Last Updated: May 13, 2026 at 17:00
What Is Cloudflare and How Does It Work? CDN, WAF, DDoS Protection & Edge Network Explained
How Cloudflare Works as a CDN, WAF, DDoS Shield, and Edge Network — and Why Engineers Put It in Front of Everything
Cloudflare is a global edge network that sits between your users and your servers, making your application faster, safer, and more reliable without requiring any changes to your code. It combines a content delivery network, web application firewall, DDoS protection, DNS, and edge compute into a single platform. This guide explains exactly how Cloudflare works, what happens to a request as it flows through the network, and the most common mistakes engineers make when setting it up for the first time. Whether you are building your first application or inheriting an existing system, understanding Cloudflare is one of the most practical things you can learn.

The Simple Core Idea
Cloudflare is a global network that sits between your users and your servers. It intercepts every incoming request and decides what to do with it: serve it from cache, block it, rewrite it, or forward it to your origin. It does this across data centres in hundreds of cities, which means the interception happens physically close to the user rather than far away on your server.
Without Cloudflare, every request travels directly from the user's browser to your server. With Cloudflare, requests take a short detour through the nearest edge location.
When a user in Tokyo requests your site hosted on a server in Virginia, Cloudflare handles that request from a data centre just a few miles from the user — without the round trip ever reaching Virginia. The user gets a faster response. Your server gets less traffic. And anything malicious gets filtered out before it ever arrives.
Key Terms to Know Before We Go Further
Two terms appear throughout this article and are worth defining upfront.
Origin server is simply your server — the machine running your actual application code. It is called the "origin" because it is where the content originally lives, before Cloudflare caches or intercepts it.
The edge refers to Cloudflare's global network of data centres spread across hundreds of cities. Rather than all processing happening in one centralised location, the edge brings computation and caching physically closer to users. Each edge location is just a set of servers — the term sounds abstract but the reality is straightforward.
How Cloudflare Sits in Your Architecture
In a typical modern system the request path runs from the user to Cloudflare, then on to your load balancer and your servers.
Cloudflare is the first layer. Before any request reaches your load balancer, Cloudflare has already decided whether to serve cached content, block the request, rewrite it, rate-limit it, or pass it through.
How You Set Cloudflare Up
When you register a domain, your DNS nameservers (GoDaddy, Namecheap, etc.) tell the internet where to find your site. Setting up Cloudflare means pointing those nameservers to Cloudflare instead of your registrar's defaults. From that moment on, when anyone queries your domain, Cloudflare answers — and Cloudflare's IP address is what the world sees, not your server's.
This is the entire setup. You do not change your application code. You do not move your server. You update two nameserver entries at your domain registrar, and Cloudflare handles the rest.
How a Request Actually Flows Through Cloudflare
Here is the exact journey of a single request once Cloudflare is active:
- A user's browser requests yourwebsite.com
- DNS resolves the domain to Cloudflare's IP address, not yours
- Cloudflare checks its cache for a saved copy of the response
- Security rules (WAF, bot detection, rate limiting) are applied
- If cached content exists and is still fresh, Cloudflare returns it immediately
- If not, Cloudflare forwards the request to your origin server
- Your origin server responds to Cloudflare
- Cloudflare caches that response (if cacheable) and sends it to the user
All of this happens in milliseconds. The user sees a fast, secure website. Your server sees dramatically less traffic.
What Cloudflare Actually Does
1. It caches content close to your users (CDN)
When a user loads an image, a CSS file, or a JavaScript bundle, Cloudflare stores a copy in its nearest data centre. The next time someone asks for that same file, Cloudflare hands it over without ever contacting your origin server.
The result is that pages load faster and your server focuses on complex work like fetching data from a database. A user in Australia no longer waits for a round trip to a server in Ohio. The difference can be seconds.
2. It absorbs traffic floods (DDoS Protection)
Some bad actors try to overwhelm your server by sending millions of fake requests. This is called a Distributed Denial of Service (DDoS) attack.
Cloudflare absorbs that flood and filters out the noise before any of it reaches your origin. Your server never sees the attack.
3. It answers DNS queries instantly
When someone types example.com into a browser, the browser needs to find your server's IP address. That translation is handled by DNS (Domain Name System). Cloudflare runs one of the fastest DNS services in the world and answers those queries in milliseconds.
4. It blocks dangerous requests before they reach your code (WAF)
Your application has vulnerabilities. Someone might try to sneak a SQL injection into a form. A scraper might be pounding your API. Cloudflare can spot these patterns and drop the request immediately.
This is the Web Application Firewall (WAF). Think of it as a security guard reading every request and saying, "That looks suspicious — go away."
Worth noting: the WAF is largely a paid feature. The free tier gives you meaningful DDoS protection and CDN benefits, but granular WAF rules require a paid plan.
5. It routes users to the healthiest server (Load Balancing)
If you run your application in multiple regions — say, Virginia and Ireland — Cloudflare can send each user to the region that gives them the best experience. It checks which server is alive, which is least loaded, and which is closest. This happens automatically.
6. It hides your real server (Reverse Proxy)
When Cloudflare sits in front of you, attackers never learn your origin server's IP address. They only see Cloudflare's IP. In architecture terms, Cloudflare is a reverse proxy — it represents your server to the internet, and your origin server communicates only with Cloudflare.
This is one of the most important things Cloudflare does. If an attacker cannot find your origin server's IP address, they cannot bypass Cloudflare to attack you directly.
7. It lets you run small pieces of logic at the edge (Workers)
With a feature called Workers, you can write JavaScript that runs inside Cloudflare's edge data centres, right next to your users. That code can check an authentication header, rewrite a request, fetch data from multiple APIs, or block a request entirely — all in milliseconds, before the request ever reaches your origin.
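As an added illustration of the "check an authentication header and block at the edge" case above (example code written for this article, not Cloudflare's own and not the author's; the /api/ prefix, the Bearer token scheme and the API_TOKEN binding are assumptions):

```javascript
// Added example, not from the article or Cloudflare's documentation.
// Assumed (hypothetical): API routes live under /api/, clients send
// "Authorization: Bearer <token>", and the expected token is the Worker's
// API_TOKEN binding (in Service Worker syntax, bindings are globals).
const PROTECTED_PREFIX = "/api/";

// Compare two strings in constant time so a wrong token does not leak how
// many leading characters matched through response timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Pure decision logic, kept separate from the fetch handler so it can be
// unit-tested without a Workers runtime. Returns what the edge should do.
function decide(pathname, authHeader, expectedToken) {
  if (!pathname.startsWith(PROTECTED_PREFIX)) {
    return { action: "forward" };                 // public pages and assets
  }
  if (!expectedToken) {                           // misconfigured: fail closed
    return { action: "block", status: 500, reason: "edge token not configured" };
  }
  if (!authHeader || !authHeader.startsWith("Bearer ")) {
    return { action: "block", status: 401, reason: "missing bearer token" };
  }
  const presented = authHeader.slice("Bearer ".length).trim();
  if (!constantTimeEqual(presented, expectedToken)) {
    return { action: "block", status: 403, reason: "invalid token" };
  }
  return { action: "forward" };
}

// The edge handler: blocked requests are answered from the data centre
// nearest the user; everything else is passed through to the origin.
async function handleRequest(request, env) {
  const { pathname } = new URL(request.url);
  const verdict = decide(pathname, request.headers.get("Authorization"), env.API_TOKEN);
  if (verdict.action === "block") {
    return new Response(verdict.reason, { status: verdict.status });
  }
  return fetch(request);
}

// Workers wire-up (Service Worker syntax); skipped when run outside the runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (e) => e.respondWith(handleRequest(e.request, globalThis)));
}
```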
8. It manages HTTPS certificates automatically
Every modern website needs an SSL/TLS certificate for HTTPS. Cloudflare provides and renews these certificates automatically. You never need to remember to renew them.
Which brings us to one of the most important configuration decisions you will make.
SSL Modes: Get This Right
When Cloudflare handles your HTTPS, it creates two separate encrypted connections: one between the user and Cloudflare, and one between Cloudflare and your origin server. There are four SSL modes that control how these connections behave, and choosing the wrong one is one of the most common junior engineer mistakes.
Off — No encryption anywhere. Never use this.
Flexible — The connection between the user and Cloudflare is encrypted, but the connection between Cloudflare and your origin server is not. This feels safe to users (they see the padlock) but it is not. Data travels unencrypted between Cloudflare and your server. Avoid this unless your origin genuinely cannot support HTTPS.
Full — Both connections are encrypted, but Cloudflare does not validate your origin server's certificate. It accepts self-signed certificates. Better than Flexible, but not ideal.
Full (Strict) — Both connections are encrypted, and Cloudflare validates that your origin server has a valid certificate. This is the recommended setting for any production application.
If you set this up and immediately see a redirect loop, the most common cause is that your origin server is only serving HTTP while Cloudflare is trying to connect over HTTPS. Fix the origin first.
Proxied Mode and DNS Only Mode
When you look at your DNS settings inside Cloudflare's dashboard, each DNS record has a small cloud icon next to it that indicates one of two states.
Proxied (shown as an orange cloud) means traffic to that record flows through Cloudflare — caching, WAF, DDoS protection, and everything else is active. DNS only (shown as a grey cloud) means Cloudflare acts purely as a DNS resolver for that record, and traffic goes directly to your origin, bypassing all of Cloudflare's features.
Most of your web traffic records (your A or CNAME records for www and your root domain) should be set to Proxied. You would leave a record as DNS only for things like mail servers or internal subdomains that should not route through Cloudflare.
What Cloudflare Cannot Protect
Cloudflare is excellent at protecting HTTP and HTTPS web traffic. It is not a blanket shield for your entire infrastructure.
If your origin server has an open database port (say, port 5432 for PostgreSQL) and someone discovers your real server IP, Cloudflare does nothing to protect that. SSH ports, database ports, and any non-web traffic are outside Cloudflare's scope by default.
The practical lesson: do not assume Cloudflare secures everything. Lock down your origin server's firewall so it only accepts traffic from Cloudflare's IP ranges, and keep all other ports restricted.
Why Organisations Choose Cloudflare
For performance: Cached assets are served from data centres close to users. Round-trip latency drops dramatically.
For security: DDoS attacks, SQL injections, bots, and scrapers are blocked before they touch your infrastructure.
For reliability: If your origin server goes down, Cloudflare can sometimes serve stale cached content instead of showing an error page.
For cost reduction: Every request Cloudflare answers from cache is a request that never hits your server, saving CPU, database connections, and bandwidth.
For simplicity: Instead of configuring a CDN, a WAF, a load balancer, a DNS provider, and an edge compute platform separately, you configure one platform.
When Cloudflare Is Not the Right Choice
For most public-facing web applications, Cloudflare is a good choice. But there are valid reasons to consider alternatives.
If you are fully inside AWS and prefer keeping everything under one roof, CloudFront integrates deeply with S3, API Gateway, and IAM permissions in ways Cloudflare does not. If you need extremely fine-grained caching logic, Fastly offers a powerful configuration language (called VCL) that gives you more control than Cloudflare's rules system. Large enterprises with existing compliance requirements might already be contracted with Akamai or Imperva. And if you are building a purely internal application that never touches the public internet, Cloudflare's standard product is not the right fit — though Cloudflare Zero Trust is worth exploring.
Even in those cases, many teams still use Cloudflare. Its free tier makes the decision easy to revisit.
Common Beginner Mistakes
These come up constantly and are worth knowing before you encounter them.
Choosing Flexible SSL mode. It looks safe because users see a padlock, but the connection between Cloudflare and your origin is unencrypted. Use Full (Strict) unless you have a specific reason not to.
Forgetting to purge cache after deploying updates. Cloudflare may continue serving old CSS, JavaScript, or HTML files to users long after you deploy a fix. Get into the habit of purging the relevant cache after deployments, or automate it as part of your pipeline.
Leaving your origin IP exposed. If someone discovers your real server's IP — through old DNS records, email headers, or other leaks — they can attack it directly, bypassing Cloudflare entirely. Audit your origin's exposure and restrict inbound traffic to Cloudflare's published IP ranges only.
Misunderstanding the orange cloud toggle. Leaving it grey on a record you intended to protect means Cloudflare is doing nothing for that hostname. Always check which records are proxied.
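The origin lockdown recommended in "What Cloudflare Cannot Protect" and in the "Leaving your origin IP exposed" mistake above, shown as an added example (written for this article, not Cloudflare's own code): an application-layer guard for a Node origin that rejects any connection whose peer is not a Cloudflare edge address. The host firewall remains the primary control; the embedded IPv4 ranges are an illustrative snapshot, and the live list must be loaded from Cloudflare's published URL.

```javascript
// Added example, not from the article or Cloudflare: defence in depth for a
// Node origin that rejects requests whose TCP peer is not a Cloudflare edge.
// The host firewall still does the primary job; this catches misconfiguration.
// Illustrative IPv4 snapshot only: load the live list from
// https://www.cloudflare.com/ips-v4 (ips-v6 for IPv6) on each deploy instead.
const CLOUDFLARE_IPV4_SNAPSHOT = ["173.245.48.0/20", "103.21.244.0/22",
  "141.101.64.0/18", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
  "104.24.0.0/14", "172.64.0.0/13"];

// Dotted-quad to an unsigned integer; throws on anything that is not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not IPv4: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error("not IPv4: " + ip);
    return acc * 256 + n;            // arithmetic, not <<, keeps it unsigned
  }, 0);
}

// "a.b.c.d/bits" -> inclusive [start, end] integer range, host bits masked off.
function parseCidr(cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!/^\d{1,2}$/.test(bitsStr) || bits > 32) throw new Error("bad CIDR: " + cidr);
  const size = 2 ** (32 - bits);
  const start = Math.floor(ipv4ToInt(base) / size) * size;
  return { start, end: start + size - 1 };
}

function buildAllowlist(cidrs) { return cidrs.map(parseCidr); }

// Malformed addresses are treated as not-Cloudflare (fail closed).
function isCloudflareAddress(ip, allowlist) {
  let n;
  try { n = ipv4ToInt(ip); } catch { return false; }
  return allowlist.some((r) => n >= r.start && n <= r.end);
}

// Express-style middleware; works with any framework that exposes req.socket.
function originGuard(allowlist) {
  return (req, res, next) => {
    // Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d
    const peer = (req.socket.remoteAddress || "").replace(/^::ffff:/, "");
    if (!isCloudflareAddress(peer, allowlist)) {
      res.statusCode = 403;
      return res.end("origin accepts traffic only via Cloudflare");
    }
    next();
  };
}
```

Register the guard before any route handler so it runs first, and refresh the allowlist whenever Cloudflare's published ranges change.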
Where to Look When It Is Working
Once Cloudflare is active, you can confirm it is working by inspecting the response headers on any request to your site. You will see headers like CF-Ray (a unique identifier for each request that Cloudflare processed) and CF-Cache-Status (which tells you whether Cloudflare served the response from cache or from your origin).
CF-Cache-Status will show values like HIT (served from cache), MISS (Cloudflare had to ask your origin), or EXPIRED (Cloudflare had a cached copy but it was too old). Watching these values in your browser's developer tools is the fastest way to understand what Cloudflare is actually doing on any given request.
What 'Put Cloudflare In Front of It' Actually Means
You will hear "put Cloudflare in front of it" many times in your career. Now you know what that means. It means: point your DNS to Cloudflare, cache what you can, block what is bad, route what is good, run small logic at the edge, and keep your real server hidden.
Cloudflare is not magic. It is a collection of very practical services bundled into one global network. The best way to understand it is to try it. Point a test domain to Cloudflare's DNS, enable the CDN, check the SSL mode, and watch the request headers. You will see it working quietly — sitting between your users and your code, making the internet a little faster and a little safer.
About N Sharma
Lead Architect at StackAndSystem
N Sharma is a technologist with over 28 years of experience in software engineering, system architecture, and technology consulting. He holds a Bachelor's degree in Engineering, a DBF, and an MBA. His work focuses on research-driven technology education: explaining software architecture, system design, and development practices through structured tutorials designed to help engineers build reliable, scalable systems.
Disclaimer
This article is for educational purposes only. Assistance from AI-powered generative tools was taken to format and improve language flow. While we strive for accuracy, this content may contain errors or omissions and should be independently verified.
