I don't think they care much about a few "Pro" upgrades here and there. The real money, and their focus as a company, is in enterprise contracts. Note that Matthew Prince, the CEO, had outlined a few reasons why they have such a generous free tier on a Stack Exchange answer[1]. I think the biggest reason is this:
> Bandwidth Chicken & Egg: in order to get the unit economics around bandwidth to offer competitive pricing at acceptable margins you need to have scale, but in order to get scale from paying users you need competitive pricing. Free customers early on helped us solve this chicken & egg problem. Today we continue to see that benefit in regions where our diversity of customers helps convince regional telecoms to peer with us locally, continuing to drive down our unit costs of bandwidth.
Cloudflare had decided long ago that they wanted to work at an incredible scale. I would actually be very interested in understanding how this vision came to be. Hope Matthew writes that book someday.
When you have low-paying (or zero-paying) customers, you need to make your system easy. When you're enterprise-only, you can pay for stuff like dedicated support reps. A company is paying you $1M+/year and you hire someone at $75,000 who is dedicated to a few clients. Anything that's confusing is just "Oh, put in a chat to Joe." It isn't the typical support experience: it's someone that knows you and your usage of the system. By contrast, Cloudflare had to make sure that its system was easy enough to use that free customers would be able to easily (cheaply) make sense of it. Even if you're going to give enterprise customers white-glove service, it's always nice for them when systems are easy and pleasant to use.
When you're carrying so much free traffic, you have to be efficient. It pushes you to actually make systems that can handle scale and diverse situations without just throwing money at the problem. It's easy for companies to get bloated/lazy when they're fat off enterprise contracts - and that isn't a good recipe for long-term success.
Finally, it's a good way to get mindshare. I used Cloudflare for years just proxying my personal blog that got very little traffic. When my employer was thinking about switching CDNs, myself and others who had used Cloudflare personally kinda pushed the "we should really be looking at Cloudflare." Free customers may never give you a dollar - but they might know someone or work for someone who will give you millions. Software engineers love things that they can use for free and that has often paid dividends for companies behind those free things.
Cloudflare offered all of this for free because it gets them positive mentions (like the one you’re reading right now) and they’re educating a bunch of developers on their entire product portfolio. And what does it cost to host my blog that gets 1000-2000 views a month? Literally nothing.
By using an open, interoperable tech stack, you maintain the freedom to switch to another cloud provider at will.
This shared fluid power also creates a compelling reason for cloud providers to remain honest and competitive in their dealings with customers.
For most companies free users are just a source of potential paid customers. Such companies squeeze the free users to force them to upgrade. For Cloudflare the millions of free users strengthen their negotiating power with ISPs around the world. We provide value to Cloudflare just by being Cloudflare customers. It is possible that Cloudflare might get a CEO who doesn't understand this, but possible doesn't mean likely.
In any case, I've built my website with Astro, pulling in the Cloudflare integration as a dependency. If I wanted to switch to Vercel or Netlify or whatever else, Astro makes it easy. As for database, others offer managed Sqlite.
If all else fails, I'll ditch the few dynamic parts of the website and deploy the bulk of the site as static html to Github Pages or something.
In some ways it's analogous to investing in your local community and arguably paying tax: it's rare that you would directly and personally benefit from this, but if the environment you live in improves from it, crime is reduced, more to do, etc. then you can enjoy a better quality of life.
I'd say this too. I'm giving LetsEncrypt 100% credit for making HTTPS so ubiquitous and free.
But CloudFlare certainly made things worse for "webmaster" era of the Internet, with everything centralized to CloudFlare. I live in Vietnam, and CloudFlare has made things super annoying with their captcha challenges everywhere.
Credit where it's due, CloudFlare pushed HTTP/2 and 3 adoption. More websites are available over IPv6, and their 1.1.1.1 DNS is actually quite nice.
Cloudflare has something called Turnstile where the browser needs to do work. It's a bit of energy waste, but smooth for the user. Unless their algorithm comes to an incorrect decision and doesn't let you in. Then it's infuriating. For me in Europe that seems to be rare, but I have no idea how well it works in Vietnam.
Of course in general I do feel better about Cloudflare than Google making money.
I believe CF Turnstile was only released in 2024. I believe they used reCAPTCHA up to 2020, and then switched to hCaptcha. I believe hCaptcha continues to be offered.
I wasn't aware that they have (had) alternative solutions. Probably because I've rarely seen them. Or if they used reCAPTCHA I got mad on Google, not noticing that Cloudflare had injected it.
My worries were paypal would take over but then came stripe.
SSL certificates were from Verisign until letsencrypt offered them free. I didn't see Cloudflare changing that market.
Before them we had uunet and other backbone providers.
Cloudflare made their name from ddos protection attacks. They made that market.
My usage is pretty much limited to their DNS.
I live in India in such a situation, and most of the time it’s not too bad, but I still encounter Cloudflare CAPTCHAs pretty frequently. At times, it’s been almost half the web is blocking you. And occasionally, it actually is blocking you, not just a CAPTCHA. It’s also not rare, when being more aggressively blocked, for a site to break because it tries loading scripts from another domain, which is then CAPTCHAing so that scripts just won’t load.
Back when I lived in Australia, I practically never got Cloudflare blocks.
The mechanism may be understandable and even justifiable to a considerable extent, but the poor definitely end up suffering more from Cloudflare than the rich.
https://www.spamhaus.org/resource-hub/service-providers/too-...
I’d rather have them help everyone than make arbitrary decisions about who gets served. That’s what we have the legal system for.
The legal system is too slow and private companies have a dubious record of what they police. What’s a good model to follow?
Get the legal system in shape. Yeet everyone above pension age out of public office so that we finally may get people into power who grew up with smartphones instead of old farts who let their secretaries print out e-mails and type audio recordings into letters. Then, do the same for police leadership and DAs, yeet the brawns and get the brains. You can't prosecute IT crimes if your average police officer doesn't even know what a proxy or a money mule scam is or if the DA is too goddamn lazy to file a subpoena because the damage is less than 950 dollars.
Then, crack the whip on domestic telcos, ISPs and hosters. Whoever hosts anything connected with more than 200 users has to have a 24/7/365 abuse hotline that has the manpower and authority to investigate abuse claims and remediate them (i.e. disconnect whoever is causing the problem until this party has remediated the issue on their end) in less than four hours.
Then, crack the whip on manufacturers of smart devices. Mandate that every Thing sold with an internet connectivity get at least security updates for a decade, and that the full source code for everything in it including signing keys for firmware be submitted to Library of Congress or whatever archive and released when the manufacturer either goes bust or declares end of life for that Thing.
And then, get the State Department into shape. Countries from which malicious traffic operates or where money from scams gets exfiltrated to get half a year to get their shit in order and be good netizens, or they get cut off from Western nations. No SWIFT, no Internet, no SS7.
The Internet at its fundamental core (cough BGP) runs on the assumptions of a high-trust society, which has led to issues all over the place as the world has shifted towards a no-trust-at-all lawless society and as it is impossible to uproot probably trillions of dollars worth of infrastructure, drastic action needs to be taken to restore the Internet to a high-trust place again.
I think this makes small-scale hosting unaffordable. It would probably cost circa $150k to staff that hotline, which is then the lower bound on labor cost for the provider. That implies a $750/yr bill to each of those 200 customers before technical costs.
This is much needed so as to not have a bunch of e-waste. Of course, pretty sure this will cut into next year's new model's profit. Do we really need this new model of phone/computer every few years?
How do you propose to disconnect them from the internet? As long as there is a country that peers with them that the west peers with, they will be reachable.
Nobody wants to get disconnected from being and to call the US. This would solve the spam/scam calls issue pretty much immediately.
For the internet it would be harder to enforce.
This makes the unsophisticated scams that rely on spray-and-pray and low-take-rate uneconomical, AND provides friction against offshoring legitimate customer-service.
Yeah, you can argue people will encrypt their way around being easily taxable, but it's the "tax evasion/AML" concept-- you create something easy to prove and to prosecute, even if it would be harder to hunt down the underlying scam.
These days, with everyone having a camera strapped to their hands or face, that might not work.
They don't get to have common carrier status without any of the regulation or obligations that go with it.
- Java is cool, actually
- Java would be just as uncool even if people weren’t required to use it in school
Large enterprise doesn't value "creativity" or any deviation from standards, but it does value plans and estimates - hence clueless, brainless "managers" and "architects" forced programmers to do absolutely insane bullshit busywork that a gang of monkeys on LSD could do, and that culture spread throughout the large-enterprise world.
On top of that come "design by committee" stuff like CORBA, XML, SOAP, Java EE, Enterprise Beans and everything associated with this particular horror show, JDBC...
You can do absolutely mind blowing stuff with Java and the JVM. But fuck corporate for torturing Java and the poor sods tasked with the busywork. Java got the image it has because programmers want to be creative but could not be so because their bosses were braindead.
I don't think it was ever uncool because of the core language, it was always uncool because of the standard libraries, UIs and culture.
Putting type-erasure vs. reification to side, I'm going to disagree here: for reasons unknown, Java's language designers have adopted a dogmatic opposition to class-properties (i.e. field-like syntax for invoking getters and setters), operator-overloading, or any kind of innovation of syntax.
I appreciate the problem of backwards-compatibility (and forwards-compat too), but the past 30 years of software and programming-language usage and design shows that field-like getters/setters (i.e. "properties") are a good and useful feature to have; so if Java is going to overlook something as basic as properties (pun intended), then it follows that Java's designers will similarly disregard other language design innovations (case-in-point: if "value types" are even an innovation).
I can say there is one thing that Java has done well, and that's make a good music video: https://www.youtube.com/watch?v=1JZnj4eNHXE
-----
Yes, Project Loom's reinvention of Green Threads is cool, but that's not anywhere near enough to address Java's declining relevance and credibility as an application-programming language in the era of C# 13, Rust and TypeScript (and yes, I know Rust doesn't have properties - but the rest-of-Rust more than makes up for it). My main take-away from the past 15+ years is that Java fell-behind everyone else; it's not that C# is Microsoft's take on Java, but that Java is now a third-rate C#.
There were other products aiming to be just as good at the same time that were actually protected with dongles and such.
The one that everyone could run at home is the one that took over the world.
Cloudflare's enterprise customer acquisition strategy seems to be offering free or extremely cheap flat-rate plans with "no limits", then when a customer gets a sizeable amount of traffic they will try to sell them an enterprise plan and cut them off if they don't buy (see https://robindev.substack.com/p/cloudflare-took-down-our-web...). IMO this is pretty shrewd, as it means that companies can't do real price comparisons between Cloudflare and other CDNs until they already have all their infrastructure plugged into Cloudflare.
I've used their free -> enterprise services in multiple companies and clients. Haven't had a single bad experience with them yet. Always helpful, if a bit delayed at times.
IMO the biggest problems are how Cloudflare kept inventing excuses like "issues with account settings" to get the customer on the phone with their sales team, and the mixing of "trust and safety" with sales (like deleting their account for ToS violations after the CEO mentioned talking to a competing CDN).
All I'm saying is we can't make a determination of right and wrong without more data. All things considered, it reads more to me that the data withheld is on the original OP side rather than the CF side.
Either way, it's a unique one-off. Most of the mentions in this thread of this behavior all rely on this one experience. I think that in and of itself is probably a positive on the side of Cloudflare. If it were institutional that they treat clients like this we would hear it regularly.
iGaming is a euphemism for online gambling.
https://assets.ctfassets.net/slt3lc6tev37/4SyI8LW6SeJAGPWwZY...
Cloudflare's free tier specifically excludes video. See https://www.cloudflare.com/service-specific-terms-applicatio...:
> Content Delivery Network (Free, Pro, or Business) Cloudflare’s content delivery network (the “CDN”) Service can be used to cache and serve web pages and websites. Unless you are an Enterprise customer, Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN. Cloudflare reserves the right to disable or limit your access to or use of the CDN, or to limit your End Users’ access to certain of your resources through the CDN, if you use or are suspected of using the CDN without such Paid Services to serve video or a disproportionate percentage of pictures, audio files, or other large files. We will use reasonable efforts to provide you with notice of such action.
The R2 overview page explicitly lists "Storage for podcast episodes", but a podcast host under the free tier would serve a disproportionate percentage of audio files.
I assume they don't want to become a file sharing website, but hosting a podcast is relatively easy on the bandwidth requirements.
A lot of people who had large image collections (like myself) online struggled with revenue relative to cost circa 2012, I saw a lot of sites I respected go down, though we did see some new style social sites such as Pinterest, Snapchat, Instagram, etc. Somehow YouTube was doing much better in terms of revenue/cost with video.
Compressing images for the web is not at all trivial, I over-compressed a few million images and really regretted it. When I post to social now I use Photoshop's "(Legacy) Save for web" which has a nice slider for the quality level and find I can get images I take with my Sony to look like they came from a pro camera between 80kb (small flower, blurry background) to 800kb. I see huge splash images on blogs that are smaller, they make a good first impression, look close and the blocking is awful.
It's these petty restrictions that make these pricing policies convenient, and it hurts the market :(
https://en.wikipedia.org/wiki/Dumping_(pricing_policy) https://pricecontrol.biz/en/dumping-from-a-to-z/
If they had a limit of 50MB average per page navigation, would you call that rule consistent? It would have largely the same effect and I don't think it would affect the ease of dumping.
If I was paying a flat rate for a no limit plan, that company tried to sell me an Enterprise plan which I declined, then they cut me off, we'd be in court as soon as the clerk would schedule it.
Cloudflare doesn't want their IPs (rotating) to be affected so advised bring your own IP, which is an Enterprise feature.
The customer (a casino) was using dubious actions in different countries which impacted Cloudflare's IP trust. Tldr: Cloudflare didn't want an IP ban in their IPs due to government regulation.
The fix was to bring their own IP which is an Enterprise feature, as they weren't allowed to use Cloudflare's IPs anymore.
I'm not really sure how this works.
Suppose you have paying customers and for that you need X amount of bandwidth. If you add a bunch of free customers then you need X + Y bandwidth. But the price of X + Y is never going to be lower than the price of X, is it? So even if the unit cost is lower, the total cost is still higher and you haven't produced any additional revenue in exchange, so how can this produce any net profit?
[0]: https://www.cloudflare.com/partners/peering-portal/
[1]: https://openconnect.netflix.com/en/
[2]: https://support.google.com/interconnect/answer/9058809?hl=en
If you are a Tier 1 ISP, everyone is willing to pay you to carry their traffic and other Tier 1s just make peering agreements with you.
If you're johnscheapvps.com, you're likely to pay all your upstream ISPs for your traffic. If you're GCP or, say, digitalocean.com, everyone would love to be paying you to get faster access to all the sites hosted on your platform (and because paying you is probably going to be cheaper than their regular upstream)
So YouTube gets more favorable terms on transit bandwidth than the random site does.
Works for the ISP too, one-off cost for them to drop their side of the bill down
I use Cloudflare for hobby projects 90% of the time because it’s free. That dramatically increases the likelihood I advocate for their offerings in the enterprise
(Stratechery is down now, but the web archive is up.) https://web.archive.org/web/20250108182845/https://strateche...
It’s the same principle behind predatory pricing, which is illegal but rarely enforced. The goal is to make it too expensive for new players to enter the market, or to force existing competitors out.
Cloudflare's main income is DDOS, which is incoming traffic they pay for.
They pay for that pipeline (which you pay for up and down traffic), so they have a generous free CDN because they already pay for it.
( Unrelated to workers, ... )
> Today we continue to see that benefit in regions where our diversity of customers helps convince regional telecoms to peer with us locally, continuing to drive down our unit costs of bandwidth
If you can peer your traffic you can send it for free.
So lots of small customers, despite not paying anything, is helping to reduce bandwidth costs for Cloudflare to zero.
If they've reduced bandwidth costs to zero then they can afford to give it away for free.
I can tell you from personal experience that getting some ISPs to peer with you is hard unless you are exchanging lots of traffic already.
This is a clever playbook that has made Cloudflare a tier 1 ISP in an age when that is extremely difficult.
This reminds me of the story of how Jeff Bezos bought relentless.com. The rest is history. https://pluralistic.net/2022/11/28/enshittification/
Today, I refuse to recommend any client or startup to them because of this extremely unethical practice. All around, I'm not sure they deserve so much positive press/attention, especially after screwing some of their own employees (one even got super famous live streaming the firing).
We had discussed our requirements, our scale, our product with the sales team multiple times but it was only when we wrote down something that we could potentially have used in court that they finally acknowledged their pricing was actually nearly two orders of magnitude higher.
You seem to be pretty cagey about what your usage actually was, and whether it was indeed "straining their network". Were you using more resources/bandwidth than a typical customer would? Most ToS contains clauses that allows the vendor to unilaterally cut customers off if they're an excessive burden, even if there aren't explicit quotas, or are explicitly "unlimited". ISPs don't let you saturate your 1Gbit connection 24 hours a day, even on "unlimited" plans, but I wouldn't call it a "scam" if they told you to upgrade to an enterprise plan.
If you claim you provide unlimited bandwidth, then don't call me to tell me I'm straining your network.
I still really would like to hear a byte amount. How many bytes are you pushing per month?
I don't believe anything is ever free, and everyone promising "unlimited" will still have a point where you are just costing them too much. CF don't want to say the byte number themselves. Could someone please say the byte number. Someone?
I mean, in the business world, if you promise someone something, it has legal consequences, you can't just walk in and say "hey, remember I promised you something unlimited with no strings attached? Yeah, no"
That's exactly my problem with CF. It's not like we are a large news network or anything. We are actually very small compared to their other customers, that much I can tell you.
On the other hand, this entire HN thread was kicked off by a blog post gushing about how awesome it is that Cloudflare offers truly unlimited bandwidth for free.
I’ve been around the industry long enough to understand that anything marketed as free and unlimited is in fact a loss leader. But I also am fine with pointing out this obvious contradiction between marketing and reality.
Free of charge is different from free of restrictions. Cloudflare didn't trick anyone into signing up for these plans, and it's never been a secret that they're a for-profit company.
> contradiction between marketing and reality
I think the important distinction is contradiction between expectations and reality. Cloudflare's free plans outside of Pages have never offered "unlimited free bandwidth" but "generous free bandwidth with conditions". It just so happened that for many the "generous" was unlimited, and this precedence somehow convinced everyone that "free plan" meant "unlimited free bandwidth" instead of "generous free bandwidth with conditions".
I'm with parent in the feeling that most of the stories of Cloudflare acting in bad faith end up being the customer up to shady shit but expecting Cloudflare to subsidize them because "free plan". I'd be genuinely curious to read about an incident where I didn't side with Cloudflare.
Separate to this issue is that their Sales team employ strategies that the engineering crowd considers distasteful like phone calls, pressure tactics and private pricing. Most engineers never need to talk to a sales person outside retail, so it's a shock when you're suddenly talking to one trained and incentivized to exploit more from larger clients but is instead using those tactics on you. It's unsettling if you're not familiar with it, and leaves a bad taste in your mouth.
To be clear, Cloudflare's pricing pages have definitely included statements like "we never charge for bandwidth" for the free plan of the CDN. Here's a snapshot from exactly 10 years ago[1].
They removed it after a while, probably because it's just not true, and I don't think they make any such statements on their increasingly complicated pricing pages any more.
[1]: https://web.archive.org/web/20150116071824/https://www.cloud...
In the many years I've used Cloudflare I was never under the impression I received "free unlimited bandwidth", but "generous free bandwidth with conditions".
So if you're on a free plan you never pay for bandwidth, until you're not on a free plan (or any plan). It sucks to be one of the free plan users that doesn't have the ability to make a paid plan work, but I don't understand why Cloudflare needs to keep subsidizing something that wouldn't be tenable without their handout.
That was a great year.
If you have an actual number, the idea is that you must take them, or at least, you get paid extra if you don't.
That's why "unlimited" PTO exists. Defined PTO is a liability on the company's books.
If we believe the plan was $200 and the upgrade was to a $2,000 plan.. there's no way a $2,000 user would be "straining" Cloudflare's network.
We spend more than that. If we are putting a strain on Cloudflare, they're not at the scale we think they're at.
Invisible limits are an anti-pattern, simple as that.
Hidden limits are an anti-pattern.
There is no counter-argument.
If they have a hard limit they can cut people off well ahead of 1.2PB of bandwidth with less ambiguity: it's a strictly better situation.
>Hidden limits are an anti-pattern.
>There is no counter-argument.
Here's a counterargument: do you get similarly upset that restaurants advertising "free refills" cut you off after you've been at the place for 12 hours and you dispensed 8L of coke? Explicit limits is how you get "limit one refill per customer", leaving most customers worse off.
Do I think hidden limits are always better? No. It operates on a spectrum, and depends on how many "legitimate" customers are affected by the limit.
If the rule was "you have to leave after 2 hours" or "after an hour, you get one last refill", that would solve the problem and affect almost nobody else, while being nice and explicit about expectations. (Or cut those numbers in half if you want, it's just an example.)
A butt in seat doesn't cost the business any money as long as it's not displacing any paying customers (ie. the place isn't packed). Soda might be cheap but it's not free, so dispensing 8L of product does cost the business money.
>If the rule was "you have to leave after 2 hours" or "after an hour, you get one last refill", that would solve the problem and affect almost nobody else, while being nice and explicit about expectations. (Or cut those numbers in half if you want, it's just an example.)
See my other point about people riding up the limit. When you institute an explicit limit, you end up having to be more conservative because an explicit limit emboldens people to ride up right against the limit, rather than a fuzzy limit with the expectation that people act "reasonably". Instituting the limits you proposed would cause the problematic customers to chug soda within the allotted time, for instance. It also becomes a hassle for everyone else who's being reasonable. If I'm meeting with some friends after and need to kill an hour or two, I suddenly have to worry about whether I can stay without getting kicked out, etc. Most people, even above-average utilization customers lose out from this, and the only people who benefit are the ones taking advantage to an absurd degree.
How much soda do you think they're going to chug? That sounds weird and rare. I don't think it's a limit where you're going to have a problematic amount of riding.
> If I'm meeting with some friends after and need to kill an hour or two, I suddenly have to worry about whether I can stay without getting kicked out, etc.
That's not consistent with the idea that the business is fine with you sitting around for a while. If they're fine with that, they would only limit your refills after a point. That rule should give you no reason to worry about being forced to leave.
Though is buying a new drink after two hours a big deal in the first place...?
And when you build a SaaS that people build entire businesses on, you can state your limits transparently and openly.
Not sure this is the gotcha that you think it is.
I won't hold them to the same standards, they're not the same thing.
If you want to wax poetic about drink policies go right on ahead, no push back from me.
Cloudflare's limits can be formalized by imagining one of their PMs saying the following: "You can do things on our general infrastructure for free, as long as we don't offer more-specific infrastructure that's intended specifically for the thing you're doing. And even then, we will let you use the general infrastructure as a "workaround" to needing to engage with the domain-specific infrastructure... up until the point where — if you had been using the purpose-built domain-specific infrastructure from the beginning — the cost model for that specific infrastructure would have had you spending enough money, that the 'uncaptured revenue' you would represent, would begin to affect one of our salespeople's KPIs. Once you hit that point, our salespeople will come to 'convert' you."
For examples:
• You can force regular old Cloudflare to cache large image assets through Page Rules, with long TTLs, for free. Or you can stuff your large image assets into Cloudflare R2, lose the ability to set long TTLs, and pay per (origin-pull) GET request above a certain daily free-tier limit. If you serve enough image assets through Page Rules that you represent non-trivial uncaptured R2 revenue, then Cloudflare will contact you.
• You can force a Cloudflare Pages site to do small amounts of CF Workers logic in the routing phase of serving the page, for free. Or you can put an actual Worker in front of a regular static site, and pay per GET request + per CPU-second after some free-tier thresholds. If you use enough CPU-seconds inside the "unbilled" stage of your Cloudflare Pages site, Cloudflare will contact you. (Note that they're very unlikely to come after you for this, since the limit on the amount of work you can do here is pretty trivial, so you'd have to be getting a ridiculous amount of requests for this overhead to add up to anything meaningful.)
• Previously, you could force Cloudflare to resize images "on the way through" for free, using a /cdn-cgi/ path. These days, you're forced to go through Cloudflare Images, which charges per request and (IIRC) per processed byte. This is because everyone was using the free approach and ignoring the Cloudflare Images infra, and Cloudflare saw hundreds to thousands of accounts with potential non-trivial un-captured revenue here. Rather than address them all individually, they "sunsetted" the support for free image resizing, to force these accounts to either start paying or get out.
---
Note how this is exactly the same as a restaurant saying: "you can have water for free, and we'll put a lemon slice in your water, but we're not going to give you enough lemon slices and table sugar packets to make lemonade with — because we charge for lemonade. Just buy the gosh-darn lemonade; stop exploiting our kindness to make it yourself; by doing so, you're using way more of our resources than if you'd just let us make it."
There's nothing hidden about the cost of lemons or sugar packets. The restaurant is going to give you lemons and sugar packets for free right up until your consumption could have paid for a lemonade. Then they're gonna force you to buy the lemonade.
It's not like they threatened to remove you from their service. They asked you and gave you a "canned" reason.
If you don't mind me asking you had a $200 a month plan, and changed to another provider. Did the plan price go up or down?
Except now there isn’t a clear formalization on how much you were expecting to pay or how much runway or patience CF has left for you.
I've had a call from Cloudflare at my previous job, and it wasn't a "you're about to be fired" it was an attempted upsell.
This isn't a random sales person gone rogue—it's a matter of how Cloudflare chooses to do business with and treat their customers.
The problem with this approach for customers is that it makes their costs entirely unpredictable. What's to stop them from increasing prices from $2,000 on the enterprise plan to $20,000 on the enterprise plus plan?
Aggressive commission structures, sales targets, and little oversights have visible impacts on how the sales team operate.
Compare to cloud providers like AWS where you certainly get "reminded" constantly about all the integrated services and features but much less so harassed and threatened into closing deals.
We had a pretty positive experience with a Cloudflare contract last year but it sounds like Cloudflare is more the former than the latter.
They routinely do exactly this
The fees are for sure ridiculous but I don't think Cloudflare was wholly unreasonable to request that the customer bring their own IP.
I don't buy the “was getting Cloudflare owned IPs blocked left & right” argument.
Remember we are talking about a platform that still protects 4chan despite the internet raids, violence threats, celebrity hacking + photos leak, the Buffalo shooting, etc:
https://en.wikipedia.org/wiki/4chan#Controversies_and_harass...
Free is free until it’s not. When Cloudflare becomes the new Akamai and needs profits, guess who will get squeezed. If you’ve built your app around their vendor specific stuff like Cloudflare functions, that can be bad news.
There's nothing that "special" about Cloudflare Workers, it's mostly "just" a WinterCG runtime. Where you'd encounter problems is if you used the provided interfaces for other adjacent Cloudflare products, like R2, D1, KV, Queues, etc. So what you do is commit an hour of engineering time to make wrapper functions for these APIs. If you're feeling extra spicy, commit another hour of engineering time to make parallel implementations for another service provider. If you allow your tech stack to become deeply intertwined with a 3rd party service provider, that's on you.
Also at face value, it may seem like “an hour of engineering time,” but I think cloud vendor lock-in is real unless you try very hard to only use abstract constructs.
While I agree it’s scummy, you could argue you got $1800 worth of traffic for free for a while.
The hardest part of onboarding a new customer to Cloudflare is the bit where you need to switch over to having them manage DNS for you.
If you're under a DoS attack or similar, waiting for DNS changes to propagate is the last thing you want to have to care about!
Cloudflare's generous free tier is an amazing way of getting that funnel started: anyone who signs up for the free tier has already configured everything that matters, which means when they DO consider becoming a paying customer the friction in doing so is tiny.
"How can CloudFlare offer a free CDN with unlimited bandwidth?"
https://webmasters.stackexchange.com/questions/88659/how-can...
Unless you stay very small, you'll eventually get on the radar of the sales team and you'll realize the service is neither unlimited nor free. In fact, you'll likely have to look at a 5 or 6-figure contract to remain on the service.
But the gist of it is that CF sales are really good at identifying users that are both locked into their offerings and big enough to be able to sign an expensive contract.
CF do have an excellent offering and workers, in particular, are amazing for many things.
Once the above conditions hit though, you will invariably get a call from the sales team. There is no free lunch.
As I said in another comment, if you allow yourself to become deeply intertwined with a 3rd party service provider, that's on you.
So if cloudflare’s offer is really unlimited and free, they haven’t exceeded it.
I'd be shocked if CF actually allowed you to use a couple hundred PB/month for free. And that's still finite!!
Right. But the answer to the question posed in the title - "Why is Cloudflare Pages' bandwidth unlimited?" - is that the bandwidth is not, in fact, unlimited.
At the start of this thread, i_have_an_idea said "The reason it's free and with unlimited bandwidth is that it's not". I think they, you, and I all agree on that.
What I don't understand is the other people in this thread, who seem to take cloudflare's marketing puffery at face value.
OP said, "Unless you stay very small ... you'll realize the service is neither unlimited nor free" ... is what I commented on.
(disclaimer: I'm an employee but no commission is earned for this, we just work hard, opinions on HN otherwise don't reflect that of my employer)
- Marketing videos on stream
- Pages for multiple nextjs sites
- DNS + Domain Reg
- cloudflared / tunnels for local dev
- zaraz tag manager
- Page rules / redirect rules for vanity redirects we want to do.
The list gets longer every day and the amount of problems we can solve quickly is amazing. The value to money is unmatched.
> So why is Cloudflare Pages' bandwidth unlimited?
> Why indeed. Strategically, Cloudflare offering unlimited bandwidth for small static sites like mine fits in with its other benevolent services
Those are not "benevolent". Seeing a substantial amount of name resolutions of the internet is a huge and unique asset that greatly benefits their business.
> like 1.1.1.1 (that domain lol)
It's an IP address, not a domain. And they paid a lot of money for that "lol", so that people have an easy time remembering it. Just like Google with 8.8.8.8. Not to be benevolent, but to minimize the threshold for you to give them your data.
> Second, companies like Cloudflare benefit from a fast, secure internet.
It's the exact opposite. The less secure the internet, the more people buy Cloudflare's services. In a perfectly secure internet, nobody would need Cloudflare.
They didn’t pay any money for it. They were given it for free for a collaboration with APNIC.
Oh, you are saying it's a mutual deal I'm having with my employer, they get sth out of it and I also do? You don't say..
Oddly, one.one is owned and redirects to the unrelated domain registrar one.com. I wonder how much cloudflare pay them to use that subdomain.
1.66M Unique visitors
24TB served
However, I do understand in their world, 24TB is chump change
Seems like a lot of traffic to me, probably is next to nothing or would cost more.
I feel like Google started on an extraction ratchet and hasn’t stopped. I used to put everything there and now barely anything. The change in brand for me has been massive.
Generous free tiers, pricing scales very competitively after that, and their interface is not nearly as bad as GCP / AWS.
I highly recommend this stack.
Underrated.
Until recently, all the features were grouped in a very clear manner within the dashboard. Now, even Cloudflare is complicating its management interface, but they still have a long way to go before reaching the level of confusion of AWS and GCP.
I managed to get R2 with their cdn in front of it up and working in under an hour. The same experience with s3 fronted by cloudfront was 2 very long days. Due to my misunderstanding, yes, but aws provided (1) incomprehensible docs, (2) an extremely complex UI; (3) stale help all over the internet; and (4) incredibly unclear error messages.
I have zero evidence to prove anything. Just gut feeling. Anyone else notice this?
I've had sites that don't use CF dropping positions in Google Search even though nothing changed on my end. Why? No idea.
I can't remember when it was the last time I've heard something bad about Cloudflare. Then again, I don't use any of their services, even if I have an old account with them. I never saw the need to use them, but like what I see about the products they offer.
They seem to be doing much more good to the internet than causing trouble.
Spamhaus also mentions the main problem with their abuse form, which is that it forwards abuse emails to the hosting provider and the web administrator. They pretty much never do anything by themselves and neither the web administrator nor the hosting provider have much incentive to disconnect spamming customers (since the admin is hosting it and the hoster usually stays outside of the risk anyway.)
[0]: https://www.spamhaus.org/resource-hub/service-providers/too-...
I figure that the discord at the root of the issue you're describing can lead to more uncommon complaints against them, bringing this to mind: https://blog.cloudflare.com/kiwifarms-blocked/
> Second, companies like Cloudflare benefit from a fast, secure internet. If the internet is fast and reliable, more people will want to use it.
The author doesn't seem to have anything to say with any more substance than this gem.
The pleonasm is not helpful though.
But the presence of https://en.wikipedia.org/wiki/PRISM well over 10 years ago should be sufficient.
> "Prince co-founded Unspam Technologies, which supported the development of Project Honey Pot [2], an open source data collection software created by Prince and Lee Holloway designed to gather information on IP addresses used by email-address harvesting services."
> In 2008, the Department of Homeland Security (DHS) contacted Unspam Technologies, asking, "Do you have any idea how valuable the data you have is?" The DHS' email served as the impetus for Cloudflare, a technology company Prince co-founded with Holloway and fellow Harvard Business School graduate Michelle Zatlyn the following year
> The DHS' email served as the impetus for Cloudflare
Emphasis mine. I love Cloudflare, their tech is amazing, but to bury our heads in the sand that it wasn't started from day one to be a government spying program would be extremely naive.
> At CloudFlare, we have never been approached to participate in PRISM or any other similar program.
> To date, CloudFlare has never received an order from the Foreign Intelligence Surveillance Act (FISA) court.
The questions are not about if they were approached or participate in any programs, it's what they do and if they provide the data or not.
For example, in your link: "One of the ways we limit the scope of orders we receive is by limiting the data we store. I have written before about how CloudFlare limits what we log and purge most log data within a few hours. For example, we cannot disclose the visitors to a particular website on CloudFlare because we do not currently store that data."
So if they are MITMing everything they totally could just send everything out straight away and not contradict what they're saying at all. Them storing the data or not is completely beside the point.
But it's a natural double standard that when your potential spy says "I'm not a spy!", well it's no evidence AGAINST.
>> To date, CloudFlare has never received an order from the Foreign Intelligence Surveillance Act (FISA) court […because they never had to ask in the first place]
My paranoia was cemented by the book When Google Met Wikileaks. Silicon Valley types do not have to be coerced to share data with 3 letter agencies, they have aligned incentives to ensure American dominance. Which is fine with me, as an American, but I won’t pretend there’s some rivalry where Cloudflare won’t comply without a court order.
https://www.agwa.name/blog/post/cloudflare_ssl_added_and_rem...
Of course, I know an embarrassing number of people that won't touch it because they're convinced it's an NSA backdoor into your system.
When you file an abuse ticket with CF, CF takes the route of "oh we are only routing the data and content, not hosting it" and will refuse to terminate the CF accounts of someone being malicious. Threat actors know this which is why so many use em.
Their abuse page says they forward abuse tickets to the origin hosting provider. The origin hosting provider could ignore your tickets, but I don't see how that's any different than if they didn't use cloudflare to begin with.
Keeping them online generates more DDOSes, driving demand for CF’s DDOS protection product. Protecting such sites is a sound business strategy.
It reminds me of the counterargument to UFOs where they say "so the UFO flew here from 100 light-years away, through extreme cold, deep space, intense radiation, dodged space rocks, but as soon as it came into a lukewarm atmosphere with a modest gravity and tame weather, it crashed into a field in New Mexico?"
It wouldn't say much for the foresight of the alien designers, mind.
[1] "100 KILOpascals? KILO? I thought you said milli, you blithering nixflorp!"
The numbers were given in Universal Standard Units, but the manufacturer assumed Galactic Imperial Units
PRISM worked with numerous participants from well-oiled tech startups to aging why-won't-you-just-die companies.
CloudFlare, PRISM, and Securing SSL Ciphers, 2013-06-12 Matthew Prince https://blog.cloudflare.com/cloudflare-prism-secure-ciphers/
I think what you describe is closer to "TLS terminating reverse proxy", which does need to intercept every request.
- bandwidth is cheap but the bad actor data they gather directly helps their paid enterprise tools
- people wouldn't pay for it and move to a competitor that offers it free, so it's basically a monopoly on a large portion of the sales funnel
- branding message as "we are the good guys we are so generous" as you can see from the comments has worked in their favor
> In Q1 of this year, I completed my yearly CDN pricing survey of over 500 customers and saw the lowest pricing rates I have ever seen for the largest customers, as low as $0.00038 per GB delivered in the US. Blended pricing globally at $0.0006. (Please note, this doesn’t mean these are the prices you should be asking for or paying!) Lower pricing is okay if traffic and commits are growing, but they aren’t
https://www.streamingmediablog.com/2024/05/cdn-pricing-press...
For example, fewer countries or companies would ban Cloudflare network IPs for whatever reason when it means such a big part of the Internet would be cut off. Something when you have to negotiate your peering agreements for interconnection with others.
Also, regarding their ddos and other network security protection, it means that a bigger part of internet is in their direct control and doesn't have to be firewalled like everything coming from the outside world.
It's the same thing as when you look at Gmail, why it is so generously offered to everyone for so long. But now can you imagine any service provider in the world limiting or considering as spam what is coming from Gmail? Impossible.
We had very generous policies for web pages hosted on our servers.
Those web pages generated outgoing traffic that balanced (partly) out incoming traffic and gave us a negotiating position for peering agreements with other ISPs.
Only in the context of developers. For non-tech people who only want another WordPress or Blogger, there aren't that many choices.
The value proposition of WordPress is that grandma can run her knitting blog. Not quite as straightforward to teach nana Markdown, Jekyll, the command line, SFTP... It's true that anyone who can roll their website with an SSG doesn't need WP, but those people were never WP's core audience anyway.
At the same time, every time you need to buy something, you'll think "should I add a new cloud service or just buy Cloudflare?"
I don't like their almost monopoly-position but it's so good I use Cloudflare for all my projects and I keep recommending Cloudflare to all my clients.
In that regard, they remind me of a young Google.
You're the guinea pig to help them make the product better for paying clients and to help them market the product's usefulness to those that pay.
If CloudFlare serves a lot of traffic (i.e. people on the internet are requesting stuff from CloudFlare's servers), they get better peering agreements (i.e. pay less) from internet network providers.
When "normal" people/companies connect to the internet, they're paying for the connection. Regional ISPs likewise pay Tier 1 network providers (i.e. "global internet backbone") for the connection, and are charged by bandwidth. When "popular" companies connect to the internet, they don't pay - e.g. a lot of ISPs would host Netflix servers for free (that way, they avoid having to pay for Netflix traffic to Tier 1 providers, but can serve it locally instead).
The linked Wikipedia article doesn't really explain the reason behind it.
You look at your network traffic and notice 5Gbps of it all seems to be going to a single AS: Google. Your customers just love Youtube, and they are pulling down a ton of video.
Rather than leaving that as an interesting factoid, you decide to reach out to Google and pitch them on cutting out Cogent. You run a cable (more-or-less literally) from your network to Google. That 5Gbps of Youtube traffic is running over your connection directly to Google.
Now you can go back to Cogent and drop your commit from 10Gbps to 5Gbps, saving you a bunch of money. Google doesn't have to pay them for transit either: they can serve content to your users straight through the cross-connect. Win-win.
If a particular company is _really_ big, say: Netflix, Cloudflare, etc: you, as a small ISP, might even offer to give them some space in your server racks to host local caches. This makes the performance better for your customers, and, again: saves transit costs.
Examples: https://pending-revew.pages.dev/ https://r2-cmq.pages.dev/ https://ampgoat-ligaciputra.pages.dev/
If you are the literal police, they will do something.
Most sites will have a hard time getting anywhere close to that and the ones that do will likely at some point want more advanced features than the free packages offer (or get force-upsold, see e.g. https://news.ycombinator.com/item?id=42713451).
Once people are in the Cloudflare ecosystem, they're much more likely to upgrade and start using additional services, or recommend Cloudflare to their employer.
I suspect they also benefit from the massive amounts of data gathering. A huge portion of the entire internet's traffic is going through Cloudflare, SSL-terminated. It's like being plugged into the server-side (unblockable) access log of every website. That would be worth a lot.
I also suspect their support of web attestation is not benevolent. With the level of control they already have, it's increasingly possible for them to flip a switch, with the full support of Apple and Google and Microsoft, so that only authorized devices have access to the web. curl on Linux? Not authorized. Outdated OS? It's up to Apple whether they feel like signing your request – can't expect them to support it forever! – but also you can't access that website without their approval.
I feel like a conspiracy theorist here but this stuff just seems way too close at hand.
I don’t think it requires a conspiracy, it’s just a market demand for such a product
They offer incredibly generous infrastructure components for individuals and small businesses.
If you’re looking to host a podcast with a custom domain name and need significant free storage, you’ll quickly realize there aren’t many (if any) free options—until you discover Cloudflare. With tools like R2 and Pages, they open the door to a world of possibilities.
I’ve even built an open-source podcast CMS/hosting solution using Cloudflare [1]. Thanks to R2, you can host up to 10GB of audio for free! It’s a game-changer.
[1] microfeed.org
I run an open-source project[1] tracking the performance of pension fund schemes in India and offer a free API and a query builder because of Cloudflare.
I think this free tier is sort of their customer acquisition strategy. I work as a freelance developer and because my experience with CF is good, I recommend CF to all my clients!
[1]: https://npsnav.in
Works best at the extremes
For a small mostly-text blog post? Wtf are you talking about? That’s absurd.
"Account/Zone custom nameservers are available for zones on Business or Enterprise plans. Via API or on the dashboard."
Update: I say this to further illustrate how they operate.
Infra like Internet cables under the ocean are to me more obvious things to be purchased by other businesses. ISP-collocated content servers that came to be due to discovered mutual benefits of content and service provider seem to me more complex in terms of managing them in the face of business changes.
[1] https://www.wsj.com/market-data/quotes/NET/financials/annual...
The unit economics are sound. They have 76% gross margin, so it's not like they're selling $10 movie tickets for $8, and unlike companies like Uber, they're probably not using their marketing spend to buy revenue (eg. spending $20 in promo credits to get $50 worth of sales). There's nothing wrong with a business that's "unprofitable" when their unit economics work out, and are plowing their profits back into expanding the business.
I would suspect they're going the other way and will continue to double down into new areas of services to expand their product line.
The only thing that really stops me is the horror stories I hear about random billing issues and on top of that account closures.
That is something I'm _never_ worried about with AWS.
On the off chance that someone from CF is reading this feedback.
Drawback: less nodejs api, so limited apis.
It's made me not use cloudflare for future products. Just charge me upfront what you need to make a healthy margin and let's do business!
/s
Pricing is not about today's balance sheet, but about the future of the business. If pricing ever becomes about making this month's payroll, the business is probably in trouble. There are exceptions, especially for small businesses.
The free geo information in the header alone is already worth it for us so we save money on purchasing a separate ip db but also don't waste time for the separate db call looking up the location.
I was very disappointed by their kv store latency and that d1 does not replicate yet. So we ended up comparing a poor man solution in just providing the json at a http endpoint on our webserver vs. quite a few global kv providers.
We set up a promise race and did thorough global tests. Doing the http request beat the global kv store providers by far, even if they have a pop in syd, the cloudflare http request to europe or the us was still faster. We are using Argo though, this might have helped as well.
I then found bejamas where you can do some nice comparisons like: https://bejamas.com/compare/turso-vs-upstash-redis-vs-cloudf...
oh, btw, hello NSA o/
I had used CF Pages and I really really liked all the tools it gave me, but free didn't sit well with me. I switched to CDN bunny.net for hosting my personal site and DNS and I pay $1/mo, which is their monthly minimum payment. It doesn't have fancy stuff like GitHub integration or such, but I feel more at peace actually knowing what I'm paying for.
I wish CF would have a personal pricing level, I'd be more than happy to pay them and have a customer relationship instead of a freemium user relationship with them!
It's not a blitz-scaling customer trap.