ℹ️ Cloudflare Application Services for private networks: do more with the tools you already love

Hello, everyone, and welcome to Cloudflare TV for CIO Week.

My name is Cat Allen, Senior Product Marketing Manager for Network Services, and today I have the pleasure to speak with Annika Garbers, Product Manager for Network Services.

We're going to talk about one of our latest announcements, Application Services for Private Networks.

Annika, welcome and thank you for joining.

I'm so excited to be here. My cat is too, apparently.

I don't know if it's Zoom, but I picked that up. But it's Friday, Vibes, CIO Week has been going really well.

Can't wait for this conversation. Awesome. So let's go ahead and dive in.

So Application Services plus Cloudflare One, what is it and what benefits can customers expect from this exciting new integration?

Yeah, sure.

So Cloudflare offers a really broad suite of products and services, and at a high level, they're all about securing and making faster and more reliable anything that is connected to the Internet.

And if you've been a Cloudflare customer for a while or if you've heard about us, probably the products and services that you're most familiar with are our suite of what we've called Application Services that have traditionally been focused on web applications and APIs and how to deliver those more efficiently to end users, keep them more secure.

But then we've got this other really exciting new part of our product portfolio, Cloudflare One, which is focused on delivering those same benefits, so security, performance, reliability, but for customers' private networks and what we traditionally think of as the corporate network or your internal network, maybe that's managed by folks out of the CIO organization, it's CIO Week, but that is increasingly becoming more dependent on the Internet as well.

And so as these kind of boundaries are sort of blurring, customers are looking for new ways to think about securing all of their traffic regardless of its source or destination, whether you're talking about users or applications or data centers or offices or cloud.

And so these new integrations are really about how do we help customers use those services from Cloudflare that they already know and love within our application services portfolio, things like our web application firewall, API security, traffic management, performance optimization, DNS, how can they apply those in new ways to solve different types of problems for their entire private networks that they want to build on top of Cloudflare as well?

That sounds really exciting.

So is this functionality unique to Cloudflare? So the kind of list of functions that I just rattled off, things like the WAF, DDoS protection, DNS, et cetera, there are, of course, lots of providers that offer these services as sort of point solutions within their network and some that have a couple of those different services delivered in different ways.

But the really unique thing about Cloudflare is that we've actually built all of those from the ground up in software that we develop and maintain on servers that we own and again, maintain and networking software and hardware across our own network.

And on top of that, the fact that the software is all native and built to integrate with each other, the architecture decision that we've taken fundamentally for our network is to run every one of those services on every server across our entire network.

And so there's some providers who have taken an approach kind of similar to Cloudflare, but they'll teeth out these functions and say, OK, in these couple of locations across their network and these specific POPs, these are the ones that are going to be dedicated for DDoS protection.

And so the DDoS software is going to run there or over here, we're going to run a WAF or over here, maybe we're going to have Zero Trust services.

And Cloudflare has always taken the approach and sort of this fundamental principle that these services are actually way better and can deliver higher value for customers when they're delivered together.

And so every service runs everywhere across our whole network.

And what that means is that any packet or any request that lands at Cloudflare's network, so on the closest server to them by BGP routing across the Internet with our any task network approach, it's going to be able to go through the full stack of security and performance and reliability functions that our customers enable right there on that server.

And then from there, we'll deliver the packet or request to its end destination over the most optimal path that we can get it there.

But by doing this and making this decision where we've got all of those services in one place in one stack, not only can customers administer them from one place, they just have to go to the Cloudflare dashboard, not sort of a multitude of different tools, but there's also significant performance benefits and usability benefits for that traffic because the packet is not taking multiple hops around different places across the Internet or within the customer's network in order to get those functions.

And so the way that Cloudflare delivers this service, the performance that customers will see from it, that the benefits of using these services together is really unique to us and not something that you're going to get with a different provider that sort of keep these functions together through acquisition or building them in different parts of their software and hardware stack.

That makes sense. So you mentioned the web application firewall, so let's shift gears and talk a little bit about that.

So web application firewall for private apps with any off ramp.

So by integrating our WAF with Cloudflare One, what can customers expect to gain?

Yeah, sure. So Cloudflare's web application firewall is trusted by millions of customers, millions of Internet properties to protect their applications that are exposed to the public Internet.

It's a really solid industry leading product that lots of folks know and trust and love.

And what I'm super excited about with this integration is customers having the ability to put those same controls in path for any application with any traffic on ramp or off ramp.

So any way that they want to send their traffic to Cloudflare or receive it, including with private networks that they're integrating with Cloudflare One, they'll now be able to put WAF controls in place.

And so why is this important?

Why would you need a web application firewall for traffic flows that are maybe 100 percent private?

Well, traditionally, kind of the old school model of networking, this wouldn't have been a relevant conversation because you have this concept of sort of a castle in moat where all of the users and all the applications that needed access sat within this concept of a corporate perimeter where there may be in the same physical location or just a subset of locations that are connected with forms of private connectivity like MPLS.

And with this sort of perimeter defined, you could put firewalls or other security appliances in place that filtered and made sure that any traffic going in and out of the network was secured and you were watching every packet.

And then also you could do that type of filtering for what customers called East West traffic as well, traffic within that private network.

But that's really changed. And that's not kind of the security posture that customers are dealing with anymore.

They've got this really fragmented traffic flow and users accessing applications from kind of anywhere.

And so security teams are really trying to make the shift to what they refer to as a Zero Trust model, where you authenticate and authorize and examine every single request, even if it comes from somewhere within what you traditionally would have thought of as your trusted network.

And so customers now with this new integration could put Cloudflare WAF in front of their private applications and treat the traffic to those applications as though it was just coming from the public Internet, from an untrusted source, even if it is sourced from a device that is that is even managed by your organization.

You can still get that extra level of sort of control and security and knowing that you're doing and not blindly trusting someone that exists on your private network.

So that's the first integration in this sort of new set that we're excited to announce.

And I know lots of customers are going to be really pumped to enable that for their private networks.

Very exciting, and one of the pieces of this announcement was also APIs, so APIs have made headlines lately, they're clearly an attack service that needs defending.

So Cloudflare offers services to protect public APIs from things like DDoS attacks, abuse of data loss.

What's changing with this new feature announcement?

Yeah, sure. So really similar to kind of the high level concepts that we talked about with the WAF just a second ago.

Traditionally, public facing APIs have been sort of the the focus of security teams attention and scrutiny and making sure that security controls are on top of those public and external facing APIs as priority number one.

But teams are also increasingly thinking about the security for their private API for the same reason, right?

You don't have this concept of a security perimeter anymore where you can say, I'm going to trust all the traffic that's in between these internal or private services.

And so in a similar way to the web application traffic that we just talked about, where you're going to be able to put the WAF in front of those private traffic flows, our API security tools are also going to be able to apply in front of internal and private APIs that customers have within their network.

And so this is going to help improve overall security posture and and it kind of draws on one of the key benefits of Cloudflare one, which I guess we haven't mentioned so far, which is that these on ramps and off ramps we've talked about that you can use to connect any of your traffic into Cloudflare.

Those aren't exclusive to just HTTP or web traffic.

It's anything connected to the Internet. And so that means API traffic.

That means HTTP traffic that we've talked about so far. But as we kind of keep walking down the layers of the OSI stack and hinting, maybe you're jumping forward a little bit into some of the things that we'll get into later in this conversation, you can get these controls over all of your traffic.

It doesn't matter what kind of protocol we're talking about.

That's exciting. So let's shift gears into global and local traffic management for private apps.

So this announcement includes new ways to use traffic management tools.

Can you expand on that?

Yeah, sure. So so far in the WAF and API security, we've focused on how Cloudflare helps keep malicious actors from having a negative impact on customers, applications and networks that they connect.

But security is not the only focus of Cloudflare services.

We also have this really robust, broad suite of reliability and performance tools.

And one of the ones that customers really frequently draw on to help today make their web or external facing applications more reliable and more performance is Cloudflare's load balancing portfolio.

So today we have a suite of what we refer to as global traffic management tools to balance traffic across multiple data centers or applications or properties that customers are connecting to us.

And again, so far this has been focused on external facing applications or it's also possible or it has been previously possible to for customers to load balance private traffic that they are exposing to the public Internet with Cloudflare Tunnel.

So if you've got a public host name and you're ready to put that in front of an application, regardless of whether their origin server is private or public, you can put global traffic management tools in front of that.

But our customers have asked for us to extend these capabilities in similar ways.

They want to use the WAF in front of everything. They want to be able to load balance everything, too.

And that includes private traffic that is behind Cloudflare with any on or off ramp.

And it also includes the capability to do local traffic management as well.

And so this means not just managing traffic flows between different data centers or properties that are maybe geographically distributed and being able to fail over between them, but also the applications or servers that exist within one of those properties, being able to balance traffic within that as well.

And so these capabilities are under active development. We're super excited to get them in customer hands.

If you're interested in beta testing them out, there's information in the blog post about how to do that, as well as with the rest of this functionality.

But this one particularly, we're super excited, I think, to get in customer hands and see what kinds of new use cases you want to enable with it.

That's awesome. So another piece of this announcement was Argo smart routing across all layers of the OSI stack for any traffic connected to Cloudflare.

What excites you the most about this functionality?

Yeah, OK, so we talked about security with the WAF and API security.

We talked about reliability with load balancing and global and local traffic management.

Let's talk about this next piece of value that Cloudflare delivers to customers, which is performance.

So we have this product we've had for a while called Argo smart routing.

And the way that I usually explain it to folks is it's kind of like a ways for the Internet.

We help route your traffic across the Internet, avoiding congestion and other issues that could potentially slow it down.

And Cloudflare is only really able to do this because of our really, really unique vantage point across the Internet.

We see so much of the Internet's traffic all the time.

We're in all of these different locations across the world.

We're really close to users and applications. And so we're able to see when there are problems that are happening, when an ISP is having an issue, when there's congestion in one part of the Internet, when there's packet loss or other problems.

And then not only are we able to see it and give you insights and information on what might be happening with that traffic, but we can also make smarter decisions than maybe just the Internet or BGP routing would by itself with how to route that traffic.

And so Argo Smart Routing is basically delivering that functionality where we're picking the best path for your request to take across the Internet to get it to its destination as performantly as possible.

So we've had this available for a while for external facing applications.

We also announced Argo for packets about a year ago, which optimizes any IP traffic.

So that's private or public IP traffic gets optimizations at the network level as well.

And with these integrations that we're announcing, you'll also be able to put Argo Smart Routing that's layer three through seven controls in place for any traffic that's delivered again with any on or off ramp.

And I mentioned I'm sounding like a little bit of a broken record now, any on or off ramp, any piece of functionality.

One of the things that I think is the coolest about this whole suite of use cases that we're introducing with this post is that the engineering effort that's required to make this happen isn't actually integrating all of these individual products with every single on and off ramp.

You can imagine if you'd approached the architecture and sort of the development of this service fabric as we're going to create all of these individual services at their own things, deploy them on different servers or in different containers and different props around the world, and then figure out how to make the connective tissue and wiring across every individual one, then you're sort of talking about like an end by end or like a mesh problem.

How do I get every one of these things to connect and work with every other one?

But that's actually not what's happening here. The way that we've architected our systems makes it such that we can develop an integration one time.

We can say, OK, we're going to create one new wiring path or packets or requests to be able to go through this stack of products.

And then we get access to a lot of this functionality that customers can then take advantage of essentially for free.

And so while we're building these integrations and testing this out, there's tons of use cases that we probably haven't even thought of yet or tested out yet that we're hearing from customers about newly every single day that we'll be able to deliver super quickly because there's not that additional engineering work to put in of integrating every individual on and off ramp.

And so, again, talking about sort of uniqueness of Cloudflare's platform, that's something you only really would be able to see from us with the architecture approach that we've got that no other provider out there is able to deliver, at least with the pace of and sort of speed and iteration of innovation that we're able to do here.

And I love that you mentioned, too, one of my favorite things about Cloudflare is that we do offer a lot of free services as well.

Right. So we have that advantage of we have a lot of free customers.

We have a lot of enterprise customers.

And so we really do have this huge global network and the advantage of we get to help so many people across so many organizations, individuals as well.

So it's really exciting to hear sort of the future of Cloudflare and how we made these really strategic architectural decisions that have really set us up for success to keep building and keep adding new functionality without having to completely start over every single time.

So last but not least, there was one other piece of this announcement, which was private DNS.

So what is it and what sorts of use cases will this unlock for customers?

Yeah, sure. So like our web application firewall, DDoS, SSL, these other functions that we talked about so far, Cloudflare has an industry leading DNS product to protect millions of Internet domains.

And customers can use that for external DNS today. So we talked about public host names.

You can take any application and put it behind Cloudflare by making a DNS record change and using us as a reverse proxy.

And then that's the way that the key way that customers enable access to most of those other services that we just talked about, the way that they sort of require traffic to flow through Cloudflare.

But some organizations want to be able to resolve queries to private domains only when their users are actually connected to the Zero Trust private network that they define within Cloudflare.

They don't want to create a public host name and have the users navigate to that.

They want to keep it all sort of internal to their private network.

And again, these concepts get really fuzzy, right, because we mentioned earlier this idea of Castle and Moat and private versus the public Internet.

And it's all really blurred because the boundaries here are just have just kind of dissolved, right?

Users can can work from anywhere. Most applications now are hosted on the Internet or in SaaS.

And so concepts of private network get really tricky to define.

You could sort of think of it as Cloudflare can act as like an underlay fabric.

And then the overlay is your applications or the private network that you define on top of it.

And so we're making the Internet usable as an underlaying fabric for all of the private network applications that you'd want to create and define in the policies to route and get to them.

And so private DNS is a really integral piece of this. It's going to offer all of the really great features of our authoritative DNS from support for all common DNS record types, the ability to resolve DNS queries to overlapping IP addresses, especially for customers that are managing acquisitions or really complex network architectures where you've got a lot of IP address management challenges.

We're going to make that really seamless for you. And then also all of the other Zero Trust filtering control that's offered by Cloudflare secure web gateway DNS filtering is going to be built into this private DNS offering from day one.

And so this feature is really going to help our customers streamline and simplify the management and operations that their IP teams have to use and do.

It's going to help network and security teams do more with less.

And then we also expect it to bring our customers really significant savings in terms of time and the operational costs that they have to manage their network.

Again, consolidating more of these functions, managing them from one single central control plane, that is the Cloudflare dashboard.

We can help simplify a lot of things. And that's really what we're all about, right?

Helping make the Internet a better place, make it simpler for the teams that are managing anything connected to it.

Absolutely, and adding those additional security layers, right, like we talked about, so helping organizations become more secure.

So in terms of where people can learn more about these, where can they go to find out?

Yeah, we published a blog post today, so you can check out the Cloudflare blog to read about all of these new integrations that we talked about, kind of learn about them in more depth.

We'd love to hear your feedback on these two.

So many of these are either in beta access or still in development.

And we really value feedback from our customers, anyone from a free customer to an enterprise customer to help inform what we should be building in our product roadmap.

So please engage with us if anything in that blog post stands out to you.

It's especially exciting. Or if you see anything new that would be exciting for us to develop that isn't mentioned there, but kind of fits in the scheme of integrations between our app services and private networks.

There's a link in the end of the blog post for a form that you can use to sign up for beta access to these functions.

So you can be the first to try them out and pick tires when they're available.

And yeah, just engage with us, ask questions.

We love hearing your feedback, that network of free customers that continue to sort of funnel ideas and innovation into our product engine is one of my favorite things about being here.

So don't be shy about getting involved. I love that.

Well, thank you so much, Anika, for your time and insights into what's coming next here at Cloudflare.

Was there anything else that you wanted to add to this or should we go ahead and wrap up?

Oh, yeah, just one last thing we said at the top of the call or at the top of the Cloudflare TV segment, this is CIO week.

So this is just one.

It's a bunch of announcements in one post, but this post is just one of a jillion announcements that have come out through the week.

New products, new partnerships, new ways to use Cloudflare.

And specifically this week has been really focused on CIO organizations and Cloudflare one, this concept of how do we make your internal and private networks more secure, faster, more reliable.

So I really encourage anyone watching who is excited about this to go and check out the rest of the announcements from CIO week.

There's a fantastic wrap up blog that was published this morning that's got links and sort of short summaries across all of it.

So you can start there as a way to kind of guide your journey.

And then also for every one of these blogs that we publish, there's an accompanying Cloudflare TV segment just like this one.

So if you prefer to consume information in sort of this format or you want an accompaniment to the blog content, check it out.

And there's recordings of all of those sessions that have happened throughout the week available at Cloudflare.TV.

Awesome. Well, thank you for joining us today.

And like we said, if you're interested in any of these features, make sure to follow the link in the description below to reserve your spot for beta access.

Thank you so much.