Cloudflare TV

Cloudflare Application Services for private networks: do more with the tools you already love

Presented by Annika Garbers, Cat Allen
Originally aired on 

Welcome to Cloudflare CIO Week 2023!

This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.

In this episode, tune in for a conversation with Cloudflare's Annika Garbers and Cat Allen.

Tune in all week for more news, announcements, and thought-provoking discussions!

For more, don't miss the Cloudflare CIO Week Hub

Transcript (Beta)

Hello, everyone, and welcome to Cloudflare TV for CIO Week. My name is Cat Allen, Senior Product Marketing Manager for Network Services, and today I have the pleasure to speak with Annika Garbers, Product Manager for Network Services.

We're going to talk about one of our latest announcements, Application Services for Private Networks.

Annika, welcome and thank you for joining.

I'm so excited to be here, and my cat is too, apparently.

I don't know if he's here, but I'm going to pick that up.

But it's Friday 5, CIO Week has been going really well. Can't wait for this conversation.

Awesome. So let's go ahead and dive in. So Application Services plus Cloudflare One, what is it and what benefits can customers expect from this exciting new integration?

Yeah, sure. So Cloudflare offers a really broad suite of products and services, and at a high level, they're all about securing and making faster and more reliable anything that is connected to the Internet.

And if you've been a Cloudflare customer for a while, or if you've heard about us, probably the products and services that you're most familiar with are our suite of what we've called Application Services that have traditionally been focused on web applications and APIs, and how to deliver those more efficiently to end users, keep them more secure.

But then we've got this other really exciting new part of our product portfolio, Cloudflare One, which is focused on delivering those same benefits, so security, performance, reliability, but for customers' private networks and what we traditionally think of as the corporate network or your internal network, maybe that's managed by folks out of the CIO organization, it's CIO Week.

But that is increasingly becoming more dependent on the Internet as well.

And so as these kind of boundaries are sort of blurring, customers are looking for new ways to think about securing all of their traffic, regardless of its source or destination, whether you're talking about users or applications, or data centers or offices or clouds.

And so these new integrations are really about how do we help customers use those services from Cloudflare that they already know and love within our application services portfolio, things like our web application firewall, API security, traffic management, performance optimization, DNS, how can they apply those in new ways to solve different types of problems for their entire private networks that they want to build on top of Cloudflare as well?

That sounds really exciting. So is this functionality unique to Cloudflare?

So the kind of list of functions that I just rattled off, things like the WAF, DDoS protection, DNS, et cetera, there are, of course, lots of providers that offer these services as sort of point solutions within their network, and some that have a couple of those different services delivered in different ways.

But the really unique thing about Cloudflare is that we've actually built all of those from the ground up in software that we develop and maintain on servers that we own, and again, maintain a networking software and hardware across our own network.

And on top of that, the fact that the software is all native and built to integrate with each other, the architecture decision that we've taken fundamentally for our network is to run every one of those services on every server across our entire network.

And so there's some providers who have taken an approach kind of similar to Cloudflare, but they'll tease out these functions and say, okay, in these couple of locations across our network in these specific POPs, these are the ones that are going to be dedicated for DDoS protection.

And so the DDoS software is going to run there, or over here, we're going to run a WAF, or over here, maybe we're going to have Zero Trust services.

And Cloudflare has always taken the approach and sort of this fundamental principle that these services are actually way better and can deliver higher value for customers when they're delivered together.

And so every service runs everywhere across our whole network.

And what that means is that any packet or any request that lands at Cloudflare's network, so on the closest server to them by BGP routing across the Internet with our Anycast network approach, it's going to be able to go through the full stack of security and performance and reliability functions that our customers enable right there on that server.

And then from there, we'll deliver the packet or request to its end destination over the most optimal path that we can get it there.

But by doing this and making this decision where we've got all of those services in one place in one stack, not only can customers administer them from one place, they just have to go to the Cloudflare dashboard, not sort of a multitude of different tools, but there's also significant performance benefits and usability benefits for that traffic because the packet is not taking multiple hops around different places across the Internet or within the customer's network in order to get those functions.

And so the way that Cloudflare delivers this service, the performance that customers will see from it, that the benefits of using these services together is really unique to us and not something that you're going to get with a different provider that sort of keeps these functions together through acquisition or building them in different parts of their software and hardware stack.

That makes sense. So you mentioned the web application firewall.

So let's shift gears and talk a little bit about that.

So web application firewall for private apps with any off-ramp. So by integrating our WAF with Cloudflare One, what can customers expect to gain?

Yeah, sure.

So Cloudflare's web application firewall is trusted by millions of customers, millions of Internet properties to protect their applications that are exposed to the public Internet.

It's a really solid industry-leading product that lots of folks know and trust and love.

And what I'm super excited about with this integration is customers having the ability to put those same controls in path for any application with any traffic on-ramp or off-ramp.

So any way that they want to send their traffic to Cloudflare or receive it, including with private networks that they're integrating with Cloudflare One, they'll now be able to put WAF controls in place.

And so why is this important? Why would you need a web application firewall for traffic flows that are maybe 100% private?

Well, traditionally, in front of the old school model of networking, this wouldn't have been a relevant conversation because you have this concept of sort of a castle and moat where all of the users and all the applications that needed access sat within this concept of a corporate perimeter where they may be in the same physical location or just a subset of locations that are connected with forms of private connectivity like MPLS.

And with this sort of perimeter defined, you could put firewalls or other security appliances in place that filtered and made sure that any traffic going in and out of the network was secured and you were watching every packet.

And then also you could do that type of filtering for what customers call east-west traffic as well, traffic within that private network.

But that's really changed and that's not kind of the security posture that customers are dealing with anymore.

They've got this really fragmented traffic flow and users accessing applications from kind of anywhere.

And so security teams are really trying to make the shift to what they refer to as a Zero Trust model where you authenticate and authorize and examine every single request, even if it comes from somewhere within what you traditionally would have thought of as your trusted network.

And so customers now with this new integration can put Cloudflare WAF in front of their private applications and treat the traffic to those applications as though it was just coming from the public Internet, from an untrusted source.

Even if it is sourced from a device that is even managed by your organization, you can still get that extra level of sort of control and security and knowing that you're doing and making or not blindly trusting someone that exists on your private network.

So that's the first integration in this sort of new set that we're excited to announce.

And I know lots of customers are going to be really pumped to enable that for their private networks.

Very exciting. And one of the pieces of this announcement was also APIs.

So APIs have made headlines lately. They're clearly an attack surface that needs defending.

So Cloudflare offers services to protect public APIs from things like DDoS attacks, abuse, and data loss.

What's changing with this new feature announcement?

Yeah, sure. So really similar to kind of the high-level concepts that we talked about with the WAF just a second ago.

Traditionally, public-facing APIs have been sort of the focus of security teams' attention and scrutiny and making sure that security controls are on top of those public and external-facing APIs as priority number one.

But teams are also increasingly thinking about the security for their private API for the same reason, right?

You don't have this concept of a security perimeter anymore where you can say, I'm going to trust all the traffic that's in between these internal or private services.

And so in a similar way to the web application traffic that we just talked about, where you're going to be able to put the WAF in front of those private traffic flows, our API security tools are also going to be able to apply in front of internal and private APIs that customers have within their network.

And so this is going to help improve overall security posture, and it kind of draws on one of the key benefits of Cloudflare One, which I guess we haven't mentioned so far, which is that these on-ramps and off-ramps we've talked about that you can use to connect any of your traffic into Cloudflare, those aren't exclusive to just HTTP or web traffic.

It's anything connected to the Internet. And so that means API traffic, that means HTTP traffic that we've talked about so far, but as we kind of keep walking down the layers of the OSI stack and hinting maybe you're jumping forward a little bit into some of the things that we'll get into later in this conversation, you can get these controls over all of your traffic.

It doesn't matter what kind of protocol we're talking about.

That's exciting.

So let's shift gears into global and local traffic management for private apps.

So this announcement includes new ways to use traffic management tools. Can you expand on that?

Yeah, sure. So, so far in the WAF and API security, we've focused on how Cloudflare helps keep malicious actors from having a negative impact on customers' applications and networks that they connect.

But security is not the only focus of Cloudflare services.

We also have this really robust broad suite of reliability and performance tools.

And one of the ones that customers really frequently draw on to help today make their web or external facing applications more reliable and more performant is Cloudflare's load balancing portfolio.

So today we have a suite of what we refer to as global traffic management tools to balance traffic across multiple data centers or applications or properties that customers are connecting to us.

And again, so far, this has been focused on external facing applications, or it's also possible, or it has been previously possible to, for customers to load balance private traffic that they are exposing to the public Internet with Cloudflare Tunnel.

So if you've got a public host name and you're ready to put that in front of an application, regardless of whether their origin server is private or public, you can put global traffic management tools in front of that.

But our customers have asked for us to extend these capabilities in similar ways.

They want to use the WAF in front of everything. They want to be able to load balance everything too.

And that includes private traffic that is behind Cloudflare with any on or off ramp.

And it also includes the capability to do local traffic management as well.

And so this means not just managing traffic flows between different data centers or cloud properties that are maybe geographically distributed and being able to fail over between them, but also the applications or servers that exist within one of those properties, being able to balance traffic within that as well.

And so these capabilities are under active development.

We're super excited to get them in customer hands. If you're interested in beta testing them out, there's information in the blog posts about how to do that as well as with the rest of this functionality.

But this one particularly, we're super excited, I think, to get in customer hands and see what kinds of new use cases you want to enable with it.

That's awesome. So another piece of this announcement was Argo Smart Routing across all layers of the OSI stack for any traffic connected to Cloudflare.

What excites you the most about this functionality?

Yeah. Okay. So we talked about security with the WAF and API security.

We talked about reliability with load balancing and global and local traffic management.

Let's talk about this next piece of value that Cloudflare delivers to customers, which is performance.

So we have this product we've had for a while called Argo Smart Routing.

And the way that I usually explain it to folks is it's kind of like a Waze for the Internet.

We help route your traffic across the Internet, avoiding congestion and other issues that could potentially slow it down.

And Cloudflare is only really able to do this because of our really, really unique vantage point across the Internet.

We see so much of the Internet's traffic all the time.

We're in all of these different locations across the world.

We're really close to users and applications. And so we're able to see when there are problems that are happening, when an ISP is having an issue, when there's congestion in one part of the Internet, when there's packet loss or other problems.

And then not only are we able to see it and give you insights and information on what might be happening with that traffic, but we can also make smarter decisions than maybe just the Internet or BGP routing would by itself with how to route that traffic.

And so Argo Smart Routing is basically delivering that functionality where we're picking the best path for your request to take across the Internet to get it to its destination as performantly as possible.

So we've had this available for a while for external facing applications.

We also announced Argo for packets about a year ago, which optimizes any IP traffic.

So that's private or public IP traffic, gets optimizations at the network level as well.

And with these integrations that we're announcing, you'll also be able to put Argo Smart Routing, that's layer three through seven controls in place for any traffic that's delivered again with any on or off ramp.

And I mentioned, I'm sounding like a little bit of a broken record now, any on or off ramp, any piece of functionality.

One of the things that I think is the coolest about this whole suite of use cases that we're introducing with this post is that the engineering effort that's required to make this happen isn't actually integrating all of these individual products with every single on and off ramp.

You could imagine if you'd approached the architecture and sort of the development of this service fabric as we're going to create all of these individual services at their own things, deploy them on different servers or in different containers and different POPs around the world, and then figure out how to make the connective tissue and wiring across every individual one, then you're sort of talking about like an N by N or like a mesh problem.

How do I get every one of these things to connect and work with every other one?

But that's actually not what's happening here. The way that we've architected our systems makes it such that we can develop an integration one time.

We can say, okay, we're going to create one new wiring path for packets or requests to be able to go through this stack of products.

And then we get access to a lot of this functionality that customers can then take advantage of essentially for free.

And so while we're building these integrations and testing this out, there's tons of use cases that we probably haven't even thought of yet or tested out yet that we're hearing from customers about, you know, newly every single day that we'll be able to deliver super quickly because there's not that additional engineering work to put in of integrating every individual on and off-ramp.

And so again, talking about sort of uniqueness of Cloudflare's platform, that's something you only really would be able to see from us with the architecture approach that we've got, that no other provider out there is able to deliver, at least with the pace and sort of speed and iteration of innovation that we're able to do here.

And I love that you mentioned too, one of my favorite things about Cloudflare is that we do offer a lot of free services as well, right?

So we have that advantage of we have a lot of free customers, we have a lot of enterprise customers.

And so we really do have this huge global network and the advantage of, you know, we get to help so many people across so many organizations, individuals as well.

So it's really exciting to hear sort of the future of Cloudflare and how we made these really strategic architectural decisions that have really set us up for success to keep building and keep adding new functionality without having to completely start over every single time.

So last but not least, there was one other piece of this announcement, which was private DNS.

So what is it and what sorts of use cases will this unlock for customers?

Yeah, sure. So like our web application firewall, DDoS, SSL, these other functions that we've talked about so far, Cloudflare has an industry-leading DNS product to protect millions of Internet domains.

And customers can use that for external DNS today. So we talked about public host names, you can take any application and put it behind Cloudflare by making a DNS record change and using us as a reverse proxy.

And then that's the key way that customers enable access to most of those other services that we just talked about, the way that they sort of require traffic to flow through Cloudflare.

But some organizations want to be able to resolve queries to private domains only when their users are actually connected to the Zero Trust private network that they define within Cloudflare.

They don't want to create a public host name and have their users navigate to that.

They want to keep it all sort of internal to their private network.

And again, these concepts get really fuzzy, right?

Because we mentioned earlier this idea of castle and moat and private versus the public Internet.

And it's all really blurred because the boundaries here have just kind of dissolved, right?

Users can work from anywhere, most applications now are hosted on the Internet or in SaaS.

And so concepts of private network get really tricky to define.

You could sort of think of it as Cloudflare can act as like an underlay fabric.

And then the overlay is your applications or the private network that you define on top of it.

And we're making the Internet usable as an underlying fabric for all of the private network applications that you'd want to create and define in the policies to route and get to them.

And so private DNS is a really integral piece of this.

It's going to offer all of the really great features of our authoritative DNS from support for all common DNS record types, the ability to resolve DNS queries to overlapping IP addresses, especially for customers that are managing acquisitions or really complex network architectures where you've got a lot of IP address management challenges.

We're going to make that really seamless for you.

And then also all of the other Zero Trust filtering control that's offered by Cloudflare secure web gateway DNS filtering is going to be built into this private DNS offering from day one.

And so this feature is really going to help our customers streamline and simplify the management and operations that their IP teams have to use and do.

It's going to help network and security teams do more with less.

And then we also expect it to bring our customers really significant savings in terms of time and the operational costs that they have to manage their network.

Again, consolidating more of these functions, managing them from one single central control plane that is the Cloudflare dashboard.

It's going to help simplify a lot of things.

And that's really what we're all about, right? Helping make the Internet a better place, make it simpler for the teams that are managing anything connected to it.

Absolutely. And adding those additional security layers, right?

Like we talked about. So helping organizations become more secure.

So in terms of where people can learn more about these, where can they go to find out?

Yeah. We published a blog post today, so you can check out the Cloudflare blog to read about all of these new integrations that we talked about, kind of learn about them in more depth.

We'd love to hear your feedback on these too.

So many of these are either in beta access or still in development. And we really value feedback from anyone from a free customer to an enterprise customer to help inform what we should be building in our product roadmap.

So please engage with us if anything in that blog post stands out to you as especially exciting, or if you see anything new that would be exciting for us to develop that isn't mentioned there, but kind of fits in this theme of integrations between our app services and private networks.

There's a link in the end of the blog post for a form that you can use to sign up for beta access to these functions.

So you can be the first to try them out and kick the tires when they're available.

And yeah, just engage with us, ask questions, we love hearing your feedback, that network of free customers that continue to sort of funnel ideas and innovation into our product engine is one of my favorite things about being here.

So don't be shy about getting involved.

I love that. Well, thank you so much, Annika, for your time and insights into what's coming next year at Cloudflare.

Was there anything else that you wanted to add to this?

Or should we go ahead and wrap up?

Oh, yeah, just one last thing.

We said at the top of the call or at the top of the Cloudflare TV segment, this is CIO Week.

So this is just one, it's a bunch of announcements in one post, but this post is just one of a jillion announcements that have come out through the week, new products, new partnerships, new ways to use Cloudflare.

And specifically, this week has been really focused on CIO organizations and Cloudflare One, this concept of how do we make your internal and private networks more secure, faster, more reliable.

So I'd really encourage anyone watching who is excited about this to go and check out the rest of the announcements from CIO Week.

There's a fantastic wrap up blog that was published this morning that's got links and sort of short summaries across all of it.

So you can start there as a way to kind of guide your journey.

And then also for every one of these blogs that we publish, there's an accompanying Cloudflare TV segment just like this one.

So if you prefer to consume information in sort of this format, or you want an accompaniment to the blog content, check it out.

And there's recordings of all of those sessions that have happened throughout the week available at

Awesome. Well, thank you for joining us today. And like we said, if you're interested in any of these features, make sure to follow the link in the description below to reserve your spot for beta access.

Thank you so much.

With the help of Cloudflare, we were able to add an extra layer of network security controlled by Allianz, including WAF, DDoS.

Cloudflare uses CDN and so allows us to keep costs under control and caching and improve speed.

Cloudflare has been an amazing partner in the privacy front. They've been willing to be extremely transparent about the data that they are collecting and why they're using it.

And they've also been willing to throw those logs away. I think one of our favorite features of Cloudflare has been the worker technology.

Our origins can go down and things will continue to operate perfectly.

I think having that kind of a safety net, you know, provided by Cloudflare goes a long ways.

We were able to leverage Cloudflare to save about $250,000 within about a day. The cost savings across the board is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost of our service with Cloudflare.

It's really amazing to partner with a vendor who's not just providing a great enterprise service, but also helping to move forward the security on the Internet.

One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response times, which is incredible.

Like, Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.

We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint, ensuring world-class capabilities in bot management and web application firewall to protect our large public-facing digital presence.

We ended up building our own fleet of HAProxy servers such that we could easily lose one and it wouldn't have a massive effect.

But it was very hard to manage because we kept adding more and more machines as we grew.

With Cloudflare, we were able to just scrap all of that because Cloudflare now sits in front and does all the work for us.

Cloudflare helped us to improve the customer satisfaction. It removed the friction with our customer engagement.

It's very low maintenance and very cost effective and very easy to deploy and it improves the customer experiences big time.

Cloudflare is amazing. Cloudflare is such a relief. Cloudflare is very easy to use.

It's fast. Cloudflare today plays the first level of defense for us. Cloudflare has given us peace of mind.

They've got our backs. Cloudflare has been fantastic. I would definitely recommend Cloudflare.

Cloudflare is providing an incredible service to the world right now.

Cloudflare has helped save lives through Project Fairshot.

We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient, and ethical manner.

Thank you.

The real privilege of working at Mozilla is that we're a mission-driven organization.

What that means is that before we do things, we ask what's good for the users as opposed to what's going to make the most money.

Mozilla's values are similar to Cloudflare's.

They care about enabling the web for everybody in a way that is secure, in a way that is private, and in a way that is trustworthy.

We've been collaborating on improving the protocols that help secure connections between browsers and websites.

Mozilla and Cloudflare collaborated on a wide range of technologies.

The first place we really collaborated was the new TLS 1.3 protocol, and then we followed that up with QUIC and DNS over HTTPS, and most recently, the new Firefox Private Network.

DNS is core to the way that everything on the Internet works.

It's a very old protocol, and it's also in plain text, meaning that it's not encrypted.

And this is something that a lot of people don't realize. You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.

When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.

The idea was that Cloudflare would run the server piece of it, and Mozilla would run the client piece of it, and the consequence would be that we protect DNS traffic for anybody who used Firefox.

Cloudflare was a great partner with this because they were really willing early on to implement the protocol, stand up a trusted recursive resolver, and create this experience for users.

They were strong supporters of it. One of the great things about working with Cloudflare is their engineers are crazy fast.

So the time between we decide to do something, and we write down the barest protocol sketch, and they have it running in their infrastructure, is a matter of days to weeks, not a matter of months to years.

There's a difference between standing up a service that one person can use, or 10 people can use, and a service that everybody on the Internet can use.

When we talk about bringing new protocols to the web, we're talking about bringing it not to millions, not to tens of millions, we're talking about hundreds of millions to billions of people.

Cloudflare has been an amazing partner in the privacy front.

They've been willing to be extremely transparent about the data that they are collecting, and why they're using it, and they've also been willing to throw those logs away.

Really, users are getting two classes of benefits out of our partnership with Cloudflare.

The first is direct benefits. That is, we're offering services to the Cloudflare.

So that's an immediate benefit these users are getting. The indirect benefit these users are getting is that we're developing the next generation of security and privacy technology, and Cloudflare is helping us do it.

And that will ultimately benefit every user, both Firefox users and every user of the Internet.

We're really excited to work with an organization like Mozilla that is aligned with the user's interests, and in taking the Internet and moving it in a direction that is more private, more secure, and is aligned with what we think the Internet should be.
