Cloudflare TV

Next Generation Security & Performance

Presented by Jen Taylor, Rustam Lalkaka
Originally aired on 

Best of: Cloudflare Connect - 2019

*Session 1 *

Next Generation Security and Performance

Join Cloudflare's Head of Product Jen Taylor for a look at Cloudflare's product suite and where we're headed.

Session 2

Building the Network of the Future

Cloudflare Director of Product Rustam Lalkaka presents an overview of Cloudflare's network architecture, and how it is transforming the way businesses keep their sites performant and secure.

Cloudflare Connect

Transcript (Beta)

This episode is presented by Jen Taylor and Rustam Lalkaka Hi, I'm Jen Taylor.

I'm head of product here at Cloudflare and I could not be more excited to be here with you all in New York today.

I'm going to start by first saying thank you.

Thank you on behalf of everybody in this room and those who can't even be here today wearing the yellow lanyard.

You are the inspiration for what we do.

You drive us to out -innovate and out-deliver and please keep pushing us because we love the opportunity to work with you.

So today I'm going to spend some time talking through where we are from a product perspective and give you a glimpse of where we're heading in the future.

I like to start any conversation about the product though by grounding in the mission and I know you've seen this slide multiple times already today but it's because we are very much a mission-driven company and our mission is simple but bold and it's to help build a better Internet.

That means one that is more performant, more scalable, more secure, more reliable for anything that's connected to it and for anyone everywhere.

Now why does the Internet need help?

Well Michelle already flashed this slide, it's sort of the story of sort of the old adage of what got you here won't get you there.

We believe that there's a need to continue to deliver new technologies, new scale, new performance, new security and do it in partnership with the ecosystem of the broader web, the community and the developers who live on top of it.

And to do this we're building a global cloud platform which means that we are giving you a scalable, easy to use, unified control plane to make anything connected to the Internet faster, safer and more reliable regardless of how you build your infrastructure whether it's on-prem, private cloud, public cloud, SaaS, whatever it may be we want to help you out.

Now we deliver this as a portfolio of solutions that we talk about from the perspective of security, performance and reliability and as Usman just dug into that whole platform down below we build API first so you can build on Cloudflare as well.

Now I'm going to spend some time digging in on each of these different categories.

Now the interesting thing for me though as I start to do that is I just showed you the what but the secret sauce, the superpower of what truly differentiates Cloudflare four things.

The first is shared intelligence.

Now you've heard today that we service over 20 million Internet properties across the globe.

This breadth, this depth, this diversity gives us unprecedented signal and information that we then learn from and fold back into our products to make them better, faster, stronger and more secure.

The second superpower is network scale. Again you've heard this today already.

We're in 194 data centers. That's amazing but one of the things that's actually key from a product perspective is the homogeneity of that network.

Every box in every data center is doing the exact same thing.

It's built the same way which means that we can quickly and easily use all of that capacity to deliver and accelerate traffic, protect or distribute.

That homogeneity also helps us deliver quickly.

It enables us to push instantaneously around the globe as we deliver new product.

And that's actually a benefit we extend to our customers so that as you're deploying a new firewall rule or a new worker application you too take advantage of that instant push to the edge.

The third is ease of use and I have to tell you as a product person like this is one of my absolute favorites because people who live in product aspire to take complicated things and make them simple.

And this is really truly one of the superpowers of Cloudflare as we take the latest and greatest innovations across the industry and we work to make them addressable and usable by a broad and diverse group of people.

And then finally you know as I talk to customers as they're in this journey to the cloud they say I want performance but not at the expense of security and I want security but not at the expense of performance.

And frankly at Cloudflare we don't believe that this is a trade-off.

We believe in the and and so we have built from the ground up an integrated platform to deliver these things and I'm going to dive into those now.

Now first up I'm going to talk a little bit about security. When it comes to security our vision is to enable teams of any size or any technical sophistication to be able to keep their sites and applications secure.

And again so a key focus for us is leveraging the superpowers.

Now one of the things that's hard for people sometimes to understand is what it means to actually operate a Cloudflare scale.

And so for me I always strive to make things visual. So I said well we protect from 44 billion attacks per day.

So I went into the engineering team I'm like you can be a graphic that actually shows the attack map and they're like we can't even compute a graphic that will get you that.

I said okay what can you give me they're like well we can give you a slice of 30 minutes.

So this is 30 minutes in the life of Cloudflare DDoS.

And I like this graphic because what it does is it shows you a bunch of things one is hundreds and thousands of attacks are happening every moment across the web.

It also shows you the breadth and the depth of the diversity of the security challenges we're all facing.

Now you got the big juicy volumetric things right but you also see the smaller attacks the low and slow attacks.

And what I like about this map is that the people on the receiving end of these attacks never knew they happened.

Because Cloudflare was able to detect and mitigate them at scale.

And that really is the truth and the backbone of what we do from a security perspective.

But it's not just broad attacks we're thinking about.

We're really thinking about how do we address the critical security use cases that many of you are facing.

When I talk to security folks whether it's an individual security engineer or a CISO three consistent themes come up.

The first is how do I stay one step ahead of the people who are attacking my applications and working to take them down.

The second is it's not just enough for me to think about how do I protect and keep my applications secure but how do I make sure that the underlying network on which these all run are also secure and performant.

And then finally how do I make sure that the security I am creating and delivering is also easy to use and flexible so that my workforce can get easy access to the systems they use on a regular basis.

So I'm going to start by clicking into the first use case here which is really thinking about how do we protect ourselves from these application layer challenges.

Now as Michelle talked about, Usman talked about, if you ever talk to Matthew Prince our co-founder and CEO he will say that one of the things we do is actually patch the Internet.

Now if you think about this, especially in this changing landscape, it's really difficult to think about where would you put that patch because the landscape of the Internet is constantly changing.

And so our focus and our emphasis has been to build and deploy scalable secure solutions on the edge of our network to do that detection and mitigation for you.

One of the most powerful ones for us, one of the things we're best known for is actually our DDoS solution.

We are actually the only provider in the market that not only offers a always on DDoS solution, we are also the only provider in the market that offers you unmetered mitigation, which means we don't actually charge you for that malicious traffic.

How do we do that? It's about the superpowers, right?

So start first with that network scale. Again, that 194 data centers worth of boxes in that homogeneous architecture means that we have unprecedented capacity to absorb those attacks.

Our shared intelligence actually acts like an immune system.

So every attack we see is a learning experience and we use it to make our detection and mitigations stronger and more powerful.

And finally, when it comes to ease, frankly, our DDoS solution could not be any more easy to use because it's just on.

Now sometimes you want more fine -grained control and that's been a big investment for us over the course of the past couple years, which has been continuing to enhance our firewall.

What I'm actually showing you here in this graphic is a solution that we launched about a year ago, which is what we call our firewall rules builder.

I mentioned before that our security vision, our strategy, and our goal with security is to make sure that teams of any size or technical sophistication can author deploy solutions at scale.

So our goal here from a design perspective was make it as easy to use as writing an email filter and that's what we've delivered.

But it also takes huge advantage of that shared intelligence.

So for example, we have a robust corpus of IP reputation and we make that available to you as you're authoring these rules and you're looking to protect your site.

And finally again, that network scale enables you to author and deploy a firewall really instantaneously.

So if you find yourself under attack or dealing with a malicious or difficult situation, we got you covered in a matter of seconds.

Now one of the big concerns I've heard growing from our customers is bots.

And by our math, we believe that about 40 percent of traffic on the Internet today is bot related.

The hard part is are they the good guys or the bad guys, right?

Because there are some bots that are actually mission critical to our business, right?

The Google bot that actually indexes you and puts you in their search index, that's critical.

You don't want to block that. You also don't want to block out your customers.

But you do want to stop the malicious folks who are scraping information off your site, stuffing credentials, and stealing your information.

Bots is a business we've actually been in since day one and it's a place where our shared intelligence really shines.

We're able to use that intelligence and detection to quickly and easily identify and help customers classify that traffic so they can put in place the appropriate level of pass -through or challenge.

The thing I also really like about with bots is that that shared intelligence also makes our solution incredibly easy to use.

Unlike other solutions where when you sign up you need to integrate with them and then you need to train their product for a matter of weeks if not months to help them understand the patterns on your site, we're an instant on solution because we're able to bring our shared intelligence to you the moment you connect your solution, we're able to start helping you mitigate from there.

A great example of our bot solution at work is the work that we've been doing with Last Minute.

So Last Minute is a company that runs travel sites in over 40 countries and they deal with close to about 60 million unique visitors across the globe.

So they're dealing with a lot of breadth, a lot of depth, and a lot of diversity.

They found themselves on the receiving end of quite a few bot attacks and the bot attacks were challenging for them on two fronts.

First, it made it difficult for them to understand and make sense of the analytics.

Is this information I'm seeing in my analytics true or false? The other challenge they had is that these bots were stealing the crown jewels of the company.

They were scraping price information and using it to compete with Last Minute.

Now Last Minute had a bot solution in place but they were pulling their hair out because it was taking them too long to do the detection and mitigation and the complexity across their entire portfolio.

So they partnered with Cloudflare and using our API we were able to quickly and easily migrate that large portfolio sites onto our platform.

By partnering and working with Cloudflare we're now helping to block over 200,000 attacks each month and again because of that and that performance and security they also saw a 20 percent performance improvement as a result of the work of working with us.

Now it's always most interesting when we have a chance to actually talk to a customer live and I want to bring on stage Erin Dearing, our Edge architect from Garmin, to join me here on stage and talk a little bit about the work that we've been doing together.

Okay Erin, so I think many folks are probably already familiar but can you tell me a little bit about Garmin and a little bit about your role?

Sure, so I am the Edge architect at Garmin.

I've been there about almost two years now. I came from a very very large tech company in California previous to this.

Garmin as a whole, a lot of people know Garmin from the old personal navigation devices that you would have on your car and dashboard and stuff like that.

That's actually not where Garmin got its start.

In fact we are more of an aviation company, a marine company more than anything else.

So we build flight systems, weather systems for small aircraft and then some larger aircraft and then we build a bunch of marine solutions for mapping, charting, plotting, etc.

Cool. So what encouraged you guys to bring Cloudflare into the fold here?

So I was brought into Garmin to shake things up with our previous CDN provider.

We were with them for 15 years. I won't mention their name but we all know who they are.

And Cloudflare provided solutions to us such as bot mitigation, always on DDoS protection.

With our previous provider the issue was always, you know, we're paying for traffic in the WAF, out of the WAF, etc.

And we weren't really able to quickly deploy new code or changes. In some cases with our previous provider it would take us 45 minutes to propagate a change and then if we made a mistake 45 minutes to revert that change.

And that was very very painful for a company like Garmin.

And Cloudflare allowed us to fix that within seconds.

Testing and production which is not something we were able to do before. That's fantastic.

And so where do you see this going? With Garmin our products are focused a lot on, and I have one of them with me right now, which is the inReach Mini.

So this device is used and can be used anywhere in the world. It connects to the Iridium satellite network and if you mash the SOS button on the side of it a team will allow you, or will come find you within a matter, depending upon if you're on the top of a mountain or wherever, within minutes or hours.

With Cloudflare the nice thing is we never had the ability to load balance that satellite-based traffic.

And we're able to do that now. We're creating highly available solutions. One of the newer products that Garmin just released was a system for planes that if the pilot is incapacitated it can, you mash a button, the plane will radio to a tower, find an airstrip, and land itself.

That systems are being powered by Cloudflare.

So a lot of what we're focusing on, and what my team is focusing on, is Internet connected devices, IoT, 5G connected stuff.

With the presence of the new Starlink systems, the low satellite systems that are being developed, we're producing more and more products.

They're going to rely on satellite communications that work and save lives all over the world.

That's amazing. Now so if you step back and you look over the horizon, what are some of the challenges you see and as an edge architect how are you thinking about them?

For us it's how can we create a, how can we move stuff to the edge as close as possible?

Garmin, when I started, my VP would joke that we were about 10 years behind when it came to Internet technologies, and now we're on the bleeding edge, which is great.

But the issue is, is how do we create and remove the origin from the equation?

How can we push as much stuff as possible to the edge?

With Key Value Store, with workers, etc., it's made it a lot easier for us to give our customers an amazing experience.

That's fantastic.

Thank you so much for partnering with us and working with you. As I said, our customers are inspiration and you inspire me daily.

So thank you so much.

Thank you. So I asked Aaron to share a little bit about where he sees his future going, and now I want to share with you a little bit about where we see some of these security products heading in the future.

So I talked about DDoS and I talked about the visualization I'm providing to you to help you quantify that benefit.

Providing those types of robust visualizations and alerting is a key part of where we're thinking we're heading with DDoS.

Another area that we are never done with is continuing to think about how do we improve our detection and mitigation?

How do we continue to build and learn upon that shared intelligence at scale so we can handle new protocols, new challenges, and new types of attacks?

And then finally, one of the things we're looking to do is provide our customers that ease of use, so better fine-grained control and the ability to really think about and leverage a firewall at layer 3 and layer 4.

For firewall, a key area of emphasis, as I mentioned before, over the course of the past year has been ease of use.

I talked about the democratization of the interface, the creation of the firewall rule builder.

Now many of you existing customers know that for certain types of rules you still need to contact support, have them author a rule, and deploy it.

That's silly.

That's silly, silly, silly. As a product person, I want to end that. I want to put the power in your pocket and your hand and your ability to do that.

And so we're adding capabilities to the firewall this quarter that are going to make it easier for you to author those kinds of custom rules yourself.

Now the other thing we're continuing to focus on is providing more robust visualizations and understanding so you can dive in and use the visualizations to help navigate the complexities and the traffic that you're facing.

The other thing we've heard consistently is that you want to make it easy to share that information and those insights across your organization, and actually the GIF that you saw just run is our new firewall report builder.

We actually just shipped this yesterday, and it now gives you the ability to create custom PDF-based reports that you can now print out and share across your organization.

But when we think about configuration, it's not just about at the firewall level.

It's also thinking about how do we enable you to do more robust configuration at the account level.

How do we enable you to create firewall rules that you can deploy across all of the zones in your account, and how do we give you that version configuration that you need to stage and test and actually, if you need to, roll them back quickly.

And then finally, continuing to tackle new use cases and new challenges.

So continuing to think about ways in which we can help you protect your APIs and solve challenges like data loss.

And then finally with bots, a big area for us here is giving you greater insight into what is happening on your service at any point.

Any customer I talk to who's struggling with bots tells me job one is fewer false positives.

And so we want to make sure that we're giving you the tools and the power that you need in the interface and in the logs to do that analysis and make those changes on the fly.

We're also making it quicker and easier for you to deploy those bot rules yourself so you have faster time to deployment and mitigation.

And speaking of mitigation, again, we're never done with that machine learning.

So we're constantly looking to improve that detection and mitigation.

We're also looking to start publishing and sharing that information with the community as a bot directory.

So again, tons of amazing things going on at the web application level.

I'm going to switch now really to that second use case, which is really thinking about how do we help you protect not only the application but the entire network.

And with that, I would like to invite Rustam, the product manager here at Cloudflare, to talk through our efforts there.

So I'm Rustam Lalkaka.

I manage our performance and networking product management team.

And so as Jen mentioned, our bread and butter is making your presence on the Internet more secure, more reliable, and more performant.

And historically, Cloudflare's really focused on protecting and accelerating HTTP applications.

We made a bet on HTTP when we started. It was a really important protocol then.

It's become even more important over time. But one thing we've heard from customers is that the services Cloudflare provides for my HTTP endpoints are great, but I run a lot of other things on other TCP and UDP ports and over other application protocols.

And so we took that feedback and we turned that into a product we call Spectrum.

So Spectrum allows you to place the Cloudflare network and proxy in front of any layer 4 TCP or UDP application.

We've seen people apply this to custom business applications running in their data center or in the cloud, a lot of gaming and media applications to protect and accelerate gaming and video delivery experiences, and then also in front of industrial IoT devices and other interesting workloads.

So by applying Spectrum in front of those applications, you're able to protect them from DDoS using the same exact DDoS stack that protects our HTTP applications or HTTP applications in Cloudflare and also benefit from things like Argo smart routing and our firewall.

So Spectrum launched last year and sort of took off like wildfire.

And then our customer said, you know, great, you've solved my problems at layer 4 now, you support all my TCP and UDP applications, but I still have applications running at the IP layer in my data center.

Can you protect my whole data center? And we thought about that a little bit, and we said, yes, we can.

And so we moved our Cloudflare product suite from layer 7 to layer 4 with Spectrum and now to layer 3 with Magic Transit.

So it turns out being a product manager at Cloudflare is pretty easy.

You just have to be able to subtract numbers to go from 7, from 4, to 3.

So what Magic Transit does is allow you to take your whole data center or your whole IP space and bring it to Cloudflare and then have us apply, again, same DDoS mitigation and same firewalling logic you would use with our other products to your entire IP space.

And this is particularly useful if, say, you don't know what's running in your data center, right?

You might manage the network and other folks are managing the applications.

This allows you to protect all those applications without going and provisioning individual applications separately.

So one really neat thing about this is that all of these products coexist together and are controlled from the same single pane of glass dashboard and API that you're familiar with.

This allows you to protect your whole data center with Magic Transit and then stack Spectrum in front of specific layer 4 applications and then put our CDN, WAF, bot management, et cetera, all the other sophisticated HTTP products in front of applications that would benefit from that.

So what's actually available today? That fully integrated suite is live today.

So in one prefix, you can mix all those products. The same DDoS protection you've sort of grown to trust to protect critical infrastructure applies to all that traffic.

And you get access to our network firewall, which runs at the edge and prevents bad traffic from ever reaching your premises.

On the roadmap, things that will sort of land very quickly to make this product even more powerful, we're going to provide API access to allow you to control that firewall in really interesting new ways.

We'll talk a little bit more about that in a session later today.

We're going to allow you to turn Magic Transit on and off on demand, if you'd like.

Right now it's always on, but on-demand support is coming later this year.

Jen showed a screenshot of some really interesting and sophisticated dashboard for layer 3 and layer 4 attack mitigation and management.

And then on the last two pieces, connectivity and traffic acceleration, these are two things we're really excited about.

So we're working really hard to allow you to connect your data center and your network to Cloudflare using private network interconnects.

In addition to that, we'll allow you to support ingress and egress flows over that private network interconnect.

And so what that means is, if you wanted to, you could use Cloudflare as your only connection to the Internet.

This allows you to really lock things down, manage everything going in and out of your network from one place, and removes another vendor from the equation.

You don't have to pay for transit anymore if you don't want to.

Once we've done that, we're planning on applying our Argo smart routing technology to both the ingress and egress flows from your network.

And this opens up really, really interesting use cases for things like VoIP, large file transfer workloads, something you might use Aspera for today.

We can basically provide quality of service and traffic-shaping services at the edge, in addition to the acceleration of the traffic across the Internet.

So all things we're very excited about.

I'll be around today if you have any questions about any of this.

So thank you. Thanks, Rustam.

It is such a pleasure to get to the opportunity to work with folks like Rustam.

And I really do encourage you all to spend some time this afternoon with our product managers who are doing a track on performance and security, and then also on workers.

And then we'll be diving in more on the capabilities and the roadmap as we go.

Okay. But click and ride along. We had that third use case for security. And this is about how do I make it easy for the right people to get in?

Because when you think about security, it is as much about keeping the bad guys out as it is about making it easy to get the right people in.

But this is getting harder and harder for all of us.

Because, frankly, the way we work is changing. We used to run desktop applications and clients on computers.

But the majority of our teams today are running cloud-based applications on their mobile devices.

While that profile has changed, the need to keep the applications and the content within them and the data within them secure remains.

It used to be, back in that old days, that you could actually just create a secure perimeter using a VPN and just focus on securing the perimeter as the way that secure the applications.

But that just won't work in this quickly changing heterogeneous landscape that we all live in today.

And that's where Zero Trust comes in. Zero Trust is the mindset that you can no longer just rely upon the notion of trusting based on what is on the inside or outside of your perimeter.

You actually need to authenticate and identify at each and every application and access point.

Our solution for this Zero Trust mindset is Cloudflare Access.

Now, Cloudflare Access is, again, another great example of these superpowers at work.

What Cloudflare Access does is enables admins to create and configure access rules to applications for specific users to specific devices at specific times and quickly and easily use that network scale to deploy them on the edge of the network.

In terms of ease of use, well, frankly, it couldn't be easier to use and configure because we integrate with all of the leading identity providers.

So this means that it's not only easy for the admin to create and configure, it also means that it's easy for end users to quickly and easily access those applications.

There's no pesky client to wrest your work from. And as a result, also, we're able to make it highly performant and highly secure.

Now, with Cloudflare Access, it's, frankly, just the tip of an iceberg for us as we start thinking about where are we heading as an organization.

So we've talked a lot about the efforts that we're making around securing web applications and we're securing the network.

We're also thinking increasingly about how do we leverage some of those same technologies to help you secure your enterprises.

And, of course, the way that we build product, as Michelle alluded to before, is that we build and we dog food it ourselves.

And so we have a solution that we're running internally right now that we call for business, or as I call it, Quad 1 for business.

Now, this is actually a funny use case. So some poor unsuspecting new employee at Cloudflare, I kid you not, at orientation recently, within hours of joining the company, went to a phishing site and accidentally tried to download a Google Chat client.

Poor, poor, poor person, right? They wanted the company. But the good news is they weren't successful in actually downloading the malicious software because we're running Quad 1 on the edge of our network and we're actually paying attention to all the traffic that goes in and out of our network.

And so we were actually able to detect and identify the malicious site, leveraging our shared intelligence, we're actually able to block the download.

Now, many of you are thinking about, sort of, how would this apply to me?

And, frankly, anybody that has their internal network connected to the Internet needs a solution like this.

And part of the power of this solution is that it's built on top of our resolver, our consumer-facing resolver, 1 .1.1.1.

So it's highly performant, highly scalable, and highly secure.

So it's just the tip of the iceberg as to how we're thinking about extending that Zero Trust model and our solutions into the enterprise.

So as you look at the roadmap for access going forward, we're thinking deeply about how do we integrate more deeply with your security solutions?

How do we support your device postures?

How do we give you the tools that you need to be successful, like a forward proxy and the robust analytics to understand what's going on?

And then how do we help support those additional use cases? How do we help with the data loss prevention and create that secure web gateway for your organization?

And, again, as I mentioned, we'll be doing some talks on this later today, and you definitely should check out Irta's session on access.

Okay, shifting gears now to performance.

And, frankly, when it comes to performance, we are maniacally focused on one thing, which is reducing the amount of time it takes to get one bit of data from one place in the globe to the next.

A bit about how we think about doing that.

The first and foremost thing is just own it end to end. And this is really the power of what we've been able to build with our integrated global cloud platform, because we are able to see traffic as it goes from the eyeball all the way to the origin.

And this insight gives us the opportunity to think about how do we optimize each and every one of those steps for performance.

The second is really to be everywhere.

And we've showed you this map multiple times today.

194 cities globally. We're within 100 milliseconds of 99 percent of the Internet connected population.

Now, a blink of an eye is 300 to 400 milliseconds, so you get a sense of really how close we're actually getting the information.

It's not just about building the network, it's also about building that robust infrastructure that enables you to cache those static assets quickly and easily on the edge of the network to be able to take advantage of that proximity to the eyeball.

In cases where caching isn't possible, when you really want that dynamic site acceleration, our solution is Argo.

And as we talked about Argo already, we think of Argo effectively as ways for the Internet, because we're using that shared intelligence, that 8 million requests we get per second, to identify traffic bottlenecks in the Internet and dynamically route the content and the data around them.

So it's quick and easy to get the content into the hands of the users anywhere they may be on the globe.

Now, when it comes to performance, it's not just about the network.

It's also about the content that passes across that network.

Content optimization can have huge performance benefits, but for many it's a timeless, it is a heartbreakingly timeless and difficult and never-ending effort to manually do it.

For example, if you have to identify and optimize every single aspect of your site, you have to constantly do it again and again.

But part of the power of what we do in our network is we use that shared intelligence not just to think about how we route traffic, but also to learn.

To learn at scale what type of optimizations will really matter, and then we package them up and we make it quick and easy for you to be able to take advantage of them.

A couple of examples I want to use here.

So the first is image resizing. All of us are used to engaging with, building, and delivering applications that have big juicy images that drive engagement.

Now, the challenge you have is that all of your users have different devices with different screen resolutions operating on different networks.

To ensure you have a highly performant experience, you would need to optimize all of those images constantly and then store them and then manage them, and that's a headache.

So with image resizing, we actually do this for you on the fly.

We do it from the edge of our network and we enable you to just hand us your images and we give the right one, the highest profile image, to your end user.

The second is H2 prioritization.

Each and every one of you are building sites and applications that are made up of dozens, if not hundreds, of different resources.

The order in which those resources load has a huge impact on how your user experiences your application.

You're only as fast as your slowest resource.

So, left to its own devices, the browser's kind of lazy, right?

It's just like, I'm gonna start at the top. I'm just gonna keep going and going and going and going and going, but no attention to detail as to actually what's holding us up.

With H2 prioritization, you hit a toggle on the dashboard and we automatically detect and identify what is the optimal order in which those resources should load to create a fast experience for your end user.

And finally, with our speed tab, frankly, you can't fix it if you can't see it.

And with the speed tab, what we're doing is we're giving you great insights into your end user's experience through their website so that you can identify the optimizations that you can choose to make on the fly.

I want to double click on the speed tab because it's super fun.

We've had it out now about six months and I think the uptake of this feature has been phenomenal.

One of my favorite features on the speed tab is what we call the filmstrip.

And what the filmstrip does is actually shows you frame by frame time to first byte for every single one of your users.

And it helps you identify where things are working and where things are sticking.

In addition to giving you that insight, it also gives you hints around the optimizations you could be turning on within Cloudflare to realize the performance benefits that you have at your fingertips.

Another one that we recently announced, Michelle touched on it earlier, is browser insights.

Now on the product front, we always talk about walking a mile in your customer's shoes.

And many of us rely upon synthetic tests to help us assess what that end user experience is with our sites, whether it's catch points, whatever it may be.

But the problem is you're not dealing with synthetic people, you're dealing with real people.

We have the intelligence, the insights, because we deliver that traffic end to end to know what your real end users are experiencing.

And so with browser insights, we're giving you that real insight into the loading pattern, the time spent on each and every one of those resources, so you can get a sense of where they are sticking, where they are working, and where those performance improvements can be made.

We're also giving you a sense of what that impact is to your global audience, enabling you to think again, what about the optimizations I could be making to improve that performance for every single one of our users.

One of the things I love about working with e-commerce companies is that there really are very few places in the industry where there is no clear indication that time is money.

We've had the pleasure of working with All Saints. Many of you may be familiar.

They're a British e-tailer. They have presence in over 200 stores in 27 countries, as well as a huge online presence.

Now the problem that they had is that their site, like all e-commerce sites, are dynamic experiences.

And as they were trying to engage with their users across this broad global footprint that they had, they were experiencing incredibly high latency, which was impacting their bottom line.

By partnering with Cloudflare and turning on Argo, they were able to realize a 21% performance improvement right out of the gate.

And again, because we deliver performance and security, that we're not only able to deliver a more performant experience, but also a more secure experience, blocking over 88,000 attacks within the context of a 24-hour period.

Speed and security. So where are we going from a performance perspective?

You know, Michelle and Usman both talked about our network and the power of our network.

If you think about it, and as Usman talked about, we continue to innovate and think about how do we encroach upon the speed of light?

How do we continue to remove that latency that is the world of pure physics?

But until we're actually able to do that, the most important thing we can do is continue to bring the edge of the network closer to more and more users.

And so we're going to continue to focus on how we expand our network as your end users' experiences continue to grow.

So you can continue to deliver more and more performant experiences to a larger and larger population.

The second is we're continuing to think about how do we make our network smarter?

I talked a little bit about Argo, again, the ways for the Internet using that shared intelligence to think about how we dynamically route that traffic.

We continue to look and optimize each and every one of those aspects and continue to learn from that traffic to continue to make the underlying strategy of Argo faster.

Now, I talked about our superpowers, and what I like to think about sometimes is when we're able to bring some of those superpowers together and bring those innovations together.

So bringing the power and the optimization that is Argo to Spectrum for those applications, and also as Rustam talked about, bringing Argo and Magic Transit together to ensure not only security but also a highly performant network layer.

And then finally, thinking about how do we continue to give you the insights that you need to better understand what is happening with your site and application at any time.

So we're continuing at actually full force right now to make a big push around product analytics, and you'll see a bunch coming out from us on this really soon.

We're also focused on how do we start bringing you the analytics not just at your zone level but at your account level.

And because we build API first, we want to give you access to those same APIs.

We're going to be making our GraphQL API available to you. So if we're not giving you the visualization that you need, you have easy access to the API and the data to build them yourself.

And then finally, we're also focused on not just giving you the visualizations but also making it quicker and easier for you to take action on them.

And so we're actually bringing to market some monitoring services where we're able to not only alert you but also then roll over to different services to make sure your other site stays up online.

We actually have a team here today.

We're doing quite a bit of research on alerting right now. And so during lunch, there'll be a couple folks over in this podium here in the corner doing some research on alerts.

So if you have a moment to stop by and give us your thoughts, we would love your input.

As I said, you guys are the inspiration. So just in closing, I close again with a mission.

Our focus really is to help build a better Internet, to help create an Internet that is more performant, more reliable, and more secure for anybody and anything connected to it.

We've made great strides in the nine years that we've been here, but as Michelle likes to say, it does feel like we are just getting started.

So with that, I would like to thank you.

I believe we're going to break now for lunch, and then after lunch, we'll be breaking into afternoon sessions.

Thank you again. So I'm going to talk to you today about how Cloudflare built the network of the future, and also how Cloudflare is eating the boxes.

I'm Rustam Lalkaka, and I'm a director of product here at Cloudflare focused on performance and networking.

So our entire network and product suite is built on a couple principles, and I'll talk to you about a couple of them today.

And I'm also going to announce a new product built on those principles.

So let's dive in. One thing we've been focused on at Cloudflare since the start is how we can scale our network out instead of scaling it up.

That means how can we add more data centers and add more machines in response to increased demand instead of just making machines bigger and special?

Now, in 1992, Bill Clinton ran for president of the United States, and his campaign slogan was, it's the economy, stupid.

If I ever run for president, my campaign slogan is going to be, it's the network, stupid.

It's the basis of everything we do at Cloudflare.

Combining that network with really, really smart software, we're able to deliver incredible experiences to you, our customers, and your users.

By combining that network and that software, we're able to disrupt what's historically been the domain of really expensive, specialized network security and performance hardware.

And as we've built that software to eat those boxes, we've been really focused on how we can allow you, our customers, to not pick between performance and security.

You should be able to have both at the same time because they're better together.

Now, here's our network map, which you've seen a couple of times already today.

And again, this is really the basis of every product we deliver.

By being in 185 cities around the world and being so close to so many Internet users, we're able to deliver our performance and security products with unprecedented speed and security.

So again, we're in 185 locations around the world.

We have 30 terabits per second of network capacity. And at peak, we're serving over 14 million HTTP requests per second.

One thing we've heard from customers is you guys want to know more about how the service is actually delivered, what hardware is running underneath the covers, how these things are actually networked together, and what software is actually running.

So we're going to peel back the covers a little bit here.

So hardware at the edge. This can roughly be broken down into two categories.

We have network devices like routers and switches that take traffic from our transit providers and distribute it to our computers.

And then we have those computers themselves, the server hardware.

So on the router side, we procure from multiple vendors, Cisco, Juniper, Arista, no Huawei, like John mentioned this morning.

And that's partially to avoid one vendor-specific bug taking all of our devices and all of our data centers down at the same time.

We want some diversity there. And by using multiple vendors, that also means we can't rely on vendor-specific features.

We kind of have to play to the lowest common denominator here.

And on the server hardware side, we use a workload-specific chassis, motherboard, and custom Intel CPUs.

But at the end of the day, these servers are very similar to the laptops you're using right now.

They're x86 hardware. So here's a blown-out view of one of our Generation 9 servers.

So this is the most recent generation to enter our data centers.

On the left, you can see some hard drives. The middle is a 2U rack -mount chassis.

And on the right is four compute sleds and two power supplies. So those compute sleds, each of those contain 256 gigabytes of RAM and 48 Intel Xeon cores.

So in this 2U rack-mount unit, we're able to pack 192 latest generation Intel Xeon cores.

So very, very dense configuration. Now, every single one of these machines in our data centers is performing all roles.

So each generation of machines is exactly the same hardware, and they're all running exactly the same software.

This allows us to highly automate our provisioning process, so much so that we've actually written the book on network automation at scale.

We might be able to find copies of this if anyone's interested.

So first principle, we've maintained this maniacal focus on allowing ourselves to scale out, be able to deploy more data centers and more machines quickly instead of making any one machine more powerful.

And that allows us to manage our fleet of machines like cattle instead of like cats, because this is a lot easier to manage and scale than this.

And that focus has allowed us to go from 100 data centers in December of 2016 to 185 today, a little more than two years later.

Okay, so that's the network map. How do we actually connect all these dots?

How do we actually bring traffic to these data centers, and how do we move traffic around between them?

So any conversation here at Cloudflare has to start with Anycast.

Anycast is traffic and network management technique that allows us to treat all of our data centers the same way we treat our servers.

Every data center is the same and can handle any traffic at any time.

And this homogeneity allows automated provisioning and advanced traffic management.

So let's walk through an example. Here's a very constrained baby example Cloudflare network map.

We have data centers in six cities here and users on the Internet.

So say a user in Amsterdam requests content from one of your sites.

BGP and Anycast combine to do the right thing and send that user to our Amsterdam location where they're able to retrieve cache content, interact with our security products, etc.

Now as we add data centers, say one in Lagos, Nigeria, users in Nigeria immediately see improved performance because they're that much closer to the Lagos data center.

And again, Anycast takes over here and makes sure that the right users end up in the right place.

Similarly, if we were to add a data center in Geneva.

So going back to that campaign slogan, it's the network, stupid.

How can we deliver more value to our customers using our network? Both this sort of how large it is and how much data is flowing over it.

So Argo is one of the ways we do that.

Because of that huge volume of traffic we carry every day, we have really, really good insight into what real-time traffic conditions look like on the Internet.

Which links are slow, which are fast, which transit providers are having trouble at any given time.

And so using that real time traffic data, just like Waze might for real drivers, we're able to push your Internet traffic across the Internet over uncongested, fast, reliable pads.

And so one of the ways we're augmenting that as we go forward is with something called the Cloudflare Global Private Backbone.

This is dark fiber linking 16 of our sites in North America and Europe right now.

And one of our major focuses for 2019 is expanding this worldwide.

Running our own dark fiber allows us to deliver even better performance with higher reliability than we would over the public Internet.

Okay. So we've talked about the hardware, we've talked about the networking, let's talk about the software that actually runs in these data centers.

So you might be noticing a trend here.

We run the same configuration everywhere on every machine in every data center.

It's all built on Linux and most of it is built in-house on and with open source software.

We try and be good citizens and open source things where we can and go upstream where we can as well.

There's no virtualization in the actual edge data centers, everything is running on raw metal.

And we're running every application on every machine.

So that includes the things that support HTTP, DNS, Spectrum, and lots more.

So nine years ago when Cloudflare started, we really focused on HTTP and building a really, really cool, performant, reliable, secure HTTP reverse proxy.

So we're really, really good at handling HTTP at this point.

And part of the reason we made that bet in 2010 was that HTTP was increasingly going to displace more application-specific protocols on the Internet.

So back in the day, if you wanted to stream live video, you might use something like RTMP.

Today you use HTTP live streaming. Even DNS, which is a sort of really reliable bedrock of the Internet, is increasingly being done over HTTP.

So in the OSI layer model, which is how networking experts talk about this sort of stuff, HTTP is a layer 7 application protocol.

So HTTP requests flow over TCP connections at layer 4.

And those TCP connections are made up of IP packets at layer 3.

As a request flows through our data center, it touches software that specializes in handling each of these classes of traffic.

So at the IP layer, layer 3, you'll find our DDoS mitigation software, an IP firewall.

At layer 4, the TCP or UDP layer, you see layer 4 load balancing, TLS termination, and advanced protocol support.

And then at layer 7, you see our HTTP specific features.

This includes our web application firewall, content optimization, and our caching layer.

And if content is not available in our cache or it's dynamic, we pass it through to your origin.

So let's walk through each of these in turn.

And one thing to focus on is that in that previous diagram, there was no hardware.

Each of those network functions is handled in software. So at layer 3, we've built an ultra high performance packet data plane, one that's able to do volumetric DDoS mitigation and the next generation IP firewall.

And we did this by basically taking a router and stuffing it into the Linux kernel.

Now, historically, this would have been a really bad idea.

Doing high performance networking on a computer was really, really slow at worst and really, really hard at best.

And to understand why, we need to peel back the covers on how an operating system works.

So if this is your computer, it's sort of conceptually separated into kernel space and user space on the software side.

And so in the kernel, you have things like network drivers that interact with your networking card.

And in user space, you have your application software, things like web servers, databases, etc.

And so as network data flows into the kernel from the network card, the kernel needs to send it to the application that handles it.

And so it copies it from kernel space to user space.

And when the user space application, like your web server, is done crafting a response, it sends it back to the kernel.

Now, the problem here is every time this purple line crosses that line in the middle, the computer is spending a lot of time copying data back and forth.

And this slows things down drastically.

So what we had to do to build things like DDoS mitigation on x86 hardware is figure out how to avoid that context switch.

And we've done that with the Express Datapath.

This is a Linux networking concept that Cloudflare invented to do high-performance networking on commodity hardware with the Linux kernel.

The Express Datapath allows us to push that high-performance networking code directly into the kernel, avoiding that context switch into user space.

And the end result is extremely complex networking logic can operate at wire speed running on commodity hardware just using the Linux kernel.

We're doing similar things at layer 4 to TCP and UDP, including stateful connection management.

So you might have noticed there's no hardware load balancing running in our data center.

So how can we distribute traffic efficiently from those routers to our computers?

And this is where something called Unimog comes in. Unimog is not a big truck.

Unimog is a versatile, performant software load balancer, also built using our new friend, the Express Datapath.

It moves packets from where they come in to where they need to be in 60 microseconds or less.

Now, when I first saw that number, I was like, wow, that's kind of slow.

And then someone reminded me that a microsecond is a thousandth of a millisecond.

So very, very fast. So the lesson here is that Cloudflare is using software to eat traditional network hardware boxes.

Traditionally, when you deployed a data center, you had to buy a router from Cisco, DDoS mitigation hardware from someone like Arbor, and a hardware load balancer from F5.

What we've figured out how to do over the past nine years is replace each of these specialized, expensive, hard-to-scale pieces of hardware with generic x86 hardware.

This allows us to scale out rapidly and deliver consistent experiences to you, our customers, and your customers' customers.

Now, just like your parents told you, it's not what you look like on the outside that matters.

It's the software running inside that matters. The software we write on these generic machines is what powers our security and performance products.

So as we build that software, we've maintained a maniacal focus on not forcing you to pick between performance and security.

You really should be able to have both at the same time.

And a good example of that is our Layer 7 application-aware security and performance suite.

So HTTP requests have full access to our security and performance products with every request.

That includes our web application firewall that Alex just spent a bunch of time talking about, Layer 7 rate limiting, caching, and content distribution, and web content optimization, including our new image resizing service.

So that's a super high-level overview of how an HTTP request flows through our data center.

Now, one thing we've heard from you guys is that for HTTP applications and increasingly TCP applications, our offerings are great.

They protect you from DDoS. The firewall works really well.

But many of you still run infrastructure on-premise, and you'd love the same DDoS mitigation and IP firewall we offer for HTTP traffic for your actual data centers.

And we were looking at this diagram, and we realized that we could actually carve off our best -in-class DDoS mitigation and IP firewall and separate it and sell it directly to you as a product and allow you to put it directly in front of your data center.

This is Layer 3 infrastructure protection. We're announcing infrastructure protection and acceleration for the modern network, whether that's our network or yours.

So why would we actually go and do this? You've got on-premises infrastructure and your own IPs.

You're using BGP to manage that.

That infrastructure gets attacked. It's a really juicy target. And those attacks take down your data center, potentially just taking down your entire presence on the Internet.

Traditional DDoS scrubbing is really expensive, inflexible, and kind of slow.

We want to change all that. So with Cloudflare infrastructure protection and acceleration, you'll get access to the best-in-class DDoS mitigation and next-generation firewall, the same thing we just talked about.

We're going to make your traffic faster than the Internet, not slower, using things like Argo smart routing and our global backbone.

And we're going to give you full access to our programmable network edge with the insight and control you expect.

So here's a company that we're working with as we build out this product.

They're a prominent Swiss company.

They don't want to be named. They get attacked every day. And they're tired of interacting with their scrubbing provider over a telephone.

They want to use APIs and human contact to manage their service.

And they're looking for a modern take on DDoS scrubbing.

They think Cloudflare is that. Here's another example.

Bowdoin College is a college in Maine in the US. It was founded in 1794, which makes it one of the oldest schools in America, probably really, really young in the European context.

But they have a very large IP space. They have a slash 16 IPv4 block.

And so that's 65,000 IPs. And existing providers see that large IP space, even though they're not carrying a bunch of traffic.

And they deliver these giant quotes to Bowdoin.

And so we want to fix that. We want Bowdoin to be able to afford best-in-class DDoS mitigation.

So we're going to be disruptive both on the technology front, but also on the pricing front in this market.

So let's just run this down, what we're building versus what's existing in the market.

So just like everyone else, we're going to use BGP and allow you to bring your own IPs to the Cloudflare network.

We're going to return traffic to you over GRE, or what's called a private network interconnect, if you want to physically plug into our network.

But that's really where the similarities end.

We're going to scrub your traffic with our entire global network, so 185 data centers around the world, instead of just a handful like the incumbents.

Turning Cloudflare on and using us to scrub your traffic is going to make it faster, not slower.

And we're going to do that by being close to users and by using things like Argo.

And we're going to really work hard to integrate our Layer 3, 4, and 7 products.

So if you're using Layer 3 DDoS mitigation, you don't have to forego our Layer 7 CDN.

You can have both together.

You're going to get the best DDoS mitigation in the business, and it's all built in-house on commodity hardware by experts in this building.

So we don't need to rely on external vendors to troubleshoot problems as they come up.

So we're applying all these principles that have built the Cloudflare network and product suite into what they are today to Layer 3 infrastructure protection and acceleration.

We're going to use our massive scale. We're going to use our massive network.

We're going to do this all in software without specialized hardware boxes.

And we're not going to force you to pick between performance and security.

We're going to be always scrubbing, all the time, from everywhere. This is coming really soon.

So if you want to learn more, know more, please get in touch.

Rustem at Thank you.

Thumbnail image for video "Cloudflare Connect"

Cloudflare Connect
Connect to the future of networking and security. Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable. Connect is Cloudflare's flagship event that will connect attendees directly...
Watch more episodes