What is our primary use case?
I'm just using the bare minimum amount of DDoS Protection out of the tier we use. We're a pretty small company, so we haven't been the target of any major DDoS attacks yet. That's why so far the basic DDoS is all we need.
If your company uses Cloudflare, then everyone in your environment inherits DDoS protection.
There is no such thing as maintaining this solution — everything is baked into it. Unless of course, you want to pay for the enterprise tier. Then maybe you could gain access to extra DDoS Protection.
How has it helped my organization?
In the case of an attack, Cloudflare provides an extra layer of security in front of our application server. It will take the blow rather than our applications should an attack occur. That's the whole idea. They protect us with this extra cushion.
What is most valuable?
We mostly use Cloudflare WAF, and gets basic Cloudflaire DDoS, caching as extra bonus . We like the factor these features are all integrated into 1 console, simple to manage. They work flawlessly in the background, nearly invisible to us.
What needs improvement?
The initial onboarding was causing us some confusion. Who's going to do what and what steps need to be taken? Once we got through it once, it became a no-brainer. At this point, I'm pretty happy with Cloudflare. Everything is straightforward once you've figured it out initially. It's just the very first day that can be a little confusing.
I recently sent some feedback to the company. There are thousands of rules in their WAF product, and I just wish I could have better insight. Right now, it's very superficial. You turn a radio button on or off for their rules, but when there's troubleshooting going on, it's very hard to figure out what's causing the rules to get triggered. With each rule, there may be hundreds to thousands of rules underneath it that are enabling the blocking.
Luckily for me, so far it hasn't occurred enough that it has required me to dig deep to figure out why or how to bypass it, but I could see this occurring a lot in a complex environment. It only happened to us three times, and I was always able to figure out a way to get through it.
For how long have I used the solution?
I have been using Cloudflare DDoS for roughly six months.
What do I think about the stability of the solution?
It's been very stable. Before we brought our server on behind Cloudflare, there was a reported outage which made us extremely concerned. However, since we've been onboarded, we have not noticed any downtime with Cloudflare.
What do I think about the scalability of the solution?
It's extremely scalable. That's the whole reason we use Cloudflare.
How are customer service and technical support?
Support has been good so far. Just the initial headache of onboarding. After onboarding, there was some tuning involved. We worked closely with support to get through that. Once we got the gist of it, we didn't really require support anymore. It's become very low maintenance.
Which solution did I use previously and why did I switch?
We are using AWS — that's our infrastructure. The only thing we compared on paper was the native AWS DDoS Protection. The reason we selected Cloudflare, is because it provides us with an extra security layer in front of our applications. It has all the security features built into one platform rather than managing different pieces. With AWS-native tools, I have to select AWS Web or AWS DDoS Protection. There are individual components I have to install and manage. With Cloudflare, because it's an all-in-one platform, everything is much easier.
What's my experience with pricing, setup cost, and licensing?
At this point, considering the size of our company and the traffic we have seen, there is no need for us to pay extra for the enterprise tier. That's our current state. Things could change; we'll have to wait and see. As our company grows and as we become more successful, it may attract more attacks.
If you were to just use a native AWS tool, it may be a little bit cheaper. But considering the headache of spending more time to figure out how to install and manage the individual pieces, cost-wise, I think Cloudflare would be the cheaper option.
What other advice do I have?
Before implementing this solution, consider the size of the individual company: their cost budget, their budget range, and their specific needs. What are they looking for? If you're looking for an all-in-one security tool with DDoS, WAF, and rate control, all in one package for a low price, Cloudflare seems to fit pretty well. It really depends on the individual company — what their application is based on.
Take TikTok for example. TikTok has heavy traffic laws, so their security needs will be very different from my company's needs. We're low profile, we don't generate tons of traffic. So, it really depends on your environment, your budget, all of those things.
Overall, on a scale from one to ten, I would give this solution a rating of nine.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)