The upstart internet security and edge infrastructure company has reinvented itself to challenge the hyperscale cloud providers. Can it succeed? Credit: SPainter VFX / Getty Images Cloudflare is in the midst of a significant transformation, as it continues to build out the tools developers need to run their applications across a global network of edge locations. Recent moves put the 18-year-old internet security and performance company on a collision course with the industry-dominating hyperscale cloud providers Amazon Web Services, Microsoft Azure, and Google Cloud Platform. In 2004, Matthew Prince and Lee Holloway joined forces on Project Honeypot, a software project that gave website owners the ability to track, but not combat, email spammers. Cloudflare Cloudflare cofounders Michelle Zatlyn and Matthew Prince. By 2009, Prince’s Harvard Business School classmate Michelle Zatlyn—who is now president and chief operating officer—took an interest, and started to push Project Honeypot to become a service that didn’t just track malicious activity, but actively helped to stop it. Soon after, the three cofounders raised a Series A funding round from Ray Rothrock at Venrock and Carl Ledbetter at Pelion Venture Partners. Cloudflare was born. Since then, Cloudflare has expanded its portfolio of internet security and performance products for web administrators, as well as investing in building out an impressive content delivery network (CDN) across 270 cities to help it deliver these services to millions of global customers. Cloudflare Workers changes the game Even in the early CDN days, customers immediately started asking for customizations to the platform—a tweak here or there to meet their unique needs. However, offering this level of customization to each and every customer just wasn’t feasible. “For the largest customers, we would actually write code and deploy it in cooperation with them,” Cloudflare CTO John Graham-Cumming told InfoWorld. “Of course, that was completely unscalable, you can’t do that for your customers and it was literally in our mainline code, it was really a mess. However, there was a desire to solve that problem in a more scalable way.” By 2017, Cloudflare started looking seriously at the idea of allowing software developers to customize what they were building and running on Cloudflare’s network. In a 2018 blog post, Cloud Computing without Containers, former engineering manager Zack Bloom set out Cloudflare’s architectural model, which was aimed at allowing customers to run their own untrusted code both securely and at low latency on Cloudflare’s network. “Cloudflare has a cloud computing platform called Workers. Unlike essentially every other cloud computing platform I know of, it doesn’t use containers or virtual machines,” Bloom wrote. Where running containers orchestrated with Kubernetes across that network would have been prohibitively expensive for Cloudflare, V8 isolates—i.e., isolated instances of the Google-created V8 JavaScript engine—would allow customers to run their own code at the edge in a safe, sandboxed manner. “We started with isolates because they are lightweight, solve the cold-start problem, enable us to scale, and be truly pay-as-you-use,” Aly Cabral, vice president of product at Cloudflare, told InfoWorld. “Those are qualities we are not willing to sacrifice.” These architectural decisions also came with a set of trade-offs. “No technology is magical, every transition comes with disadvantages,” Bloom wrote at the time. “In an isolate universe you have to either write your code in JavaScript (we use a lot of TypeScript), or a language which targets WebAssembly like Go or Rust. If you can’t recompile your processes, you can’t run them in an isolate. This might mean isolate-based serverless is only for newer, more modern, applications in the immediate future.” For Gartner analyst Raj Bala, this still means that “Workers is not a general-purpose platform,” because “applications have to fit into a tightly constrained set of criteria to work, such as JavaScript-based functions, with a certain package size and runtime duration.” While targeting JavaScript workloads gave Cloudflare a sizeable beachhead for launching Workers, it also involved betting big on WebAssembly’s potential to “be a runtime or a platform with which other languages would operate and get pulled along with it,” Graham-Cumming said. Shooting for net-new growth While many customers initially came to Cloudflare Workers to customize things at the edge, “many of them also started moving bits of their applications into our network,” Graham-Cumming said. This momentum put Cloudflare into immediate competition with other CDN vendors like Akamai and Fastly. More significantly, it also crossed swords with the hyperscale cloud providers: AWS, Microsoft Azure, and Google Cloud Platform. While Cloudflare Workers and similar platforms are now firmly on the table for developers when assessing where to run their applications, it is yet to be seen if a mass migration to these platforms is on the horizon. “The odds of me moving my application are pretty small, you are shooting for net-new growth,” RedMonk analyst Steve O’Grady said of Cloudflare’s appeal to enterprise developers. Take the UK fintech company Moneybox. It doesn’t use Cloudflare’s edge programming tools at present, but it is a longtime customer of Cloudfare’s DNS, firewall, and access control products. “It wouldn’t be worth our while to rewrite part of our applications to use Cloudflare,” Jon Leigh, engineering director at Moneybox, told InfoWorld. “It may be cheap, but the expense of the developer effort wouldn’t even things out.” Expanding Cloudflare Workers Cloudflare Workers has opened the door to providing software developers with the tools needed to build and run applications across a large global network in a serverless way, essentially outsourcing a bunch of server-related operational tasks for Cloudflare to manage. It also aims to offer speed and price performance to rival competing serverless options, such as AWS Lambda. “They may have led the industry in terms of moving from a solution where edge is just delivering static assets, to one where it is important to be able to execute code at the edge,” Andrew Cornwall, senior analyst at Forrester, told InfoWorld. “Cloudflare has been in the lead when it comes to companies thinking about enabling edge development and serverless functions.” Cloudflare Workers was soon followed by Cloudflare’s R2 object storage service in 2021, which competes directly with Amazon’s flagship S3 service, with the added bonus of no data egress fees, which are a hot button issue for anyone tasked with keeping their cloud bills down. Cloudflare CEO Matthew Prince has publicly called AWS’s bandwidth charges “egregious” and “bonkers.” Then came the SQLite-compatible D1 database in May of this year. “Frankly, with SQL, we went through this brief detour in technology, where there was this NoSQL movement. It was kind of like the ‘Okay, Boomer’ moment for data storage, where a SQL database was somehow old fashioned. It turns out that SQL databases are old fashioned, but they’re also very, very powerful things, and people use them,” Graham-Cumming said. “I think with D1, you can build a complete database-backed application on Cloudflare today,” he added. Prioritizing opinion and simplicity All of these tools prioritize opinion and simplicity over optionality, as Cloudflare looks to provide a compelling developer alternative to the breadth of options the major cloud providers offer. “Developers felt like they needed to make a choice between something that scales and something that is easy to build, like Heroku did. Our ambition is to remove that choice with easy-to-use abstractions that scale to any need,” Cabral said. Cabral admires platforms like Vercel and Netlify for being truly developer-first. For Cloudflare to match the ease of use and utility those platforms offer, Cloudflare needs to “move to any runtime developers want and free them from lock-in.” This is where bets on the WebAssembly ecosystem could prove vital. “We have an ambition to allow any developer to build on this platform and WebAssembly should help us expand there,” Cabral said. “Meeting developers where they are is a key part of our strategy.” That middle ground could be the key for Cloudflare as this market heats up. “By offering primitives like storage and database and compute, they are opinionated in how and where they are rolling that out and doing that organically through things they had built,” RedMonk’s O’Grady said. “Demand for higher-level abstractions will increase and that seems to be the bet that Fastly is making, but not the one that Akamai is making.” Competition at the edge As O’Grady hinted, Cloudflare is not alone in these ambitions. Rival CDN provider Akamai has been building out its edge development capabilities, culminating in the $900 million acquisition of cloud hosting company Linode in March. Fastly recently announced the acquisition of the web development community Glitch for similar reasons. Where Cloudflare stands out from its rival CDN providers is in its ability to roll out homegrown developer tools at pace and respond to customer needs. “I think Cloudflare is leading the market in terms of the developer experience and they are one of a few companies focused on ensuring developers feel comfortable in their environment,” Forrester’s Cornwall said. Ghassan Abdo, research vice president for IDC’s worldwide telecom, virtualization, and CDN practice, is less bullish. “Programmability of the edge has been there for a while with the CDN, Akamai EdgeWorkers, Amazon CloudFront with Lambda@Edge, or Fastly Varnish, and the recent acquisition of Glitch,” Abdo said. “That part is not exclusive to Cloudflare. What is, is their ability to look at adjacent market capabilities like D1, R2, and we may see them get into other opportunities.” After largely pioneering the content delivery network, Akamai now calls itself the “world’s most distributed cloud services provider,” thanks to recent acquisitions and expansion into providing customers with edge compute, security, and delivery capabilities. “With the acquisition of Linode, we’ll have core cloud computing capabilities. That’s the last big piece, in a sense, because now our customers can build their apps on Akamai, they can run them on Akamai, they can secure them with us, and they can deliver, of course, through Akamai,” Akamai CEO Tom Leighton told industry publication Protocol in June. Leighton says Akamai already has thousands of customers using its edge computing capabilities today, and speculated that edge computing could become its biggest revenue stream in the next five years, quickly superseding security and delivery. For Graham-Cumming, this doesn’t come as a surprise. “We really believe this is the right architecture from the developer’s perspective, so it doesn’t surprise me that other people are doing the same thing,” he said. What’s next for Cloudflare? Cloudflare’s ambitions don’t stop here. It now wants to enable more developers to use its tools, and also expand the types of applications that can run on its network. “I think if there is a ceiling, and if we see the ceiling approaching at some point, obviously we would look at how we satisfy the developers who want to build on our platform,” Graham-Cumming said. This includes applications with unique or extremely large data models and data types, as well as the ability to schedule and queue asynchronous jobs, and offer more intelligent ways to assign compute power. “I am bullish on what they are doing,” Forrester’s Cornwall said. “Being able to say ‘we can do it cheaper and faster, by being more local to users,’ is a hard pitch to push back against.” Of course, if Cloudflare is to truly change the game, the company will need to convince application developers to change some well-worn habits. Then again, if anyone is used to abandoning old ways in favor of better ways, it’s application developers. Related content news Java proposals would boost resistance to quantum computing attacks OpenJDK proposals would provide Java implementations of a quantum-resistant module-latticed-based digital signature algorithm and key encapsulation mechanism. By Paul Krill Nov 08, 2024 2 mins Java Quantum Computing Application Security news analysis What Entrust certificate distrust means for developers Secure communications between web browsers and web servers depend on digital certificates backed by certificate authorities. What if the web browsers stop trusting your CA? By Travis Van Oct 30, 2024 9 mins Browser Security Web Development Application Security news Embedded developers face mounting pressure on security A recent survey by BlackBerry Limited finds tensions between innovation, project deadlines, and functional safety. By Paul Krill Oct 11, 2024 2 mins Developer Application Security Software Development feature 6 ways to apply automation in devsecops Automation should serve as a foundational principle for approaching every security challenge. Here’s how automation can help you secure software development processes. By Shashank Srivastava Sep 30, 2024 9 mins DevSecOps CI/CD Application Security Resources Videos