
Don't put Cloudflare in front of a Cloud egress bill. i.e. don't do this: Azure|Amazon > Cloudflare

Always use your own proxy where the egress is well within your free tier, i.e. do this: Azure|Amazon > Hetzner|Linode > Cloudflare

Why?

Because the Cloudflare cache is a massively multi-tenant LRU cache, and whilst hot files will be cached well (and with Cloudflare Tiered Cache even better, but this itself is a cost), anything else is still going to expose you to some degree of egress cost.

When I exposed AWS to the web I paid $3k per month to AWS. With Cloudflare in front of AWS I paid $300 per month to AWS. With Linode in front of AWS and behind Cloudflare I paid $20 per month to Linode and about $12 per month to AWS.

A Linode or Hetzner instance, or any other dumb cheap web server that comes with a healthy free tier of bandwidth, is all you need to set up a simple nginx reverse proxy and have it cache things to disk: https://docs.nginx.com/nginx/admin-guide/content-cache/conte...
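A concrete version of the middle layer described in the comment above, added here as an example; it is not the commenter's configuration and not taken from the nginx docs. Every specific in it is an assumption: the hostname files.example.com, the bucket my-bucket, the certificate and CA file paths, the cache size and the slice size. It also goes beyond the comment in three places a practitioner would insist on before trusting this layout to hold the bill down: Cloudflare Authenticated Origin Pulls (client-certificate verification against Cloudflare's origin-pull CA, a real Cloudflare feature) so that anyone who discovers the VPS address cannot hit it directly, skip Cloudflare's cache and run up cloud egress; nginx's slice module so that a multi-gigabyte zip is cached in chunks rather than all-or-nothing; and proxy_cache_lock so that a burst of cold requests fetches an object from the cloud once, not once per client.

```nginx
# Added example, not from the original thread. Drop into /etc/nginx/conf.d/ (http context).
# All hostnames, bucket names, paths and sizes below are illustrative assumptions.

# Disk cache well under the VPS disk size; entries unused for 30 days are evicted.
proxy_cache_path /var/cache/nginx/origin levels=1:2
                 keys_zone=origin:100m max_size=200g inactive=30d use_temp_path=off;

# Log the real client IP that Cloudflare forwards. The included file is assumed to hold
# one set_real_ip_from line per Cloudflare range, kept in sync with https://www.cloudflare.com/ips/
include /etc/nginx/cloudflare-ips.conf;
real_ip_header CF-Connecting-IP;

server {
    listen 443 ssl http2;
    server_name files.example.com;                      # assumed

    ssl_certificate     /etc/nginx/tls/origin.pem;      # assumed; e.g. a Cloudflare Origin CA cert
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # Authenticated Origin Pulls: require a client certificate issued by Cloudflare's
    # origin-pull CA (downloaded from Cloudflare's docs; path assumed). A direct connection
    # from anyone other than Cloudflare is rejected at the TLS handshake, so the cache
    # cannot be bypassed to drive misses, and therefore egress, against the cloud bucket.
    ssl_client_certificate /etc/nginx/tls/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;

    location / {
        # This proxy only ever reads; refuse anything that could write through to the bucket.
        limit_except GET HEAD { deny all; }

        # Public S3 bucket assumed; presigned URLs would need a different key and auth model.
        proxy_pass https://my-bucket.s3.amazonaws.com;
        proxy_set_header Host my-bucket.s3.amazonaws.com;
        proxy_http_version 1.1;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        proxy_cache origin;

        # Fetch and cache in 64 MB slices (requires ngx_http_slice_module). A giant zip is
        # cached as it streams, an interrupted download keeps the slices already fetched,
        # and client Range requests are served from disk. The key must include $slice_range.
        slice 64m;
        proxy_set_header Range $slice_range;
        proxy_cache_key $uri$slice_range;
        proxy_cache_valid 200 206 30d;

        # Collapse concurrent misses for the same slice into a single origin fetch.
        # Without this, N new clients on a cold object means N copies of cloud egress.
        proxy_cache_lock on;
        proxy_cache_lock_timeout 60s;
        proxy_cache_lock_age 60s;

        # Keep serving from disk if the origin is slow or down; the proxy, not the
        # client, decides when to refetch.
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
        proxy_cache_revalidate on;

        # Expose MISS/HIT/STALE so cache behaviour can be verified from outside.
        add_header X-Cache-Status $upstream_cache_status always;
    }
}
```

Validate with `nginx -t`, then request the same object twice through Cloudflare and compare the X-Cache-Status header: the first request should show MISS (one copy of egress from the cloud), the second HIT. Note that the 30-day validity and the ignored Cache-Control headers assume the bucket contents are immutable, which is the case for versioned release archives but not for anything that is rewritten in place.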



Or simply use a proper CDN that doesn't pretend to eat all the cost for a flat fee but then sometimes does not. BunnyCDN has an amazing volume tier at half a cent per GB.


Oh exactly that.

Or if caching is your biggest priority then Fastly or Akamai will shine too.

But if you're balancing all considerations and want the cheap "good enough" caching with the DDoS protection, free TLS certs, and unmetered (assuming you aren't imgur or something)... then Cloudflare does a great job at being good enough. And for those sharp edges... drop in a proxy of your own, or layer your CDNs.


I don't understand, what is the advantage of Cloudflare over Fastly or Akamai if caching is not your biggest priority? Does Cloudflare have better DDoS protection, or something else?


Yes among other things. Also edge compute, etc.

Fastly comes close on a lot of fronts (and does better at a few things) but unless you are godlike with Varnish scripting it's a lot harder to make it do what you want than Cloudflare.


Thanks this is really helpful, I'm planning a delicate migration to a CDN and it's a tough choice. Cloudflare just seems like "an everything machine" from their marketing website, I'm struggling to understand how I would actually use it for a monolithic website + API.


It is pretty much an "everything machine". I think they are positioning themselves as a platform alternative to having a separate origin + CDN, i.e. you develop your entire application with Workers + Durable Objects + R2.

As a CDN it's pretty great though. I have managed very very large properties behind Cloudflare and they have always gone above and beyond for us when big DDoSes have come our way.


OP's use case is a couple of giant zip files. Edge compute is real cool, but not something a lot of people need when they think of a CDN.


I interpreted the question as "if caching -isn't- your biggest priority", i.e. what does it do better assuming giant zip files aren't the main thing you are interested in.

So I'm not really responding to OP but rather the commenter I replied to. :)


In this scenario are you saying

AWS/Azure > BunnyCDN > Cloudflare?

Or just straight AWS/Azure > Cloudflare?


Will BunnyCDN reliably keep an 18gb file in cache without hitting origin? I use and like Bunny, but relying on that to not get a massive bill in the mail scares the shit out of me.


They also have a storage feature, so they could.


Azure has its own CDN. If one wants to do Cloudflare -> CDN -> Azure Storage, then at least let it be Azure CDN in the middle, not another cloud provider in the mix. ¯\_(ツ)_/¯


Or simply run everything on your own server. All those middlemen are going to kill any latency improvements you get from anycast edge servers.


I've switched to Backblaze B2, which has a bandwidth alliance with Cloudflare. Even without it, B2 egress is something like 1/5th of S3, so it may be worth thinking about.


If you use Argo caching on Cloudflare, it should reduce origin server load even more. Essentially, instead of going directly to your origin, the Cloudflare endpoint will first reach out to its root node to see if it's cached there, and only that node is allowed to communicate with your origin. I see ~95% cache hits with that turned on.


Argo does not affect caching, only performance. You're maybe mistaking it for tiered caching or a custom caching topology.


Yes, they call it Argo Tiered Cache under Caching tab.


> Azure|Amazon > Hetzner|Linode > Cloudflare

Why not directly Hetzner|Linode > Cloudflare?


Because Hetzner and Linode VPSs have fixed disk sizes, while Azure and AWS have basically infinite storage. You use your cheap commodity VPS as a cache, not a source-of-truth.


Many of them have managed object storage services as well. OVH[1], Linode[2] and Scaleway[3] have them; that should scale for most use cases, and they have S3-compatible APIs.

Also, Azure, Linode, Scaleway, Backblaze and others are part of the Cloudflare Bandwidth Alliance [4], so there shouldn't be egress fees between the two.

It is really only AWS which is a problem, you don't need this setup with any other provider.

[1] https://www.ovhcloud.com/en/public-cloud/object-storage/

[2] https://www.linode.com/products/object-storage/

[3] https://www.scaleway.com/en/object-storage/

[4] https://www.cloudflare.com/bandwidth-alliance/


You can use block storage for scalable disk size: https://www.linode.com/products/block-storage/


But then you're right back to the cloud billing problem, right?


That's right, auto-scaling comes with this problem, but at least you removed one extra service/point of failure.


That's assuming you trust Linode block storage as much as you trust S3.


Trust in what sense? Uptime, security, privacy? I am not sure whether I can say I trust one or another, but personally I had a good experience with VPS/dedicated server providers, more than with cloud (AWS/GCP).


Out of curiosity I tried to look up their pricing and the first thing I am greeted with when launching their price calculator is "you must allow functional cookies".

I disabled all shields for their site and still the same thing. Waste of time.


I personally never used Linode and cannot recommend nor talk against it; I was just pointing out that if you want scalable solutions AWS is not the only answer.


If your cache is much smaller than the data, it will be ineffective, unless you think everyone keeps downloading the same tiny subset of files. That last assumption works for web content (e.g. newest articles see more hits) but probably not for data.


So that you incur as much downtime risk as possible, obviously.

I hate these 'cloud economics' optimizations that people tend to try.


The risk that your service becomes faang popular and you suddenly need unlimited everything and need it immediately?

It is possible but highly unlikely. The more likely scenario is you just continue to overpay like a lot of others waiting for the moment. If that moment happens you realize with the sudden popularity your store inventory is sold out, so you couldn't profit off of the extra traffic anyhow.


No, downtime risk as in now you have 3 separate systems and organizations that can have unexpected downtime and consequently so will your app.


There's a clear trade-off between downtime risk and cost explosion risk. For a hobby/non-profit project, risking the downtime to possibly save 7k€ plus surely saving the surcharge of "scalability" is definitely worth it.


The best setup will forever remain Heroku free instance tier with a free Pingdom account providing traffic to keep it from getting shutdown


Free Heroku has a maximum number of hours a day. The ping hack isn't working anymore.


Sorry, that comment wasn't really serious and mostly a silly example of bizarre cloud pricing hacking.


Another option if Linode's included bandwidth + overages is too much is a dedicated box from Reliable Site. I'm not a customer nor am I affiliated with them at all, I just occasionally check in on their low end prices and noticed that they've started including an unmetered 1Gbps port with every host.

https://www.reliablesite.net

(search HN and reddit for that URL, you'll see they've been around and recommended for a really long time).


If you're going to have an intermediary proxy that you run, for AWS perhaps use Lightsail. It is price competitive, and includes more bandwidth than Linode/DigitalOcean/Vultr for the price.


You are not allowed to use Lightsail once you use more professional services on AWS, at least per the ToS.


Do you have a more detailed citation for that? At $DAYJOB we seem to be using Lightsail (for non-cache purposes) along with some "real AWS" resources without a problem.


AWS Service Terms[0]

51. Amazon Lightsail

51.3. You may not use Amazon Lightsail in a manner intended to avoid incurring data fees from other Services (e.g., proxying network traffic from Services to the public internet or other destinations or excessive data processing through load balancing or content delivery network (CDN) Services as described in the Documentation), and if you do, we may throttle or suspend your data services or suspend your account.

[0] https://aws.amazon.com/service-terms/


I think you’re expanding this clause past what it says.

The clause prohibits you from using Lightsail to cheat other services. So, per their example, you couldn’t set up a Lightsail instance as a reverse proxy between the internet and an ELB, to take advantage of Lightsail’s higher transfer quotas and “in-region” traffic from Lightsail to ELBs.

Hosting a site on Lightsail and hosting other things on other AWS services is fine.


I am not the OP. The terms indicate you cannot use it to proxy traffic to bypass bandwidth costs. The grandparent comment suggested using Lightsail to do this, and it is a violation of the TOS. The parent comment, however, stipulated that you are not allowed to use Lightsail at all, which is indeed wrong. I was just posting the relevant portion of the TOS which applies to the grandparent comment, and clarifies on the parent comment (which is inaccurate)


Thank you for the correction! Second time I made this claim but always forget it’s just about the traffic…


That's insane. But not a surprise, lightsail only exists so aws can say they offer similar pricing to Linode/DigitalOcean/Vultr/etc... as long as you don't ever plan to grow


Interesting. In this example where the parent comment discusses using a proxy from AWS to Linode/Hetzner to Cloudflare, then I'd go with someone in the Bandwidth Alliance, which would include Linode and Vultr.


Have either of those actually implemented Bandwidth Alliance? Last I looked(few months ago), the only outfit that had actually done anything on that was Backblaze. Vultr and Linode were nothing more than announcements with no actual cost savings for customers implemented.


Why not use the CDN of the cloud provider you are on? Azure Storage > Azure CDN


Reducing CloudFlare to a CDN is a disservice. They have some amazing services like Bot Management and Workers that make them very appealing. The CDN is just a nice bonus.


Because it's an order of magnitude more expensive, like anything on the cloud really...


Azure CDN offers almost no discount on egress over Azure storage directly. The same is the case with Amazon's equivalent services.


Or Troy Hunt can ping his Cloudflare contacts and see if he can get access to Cloudflare R2 Storage.

see https://blog.cloudflare.com/introducing-r2-object-storage/

From the Cloudflare blog, it seems R2 would've handled this exact situation - auto-migration of cloud S3-like-storage objects - download from cloud-storage just once and cache in R2 for Cloudflare to serve.


Has anyone gotten access to R2 yet? I signed up but haven't heard back myself.

Would love to find out if you can write to any/every region and have things replicate, or if you have to write to a single region. BunnyCDN's edge storage solution looked interesting until I found out it only supported writes to a single region.

Hoping R2 might be my savior here, otherwise will probably have to roll my own active-active minio cluster, which I'm not looking forward to maintaining. Other suggestions welcome!


How about Amazon Lightsail? Its price structure is basically the same as Hetzner or Linode, and you get it in-house if you use AWS.


It is not compute cost, it is bandwidth costs. That is pretty much the same beyond the free tier within AWS.


CloudFlare tiered cache is now free BTW



