Cloudflare TV

⚡️ Speed Week: Project Turpentine

Presented by João Sousa Botto, Sven Sauleau
Originally aired on 

Join our product and engineering teams as they discuss our newest release, Project Turpentine!

Read the blog posts:

Visit the Speed Week Hub for every announcement and CFTV episode — check back all week for more!

Speed Week

Transcript (Beta)

So welcome everyone. We're live here on Cloudflare TV. I'm João Sousa Botto. I'm a PM here at Cloudflare amongst other projects.

I have Project Turpentine that we're introducing today and I'm here with Sven.

Sven, who are you? Hi, I'm Sven. I'm working for Cloudflare as well and I'm one of the lead architects of the Turpentine project.

Well, you are the brains behind Turpentine so I I love it. No need to be modest.

For those of you that don't know Project Turpentine just yet, Project Turpentine is being announced today as a way of migrating from your legacy VCL -based configuration to a modern configuration on Cloudflare.

And the whole goal of Turpentine is that it's pretty much zero work for you.

You don't need to train your IT teams.

You don't need six, seven-figure budgets for migration. You don't need to spend a bunch of months.

What we do is actually some really automated stuff.

And I'm using the royal we here obviously because Sven is the brains behind this entire thing.

So how does Turpentine work? Turpentine essentially is a parser for your VCL.

So you give it your VCL, you go to your configuration dashboard.

If you're another provider and you want to migrate off of it, you export your full VCL.

You send it through the tool and Turpentine parses it. And on the other side, we get TypeScript code that is running on a Cloudflare worker, which by the way, shameless plug here, you may have seen that Cloudflare workers are now the fastest serverless platform in the world.

We announced that earlier this week.

And by the way, it's super flexible as well. Sven, do you want to tell us a little bit about, well, let's go backwards.

Let's start with the end. What does the output of Turpentine look like?

What do you get when you run this thing?

Yeah. So as you said, the goal is to have a new modern way to do VCL. And so Turpentine is going to emit a TypeScript project that is targeting Cloudflare workers.

And also for a few things like specific load balancing and firewalls, we may use Terraform as well.

So the output of Turpentine is actually an entire TypeScript with Terraform setup for your Cloudflare worker.

It's actually ready to be deployed once you add the API keys and that kind of stuff.

So TypeScript is also a new modern JavaScript and it's safe to work with.

And it's really the new, I guess, one of the best languages for Cloudflare Workers, in my opinion.

That's fantastic.

So one thing that we wrote a bunch about in the blog is that in the past, 15 years ago when VCL came into the picture, people were trying to configure their networks.

And so some people got really good at VCL and they were doing all kinds of spectacular things in configuring their networks using this technology.

But right now, you're stuck in a situation where one, you only have one, two, three people maybe in your entire company that know how to write in VCL code.

And so that's kind of hard for a company to maintain when only a few people can contribute.

And on the other hand, the other thing is that people don't just want to configure their networks anymore.

They want to really program it. They want to make their infrastructure live with the rest of everything else that is happening around them.

You have containers, you have all sorts of software running at your company, and you want to be able to have the same flexibility and to program your entire infrastructure.

And that's where Turpentine comes into play. Because Turpentine outputs code that, well, it's human readable, it's very well documented, and we're going to talk about it in a second as well.

But in addition to all of that, Turpentine produces code that is in one of the most commonly used programming languages in the world.

It's TypeScript. It's essentially JavaScript. And so many, many millions, billions of people know this programming language.

And those that don't, there's another equal number of people that are in the path of learning how to use those things.

So it becomes a lot more flexible. And again, you just get this code and you run it on a worker, and actually Turpentine does it all for you.

It creates the code and it moves it to the worker.

So tell us one thing. What does it actually do behind the scenes?

So I gave like a little quick introduction about what this is, but behind the scenes, what does Turpentine do?


So you can see Turpentine as some kind of compiler or transpiler more specifically.

So as you said, it's going to take that big VCL and pass it into some internal data structure where we can capture the meaning of the program.

Then we have a second, so that's the first phase.

Then we have a second phase that is going to look at the data structure, trying to optimize what we can, trying to remove things that we don't need.

We're also going to rewrite a couple of things to be compatible with Cloudflare and trying to make things a bit better.

And after that stage, we're going to start emitting some typescripts and some tail form, depending on what you need.

And so once you have those files written on disk, we start to create that worker setup for you.

So we use a technology that is called Wrangler.

That is the tool we use to deploy our worker. And it's something public.

It has been there for two years, I think, or one year. So you have that Wrangler project that is set up to compile typescripts and run tail form.

So everything is kind of set up in that last phase for you.

Everything is wired up and ready to go.

Fantastic. So it's all JavaScript and it's all Terraform. And Terraform, by the way, I know most of you probably already know this, but Terraform is widely used.

It's something that most infrastructure providers have available and that we've had available at Cloudflare for years.

We have Terraform for controlling your firewalls, load balancers, pretty much your entire caching infrastructure.

You can use that already for a bunch of things. And now, well, you can use this additional thing.

You can use this JavaScript code that we're essentially writing for you.

Well, there's no real human writing that code because it's smart enough because of Terpentine.

So tell us a little bit more about this. So we talked about the code that is output from Terpentine.

It's cleaned up. It's human readable.

It has lots of comments. We preserve the meaning from the initial VCL and we make sure that we're not only translating word for word what shows up in the VCL or function for function.

What we're actually doing is we're optimizing it to the features that exist on Cloudflare.

So one example when working with big customers is there was a bunch of VCL code that was written for rate limiting because their current vendor didn't support rate limiting natively and they had to write it in VCL.

And what did we do? Well, we translated that from our VCL, from the code that we find in the VCL to actual configuration of rate limiting natively on Cloudflare.

So how fast is it? When we get this code, we wanted to really make sure that it's readable, that people can understand, that people can contribute to it.

How fast is it running on a worker? It's actually pretty fast. You might have mentioned this in the beginning, but there's a blog post that went out this week, which shows how fast the worker actually is and compared to other how it is actually the fastest based on some external measurements.

So we know it's fast, we have measured it and it's fast.

And in the Cloudflare Workers core, you have the thing called V8, which is the JavaScript engine used in Google Chrome and other various places.

And this already has been well-optimized by the V8 team and many, many, many persons are using it and optimizing it further.

And so we integrate that and we integrate many other features that we have built ourselves.

And every time V8 releases a new optimization, we have this just routine.

And the next day we ship it and it's faster for everyone again.

And that's not exclusive to Turpentine, is it?

When we talk about V8 and the native support for JavaScript, that's part of workers because you can run your code on workers, any code that you want pretty much.

Yeah. Turpentine is just another customer of Cloudflare Workers. So Cloudflare Workers is the platform that enables us to be fast.

Yeah. And it's fully distributed, running on the edge.

We've seen companies build some pretty amazing things on top of Cloudflare workers.

It's fast, it's distributed, and it supports a lot of programming languages.

JavaScript, TypeScript, that's only a couple of them.

There's a bunch more. So with Turpentine, when we talk about Turpentine, we've been iterating on this thing with a bunch of big, big customers.

And today we're actually opening it up as a private beta. On our blog post, there's a link to connect to us and to sign up for this private beta.

And what we do is, again, you tell us that you're interested.

We'll ask you for some details about your configuration for your VCL, and we're going to convert it.

So have you tried out and run your staging environment on Cloudflare?

We want to make sure that you don't feel locked in, that you don't feel like you have to go through a heavy, painful migration process, and expensive, because, yeah, migrations are never cheap.

And so with the customers that we've worked with, we got pretty close to a full migration with this.

But we always find a little edge case here and there.

And so we're not opening it up as a public beta, as a website where you submit your VCL, and boom, you get a worker immediately.

But instead, we have our engineers working directly with our customers in this private beta.

In case we find something, in case the customer doesn't understand any step of the process, we're here.

We're helping people migrate. And it's smoother than most people imagine.

Isn't it, Sven? Yeah. Surprisingly good. Yeah. I think soon we'll be ready for another announcement where we say, hey, this thing is open for everyone.

But so far, we just want to know who's interested and who wants to try it out.

With so many announcements, so many fun new things that Cloudflare has been launching and has been talking about this week, and a lot more that you'll see in birthday week, that is just a couple of weeks from now.

And yeah, we think you'll love to see this.

Sven, anything else that you want to tell us about Cloudflare, Cloudflare Turpentine, Project Turpentine?

I think it has been fun to work in.

It was one of my favorite languages, which I'm happy to work with.

And yeah, I'm happy to see more customers coming in and seeing how workers are working compared to VCL.

And yeah, looking forward also for some kind of automated website where people can just submit it and see what it outputs.

Well, we'll promise to have it soon.

So thanks everyone for watching this introduction to Cloudflare Workers and Project Turpentine.

And thank you, Sven, for participating.

Yeah, thank you. Have a good one. We are a food at work company.

We know the value of Zero Trust architectures, but we also know the incredible difficulty it is.

So I know the only way I have a chance of implementing this well, that's scalable, that can support itself over time is having the right partners.

And so I'm so excited to have Cloudflare as a security partner, because they're able to give me that tool set to do Zero Trust well.

My name is Connor Sherman.

I'm the head of security for EasyCator. When you want to feed a workforce of people, we are the go -to shop to making sure you've got everything you need.

It's my job to make sure anywhere you are in the world, you can safely log into our internal tool set.

There's a lot of inherent risk with the traditional VPN structure.

Part of the success of access for us is we were able to just bypass all that analysis.

And it was so easy just to get it going that we were able to save having to hire a specialized person to focus on VPNs.

As we are a marketplace, we have all these challenges, whether it be account takeovers, scraping, bot activity.

So being able to have risk ratings based on who's arriving at that login page really helped us remove things that were clearly bots, and then focus on dealing with more sophisticated attacks.

Bot management was a bit of a godsend for us.

It gave us a level of precision where we could show up with a scalpel, where historically we'd show up with a sledgehammer.

We block over 1.5 million attacks a day through Cloudflare, web application firewall, and bot management.

If EasyKey didn't have Cloudflare, we'd have a very bad day. Hello, my name is Jesús Muñoz.

I'm a sales specialist at Telefónica Tech. I'm a sales specialist at Telefónica Tech.

I'm a sales specialist at Telefónica Tech.

I'm a sales specialist at Telefónica Tech.

The real privilege of working at Mozilla is that we're a mission-driven organization, and what that means is that before we do things, we ask, what's good for the users, as opposed to what's going to make the most money?

Mozilla's values are similar to Cloudflare's. They care about enabling the web for everybody in a way that is secure, in a way that is private, and in a way that is trustworthy.

We've been collaborating on improving the protocols that help secure connections between browsers and websites.

Mozilla and Cloudflare collaborated on a wide range of technologies.

The first place we really collaborated was the new TLS 1.3 protocol, and then we followed that up with QUIC and DNS server HTTPS, and most recently, the new Firefox private network.

DNS is core to the way that everything on the Internet works.

It's a very old protocol, and it's a very old protocol, and it's a very old protocol.

It's also in plain text, meaning that it's not encrypted. This is something that a lot of people don't realize.

You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.

When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.

The idea was that Cloudflare would run the server piece of it, and Mozilla would run the client piece of it, and the consequence would be that we'd protect DNS traffic for anybody who used Firefox.

Cloudflare was a great partner with this, because they were really willing early on to implement the protocol, stand up a trusted recursive resolver, and create this experience for users.

They were strong supporters of it.

One of the great things about working with Cloudflare is their engineers are crazy fast.

So the time between we decide to do something, and we write down the barest protocol sketch, and they have it running in their infrastructure, is a matter of days to weeks, not a matter of months to years.

There's a difference between standing up a service that one person can use, or ten people can use, and a service that everybody on the Internet can use.

When we talk about bringing new protocols to the web, we're talking about bringing it not to millions, not to tens of millions.

We're talking about hundreds of millions to billions of people.

Cloudflare's been an amazing partner in the privacy front. They've been willing to be extremely transparent about the data that they are collecting, and why they're using it, and they've also been willing to throw those logs away.

Really, users are getting two classes of benefits out of our partnership with Cloudflare.

The first is direct benefits. That is, we're offering services to the user that make them more secure, and we're offering them via Cloudflare.

So that's like an immediate benefit these users are getting.

The indirect benefit these users are getting is that we're developing the next generation of security and privacy technology, and Cloudflare is helping us do it.

And that will ultimately benefit every user, both Firefox users and every user of the Internet.

We're really excited to work with an organization like Mozilla that is aligned with the user's interests, and in taking the Internet and moving it in a direction that is more private, more secure, and is aligned with what we think the Internet should be.

When the server crashed and all hell was breaking loose, I woke up in the morning and said, hey, what the hell's going on here?

Testing one, two, one, two.

Can you hear me all right? So I will begin from the top.

So tell us about the COVID Symptom Study app. The COVID Symptom Study app is an easy-to-use app that people download, and they self-report their symptoms every day.

Whether they're sick or not, it allows us to predict who is likely to have the virus, which areas of the country are going to get most affected, and it also allows us to predict which people are going to get sickest and need the most urgent care.

It's been an amazing success story, really. The app went viral, and within 24 hours, we had about a million downloads, and we now have over 3.3 million users around the world.

Julian, you must have been excited about the success of the app.

How did you handle so many people using it at once? At 7.55 in the UK, which is still pretty early, the database crashed.

Most of the team is actually still sleeping, and at that point, we're like, what's going on?

How is it that we're crashing so early in the day?

We launched the app really more in hope than anything else, and then it just took off.

When the server crashed and surrounded by media, we said, hang on, this has kicked off, and we can't go back now.

How are you working with Cloudflare to secure the app? I already knew some people working at Cloudflare from previous experience and just told them, this is what's happening.

We're having this great success. We could really benefit from not only your expertise, but your services.

Can you do something for us? By the end of the day, we were upgraded and part of the Galileo project.

We're using it mostly for managing DNS, proxying traffic, but a lot of things at small scales, managing SSL certificates.

We're also using some features to protect access to various parts of the website, basically the admin pages, and making sure that people are authenticated, coming from the company.

Tim, what are you learning about this virus from all the data you're seeing?

Data is power, data is knowledge, and basically, there's been no data out there on what's happening to this virus in the population.

We were able to use all the symptoms that people were giving us, and we've picked up through the app lots of symptoms that people weren't recording before.

We were the first large group to pick out the loss of smell and taste. It was incredibly important.

Pretty much every day, we're finding out something new about this virus with this amazing data.

How does it feel to be part of such a successful project?

This project was never about having one million people. This project is about delivering value to the population and the research, so that's really where the satisfaction comes from.

We just had the best team at the right place at the right moment.

That's what I'm super proud about, that every one of them did their bit, and that's why it worked.

My name is Aditya, and I'm one of the founders and CTO at LumaHealth.

We partner with over 500 healthcare systems across the United States to deliver a platform that they use to build their own patient journeys.

Starting last winter, we launched our Vaccine Operations Solution, which is a full suite of solutions that let healthcare systems craft, develop, and deliver vaccines for patients across the United States.

deliver and manage their COVID-19 vaccination strategies. We partnered with Cook County, Illinois, the second largest county in the United States, with a population of over 5 million residents.

As demand ramped up, our platform began to see over 500,000 requests per second.

Hundreds of thousands of patients were looking to get scheduled for their vaccines, getting checked in at clinics and mass vaccination sites, getting text or email reminders about their upcoming vaccinations, and more.

At LumaHealth, we've been a customer of Cloudflares for over six years, but to continue to scale further, we partnered with Cloudflare's Project FairShot to utilize their waiting room.

We were able to integrate the Cloudflare waiting room within 72 hours.

We're able to fine-tune the number of concurrent users within the Luma patient experience and provide accurate information about vaccine availability for users who are waiting.

Layering the waiting room with Cloudflare workers has allowed us to scale up to virtually unlimited demand.

The result? Over 1.5 million vaccines have been scheduled via LumaHealth, and we're not done yet.

We continue to work closely with our health systems and clinic partners to help address vaccine hesitancy, ensure vaccine access to all Americans, and to help all of us chart a way out of the pandemic.

In our industry and many industries, success is measured in milliseconds, and we try at any turn to make sure that every dollar we spend for a product gives us at least that dollar back in performance.

Cloudflare's relationship with us has far exceeded that by probably four to one.

My name is John Turner, and I am the application security lead for LendingTree.

LendingTree is an online marketplace where we match borrowers with lenders.

We have partnerships with the largest financial institutions in the world.

As security teams, it's not just our job to protect the data or keep us from getting hacked.

It's to facilitate the growth of the business in a secure manner.

Cloudflare has enabled us to meet that challenge head -on on many levels.

In one particular case, we were able to leverage Cloudflare to save about $250,000 within about a day of enabling these features on a particular endpoint that was being abused.

The cost savings across the board is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost of our service with Cloudflare.

While security is extremely important to our consumers, it's not the most important thing.

They just want to click on a button and have something load up and get what they need very, very quickly.

Some of our properties, just by leveraging the built -in Cloudflare performance features, increase a 55% to 60% on responsiveness.

Every time I log in, every time I turn around, we've got new features that are popping up.

It's exciting to see that we're partnered with a company that is so involved in this process and has such a vested interest in our success and all of their customers' success.

What I would say to anyone that's considering Cloudflare, there has never been a time where I've had an issue or a problem or a question where I have not been able to reach out to someone at Cloudflare and get answers, get solutions, and have things taken care of.

What is a bot?

A bot is a software application that operates on a network. Bots are programmed to automatically perform certain tasks.

Bots can be good or bad.

Good bots conduct useful tasks like indexing content for search engines, detecting copyright infringement, and providing customer service.

Bad bots conduct malicious tasks.

Like generating fraudulent clicks, scraping content, spreading spam, and carrying out cyber attacks.

Whether they're helpful or harmful, most bots are automated to imitate and perform simple human behavior on the web at a much faster rate than an actual human user.

For example, search engines use bots to constantly crawl web pages and index content for search, a process that would take an astronomical amount of time for any human user to execute.


Thumbnail image for video "Speed Week"

Speed Week
Relive Cloudflare's Speed Week with episodes showcasing how we keep everything fast, from lightning quick configuration updates and code deploys, to logs you don’t have to wait for, to ludicrously fast cache purges and real time analytics.
Watch more episodes