java's "uncool status" isn't Java as a programming language, the JVM or its academic use IMHO, it rather is a consequence of large-enterprise culture.
Large enterprise doesn't value "creativity" or any deviation from standards, but it does value plans and estimates - hence clueless, brainless "managers" and "architects" forced programmers to do absolutely insane bullshit busywork that a gang of monkeys on LSD could do, and that culture spread throughout the large-enterprise world.
On top of that come "design by committee" stuff like CORBA, XML, SOAP, Java EE, Enterprise Beans and everything associated with this particular horror show, JDBC...
You can do absolutely mind blowing stuff with Java and the JVM. But fuck corporate for torturing Java and the poor sods tasked with the busywork. Java got the image it has because programmers want to be creative but could not be so because their bosses were braindead.
The historical Java patterns of factories of gizmos modified by adapters on adapters etc. really makes the large codebases miserable to work on. Along its enterprise lifespan it picked up all the fad modelling/project jargon/pattern nonsense (which as you rightly say were there to limit creativity) and that is now embedded in codebases. It might be that a new Java enterprise application started from scratch would be lovely, but those are rarely seen in the actual enterprise world.
I don't think it was ever uncool because of the core language, it was always uncool because of the standard libraries, UIs and culture.
> I don't think it was ever uncool because of the core language
Putting type-erasure vs. reification to side, I'm going to disagree here: for reasons unknown, Java's language designers have adopted a dogmatic opposition to class-properties (i.e. field-like syntax for invoking getters and setters), operator-overloading, or any kind of innovation of syntax.
I appreciate the problem of backwards-compatibility (and forwards-compat too), but the past 30 years of software and programming-language usage and design shows that field-like getters/setters (i.e. "properties") are a good and useful feature to have; so if Java is going to overlook something as basic as properties (pun intended), then it follows that Java's designers will similarly disregard other language design innovations (case-in-point: if "value types" are even an innovation).
I can say there is one thing that Java has done well, and that's make a good music video: https://www.youtube.com/watch?v=1JZnj4eNHXE
-----
Yes, Project Loom's reinvention of Green Threads is cool, but that's not anywhere near enough to address Java's declining relevance and credibility as an application-programming language in the era of C# 13, Rust and TypeScript (and yes, I know Rust doesn't have properties - but the rest-of-Rust more than makes up for it). My main take-away from the past 15+ years is that Java fell-behind everyone else; it's not that C# is Microsoft's take on Java, but that Java is now a third-rate C#.
Autocad 10-12 back in college. Cost thousands of dollars in 80s/90s dollars, Not officially allowed to copy, but in reality effortless to copy and run at home for free.
There were other products aiming to be just as good at the same time that were actually protected with dongles and such.
The one that everyone could run at home is the one that took over the world.
Same with Photoshop, and Windows, and plenty of others. Intentional or not, the ease of copying these products is what made them ubiquitous.
I think Windows was ubiquitous because for a long time there was nothing else usable for Joe Average on PCs, and PCs were essentially the only game in town until Apple got its act together.
This is exactly our thinking with authentik (open source IdP), and it's played out in practice so far. Enterprise sales conversations are so much easier when they start with "we all use you in our homelabs already." We're much more focused on giving those individual users a positive early experience (in hopes that some small percentage will really pay off down the road) than in extracting a few dollars from each of them.
I had this exact conversation with a Cloudflare rep a year or two ago, after I told her how I user their free DNS service. She said, "that free service was the best thing we ever did". And we wound up buying their bot management and DDOS services.
I went back and reread that reply by Matthew. Essentially, nothing has changed; the free customers are very important to us for all the reasons that he outlined. See also this blog post on us and free customers from 2024: https://blog.cloudflare.com/cloudflares-commitment-to-free/
^ CTO of Cloudflare for reference
> I don't think they care much about few "Pro" upgrades here and there. The real money, and their focus as a company, is in enterprise contracts.
Cloudflare's enterprise customer acquisition strategy seems to be offering free or extremely cheap flat-rate plans with "no limits", then when a customer gets a sizeable amount of traffic they will try to sell them an enterprise plan and cut them off if they don't buy (see https://robindev.substack.com/p/cloudflare-took-down-our-web...). IMO this is pretty shrewd, as it means that companies can't do real price comparisons between Cloudflare and other CDNs until they already have all their infrastructure plugged into Cloudflare.
That particular story / case had a lot more context to it that we weren't given. I wouldn't be ready to place any kind of merit on it without hearing more. I also think given the OP's industry it's likely there were issues with IP reputation. Could it have been handled differently? Probably. In this case I think it would have been smarter to just part ways upfront and let the client know it's not going to work out. I suspect the contract was designed to say.. we don't see the value in this relationship.. but at this price we'll make it work type deal. I don't think that's the right way to go, but I hardly believe this is how they operate.
I've used their free -> enterprise services in multiple companies and clients. Haven't had a single bad experience with them yet. Always helpful, if a bit delayed at times.
It doesn't seem like Cloudflare has any problems with online gambling, especially since the first email the author got from Cloudflare came from someone in their "Gaming & iGaming" division. There's people in this thread in other industries who have had similar experiences with them.
IMO the biggest problems are how Cloudflare kept inventing excuses like "issues with account settings" to get the customer on the phone with their sales team, and the mixing of "trust and safety" with sales (like deleting their account for ToS violations after the CEO mentioned talking to a competing CDN).
No problem with gaming & gambling where it’s legal. Lots of problems where 1) it’s illegal; and 2) a customer sets up lots of free accounts to get around local ISP blocks and gets big ranges of our IPs blocked causing significant collateral damage to other customers who share the IPs. In that case we will ask the customer to switch to a solution which requires them to bring their own IP addresses. And because that takes much more bespoke support, we charge for it.
I don't know that I can trust the perspective of the Op here. Gaming and Gambling aren't the same thing. We don't know that they invented excuses here either. I would also suspect the comment about a competing CDN was used by the OP to try and gain leverage and it failed.
All i'm saying is we can't make a determination of right and wrong without more data. All things considered, it reads more to me that the data withheld is on the original OP side rather than the CF side.
Either way, it's a unique one off. Most of the mentions in this thread of this behavior all rely on this one experience. I think that in of itself is probably a positive on the side of cloudflare. If it were institutional that they treat clients like this we would hear it regularly.
> Gaming and Gambling aren't the same thing.
iGaming is a euphemism for online gambling.
https://assets.ctfassets.net/slt3lc6tev37/4SyI8LW6SeJAGPWwZY...
Interesting, thanks for the link to the asset too.
Gambling is often just refered to as "gaming" by the industry and legal system, so the word is like "drinking" in that it's both specific and non-specific depending on context. English is a very well thought out language.
Yep, and if you contact their sales directly because you've been bitten before and tell them your traffic they will be happy to tell you that yes, other than a short trial you have to pay them for huge bandwidth from month one. It's actually surprising to me people would believe it's fully free. Like think for a bit that if that was the case Netflix would just move to Cloudflare free tier and Cloudflare would go bankrupt immediately.
Like think for a bit that if that was the case Netflix would just move to Cloudflare free tier and Cloudflare would go bankrupt immediately.
Cloudflare's free tier specifically excludes video. See https://www.cloudflare.com/service-specific-terms-applicatio...:
Content Delivery Network (Free, Pro, or Business) Cloudflare’s content delivery network (the “CDN”) Service can be used to cache and serve web pages and websites. Unless you are an Enterprise customer, Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN. Cloudflare reserves the right to disable or limit your access to or use of the CDN, or to limit your End Users’ access to certain of your resources through the CDN, if you use or are suspected of using the CDN without such Paid Services to serve video or a disproportionate percentage of pictures, audio files, or other large files. We will use reasonable efforts to provide you with notice of such action.
Replace Netflix with Reddit in that hypothetical then, would they be allowed to serve their substantial non-video traffic through the free tier? If so, you have to wonder why they choose to pay for Fastly instead.
We’d be happy to support Reddit on our free tier. I doubt we’d actually be able to measure the increase in bandwidth costs if they were to onboard.
Yes, and they are free to talk to us any time if they want to switch; I doubt they'd want to be on a free plan because there are significant extras that come with the paid plans.
Does this apply to caching R2 with the free tier CDN?
The R2 overview page explicitly lists "Storage for podcast episodes", but a podcast host under the free tier would serve a disproportionate percentage of audio files.
It's been asked and answered many times. https://www.cloudflare.com/en-au/service-specific-terms-deve...
ctrl+f "podcast" has no results
It's treated (along with the big one, video) under non-html content
Audio is tiny compared to video (and even images), especially for podcasts, think ~1MB/minute. And they compress well if you want them to be smaller. High quality video (think 4K HDR) can quite comfortably be over 1MB per second.
I assume they don't want to become a file sharing website, but hosting a podcast is relatively easy on the bandwidth requirements.
A music album which gives an hour of entertainment might be distributed in lossless form at a size of 300 MB or so. A similar length TV episode could be between that and 1 GB. Podcasts are usually way lower quality and much smaller.
A lot of people who had large image collections (like myself) online struggled with revenue relative to cost circa 2012, I saw a lot of sites I respected go down, though we did see some new style social sites such as Pinterest, Snapchat, Instagram, etc. Somehow YouTube was doing much better in terms of revenue/cost with video.
Compressing images for the web is not at all trivial, I over-compressed a few million images and really regretted it. When I post to social now I use Photoshop's "(Legacy) Save for web" which has a nice slider for the quality level and find I can get images I take with my Sony to look like they came from a pro camera between 80kb (small flower, blurry background) to 800kb. I see huge splash images on blogs that are smaller, they make a good first impression, look close and the blocking is awful.
What about hosting video on R2 and using the CDN?
Frankly it’s none of y’alls beeswax what medium of content I’m deploying. I can understand restrictions on illegal and offensive content. I won’t be using Cloudflare if including a file or even putting some base64 in my html file will be a ToS violation.
It's these petty restrictions that make these pricing policies convenient, and it hurts the market :(
https://en.wikipedia.org/wiki/Dumping_(pricing_policy) https://pricecontrol.biz/en/dumping-from-a-to-z/
Wouldn't a significant restriction on what you can host for free move it further from being dumping? I don't understand your logic.
No, if they had to be more consistent with the rules this type of dumping wouldn’t be as effective.
What's inconsistent about allowing web pages but not video?
If they had a limit of 50MB average per page navigation, would you call that rule consistent? It would have largely the same effect and I don't think it would affect the ease of dumping.
Well bad example, but as someone else said, replace with any other large non video service. I'm not making this up, I had calls with sales. And like I said, I don't think this is surprising, it's like "infinite bandwidth" deals from ISPs and phone data plans, etc. It's a reasonable expectation that you'd have to pay at some threshold.
I haven't heard about this in particular but based entirely on your depiction here it sounds more like fraud to me.
If I was paying a flat rate for a no limit plan, that company tried to sell me an Enterprise plan which I declined, then they cut me off, we'd be in court as soon as the clerk would schedule it.
If you were rotating IPs against the TOS I don't think you'd have a leg to stand on
The GP doesn't mention anything about rotating IPs
I think he is saying that the customer, a casino. Had a dubious legal status in different countries. They are often banned.
Cloudflare doesn't want their IP's (rotating) to be affected so advised bring your own IP, which is an Enterprise feature.
I remember this story and it missed the entire point.
The customer ( a casino) was using dubious actions in different countries which impacted Cloudflare's IP trust. Tldr: Cloudflare didn't want an IP ban in their IP's due to government regulation.
The fix was to bring their own IP which is an Enterprise feature, as they weren't allowed to use Cloudflare's IPs anymore.
> Bandwidth Chicken & Egg: in order to get the unit economics around bandwidth to offer competitive pricing at acceptable margins you need to have scale, but in order to get scale from paying users you need competitive pricing. Free customers early on helped us solve this chicken & egg problem.
I'm not really sure how this works.
Suppose you have paying customers and for that you need X amount of bandwidth. If you add a bunch of free customers then you need X + Y bandwidth. But the price of X + Y is never going to be lower than the price of X, is it? So even if the unit cost is lower, the total cost is still higher and you haven't produced any additional revenue in exchange, so how can this produce any net profit?
If you send 10Gbit/s to an ISP you have to pay for transit to reach it. But if you send 100Gbit/s+ the ISP suddenly is willing to not only peer for free with you but may even host the servers for you in their data center for free. [0][1][2] So yes being bigger can absolutely save you costs.
[0]: https://www.cloudflare.com/partners/peering-portal/
[1]: https://openconnect.netflix.com/en/
[2]: https://support.google.com/interconnect/answer/9058809?hl=en
Don't forget about the Bandwidth Alliance, which is agreements for free or cheap egress between peers.
Can't you just send random generated packets. Or by requesting content from other hosting provider with free or cheap egress. Or sending to another hosting provider.
Sending random packets at another AS just results in your traffic being blocked. The network engineers running these systems are smart, and the community is surprisingly small.
The thing with ISPs is the small guys are more likely to have to pay, and the smaller you are the more likely you are to pay more.
If you are a Tier 1 ISP, everyone is willing to pay you to carry their traffic and other Tier 1s just make peering agreements with you.
If you're johnscheapvps.com, you're likely to pay all your upstream ISPs for your traffic. If you're GCP or, say, digitalocean.com, everyone would love to be paying you to get faster access to all the sites hosted on your platform (and because paying you is probably going to be cheaper than their regular upstream)
Imagine you're an ISP. If your customer has slow bandwidth to some random website, they will blame the website. If they have a slow connection to YouTube, they will blame you.
So YouTube gets more favorable terms on transit bandwidth than the random site does.
it may be, especially if the ISP in question just does direct peering with you, your unit cost can drop to ~ $0/MB, and you stop paying Cogent/Verizion/HE unit cost for facilitating the connection from you to the ISP.
Works for the ISP too, one off cost for them to drop there side of the bill down
The point is that that you get your paid offering down to a lower price point because you have the volume to get the cheaper peering deals. Because your paid offering is cheap you get even more volume from paying customers which offsets the loss you made.
And this works IME
I use Cloudflare for hobby projects 90% of the time because it’s free. That dramatically increases the likelihood I advocate for their offerings in the enterprise
Cloudflare generally seems to have a really smart strategy team. There's a really excellent Stratechery article about Cloudflare's strategy team more generally:
(Stratechery is down now, but the web archive is up.) https://web.archive.org/web/20250108182845/https://strateche...
It's a very elegant business strategy because you have one clear focus (handle loads of bandwidth), but it can be expressed in so many ways (DNS/Caching, object storage, video delivery/streaming, static site hosting).
I've always wondered if there is an accounting benefit for them. Can the free tier be charged as 'marketing'? No idea how you would internally break up the costs, but it could make your margins look better.
Another likely reason: the process of metering bandwidth accurately enough to use as input for a billing process costs money. On their distributed setup it's probably seriously expensive to do accurate bandwidth metering per site. Probably more expensive than they expect to make by pricing bandwidth.
The hidden purpose of a free tier is to discourage competition
Expand on this please?
Let’s say you’re looking to break into the Fun as a Service market. The incumbent offers 100 hours of Fun per year as a free service and charges enterprise prices above that. If you want to start a Fun as a Service competitor, to have any chance of competing for new signups you also have to front 100 hours/year for anyone who wants to try it at a 100% loss, before you can even start making money.
It’s the same principle behind predatory pricing, which is illegal but rarely enforced. The goal is to make it too expensive for new players to enter the market, or to force existing competitors out.
That's not the complete story.
Cloudflare's main income is DDOS, which is incoming traffic they pay for.
They pay for that pipeline (which you pay for up and down traffic), so they have a generous free CDN because they already pay for it.
( Unrelated to workers, ... )
I think this is the important part
> Today we continue to see that benefit in regions where our diversity of customers helps convince regional telecoms to peer with us locally, continuing to drive down our unit costs of bandwidth
If you can peer your traffic you can send it for free.
So lots of small customers, despite not paying anything, is helping to reduce bandwidth costs for Cloudflare to zero.
If they've reduced bandwidth costs to zero then they can afford to give it away for free.
I can tell you from personal experience that getting some ISPs to peer with you is hard unless you are exchanging lots of traffic already.
This is a clever playbook that has made Cloudflare a tier 1 ISP in an age when that is extremely difficult.
- Not every peering is free. - You still have to pay for the fibre and router.
Power and rent too
> Cloudflare had decided long ago that they wanted to work at an incredible scale.
This reminds me of the story of how Jeff Bezos bought relentless.com. The rest is history. https://pluralistic.net/2022/11/28/enshittification/
It's not really free. One day, you get a call from their sales team saying "you're straining our network". I kid you not. We were on a business plan and still got this. When we met them in person, we were asked to upgrade to a $2000+ per month plan. From a $200/mo plan. That's a 10x increase. I searched their TOS, nowhere it was mentioned about "straining their network". Turns out that's just their scammy tactic to get you to pay. We refused. That really left a bad taste in my mouth.
Today, I refuse to recommend any client or startup to them because of this extremely unethical practice. All around, I'm not sure they deserve so much positive press/attention, especially after screwing some of their own employees (one even got super famous live streaming the firing).
We had a terrible sales experience with Cloudflare at my last place. They would not budge on the $200 a month quote, and we knew that was BS because the next closest quote we had was $3000 or something. Eventually, like the fourth try, we said, in writing, “just to be clear, for exactly $200, a month we will get XYZ bandwidth”, and of course they said “ohhh well actually maybe it’ll be $8000”.
We had discussed our requirements, our scale, our product with the sales team multiple times but it was only when we wrote down something that we could potentially have used in court that they finally acknowledged their pricing was actually nearly two orders of magnitude higher.
>I searched their TOS, nowhere it was mentioned about "straining their network". Turns out that's just their scammy tactic to get you to pay.
You seem to be pretty cagey about what your usage actually was, and whether it was indeed "straining their network". Were you using more resources/bandwidth than a typical customer would? Most ToS contains clauses that allows the vendor to unilaterally cut customers off if they're an excessive burden, even if there aren't explicit quotas, or are explicitly "unlimited". ISPs don't let you saturate your 1Gbit connection 24 hours a day, even on "unlimited" plans, but I wouldn't call it a "scam" if they told you to upgrade to an enterprise plan.
Well, Cloudflare seems pretty cagey about what their prices are, given they don't reveal them to clients until they are completely tied in.
This is for a normal news website, no gambling, no offensive content. Just regular news. Their business plan explicitly mentioned "unlimited bandwidth" at the time of signing up. I clearly remember reading every bit of their TOS to find any gotchas but there were none.
If you claim you provide unlimited bandwidth, then don't call me tell me I'm straining your network.
By the tone of your comment it does sound like they give you a lot before asking you to pay more.
I still really would like to hear a byte amount. How many bytes are you pushing per month?
I don't believe anything is ever free, and everyone promising "unlimited" will still have a point where you are just costing them too much. CF don't want to say the byte number themselves. Could someone please say the byte number. Someone?
> everyone promising "unlimited" will still have a point where you are just costing them too much
I mean, in the business world, if you promise someone something, it has legal consequences, you can't just walk in and say "hey, remember I promised you something unlimited with no strings attached? Yeah, no"
That's exactly my problem with CF. It's not like we are a large news network or anything. We are actually very small compared to their other customers, that much I can tell you.
I've seen enough stories exactly like this from other CF customers to believe it.
I've seen enough stories exactly like this, where it turned out such usage is unusual and a move to a higher priced plan was justified (eg. https://news.ycombinator.com/item?id=40482505, https://news.ycombinator.com/item?id=34640016, https://news.ycombinator.com/item?id=31336515), that I find it suspicious whenever people act surprised and outraged at cloudflare upselling them, but are cagey about what exactly their site's doing.
On the one hand it’s completely reasonable for a business to ask customers to pay for what they are getting.
On the other hand, this entire HN thread was kicked off by a blog post gushing about how awesome it is that Cloudflare offers truly unlimited bandwidth for free.
I’ve been around the industry long enough to understand that anything marketed as free and unlimited is in fact a loss leader. But I also am fine with pointing out this obvious contradiction between marketing and reality.
> offers truly unlimited bandwidth for free
Free of charge is different from free of restrictions. Cloudflare didn't trick anyone into signing up for these plans, and it's never been a secret that they're a for-profit company.
> contradiction between marketing and reality
I think the important distinction is contradiction between expectations and reality. Cloudflare free plan's outside of Pages have never offered "unlimited free bandwidth" but "generous free bandwidth with conditions". It just so happened that for many the "generous" was unlimited, and this precedence somehow convinced everyone that "free plan" meant "unlimited free bandwidth" instead of "generous free bandwidth with conditions".
I'm with parent in the feeling that most the stories of Cloudflare acting in bad faith end up being the customer up to shady shit but expecting Cloudflare to subsidize them because "free plan". I'd be genuinely curious to read about an incident where I didn't side with Cloudflare.
Separate to this issue is that their Sales team employ strategies that the engineering crowd considers distasteful like phone calls, pressure tactics and private pricing. Most engineers never need to talk to a sales person outside retail, so it's a shock when you're suddenly talking to one trained and incentivized to exploit more from larger clients but is instead using those tactics on you. It's unsettling if you're not familiar with it, and leaves a bad taste in your mouth.
> Cloudflare free plan's outside of Pages have never offered "unlimited free bandwidth" but "generous free bandwidth with conditions".
To be clear, Cloudflare's pricing pages have definitely included statements like "we never charge for bandwidth" for the free plan of the CDN. Here's a snapshot from exactly 10 years ago[1].
They removed it after a while, probably because it's just not true, and I don't think they make any such statements on their increasingly complicated pricing pages any more.
[1]: https://web.archive.org/web/20150116071824/https://www.cloud...
The statement is true in so much as you can not be billed for traffic that has occurred without a paid contract in place. Also no mention of "unlimited", and though free is used throughout never "free bandwidth". It also doesn't contradict that Cloudflare can and does restrict or limit services for perceived TOS violations.
In the many years I've used Cloudflare I was never under the impression I received "free unlimited bandwidth", but "generous free bandwidth with conditions".
So if you're on a free plan you never pay for bandwidth, until you're not on a free plan (or any plan). It sucks to be one of the free plan users that doesn't have the ability to make a paid plan work, but I don't understand why Cloudflare needs to keep subsidizing something that wouldn't be tenable without their handout.
This "straining the network" is the "unlimited pto" of b2b saas. It's all bullshit. Nebulous and you don't really know what you're getting into until you're too locked in and they squeeze you. Don't do business with companies like this if you can avoid it. It's the Datadog model of we'll charge you whatever and make it extremely complicated for you to understand why you're being billed $x this month.
Word of advice, if you have unlimited PTO and you've never gotten called into a meeting to tell you you're taking too much you're not taking full advantage. It's probably higher than you think. I've gotten to normal onsie-twosie days off plus 8 full weeks before I got called in.
That was a great year.
Do you think "unlimited leave" policies end up acting a bit like insurance models? Some people take a lot, many take a little, so it evens out to less-than-if-we-had-a-set-number-of-days?
I understand unlimited PTO as no lower limit, as in, there is no limit on how few PTO days you can take.
If you have an actual number, the idea is that you must take them, or at least, you get paid extra if you don't.
> If you have an actual number, the idea is that you must take them, or at least, you get paid extra if you don't.
That's why "unlimited" PTO exists. Defined PTO is a liability on the company's books.
straining is also ambiguous and disingenuous.
if we believe the plan was $200 and the upgrade was to a $2,000 plan.. there's no way a $2,000 user would be "straining" Cloudflare's network.
We spend more than that. If we are putting a strain on Cloudflare, they're not at the scale we think they're at.
Seems like you don't really have any issue with the underlying business decision (ie. pushing a high usage customer to a higher tier plan) and are only upset about the wording the salesperson used. All the points you've made applies to ISPs as well. Most neighborhoods are probably provisioned well enough that a single customer saturating their 1gbit connection isn't going to bring the network down to its knees, but that doesn't mean ISPs aren't justified in pushing such customers to a higher tier offering (eg. dedicated circuit).
Why are you straining so hard and spending so many words to defend general scumminess.
Invisible limits are an anti-pattern, simple as that.
See my other comment[1]. I'm not sure why you're straining so hard and spending so many words to defend "general scumminess", like the the right of a gambling site hosting dozens of domains (to evade government bans) on shared cloudflare IPs, or people expecting to get 1.2PB of bandwidth served out of a $200 CDN plan.
You want this to be complicated so badly, but it's not.
Hidden limits are an anti-pattern.
There is no counter-argument.
If they have a hard limit they can cut people off well ahead of 1.2PB of bandwidth with less ambiguity: it's a strictly better situation.
>You want this to be complicated so badly, but it's not.
>Hidden limits are an anti-pattern.
>There is no counter-argument.
Here's a counterargument: do you get similarly upset that restaurants advertising "free refills" cut you off after you've been at the place for 12 hours and you dispensed 8L of coke? Explicit limits is how you get "limit one refill per customer", leaving most customers worse off.
Do I think hidden limits are always better? No. It operates on a spectrum, and depends on how many "legitimate" customers are affected by the limit.
It doesn't sound like the number of refills is the real problem if you're worried about someone staying for 12 hours.
If the rule was "you have to leave after 2 hours" or "after an hour, you get one last refill", that would solve the problem and affect almost nobody else, while being nice and explicit about expectations. (Or cut those numbers in half if you want, it's just an example.)
>It doesn't sound like the number of refills is the real problem if you're worried about someone staying for 12 hours.
A butt in seat doesn't cost the business any money as long as it's not displacing any paying customers (ie. the place isn't packed). Soda might be cheap but it's not free, so dispensing 8L of product does cost the business money.
>If the rule was "you have to leave after 2 hours" or "after an hour, you get one last refill", that would solve the problem and affect almost nobody else, while being nice and explicit about expectations. (Or cut those numbers in half if you want, it's just an example.)
See my other point about people riding up the limit. When you institute an explicit limit, you end up having to be more conservative because an explicit limit emboldens people to ride up right against the limit, rather than a fuzzy limit with the expectation that people act "reasonably". Instituting the limits you proposed would cause the problematic customers to chug soda within the allotted time, for instance. It also becomes a hassle for everyone else who's being reasonable. If I'm meeting with some friends after and need to kill an hour or two, I suddenly have to worry about whether I can stay without getting kicked out, etc. Most people, even above-average utilization customers lose out from this, and the only people who benefit are the ones taking advantage to an absurd degree.
> Instituting the limits you proposed would cause the problematic customers to chug soda within the allotted time, for instance.
How much soda do you think they're going to chug? That sounds weird and rare. I don't think it's a limit where you're going to have a problematic amount of riding.
> If I'm meeting with some friends after and need to kill an hour or two, I suddenly have to worry about whether I can stay without getting kicked out, etc.
That's not consistent with the idea that the business is fine with you sitting around for a while. If they're fine with that, they would only limit your refills after a point. That rule should give you no reason to worry about being forced to leave.
Though is buying a new drink after two hours a big deal in the first place...?
Ok, so when open a restaurant offering refills of soda for tonight's dinner you can have hidden limits...
And when you build a SaaS that people build entire businesses on, you can state your limits transparently and openly.
Not sure this is the gotcha that you think it is.
So you're admitting the principle is fine for restaurants, but not for "SaaS that people build entire businesses on"?
Yes.
I won't hold them to the same standards, they're not the same thing.
If you want to wax poetic about drink policies go right on ahead, no push back from me.
Cloudflare doesn't have hidden limits. Their limits are not written down, and they're somewhat moving targets (which is probably why they're not written down); but they're very obvious (in an economic sense), and their value (at any given point in time) is very easily measured.
Cloudflare's limits can be formalized by imagining one of their PMs saying the following: "You can do things on our general infrastructure for free, as long as we don't offer more-specific infrastructure that's intended specifically for the thing you're doing. And even then, we will let you use the general infrastructure as a "workaround" to needing to engage with the domain-specific infrastructure... up until the point where — if you had been using the purpose-built domain-specific infrastructure from the beginning — the cost model for that specific infrastructure would have had you spending enough money, that the 'uncaptured revenue' you would represent, would begin to affect one of our salespeople's KPIs. Once you hit that point, our salespeople will come to 'convert' you."
For examples:
• You can force regular old Cloudflare to cache large image assets through Page Rules, with long TTLs, for free. Or you can stuff your large image assets into Cloudflare R2, lose the ability to set long TTLs, and pay per (origin-pull) GET request above a certain daily free-tier limit. If you serve enough image assets through Page Rules that you represent non-trivial uncaptured R2 revenue, then Cloudflare will contact you.
• You can force a Cloudflare Pages site to do small amounts of CF Workers logic in the routing phase of serving the page, for free. Or you can put an actual Worker in front of a regular static site, and pay per GET request + per CPU-second after some free-tier thresholds. If you use enough CPU-seconds inside the "unbilled" stage of your Cloudflare Pages site, Cloudflare will contact you. (Note that they're very unlikely to come after you for this, since the limit on the amount of work you can do here is pretty trivial, so you'd have to be getting a ridiculous amount of requests for this overhead to add up to anything meaningful.)
• Previously, you could force Cloudflare to resize images "on the way through" for free, using a /cdn-cgi/ path. These days, you're forced to go through Cloudflare Images, which charges per request and (IIRC) per processed byte. This is because everyone was using the free approach and ignoring the Cloudflare Images infra, and Cloudflare saw hundreds to thousands of accounts with potential non-trivial un-captured revenue here. Rather than address them all individually, they "sunsetted" the support for free image resizing, to force these accounts to either start paying or get out.
---
Note how this is exactly the same as a restaurant saying: "you can have water for free, and we'll put a lemon slice in your water, but we're not going to give you enough lemon slices and table sugar packets to make lemonade with — because we charge for lemonade. Just buy the gosh-darn lemonade; stop exploiting our kindness to make it yourself; by doing so, you're using way more of our resources than if you'd just let us make it."
There's nothing hidden about the cost of lemons or sugar packets. The restaurant is going to give you lemons and sugar packets for free right up until your consumption could have paid for a lemonade. Then they're gonna force you to buy the lemonade.
i agree with all your points - but i wish the lemonade didn't have arbitrary pricing up to $5k a month
If 1.2 PB is a problem, then why don't they just specify a bandwidth limit of say 1 PB? They specifically say "unlimited bandwidth", so yes, what they are doing _is_ scummy because there is a very obvious incongruity between what they claim and what they actually offer.
I imagine because people will immediately push up against the limit and no further. It’s much easier to detect these excessive users if their bandwidth naturally keeps growing.
This is just stratified pricing. If you're egressing 1.2PB ($50k+ worth of bw on AWS) there's a likelihood that you're earning a fair bit and an enterprise contract will be worth it to you when it comes to support. On the other hand if you're egressing 1.2PB to serve some open model weights that you don't charge for, CF would prefer to leave you to it and enable you to serve.
To be honest, sales people are sales people. Their job is to sell you on packages, and they will generally do anything to get you to upgrade.
It's not like they threatened to remove you from their service. They asked you and gave you a "canned" reason.
If you don't mind me asking you had a $200 a month plan, and changed to another provider. Did the plan price go up or down?
If CF is calling you like this then I’m not sure how you’re interpreting this as a donation call. They’re basically saying you’re about to be fired as a customer.
Except now there isn’t a clear formalization on how much you were expecting to pay or how much runway or patience CF has left for you.
> If CF is calling you like this then I’m not sure how you’re interpreting this as a donation call. They’re basically saying you’re about to be fired as a customer.
I've had a call from Cloudflare at my previous job, and it wasn't a "you're about to be fired" it was an attempted upsell.
Sales people work within the policies & frameworks set by a sales organizations whose goals and strategies are set by said organizations leadership team.
This isn't a random sales person gone rouge—its a matter of how Cloudflare chooses to do business with and treat their customers.
The problem with this approach for customers is that it makes there costs entirely unpredictable. What's the stop them from increasing prices from $2,000 on the enterprise plan to $20,000 on the enterprise plus plan?
Very true. I think it was Snowflake we worked with recently where the sales rep said they don't get commission (I assume they have other incentives).
Aggressive commission structures, sales targets, and little oversights have visible impacts on how the sales team operate.
Compare to cloud providers like AWS where you certainly get "reminded" constantly about all the integrated services and features but much less so harassed and threatened into closing deals.
If you're not big enough to get an actual contract signed by your legal teams then nothing. That's just how it is, not unique to CF.
Sure but there's a huge difference between companies that load the call with sales people and sell to execs vs bringing solutions architects and sales/customer engineers on the call and actually explaining the product and its benefits and coming up with a customer tailored solution.
We had a pretty positive experience with a Cloudflare contract last year but it sounds like Cloudflare is more the former than the latter.
> It's not like they threatened to remove you from their service
They routinely do exactly this
And it's not only threats, they actually enforce them. Here is an example, but there are many more: https://robindev.substack.com/p/cloudflare-took-down-our-web...
This org was getting Cloudflare owned IPs blocked left & right due to the gambling content.
The fees are for sure ridiculous but i don't think Cloudflare was wholly unreasonable to request that the customer bring their own IP.
Is it written anywhere in their ToS that “gambling content” requires you to pay 120k$ or get booted out? If not, then it's not reasonable at all to give them a 24-hour notice and it definitely sounds like extortion.
I don't buy the “was getting Cloudflare owned IPs blocked left & right” argument.
Remember we are talking about a platform that still protects 4chan despite the internet raids, violence threats, celebrity hacking + photos leak, the buffalo shooting, etc:
https://en.wikipedia.org/wiki/4chan#Controversies_and_harass...
Surely there are abuse and fair use provisions in their ToS/contract for shared resources like IPs. If they're in the xx percentile of customers causing IP blocks they'd enforce.
Industry practice is to just move all the risky customers in an IP range dedicated to them
I actually recommend AWS because of this. Sure, it’s AWS with all the warts, but at least they bend over backwards to maintain compatibility (at least compared to GCP), and have sustainable billing practices.
Free is free until it’s not. When Cloudflare becomes the new Akamai and needs profits, guess who will get squeezed. If you’ve built your app around their vendor specific stuff like Cloudflare functions, that can be bad news.
> If you’ve built your app around their vendor specific stuff like Cloudflare functions, that can be bad news.
There's nothing that "special" about Cloudflare Workers, its mostly "just" a WinterCG runtime. Where you'd encounter problems is if you used the provided interfaces for other adjacent Cloudflare products, like R2, D1, KV, Queues, ect. So what you do is commit a hour of engineering time to make wrapper functions for these APIs. If you're feeling extra spicy, commit another hour of engineering time to make parallel implementations for another service provider. If you allow your tech stack to become deeply intertwined with a 3rd party service provider, thats on you.
Yeah, I guess that’s what I really meant.
Also at face value, it may seem like “an hour of engineering time,” but I think cloud vendor lock in is real unless you try very hard to only use abstract constructs.
Agreed, I’m wondering where all these magical 1-hour efforts come from that decouple someone from a vendor. Let me just decouple from s3 real quick.
This is a growing pattern in hosting like Netlify and headless CMSs like Sanity. Their free model is "generous" and then if you go production and start to have overages you get billed exorbitantly for bandwidth and API requests. It is essentially a trap. Once you hit those limits you have very little negotiating power when you hit the "call us for pricing" level and you get outrageous quotes. It costs them very little to run these services so if they can net some minnows that become whales, that is almost pure profit.
It's the double-edged sword of both free plans and "transparent pricing". If you just click "buy" and enter your CC info you're subject to their somewhat arbitrary terms of service. Service is cheap and reliable so you don't ask questions. But they can just boot you and there's very little recourse. It's why most big companies want a signed contract that's binding and comes with some kind of mandatory dispute resolution or penalties for non-compliance.
You should report that to them. Their CTO multiple times said this in HN.
I'm not a fan of Cloudflare's enterprise pricing model. It seems like they'll charge you whatever they'd like to when renewal time comes around, and will play with the numbers to ensure you stay around whatever total they'd like to see. They charge for each protected domain, in addition to sane metrics like bandwidth utilization and number of requests. Charging thousands per protected domain per year is scummy. Maybe I'm just too used to AWS/GCloud/et al. pricing that actually bills me on utilization rather than arbitrary metrics.
Did you move from cf to someone else, or are you still using them?
I like Bunny because it’s prepaid
Would you be comfortable sharing how many terabytes you were pushing over their network? Also, how much a similar contract costs with the competition.
While I agree it’s scummy, you could argue you got $1800 worth of traffic for free for a while.
I heard a great theory about this recently.
The hardest part of onboarding a new customer to Cloudflare is the bit where you need to switch over to having them manage DNS for you.
If you're under a DoS attack or similar, waiting for DNS changes to propagate is the last thing you want to have to care about!
Cloudflare's generous free tier is an amazing way of getting that funnel started: anyone who signs up for the free tier has already configured everything that matters, which means when they DO consider becoming a paying customer the friction in doing so is tiny.
Not being able to use DNS I prefer, is why I've never hosted anything with Cloudflare.
The OP doesn't link to Cloudflare's (repeated) explanation about this exact topic.
I suspect they also greatly benefit from developers using them for hobbies and suggesting that their workplace use them in turn. Though, that's much harder to track.
It's not hard to confirm, since the CEO posted this very reason 9 years ago. It's not exactly hidden on.. StackExchange, answering the very question:
"How can CloudFlare offer a free CDN with unlimited bandwidth?"
https://webmasters.stackexchange.com/questions/88659/how-can...
Oh
This ^
The reason it's free and with unlimited bandwidth is that it's not.
Unless you stay very small, you'll eventually get on the radar of the sales team and you'll realize the service is neither unlimited nor free. In fact, you'll likely have to look at a 5 or 6-figure contract to remain on the service.
(n = 1 & all) A project I co-develop pushed 30TB to 60TB per month on Cloudflare Workers in the past (for months on end) for $0. No one called us to sign 6 figure contracts.
Workers are a very different product so I'm not too surprised by that. The main workers payment model is entirely concerned with CPU use and you must be minimizing that.
wait
Do you have a counter example, or is this just your assumption?
Actually, I have a really good counter example but I'm unwilling to share it publicly, as I don't want to dox myself.
But the gist of it is that CF sales are really good at identifying users that are both locked into their offerings and big enough to be able to sign an expensive contract.
CF do have an excellent offering and workers, in particular, are amazing for many things.
Once the above conditions hit though, you will invariably get a call from the sales team. There is no free lunch.
"CF sales are really good at identifying users that are both locked into their offerings"
as I said in another comment, if you allow yourself to become deeply intertwined with a 3rd party service provider that's on you
There are several counter examples in the comments on this page.
none of which seem to have given their bandwidth figures.
Their usage was finite.
So if cloudflare’s offer is really unlimited and free, they haven’t exceeded it.
"everyone knows" that unlimited basically anything has limits.
I'd be shocked if CF actually allowed you to use a couple hundred PB/month for free. And that's still finite!!
> "everyone knows" that unlimited basically anything has limits.
Right. But the answer to the question posed in the title - "Why is Cloudflare Pages' bandwidth unlimited?" - is that the bandwidth is not, in fact, unlimited.
At the start of this thread, i_have_an_idea said "The reason it's free and with unlimited bandwidth is that it's not" I think they, you, and I all agree on that.
What I don't understand is the other people in this thread, who seem to take cloudflare's marketing puffery at face value.
> What I don't understand is the other people in this thread
OP said, "Unless you stay very small ... you'll realize the service is neither unlimited nor free" ... is what I commented on.
Yeah, to be fair the 60TB/month of outbound traffic you mention would cost ~$4800/month if you were doing it via AWS cloudfront. Cloudflare's free tier is pretty generous if they're providing that for $0.
Yes: cloudflare is not a charity.
I can second this. Their sales people have such poor behaviour that I am considering moving away simply on principle. There is nothing predictable about being on an enterprise contract and they will hit you with bullshit overage charges like using too many dns requests (wtf??) all of a sudden to force you onto a much larger contract. On the 28th of December no less ! We have used them for a very long time but I am having very big doubts about how much we can use them in the future even though their products are great.
(disclaimer: I'm an employee but no commission is earned for this, we just work hard, opinions on HN otherwise don't reflect that of my employer)
Big +1 for Bunny.net - I moved my current company to Bunny and it's been excellent. Super fast (for our PoPs at least), reasonable pricing, love the image optimizer & edge rules (especially for solving header issues when embedding documents), has a Terraform provider, and I was able to set most of it up in a day. Was a night and day difference from GCP's Cloud CDN
We use Bunny, and it’s been solid and super inexpensive. None of my production issues have ever been due to Bunny.
The CSS on the site isn't loading properly for me FYI on chrome, it looks insane
+1 to Bunny
At which point do you think you get in the radar?
At the point where the sales team has already hit all the targets that are bigger than you.
Oh boy, where to start..
> So why is Cloudflare Pages' bandwidth unlimited?
> Why indeed. Strategically, Cloudflare offering unlimited bandwidth for small static sites like mine fits in with its other benevolent services
Those are not "benevolent". Seeing a substantial amount of name resolutions of the internet is a huge and unique asset that greatly benefits their business.
> like 1.1.1.1 (that domain lol)
It's an IP address, not a domain. And they paid a lot of money for that "lol", so that people have an easy time remembering it. Just like Google with 8.8.8.8. Not to be benevolent, but to minimize the threshold for you to give them your data.
> Second, companies like Cloudflare benefit from a fast, secure internet.
It's the exact opposite. The less secure the internet, the more people buy Cloudflare's services. In a perfectly secure intetnet, nobody would need Cloudflare.
> And they paid a lot of money for that "lol"
They didn’t pay any money for it. They were given it for free for a collaboration with APNIC.
"For free" and "collaboration", right. Just like my employer gives me lots of stock options "for free" every quarter, it just happens to be the case that I also do a lot of programming for them every day, "for free", as a form of "collaboration".
Oh, you are saying it's a mutual deal I'm having with my employer, they get sth out of it and I also do? You don't say..
If you go to https://1.1.1.1 it redirects you to https://one.one.one.one, I think that's what the author meant.
The hyperlink for it on the page is one.one.one.one even.
Oddly, one.one is owned and redirects to the unrelated domain registrar one.com. I wonder how much cloudflare pay them to use that subdomain.
We're incredibly biased since several members of our team worked at Cloudflare, but we spend ~$20 a month on Cloudflare for our startup and it is fantastic.
- Marketing videos on stream
- Pages for multiple nextjs sites
- DNS + Domain Reg
- cloudflared / tunnels for local dev
- zaraz tag manager
- Page rules / redirect rules for vanity redirects we want to do.
The list gets longer every day and the amount of problems we can solve quickly is amazing. The value to money is unmatched
In terms of brand, Cloudflare reminds me of Google during the idealist “don’t be evil” phase. Giving away lots of free and benefiting from massive mindshare. I feel similar about Cloudflare now as Google then: very positive and wouldn’t begrudge them any work contracts.
I feel like Google started on an extraction ratchet and hasn’t stopped. I used to put everything there and now barely anything. The change in brand for me has been massive.
I run a $3m/yr startup on a free tier Cloudflare account. To this day I have no idea why Cloudflare is not charging us for anything. I would have happily paid them for their service
Without knowing your bandwidth usage, it's probably because your bandwidth isn't that high? They're not charging based on revenue. Every major law firm in the world could probably be hosted on Cloudflare Free Tier with a basic static website, but still make $100+ M per year.
250M Requests
1.66M Unique visitors
24TB served
However, I do understand in their world, 24TB is chump change
Don't know much about corporate traffic usage, but at some cheap VPS place like Hetzner you get 20TB traffic per month included für less than 4€.
Seems like a lot of traffic to me, probably is next to nothing or would cost more.
We're building our startup infra on cloudflare over the other major hyperscalers and it turned out to be an amazing decision...
Generous free tiers, pricing scales very competitively after that, and their interface is not nearly as bad as GCP / AWS.
I highly recommend this stack.
> their interface is not nearly as bad as GCP / AWS
Underrated.
Until recently, all the features were grouped in a very clear manner within the dashboard. Now, even Cloudflare is complicating its management interface, but they still have a long way to go before reaching the level of confusion of AWS and GCP.
Definitely.
I managed to get R2 with their cdn in front of it up and working in under an hour. The same experience with s3 fronted by cloudfront was 2 very long days. Due to my misunderstanding, yes, but aws provided (1) incomprehensible docs, (2) an extremely complex UI; (3) stale help all over the internet; and (4) incredibly unclear error messages.
Honestly, I feel like Cloudflares interface is quite complicated for the number of features they have. All their stuff seems to be only slightly integrated.
I appreciate the fact its just connected enough to work. AWS does what feels like everything in their power to entrench you. I avoid AWS as much as possible but one example that comes to mind is the fact you basically need to use SQS for SES
I feel like my page ranking on Google is lower after switching to Cloudflare. Like google is secretly punishing Cloudflare hosted pages or something.
I have zero evidence to prove anything. Just gut feeling. Anyone else notice this?
It's hard to say because Google regularly releases updates that affect rankings.
I've had sites that don't use CF dropping positions in Google Search even though nothing changed on my end. Why? No idea.
Make sure you're not blocking googlebot, check in https://support.google.com/webmasters/answer/9012289
you run compute workloads on there?
Yes: https://developers.cloudflare.com/ Look at Cloudflare Workers and Cloudflare Workers AI.
Cool. What are you building?
srcbook.com (not OP, just trolling through their profile).
Same here!
For at least the last decade, Cloudflare has made the impression on me to be what Google wanted to be, in terms of "being good".
I can't remember when it was the last time I've heard something bad about Cloudflare. Then again, I don't use any of their services, even if I have an old account with them. I never saw the need to use them, but like what I see about the products they offer.
They seem to be doing much more good to the internet than causing trouble.
Are you serious? It seems that cloudflare is one of those companies that doesn't make itself heard much because it's better that people don't know how much pieces of sh*t they are.
Consider this comment a non-confrontational petition for some sources, please.
While there's plenty of other angles to complain about them, one of the more common ones is the fact that Cloudflare is just as happily providing service for the very same spam sites they claim to protect people against. There's plenty of blogposts that talk about this, but the one I'll give a link to is the one from Spamhaus[0], the guys who run the most popular DNSBL.
Spamhaus also mentions the main problem with their abuse form, which is that it forwards abuse emails to the hosting provider and the web administrator. They pretty much never do anything by themselves and neither the web administrator or the hosting provider have much incentive to disconnect spamming customers (since the admin is hosting it and the hoster usually stays outside of the risk anyway.)
[0]: https://www.spamhaus.org/resource-hub/service-providers/too-...
Thanks for the response.
I figure that the discord at the root of the issue you're describing can lead to more uncommon complaints against them, bringing this to mind: https://blog.cloudflare.com/kiwifarms-blocked/
Because they own the CDN and most of the bandwidth is from peering, so it essentially costs them nothing. Netlify on the other hand has to pay per GB to AWS.
Netlify manages to be wildly overpriced even by AWS standards, CloudFront starts at about $85/TB, which isn't cheap by any means, but that turns into $550/TB(!!) if you go through Netlify. They have some of the most obscene bandwidth pricing in the industry by a huge margin, and to add insult to injury they don't allow you to set a spending limit either.
This seems like little more than a sales pitch. For instance:
> Second, companies like Cloudflare benefit from a fast, secure internet. If the internet is fast and reliable, more people will want to use it.
The author doesn't seem to have anything to say with any more substance than this gem.
No, it's not an empty statement. When your site takes 5 seconds to start loading, even sometimes, or if it sometimes fails to load some image or CSS file completely, many visitors will be unhappy to have to return to it, and a lot will just close the tab without waiting.
The pleonasm is not helpful though.
because they’re an amazing piece of technology that also happens to be a state sponsored man-in-the-middle platform.
I was assuming that it's a loss-leader sort of business strategy at play before reading your comment. Do you care to share any insights/references to support this claim?
Nah that’d be a national security crisis.
But the presence of https://en.wikipedia.org/wiki/PRISM well over 10 years ago should be sufficient.
Gotcha. Yeah, I mean all of these platforms are certainly juicy targets for room 641A [0] shenanigans. I just wondered if there had been some public leaks or something which we might not all be aware of yet.
I'd also point out the following from Cloudflare CEO Matthew Prince's wiki page [1]:
> "Prince co-founded Unspam Technologies, which supported the development of Project Honey Pot [2], an open source data collection software created by Prince and Lee Holloway designed to gather information on IP addresses used by email-address harvesting services."
> In 2008, the Department of Homeland Security (DHS) contacted Unspam Technologies, asking, "Do you have any idea how valuable the data you have is?" The DHS' email served as the impetus for Cloudflare, a technology company Prince co-founded with Holloway and fellow Harvard Business School graduate Michelle Zatlyn the following year
> The DHS' email served as the impetus for Cloudflare
Emphasis mine. I love Cloudflare, their tech is amazing, but to bury our heads in the sand that it wasn't started from day one to be a government spying program would be extremely naive.
https://blog.cloudflare.com/cloudflare-prism-secure-ciphers/
> At CloudFlare, we have never been approached to participate in PRISM or any other similar program.
> To date, CloudFlare has never received an order from the Foreign Intelligence Surveillance Act (FISA) court.
Overly specific weaseling. (Not by you, by Cloudflare).
The questions are not about if they were approached or participate in any programs, it's what they do and if they provide the data or not.
Again, an offhand comment about an email from the DHS is given all the weight in the world while a direct statement from Cloudflare is nitpicked to death.
The whole point is it's not a direct statement. It is a lot of words which fails to answer the core question: is cloudflare syphoning data off to any of the Five Eyes (and I almost wrote Five Guys . . ) government intelligence agencies or their allies?
For example, in your link: "One of the ways we limit the scope of orders we receive is by limiting the data we store. I have written before about how CloudFlare limits what we log and purge most log data within a few hours. For example, we cannot disclose the visitors to a particular website on CloudFlare because we do not currently store that data."
So if they are MITMing everything they totally could just send everything out straight away and not contradict what they're saying at all. Them storing the data or not is completely beside the point.
US based companies (like china and europe based ones) are not allowed to talk about it, when state actors implementing their spying tools. It is just naive to think that cloudflare doesn't give access to state agencies. As others have said, it is more likely that cloudflare as a company is entirely built around the idea to provide a singe point of surveillance to US agencies.
Love the double standard here. An offhand comment about an email from the DHS is considered strong evidence that Cloudflare was "started from day one to be a government spying program" while anything Cloudflare could say to deny it is brushed off as not strong enough.
I'm not judging the evidence FOR Cloudflare being a spy.
But it's a natural double standard that when your potential spy says "I'm not a spy!", well it's no evidence AGAINST.
>> At CloudFlare, we have never been approached to participate in PRISM or any other similar program […because we approached them]
>> To date, CloudFlare has never received an order from the Foreign Intelligence Surveillance Act (FISA) court […because they never had to ask in the first place]
My paranoia was cemented by the book When Google Met Wikileaks. Silicon Valley types do not have to be coerced to share data with 3 letter agencies, they have aligned incentives to ensure American dominance. Which is fine with me, as an American, but I won’t pretend there’s some rivalry where Cloudflare won’t comply without a court order.
Oh, well, that's alright then! If they so it must be true!
Post Snowden, I think the assumption has to be any large US hosting/service provider is compromised in a similar fashion.
"Our Free plan gives Cloudflare access to unique threat intelligence"
Nobody remembers the "SSL added and removed here :)"?
https://www.agwa.name/blog/post/cloudflare_ssl_added_and_rem...
How else would a cdn work? Or an l7 ddos protection?
One half of the NSA's mission is defensive, dedicated to improving the security of US systems and infrastructure: https://www.nsa.gov/Cybersecurity/
SELinux is a great example of that end.
Of course, I know an embarrassing number of people that won't touch it because they're convinced it's an NSA backdoor into your system.
They have the nickname "Crimeflare" for a reason and there is a reason so many threat actors, phishers, and malware people use CF on their landing pages and c2s.
When you file an abuse ticket with CF, CF takes the route of "oh we are only routing the data and content, not hosting it" and will refuse to terminate the CF accounts of someone being malicious. Threat actors know this which is why so many use em.
>When you file an abuse ticket with CF, CF takes the route of "oh we are only routing the data and content, not hosting it" and will refuse to terminate the CF accounts of someone being malicious. Threat actors know this which is why so many use em.
Their abuse page says they forward abuse tickets to the origin hosting provider. The origin hosting provider could ignore your tickets, but I don't see how that's any different than if they didn't use cloudflare to begin with.
They still have the ability to terminate the accounts of the threat actors using their platform (which would fuck up their scam/spam/malicious campaigns) yet seem to not want to under their guise of "oh its not us".
If they're willing to go to those lengths for scum, imagine how far they'd go for legit customers that pay.
Scum can also be paying customers
Ok but why can’t they take responsibility for the abuse and terminate the accounts themselves, forcing the malicious actors back to being in a position of not being protected by cloudflare?
Before CF, there were no DDOS for hire services, because they all DDOSed each other offline.
Keeping them online generates more DDOSes, driving demand for CF’s DDOS protection product. Protecting such sites is a sound business strategy.
DDoS protection stops their site from going offline, it doesn't stop them from advertising their services on some obscure forum, which seems to be what they used to do and still do today.
My favourite CF conspiracy theory is that by terminating booters' SSL they know who will be DDoS'd, and when.
They didn't hesitate with 8chan, even when it was known that fedposting was a thing here and that the straw that broke the camel's back they pointed to could have well been a false flag.
So the deep state is smart enough to take over the corporation and inject all this secret squirrel tech, but didn't think to cook the books to make it look like a marginally-profitable (but boring) business?
It reminds me of the counterargument to UFOs where they say "so the UFO flew here from 100 light-years away, through extreme cold, deep space, intense radiation, dodged space rocks, but as soon as it came into a lukewarm atmosphere with a modest gravity and tame weather, it crashed into a field in New Mexico?"
To be fair, you could see how a vehicle designed rigidly for extreme cold, extreme vacuum, zero gravity, etc. might fail catastrophically when introduced to modest temperatures, a modest atmosphere, and a modest gravity.[1]
It wouldn't say much for the foresight of the alien designers, mind.
[1] "100 KILOpascals? KILO? I thought you said milli, you blithering nixflorp!"
> [1] "100 KILOpascals? KILO? I thought you said milli, you blithering nixflorp!"
The numbers were given in Universal Standard Units, but the manufacturer assumed Galactic Imperial Units
What? What does business profitability or viability have to do with anything? Cloudflare can serve both customers at the same time. They still make amazing products, have incredibly talented engineers, and provide extremely valuable commercial services.
PRISM worked with numerous participants from well-oiled tech startups to aging why-wont-you-just-die companies.
PRISM revealed secrets. It also revealed that some companies fought back as much as possible. It's also possible to design core tech so that even when forced to participate, you reveal as little or no information.
CloudFlare, PRISM, and Securing SSL Ciphers, 2013-06-12 Matthew Prince https://blog.cloudflare.com/cloudflare-prism-secure-ciphers/
Honestly this is the most likely hypothesis, but would be nice to have some more evidence.
If a cdn didn't intercept requests, how else could it work? Literally every cdn is an mitm.
I'm sure you've heard this before but Cloudflare isn't really a CDN. CDNs don't have to intercept requests to be useful.
I think what you describe is closer to "TLS terminating reverse proxy", which does need to intercept every request.
What are some alternatives? Preferably the more open source the better.
what is an "open source" network infrastructure provider?
Cloudflare is mostly open-sourced, alternatives are more often than not closed-sourced
I don't think putting up a few libraries on GitHub and writing great post-mortems makes something "Mostly open-sourced".
I believe the implication is that cloudflares usefulness is not in her source code but rather her physical infra, there is not some free as in freedom alternative to that.
Idk if they're open source, but netlify was the company that I thought sort of made this feature free and easy to use. Github pages is also a free alternative.
Someone was (incidentally?) ddos'ed on Netlify last year and was served a 104k bill. The fees were waved in the end, but the caveat remains on all these free services that you pay by bandwidth.
That's why I like Bunny, the only such service I could find with prepaid pricing. I would rather have service shut off than to have to pay $104k for a day or two of service.
It's not the same type of platform as Bunny, but NearlyFreeSpeech.NET has done cheap, prepaid hosting for 20+ years.
Wow, thanks for sharing. Their policies look great. I am going to try them out.
I've used them for small stuff for years. I've never had any issues with them.
This is one of those things where the act of trying to evade state-level actors by definition puts you on their radar big time.
Alternatives to what? Five Eyes? Good luck with that.
China is happy to offer an alternative. It has pretty high costs, and I don't think it's worth it, but it exists.
- collect telemetry data they can use in their products
- bandwidth is cheap but the bad actor data they gather directly helps their paid enterprise tools
- people wouldn't pay for it and move to a competitor that offers it free, so its basically a monopoly on a large portion of the sales funnel
- branding message as "we are the good guys we are so generous" as you can see from the comments has worked in their favor
I still cannot believe the pricing on R2, unlimited egress. It's absurd, I love it!
Loss leaders are like that.
Bandwidth has become super cheap nowadays. Even on a CDN if you have a large enough commit the prices go very low, so you can imagine what the real cost must be:
> In Q1 of this year, I completed my yearly CDN pricing survey of over 500 customers and saw the lowest pricing rates I have ever seen for the largest customers, as low as $0.00038 per GB delivered in the US. Blended pricing globally at $0.0006. (Please note, this doesn’t mean these are the prices you should be asking for or paying!) Lower pricing is okay if traffic and commits are growing, but they aren’t
https://www.streamingmediablog.com/2024/05/cdn-pricing-press...
And their free tier is 10GB of free storage.
In the 90’s I worked at an ISP.
We had very generous policies for web pages hosted on our servers.
Those web pages generated outgoing traffic that balanced (partly) out incoming traffic and gave us a negotiating position for peering agreements with other ISP’s
>I wondered why there's an abundance of good, free hosting these days.
Only in the context of developers. For non-tech people who only wants another Wordpress or blogger, there aren't that many choices.
With the wealth of free static site generators, you can build a "free WordPress" easily. My site is an example
SSG != WordPress.
The value proposition of WordPress is that grandma can run her knitting blog. Not quite as straight forward to teach nana Markdown, jekyll, the command line, SFTP... It's true that anyone who can roll their website with a SSG doesn't need WP, but those people were never WP's core audience anyway.
Not entirely incorrect, but a lot of these SSGs are essentially content management systems (eg Publii). Only gripe I have so far is no online editor
This strategy works incredibly well and it's a continuation of their free dns proxy / caching service. It's a no brainer: the quality of the free services is unbeatable.
At the same time, everytime you need to buy something, you'll think "should I add a new cloud service or just buy Cloudflare?"
I don't like their almost monopoly-position but it's so good I use Cloudflare for all my projects and I keep recommending Cloudflare to all my clients.
In that regard, they remind me of a young Google.
I host my site on NearlyFreeSpeech for about 40 cents a month and there’s no bandwidth limit. The FAQ has always said: “Currently we are not tracking (and hence not billing for) extra bandwidth usage. This could change in the future, but currently we have no such plans.” Even though I could host with Cloudflare for $0, I think the tiny savings are not worth imposing the captcha on people.
Because bandwidth (and static serving) is dirt cheap, presumably especially so for someone like Cloudflare. Hetzner used to charge ~$1.20 per TB beyond the generous included allowances.
Most sites will have a hard time getting anywhere close to that and the ones that do will likely at some point want more advanced features than the free packages offer (or get force-upsold, see e.g. https://news.ycombinator.com/item?id=42713451).
Once people are in the Cloudflare ecosystem, they're much more likely to upgrade and start using additional services, or recommend Cloudflare to their employer.
As other commenters have mentioned, it is a bit of a bait and switch and not "truly" unlimited - but pretty much this is true for any XaaS that advertises "unlimited" anything. That said though, I still find cloudflare's free basic product incredibly good for the price. The proxy will handle a pretty good amount of load before you get any sales emails. I use some of their enterprise products and I'm extremely pleased, so it is a little hard to complain when I am getting great value out of it. I am however always wary of this not remaining the case forever. For what it is though, I can't really find many comparable products. It's sort of like datadog to me - yes, it's expensive, yes, their pricing can be a bit nebulous and feels bad at times, but the product is still extremely good for what I need it to do and until that changes I guess I'll just keep forking over dollars. That seems to be the way of things now.
It's kind of the same reason Google does it. There's a saying about this that I do not recall how it is phrased but it's something to the effect of, if you're not paying for it you're the product.
You're the guinea pig to help them make the product better for paying clients and to help them market the product usefulness to those that pay.
The real answer:
If CloudFlare serves a lot of traffic (i.e. people on the internet are requesting stuff from CloudFlare's servers), they get better peering agreements (i.e. pay less) from internet network providers.
When "normal" people/companies connect to the internet, they're paying for the connection. Regional ISPs likewise pay Tier 1 network providers (i.e. "global internet backbone") for the connection, and are charged by bandwidth. When "popular" companies connect to the internet, they don't pay - e.g. a lot of ISPs would host Netflix servers for free (that way, they avoid having to pay for Netflix traffic to Tier 1 providers, but can serve it locally instead).
I can sort of intuitively see why that's the case, but any concrete or specific reasons on why "popular" companies don't pay?
The linked Wikipedia article doesn't really explain the reason behind it.
Say you run a small ISP. You pay for (and utilize) a 10Gbps link to the internet from a big ISP: Cogent, maybe.
You look at your network traffic and notice 5Gbps of it all seems to be going to a single AS: Google. Your customers just love Youtube, and they are pulling down a ton of video.
Rather than leaving that as an interesting factoid, you decide to reach out to Google and pitch them on cutting out Cogent. You run a cable (more-or-less literally) from your network to Google. That 5Gbps of Youtube traffic is running over your connection directly to Google.
Now you can go back to Cogent and drop your commit from 10Gbps to 5Gbps, saving you a bunch of money. Google doesn't have to pay them for transit either: they can serve content to your users straight through the cross-connect. Win-win.
If a particular company is _really_ big, say: Netflix, Cloudflare, etc: you, as a small ISP, might even offer to give them some space in your server racks to host local caches. This makes the performance better for your customers, and, again: saves transit costs.
Really good explanation. Thank you!
They still pay for transit (Tier 1 providers) but they just refuse to pay for peering to eyeball ISPs. They just don't because they know if they are big enough the eyeball ISP is basically forced to offer them zero settlement (free) peering. If the ISP doesn't he has to pay for transit too and if there is some congestion in the path from the content provider to the ISP his customers are going to complain to the ISP that youtube is buffering and not to google. The content providers have a bigger lever so they don't pay.
Thanks. I think I have a better understanding now (those concepts like transit, peering are still hard to grasp for me as an outsider). Basically if you host content that many consumers want, you have leverage against ISPs?
There's a catch though, the peering in cloudflare free tier is horrendous in multiple countries, for example Germany, where t-mobile still insists on making cloudflare pay for peering, which they will only do for their premium customers, meaning free tier sites can barely load.
Slightly off topic, but also curious why Cloudflare doesn't put more effort into policing content of Pages, which are frequently used by bad actors. https://www.bleepingcomputer.com/news/security/cloudflares-d...
Examples: https://pending-revew.pages.dev/ https://r2-cmq.pages.dev/ https://ampgoat-ligaciputra.pages.dev/
Metaphorically policing content is expensive and exposes you to politics. Everyone is trying to get out of doing it (see: recent Meta announcement).
If you are the literal police, they will do something.
Because (IMO) it probably glows brighter than the sun.
Hey Matt! DB here from last summer haha!
cool to see you started writing! looking forward to seeing more, keep it up
Thanks! More to come, and hopefully see you back in the office after you graduate
Tin foil hat on?
I suspect they also benefit from the massive amounts of data gathering. A huge portion of the entire internet's traffic is going through Cloudflare, SSL-terminated. It's like being plugged into the server-side (unblockable) access log of every website. That would be worth a lot.
I also suspect their support of web attestation is not benevolent. With the level of control they already have, it's increasingly possible for them to flip a switch, with the full support of Apple and Google and Microsoft, so that only authorized devices have access to the web. curl on Linux? Not authorized. Outdated OS? It's up to Apple whether they feel like signing your request – can't expect them to support it forever! – but also you can't access that website without their approval.
I feel like a conspiracy theorist here but this stuff just seems way too close at hand.
Well, with all due respect, I reckon that tinfoil hat really accentuates your character, Light reflecting as it’s drawn toward the aluminum and all.
Between let’s encrypt and Caddy defaults, SSL termination is easy these days and cloudlfares insistence on doing it for me has turned me away from their products. I gather that reading the logs is part and parcel of their product, as the gatekeeper to high traffic sites they need all the signals they can get for what malicious traffic looks like.
I don’t think it requires a conspiracy, it’s just a market demand for such a product
Cloudflare is truly awesome!
They offer incredibly generous infrastructure components for individuals and small businesses.
If you’re looking to host a podcast with a custom domain name and need significant free storage, you’ll quickly realize there aren’t many (if any) free options—until you discover Cloudflare. With tools like R2 and Pages, they open the door to a world of possibilities.
I’ve even built an open-source podcast CMS/hosting solution using Cloudflare [1]. Thanks to R2, you can host up to 10GB of audio for free! It’s a game-changer.
[1] microfeed.org
In the blog post it says AWS offer a free tier of 100GB transfer on S3, but you can get 1TB when you serve it over CloudFront [1] which you normally do when using a custom domain with HTTPS
Thanks for invoking this wonderful discussion!
I run an open-source project[1] tracking the performance of pension fund schemes in India and offer a free API and a query builder because of Cloudflare.
I think this free tier, is sort of their customer acquisition strategy. I work as a freelance developer and because my experience with CF is good, I recommend CF to all my clients!
[1]: https://npsnav.in
As hardware gets cheaper, and economies of scale get bigger, it's way way cheaper to provide free stuff than spend on sales and marketing.
Works best at the extremes
I think providing unlimited bandwidth is a way to do marketing (i.e. letting people know that Cloudflare is a great, generous and high-tech company), and therefore they can attract more enterprise customers (Did you hear Cloudflare? Do you trust it? Of course!) - where the money is really from.
Cloudflare offers a lot for free. I think they are able to cover the free users from how much they charge enterprise customers.
> the page you're reading now is ~2.2MB, which is in line with typical page weights of ~2.7MB these days
For a small mostly-text blog post? Wtf are you talking about? That’s absurd.
This page has PNGs that need serious optimization. On my monitor, those 2 Cloudflare page screenshots are ~2000x1000 PNGs that weigh 700k each. They occupy about 850x500 "px" on my monitor. (The logo and author pic are likewise, ~300x300 PNGs downscaled to ~40x40.) Serving lossy images at such high resolutions sorta makes sense, but with PNGs they kill page load times. These images could probably get away with a lossy format and much lower resolution, and the page would be less than half the size it is now.
Cloudflare requires a $3,000/year business plan in order to have custom name servers. Namecheap offers this for free.
"Account/Zone custom nameservers are available for zones on Business or Enterprise plans. Via API or on the dashboard."
Update: I say this to further illustrate how they operate.
I understand interconnecting Cloudflare’s network and hosting their servers by ISPs builds a beefier Internet and that’s great, but isn’t it potentially problematic for a small number of vendors to become a significant part of the network? What happens if they go out of business? Are we no worse off than before, or do we worry about equipment that’s in limbo unless purchased by another business? Or is it potentially bad but inevitable since investing in growing the Internet requires deep pockets so it will always be the bigger corporations owning large chunks of the network?
Infra like Internet cables under the ocean are to me more obvious things to be purchased by other businesses. ISP-collocated content servers that came to be due to discovered mutual benefits of content and service provider seem to me more complex in terms of managing them in the face of business changes.
have you looked at their enterprise prices? one enterprise account pays for thousands (or millions of low-traffic accounts) of free accounts
Cloudflare is not profitable [1]. I’m wary of what might happen when they need to become profitable. Could this be another case of a company offering an excellent, cheap product while being propped up by investors, only to later have an “enshittification” [2] phase where they aggressively cut corners and increase prices to make a profit?
[1] https://www.wsj.com/market-data/quotes/NET/financials/annual...
>Cloudflare is not profitable [1]. I’m wary of what might happen when they need to become profitable
The unit economics are sound. They have 76% gross margin, so it's not like they're selling $10 movie tickets for $8, and unlike companies like uber, they're probably not using their marketing spend to buy revenue (eg. spending $20 in promo credits to get $50 worth of sales). There's nothing wrong with a business that "unprofitable" when their unit economics work out, and are plowing their profits back into expanding the business.
Leaving out stock compensation in a non-gaap perspective would show they are close. Granted compensation is a real cost to value of shares, It's not as wide a delta as many other companies.
I would suspect they're going the other way and will continue to double down into new areas of services to expand their product line.
Cash flow positive. Margins look healthy. Spend lots of R&D which i would attribute to having $1.6B(2023) of capital on hand and being cash flow positive.
Probably not the place to post this feedback, but in general I get excited about what Cloudflare have been releasing in 2024. I'm borderline desperate to try them out in a business setting.
The only thing that really stops me is the horror stories I hear about random billing issues and on top of that account closures.
That is something I'm _never_ worried about with AWS.
On the off chance that someone from CF is reading this feedback.
Other than bandwidth, is there any other performance differences between Cloudflare and GitHub Pages?
Extremely anecdotal, but I've always found GitHub pages to be noticeably slower. Which is weird, because they use Fastly which is generally good.
Pages probably consumes less than 10% of resources compared to their free CDN. Probably even less than 1%.
Piggybacking on the thread a little, anyone has experience to share using Pages or Workers at scale? Perhaps I bought too much into the JAMstack hype, but it seems like a much more convenient approach compared to the k8s rube goldberg machines every other shop is utilizing (assuming they work and scale as advertised on the tin). Wondering what are some drawbacks or even show stoppers.
I have done a few products, X million WAU, workers/pages scale really well. I haven't had any issues. I know docker/k8s extensively (and have scaled them previously).
Drawback: less nodejs api, so limited apis.
cloudflare is one of the most successful CIA spying op in history, following facebook. when people willingly disable their own encryption and allowing you to MITM them, money well spent i say.
I've heard horror stories, where once you hit a certain limit they squeeze the hell out of you. And by that point in time you are locked in and forced to make a deal.
It's made me not use cloudflare for future products. Just charge me upfront what you need to make a healthy margin and let's do business!
Because it is a national security operation designed to spy on everyone
CF super fan since they released. Nice write up btw.
Me too, helps me a lot
Why does any paid platform have a generous free tier?
Right, and why don't all products get priced at cost+? Such a puzzle.
/s
Pricing is not about today's balance sheet, but about the future of the business. If pricing ever becomes about making this month's payroll, the business is probably in trouble. There are exceptions, especially for small businesses.
Top of the funnel.
We are currently developing a project and were very open regarding the provider and none came close to Cloudflare pages.
The free geo information in the header alone is already worth it for us so we save money on purchasing a separate ip db but also don't waste time for the separate db call looking up the location.
I was very disappointed by their kv store latency and that d1 does not replicate yet. So we ended up comparing a poor man solution in just providing the json at a http endpoint on our webserver vs. quite a few global kv providers.
We set up a promise race and did thourough global tests. Doing the http request beat the global kv store providers by far, even if they have a pop in syd, the cloudflare http request to europe or the us was still faster. We are using Argo though, this might have helped as well.
What was the latency for the KV store?
between 300 - 1200ms , also very random
I then found bejamas where you can do some nice comparisons like: https://bejamas.com/compare/turso-vs-upstash-redis-vs-cloudf...
Thanks! I never thought it could be this bad. 1200 ms is a lifetime for a key-value cache.
This is great for the 100+ domains that I've registered but never had time yet to fully develop. Going to build landing pages for those domains.
It's always about creating technical debt at your org so that when they come to charge you 10-100X what some service is worth it's less painful to overpay them than it is to switch.
here's a piece of life advice for you: if it don't make sense, theres a buck in it.
generous or not, Cloudflare's done enough that i'd never use them
Without Cloudflare there would be many poor malware coders and phishers. Cloudflare are saints!
Everything has a limit.
you forgot to mention that Cloudflare is the by far the largest MITM operation on this planet
oh, btw, hello NSA o/
I tried to build a static site using Cloudflare but it didn't build. I went back to Netlify.
I'm going to have to ask you to keep your voice down, sir.
edit: it was a joke folks, because I like the free tier.
HNer gets his casino site shut down and extorted into buying Enterprise for $120k/yr, there's an unwritten limit of 10TB. https://news.ycombinator.com/item?id=40481808
From the thread and related discussions, Cloudflare's reasons probably had nothing to do with bandwidth used. I also recently signed up for Cloudflare and pushed 20 TB per month on their free plan, I specifically asked Cloudflare if this was okay and they said yes. YMMV
I find myself often suspicious of "free" tiers, because it seems to be that 1. the terms can change at any time or 2. "free" can be removed at any time.
I had used CF Pages and I really really liked all the tools it gave me, but free didn't sit well with me. I switched to CDN bunny.net for hosting my personal site and DNS and I pay $1/mo, which is their monthly minimun payment. It doesn't have facny stuff like github intergation or such, but I feel more at peace actually knowing what I'm paying for.
I wish CF would have a personal pricing level, I'd be more than happy to pay them and have a customer relationship instead of a freemium user relationship with them!
You'll find plenty of arguments in CFs blogs on why they offer a free tier, from ISPs offering free peering to hobbyists testing the latest features to hobbyists bringing their company onto CF.
It's not a blitz-scaling customer trap.
