The conclusion is that, for an origin server halfway across the world from your users, CloudFront with Origin Shield is basically equivalent to CloudFlare with Argo (latency-wise).
The other takeaway is AWS documentation is kind of dodgy for some services. But basically everyone knows that already.
This was probably the first article on Hacker News that actually had some type of business impact for me, so thanks for posting!!! Have already added Origin Shield and it's made for somewhat of a speed boost.
Depending on what you're doing with it, that may technically be against the TOS on any of their "self-serve" plans, including the paid ones. You might get away with it anyway, especially if your traffic is low, but you'd be rolling the dice.
If it's consumed by a web app, doesn't it make it okay? Otherwise any api behind cloudflare would be violating the TOS...
> 2.8 Limitation on Serving Non-HTML Content
The Services are offered primarily as a platform to cache and serve web pages and websites. Unless explicitly included as part of a Paid Service purchased by you, you agree to use the Services solely for the purpose of (i) serving web pages as viewed through a web browser or other functionally equivalent applications, including rendering Hypertext Markup Language (HTML) or other functional equivalents, and (ii) serving web APIs subject to the restrictions set forth in this Section 2.8. Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service. If we determine you have breached this Section 2.8, we may immediately suspend or restrict your use of the Services, or limit End User access to certain of your resources through the Services.
Probably OK, but access it from Electron (let alone fully-native apps) and now you may technically not be OK anymore: is that functionally equivalent to a web browser? Hard to say. And much of the benefit of web APIs, versus just serving pages and HTML fragments, is being able to serve those kinds of heterogeneous clients, or to allow access to 3rd parties, and who knows what they might use to access it, so... yeah, you can push low-usefulness (browser-only, first-party-use-only) web APIs through Cloudflare and you're likely in the clear, but go beyond that and it gets murky fast.
And even then, the web API thing is subject to the rest of the restrictions in that same section ("serving web APIs subject to the restrictions set forth in this Section 2.8") so "serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited" (emphasis mine) meaning that if too much of your traffic is JSON or protobufs or what have you, they could send you a nastygram or simply cut you off, though they might choose not to.
Personally, I'd not rely on Cloudflare's free or $20 plans past MVP/experimentation or hobbyist use, precisely because the terms are restrictive and vague. Too risky. Then again, what can you expect for nothing-to-peanuts prices?
We do that with CloudFront. Default is no cache, but some API responses specifically enable caching in the response headers (mainly the version check API).
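Added example (editor's, not the commenter's code) of the pattern described above: the origin defaults to `no-store` and only an explicitly chosen endpoint opts into caching via its response headers, plus a small checker that decides, from those headers, whether a shared cache like CloudFront's edge may store the response and for how long. The route name, TTLs and the conservative Set-Cookie rule are assumptions for illustration; confirm them against the cache policy actually attached to your distribution.

```python
"""Selective, header-driven caching in front of a shared (edge) cache.

Added example. The /api/version route, the TTLs and the treatment of
Set-Cookie are assumptions, not a statement of CloudFront's exact rules.
"""
from __future__ import annotations

from typing import Optional


def origin_headers(path: str, authenticated: bool) -> dict[str, str]:
    """Headers the origin attaches to a response.

    Default is 'no-store'; only the version-check endpoint opts into caching.
    Authenticated responses are never marked cacheable, whatever the route,
    so one user's data cannot be served to another from the edge.
    """
    if authenticated:
        return {"Cache-Control": "no-store"}
    if path == "/api/version":  # assumed route name
        # public: a shared cache may store it
        # s-maxage: TTL at the edge; max-age: TTL in the browser
        return {"Cache-Control": "public, s-maxage=600, max-age=60"}
    return {"Cache-Control": "no-store"}


def _directives(cache_control: str) -> dict[str, Optional[str]]:
    """Parse 'a, b=1' into {'a': None, 'b': '1'} (names lower-cased)."""
    out: dict[str, Optional[str]] = {}
    for part in cache_control.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip()] = value.strip() or None
    return out


def shared_cache_ttl(headers: dict[str, str]) -> Optional[int]:
    """Seconds a shared cache may keep the response, or None if it must not.

    Follows the usual RFC 9111 rules: no-store and private forbid shared
    caching, no-cache allows storing but forces revalidation (TTL 0), and
    s-maxage takes precedence over max-age for shared caches. As a
    conservative assumption, a Set-Cookie response is treated as
    uncacheable unless the origin said 'public' or gave an s-maxage.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    cc = _directives(lookup.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return None
    if "set-cookie" in lookup and "public" not in cc and "s-maxage" not in cc:
        return None
    if "no-cache" in cc:
        return 0
    for key in ("s-maxage", "max-age"):
        value = cc.get(key)
        if value is not None and value.isdigit():
            return int(value)
    return None


if __name__ == "__main__":
    for path, auth in [("/api/version", False), ("/api/version", True), ("/api/orders", False)]:
        h = origin_headers(path, auth)
        print(path, "auth" if auth else "anon", h["Cache-Control"], "->", shared_cache_ttl(h))
```

Running the checker over your own origin's responses (or a captured HAR) is a cheap way to catch the classic mistake of a per-user API response that carries `max-age` without `private`, which an edge would happily share.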
I did. If you need eviction, things get either suboptimal, complicated or costly. If you don't need that, the only other thing to watch out for is the upload size limit, and well, only if that is ever relevant to you. You might want a direct endpoint for these.
We managed to get it working for analytical SQL queries [1] for our database. It's kind of questionable whether this is an intended use of Cloudflare, but it feels like it, since we use it for query results, which are essentially a static asset in our use case (dashboards and visualizations).
TL;DR, adding an "edge" in front of your application incurs a connection setup cost which can be 2-3x RTT and is especially noticeable when you don't have a large QPS and are in a region like APAC where geographically close networks often have high latencies between each other. Both Argo and OriginShield seem to pool more aggressively, often going cross-datacenter to avoid hitting origin, which sometimes saves this setup cost by coalescing onto warm connections, but only sometimes (notice how spiky their Argo graphs are; the p90 request is probably no faster than before).
depending on your origin and your users, having TLS terminate / be negotiated at the edge should _reduce_ your connection setup cost, by reducing RTT time for the handshake to the end user (typically the slowest bit / longest tail).
If you have 1 origin region/server and globally distributed users, in the data shown the RTT from Sydney could be 1000ms, so TLS negotiation of 3 roundtrips could be 3000ms. If you terminate TLS at the edge that could be an order of magnitude less... not more? Depends on your setup though.
This is true, on average having an edge will be faster, but it is not a panacea for latency, especially if you don't move non-trivial QPS from every region.
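Added example (editor's, not from the article or any comment above) that puts numbers on the two positions in this subthread: per-hop connection setup cost versus TLS termination at the edge, and what a pooled (warm) edge-to-origin connection buys. The round-trip counts are the simplified ones used in the discussion (TCP: 1 RTT, TLS 1.2: 2 RTT, TLS 1.3: 1 RTT, request/response: 1 RTT); the 1000 ms Sydney figure is from the thread and the other RTTs are constructed inputs.

```python
"""Back-of-the-envelope request latency with and without an edge.

Added example. Handshake round-trip counts are the simplified ones used
in the discussion; RTT values passed in are constructed, not measured.
"""

TCP_RTTS = 1                      # SYN / SYN-ACK before any data
TLS_RTTS = {"1.2": 2, "1.3": 1}   # full handshake, no resumption


def new_connection_cost(rtt_ms: float, tls: str = "1.2") -> float:
    """Cost of a fresh TCP+TLS connection over a link with the given RTT."""
    return rtt_ms * (TCP_RTTS + TLS_RTTS[tls])


def direct_latency(user_origin_rtt_ms: float, tls: str = "1.2", warm: bool = False) -> float:
    """User talks straight to the origin; one request/response RTT after setup."""
    setup = 0.0 if warm else new_connection_cost(user_origin_rtt_ms, tls)
    return setup + user_origin_rtt_ms


def edge_latency(user_edge_rtt_ms: float, edge_origin_rtt_ms: float, tls: str = "1.2",
                 user_warm: bool = False, origin_warm: bool = False) -> float:
    """User -> edge -> origin, with independent connection state on each hop.

    origin_warm models a pooled edge->origin connection (what Argo / Origin
    Shield style coalescing gives you on a hit); user_warm models the user's
    browser already holding a connection to the edge.
    """
    user_setup = 0.0 if user_warm else new_connection_cost(user_edge_rtt_ms, tls)
    origin_setup = 0.0 if origin_warm else new_connection_cost(edge_origin_rtt_ms, tls)
    return user_setup + user_edge_rtt_ms + origin_setup + edge_origin_rtt_ms


def scenario_table(user_edge_rtt_ms: float, edge_origin_rtt_ms: float,
                   user_origin_rtt_ms: float, tls: str = "1.2") -> dict[str, float]:
    """The cases the thread argues about, side by side."""
    return {
        "direct, cold": direct_latency(user_origin_rtt_ms, tls),
        "direct, warm": direct_latency(user_origin_rtt_ms, tls, warm=True),
        "edge, both cold": edge_latency(user_edge_rtt_ms, edge_origin_rtt_ms, tls),
        "edge, origin pooled": edge_latency(user_edge_rtt_ms, edge_origin_rtt_ms, tls,
                                            origin_warm=True),
        "edge, both warm": edge_latency(user_edge_rtt_ms, edge_origin_rtt_ms, tls,
                                        user_warm=True, origin_warm=True),
    }


if __name__ == "__main__":
    # Constructed Sydney-style numbers: 1000 ms user<->origin, 20 ms user<->edge,
    # 250 ms edge<->origin when the edge has a better path to the origin.
    print("edge on a better path:")
    for name, ms in scenario_table(20, 250, 1000).items():
        print(f"  {name:22s} {ms:7.0f} ms")
    # Same, but the edge->origin hop is no better than the user's own path.
    print("edge on the same path:")
    for name, ms in scenario_table(20, 1000, 1000).items():
        print(f"  {name:22s} {ms:7.0f} ms")
```

The second table is the low-QPS failure mode the first comment describes: when the edge has no better route to the origin and its connection to the origin is cold, the extra hop costs more than going direct (4080 ms vs 4000 ms with TLS 1.2), and only a pooled origin connection turns the edge into a win. Swap in `tls="1.3"` to see how much of the argument is really about handshake round trips.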
No, Argo optimizes the route of traffic from the edge (your closest Cloudflare data center) to the origin (the server hosting your website). With Pages, everything is served from the edge.
Price is the main difference between AWS CloudFront/Fastly and CF. In most cases, CF prices are fixed, like $200 for business or $20 for the pro plan. If you like fixed-price VMs from Linode or DO, chances are high that you will like Cloudflare too. Of course, advanced add-on features like CF Argo and CF Bot Management cost more money at Cloudflare too.
Using CF as an initialism for Cloudflare when talking about CloudFront and Cloudflare is really confusing -- especially because Cloudflare doesn't capitalize the F but CloudFront does.
- Last I checked, the $20 plan has no SLA whatsoever and the $200 has a pretty poor one. Though admittedly I don't know whether Cloudfront is better there.
- You can't serve all kinds of traffic with Cloudflare self-serve plans. Including some of the ones that tend to use the most bandwidth.
- According to the CloudFlare self-serve plan TOS, IIRC, if you start being a too-heavy user on those plans CloudFlare can (and, I've heard, will) tell you to upgrade to an enterprise plan. Last I checked (this part's personal experience) they're not super interested in serving enterprise customers very far under a minimum $5k/month level, so there's a huge gap there in which other services are a much, much better value.
I have a small service for an NFP on the $20 plan and I remember working out that CloudFront+AWS would have set them back roughly 1500 per month, and that's without looking into occasional viral traffic spikes. The price disparity is baffling.
I said the opposite ("cloud providers can't keep charging 5-10¢/GB egress") a few years ago, but I guess I was wrong. I still think their pricing is absolutely insane in a world where even the smallest companies can colo a server and get wholesale transit that works out to <$0.005/GB.
But I guess nobody's really pushing traffic so nobody cares about $/GB.
> I still think their pricing is absolutely insane in a world where even the smallest companies can colo a server and get wholesale transit that works out to <$0.005/GB.
Their pricing's insane in a world where you can get prices not too far from that wholesale rate for CDN service (which is a whole different beast from having one or two colo'd servers).
And anyway, nobody pushing serious bits is paying public rates, anywhere. Those discounts can be huge. In fact I wouldn't be surprised if part of the reason cloud providers have such high rates is so they can give their counterparts an easy, very impressive-looking "win" in negotiations.
Yeah I was going to say much the same. Nobody with a large cloud bill is paying anywhere near list price. It's very hard to compare services apples to apples without actually getting a private quote from each side's sales team unfortunately.
This applies to all "enterprise software" too, btw. We've had quotes from vendors that started at 50% off list price, and then negotiated down further from there. It's pretty ridiculous.
Erm... why not? Everyone knows cloud providers are gouging customers on egress bandwidth fees, it's great that someone bucks the trend and calls them out on it.
Origin shield is quite pricey; Argo tiered caching is free.
(The article discusses Argo Smart Routing, but in my experience Argo tiered caching has led to the same kind of performance gains this article talks about.)
Except for the fact that hosting Wikileaks and Parler with the content in question was always legally contentious.
What Kiwifarms or The Daily Stormer hosted was sufficiently odious (in my view at least), it is disingenuous to suggest that the content is at the same level as what Amazon took action against.
All of those sites are toxic customers. Continuing to host them will draw the government's ire.
For Parler, the Jan 6 Committee would have inundated Amazon with subpoenas for internal documents and demanded testimony from executives. It's understandable why Parler was deplatformed so many times: because nobody likes government scrutiny. The risk is clearly greater than the reward.
I'm not saying that this was the right decision for society, but I understand where they're coming from, and these companies should be transparent about their motivations.
So why aren't those sites on Amazon right now? Seriously, if Amazon is such an amazing bastion of allowing that disgusting content, why are KiwiFarms and the Daily Stormer not happily up and running on AWS with CloudFront?