
CloudFlare Is Now a Google Cloud Platform Technology Partner - jgrahamc
https://blog.cloudflare.com/cloudflare-is-now-a-google-cloud-platform-technology-partner/
======
nivla
Recently I have been getting cautious about Cloudflare. I do use them and like
them a lot, and I enjoy reading their technical blog posts. However, from a
privacy standpoint it makes me feel uneasy. Cloudflare is just everywhere
now: HN, Stack Overflow, Reddit, and countless other sites. You can block a
cookie or a connection to a third-party script, but how do you block an
in-path proxy? All your cookies and credentials, heck, even every HTTP request
and response, go through them. Also, why is there a Cloudflare-specific cookie
(__cfduid) on sites that may not want to track users (e.g. HN)?

Maybe I am just being paranoid...

~~~
jgrahamc
What CloudFlare logs: [https://blog.cloudflare.com/what-cloudflare-logs/](https://blog.cloudflare.com/what-cloudflare-logs/)

~~~
jsprogrammer
However, there is no way to verify that is all they log.

CloudFlare gets to see the cleartext of all traffic they serve as they MITM
HTTPS connections.

~~~
15155
From an engineering feasibility/cost standpoint: there is no scenario in which
they could log (as in full packet capture) and dedupe all traffic without a
nation-state-scale budget (alphabet agencies, or interested companies a la
Google).

CloudFlare's (non-enterprise) prices simply aren't even in the required order
of magnitude.

Now: whether or not metadata, request bodies, etc. are logged, and at what
scale, is another discussion.

At some small, targeted scale, it's safe to say that total capture (certainly
of request bodies, etc.) is possible, if they were so interested.
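To put rough numbers on that argument, here is a back-of-envelope sketch in Python. Every figure below is an assumption picked purely for illustration (1 Tbps of average edge traffic, commodity bulk storage pricing), not a Cloudflare number:

```python
# Back-of-envelope cost of full packet capture at CDN scale.
# All inputs are illustrative assumptions, not real Cloudflare figures.

avg_traffic_gbps = 1_000          # assumed average edge traffic: 1 Tbps
storage_cost_per_gb_month = 0.02  # assumed bulk storage price, USD/GB/month

# Convert sustained Gbit/s into bytes captured per day.
bytes_per_day = avg_traffic_gbps / 8 * 1e9 * 86_400
gb_per_day = bytes_per_day / 1e9

# Cost of merely *retaining* 30 days of full captures.
monthly_cost = gb_per_day * 30 * storage_cost_per_gb_month

print(f"{gb_per_day:,.0f} GB captured per day")        # 10,800,000 GB (~10.8 PB)
print(f"${monthly_cost:,.0f}/month for 30-day retention")
```

Even with these deliberately conservative inputs, retention alone runs into millions of dollars a month, before counting the capture, dedupe, and indexing infrastructure, which is the commenter's point about order of magnitude.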

------
throwaway000002
This is sort of an internet architecture question for those in the know.
Assuming there's no issue with client reachability/latency, what's stopping
CloudFlare from having a single IP?

Suppose the IP was behind a fat enough pipe, why not load balance behind it
instead of DNS load-balancing in front of it (and additionally behind each as
I presume now happens)? Also, if that IP was anycast then you could ignore the
issue of client latency as well, assuming you have the necessary private
network behind endpoints to manage state.

If you don't like (or can't solve) the problem at the level of IP anycast, why
not leverage a third-party anycast DNS and just have a few fixed IPs for
specific geographic locales, again with fat enough pipes and load balancing
behind them?

I guess what I'm saying is that there's no reason for an organization, a
monolithic entity, to have more than a handful of IP addresses at most.

~~~
philip1209
My understanding is that they basically "fast flux" IPs to funnel traffic for
a targeted attack to a specific data center. So, while you normally may be
sharing IPs, if an enterprise customer's website example.com starts getting
attacked, they will put it on dedicated IPs, then announce those IPs from one
or two data centers. They will then reroute all other enterprise traffic away
from those data centers, thus minimizing the attack's effect on other
customers. If these websites were all on the same IP, it would be impossible
to distribute traffic selectively between data centers like this.

Another thing they can do is use anycast to load balance across data centers.
So, if a data center rather than a website is the target, the attackers will
need to know which IPs to attack, and can start flooding the IPs announced
from a particular route. However, if this happens then hypothetically
Cloudflare could just stop announcing the IPs at that particular data center,
re-announce them at all the surrounding data centers, and basically spread out
the attack load across multiple sites. If the attackers change the IPs that
they target based on the new routes, then Cloudflare can continue fast-fluxing
the IPs every 5 minutes and mitigate the attack.

It's a pretty cool use of BGP and anycast, and being able to change the IPs of
a website, and where they are announced, in real time is core to Cloudflare's
security.
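The announce/withdraw dance described above can be sketched as a toy model. The class, method, and data-center names below are all hypothetical; this is a simplification for illustration, not Cloudflare's actual system:

```python
# Toy model of "fast flux" attack isolation: customers share anycast IPs
# announced from every data center, until one customer is attacked. The
# victim is then moved to dedicated IPs announced from a single scrubbing
# data center, and everyone else is routed away from that data center.

class EdgeNetwork:
    def __init__(self, datacenters):
        self.datacenters = set(datacenters)
        self.announcements = {}  # customer -> set of DCs announcing its IPs

    def add_customer(self, name):
        # Normally, every data center announces the shared anycast prefix.
        self.announcements[name] = set(self.datacenters)

    def isolate(self, victim, scrub_dc):
        # Victim goes onto "dedicated IPs" announced only at scrub_dc...
        self.announcements[victim] = {scrub_dc}
        # ...and all other customers are withdrawn from that data center,
        # so the attack traffic can't collaterally hit them.
        for name, dcs in self.announcements.items():
            if name != victim:
                dcs.discard(scrub_dc)

net = EdgeNetwork({"AMS", "SFO", "NRT"})
net.add_customer("example.com")
net.add_customer("other.com")
net.isolate("example.com", "SFO")
print(net.announcements["example.com"])           # {'SFO'}
print(sorted(net.announcements["other.com"]))     # ['AMS', 'NRT']
```

In the real system the "announcements" are BGP route advertisements, so changing the mapping is a routing-table update rather than a dict mutation, but the selective-isolation idea is the same.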

~~~
throwaway000002
Thanks for this comment. I guess, along with jgrahamc's sibling comment, you
have to make a routing decision based on (source, port) at most if you have a
fixed IP, since HTTPS ports are stupidly fixed. That is 32+16 bits of
information at most, so an Ethernet MAC's worth. So now I can clarify my
question as follows: with X bits of data, what is the present state-of-the-art
latency for routing T Gbps of traffic? And it's not just that; you also need
good latency when updating that routing table.

Is there any research on the real entropy of (source, port) pairs on the
Internet? There are also real issues like the distribution of (source, port)
being hardly uniform, and especially nasty while undergoing an attack, i.e.
you want to manage latency based on both the distribution and the authenticity
of traffic.

This is a very interesting mathematical problem. I have to work on expressing
it a bit better before I can hope to formulate a solution, but yes, I can
totally see now how BGP, anycast, and DNS TTLs are all knobs for heuristically
solving this problem, instead of some crazy genius use of router TCAM silicon.
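The entropy question is easy to probe empirically once you have a traffic sample. A minimal sketch (the flows below are synthetic, made up for illustration) showing how an attack collapses the empirical entropy of (source, port):

```python
import math
from collections import Counter

def shannon_entropy(samples):
    """Empirical Shannon entropy, in bits, of a list of hashable samples."""
    counts = Counter(samples)
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

# Toy traffic: a uniform mix of 256 distinct flows, versus an "attack"
# sample where a single (source, port) pair dominates.
uniform = [(f"10.0.0.{i}", 40000 + i) for i in range(256)]
attack = [("203.0.113.7", 55555)] * 240 + uniform[:16]

print(shannon_entropy(uniform))  # 8.0 bits: log2(256) for 256 equal flows
print(shannon_entropy(attack))   # well under 1 bit: one flow dominates
```

The uniform mix realizes the full log2(256) = 8 bits, while the skewed sample collapses below 1 bit, which is exactly why the (source, port) distribution under attack is "nasty": the keys you would route on stop discriminating.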

~~~
throwaway000002
As a further observation, it makes the GitHub attack an interesting case
study. You now have to further route on the GET target, and if traffic is
encrypted, the routing decision is pushed to a later stage.

In order to protect latency to other GET targets, you're going to have to
start doing interesting things.

One future solution I can see is to multipath-TCP the anomalous traffic and
close the original connection. But at that point you have to re-filter genuine
vs. malicious traffic, and then there's the encrypted state you have to share
for a proper stream handover. Ooof... what a nightmare.

At least it's an interesting one. :)

------
relaunched
I wonder if this is one of those strategic deals that would lead to an
acquisition. With the push surrounding cloud and Google actively competing
hard in this space, it would make a lot of sense.

~~~
ryanlol
The problem is that (besides the brand) Cloudflare really has nothing to offer
Google. Google has spent the last 20 years solving the same problems CF is
aiming to solve; they've even got a competing service, Google PageSpeed, that
does exactly what CF does, except better (in my personal experience).

~~~
nostrademons
Google sucks at productizing their infrastructure expertise. The underlying
tech at Google is indeed better than CloudFlare's, but CloudFlare understands
marketing, ease of use, product simplicity: all the stuff that is necessary to
get people to actually use your offering.

~~~
MichaelGG
I was pleasantly surprised by Google Compute Engine. I've never used such a
simple IaaS provider. Especially compared to the direction Azure's new portal
is taking, GCE is refreshingly simple. EC2 is alright but still feels a lot
more complicated than GCE. The UI is simpler, too.

------
nulltype
How is this different from before they were a GCP partner?

~~~
Artemis2
It sounds like they are now peering directly. Google could also be operating
Cloudflare's [Railgun](https://www.cloudflare.com/railgun) software at the
edge of their network to reduce content transfer times.

------
jhgg
What does this add? Before the partnership, could gce users not use
cloudflare? Does the peering agreement result in lower transit costs on my gce
bill?

~~~
brandonwamboldt
Did you read the post, specifically the benefits section? Or the Google page
they linked:
[https://www.cloudflare.com/google](https://www.cloudflare.com/google)

It sounds like they now have a peering agreement so Google can directly
communicate with CloudFlare's network, resulting in 2x faster performance. It
looks like that's the primary benefit (other than the regular benefits of
CloudFlare).

~~~
jhgg
They never actually say that the peering agreement results in 2x faster
performance, just that they use SPDY for 2x speed (which is something they've
been doing for a while now).

>2x Web Performance Speed - CloudFlare uses advanced caching and the SPDY
protocol to double web content transfer speeds, making web content transfer
times significantly faster.

------
abritishguy
"double web content transfer times"

That should be speeds.

~~~
josephmx
Maybe they're gonna be twice as slow now?

------
runn1ng
I misread the title and thought that Google has acquired CloudFlare.

And that made me _a little uneasy_.

------
henningschuster
Didn't Google announce their own DDoS protection service some months ago?

~~~
yla92
You mean the Project Shield[1] ?

[1]:
[https://projectshield.withgoogle.com/en/](https://projectshield.withgoogle.com/en/)

------
andygambles
So is this basically GCP and Cloudflare peering with each other?

------
growthape
Cloudways also became a Google Cloud Platform Technology Partner, and Ben
Kepes, an investor in more than 10 cloud companies, wrote about it on Forbes:
[http://www.forbes.com/sites/benkepes/2015/02/04/cloudways-adds-google-compute-engine-to-its-application-hosting-platform/](http://www.forbes.com/sites/benkepes/2015/02/04/cloudways-adds-google-compute-engine-to-its-application-hosting-platform/)

And here's what they have built using Google Cloud Platform:
[http://www.cloudways.com/en/managed-google-compute-engine.php](http://www.cloudways.com/en/managed-google-compute-engine.php)

------
nezo
Is it going to be beta or alpha, like most Google Cloud services?

~~~
oaktowner
Google Product Manager here.

Not sure why you think most Google Cloud Services are in beta.

The Google Cloud products page [1] lists 17 main products. Two are in alpha
(Container Engine, Deployment Manager), one is in beta (Pub/Sub).

The rest are fully supported. There are some beta features here and
there...but saying "most" are in beta is certainly not correct.

[1] [https://cloud.google.com/products/](https://cloud.google.com/products/)

~~~
rgbrenner
_The Google Cloud products page [1] lists 17 main products. Two are in alpha
(Container Engine, Deployment Manager), one is in beta (Pub/Sub). The rest are
fully supported._

Wait a second. I just clicked through the items on that page, and the
following are listed as alpha:

    Container Engine
    Cloud Dataflow
    Cloud Deployment Manager

The following are in beta:

    HTTP/HTTPS Load Balancing
    Virtual Private Network
    Cloud Pub/Sub
    Cloud Monitoring
    Cloud Logging

If these aren't in beta/alpha, then maybe you should update your docs.

~~~
oaktowner
Actually, I just filed a bug internally to fix docs. You're right --
alpha/beta is not clearly shown consistently enough (I missed at least one in
going through that list).

In some cases, there are GA products with alpha/beta features and languages,
so it may be difficult to figure out the best way to communicate this at the
top level (e.g., the examples pointed out for a given feature in a given
language, or HTTP Load Balancing vs. Network Load Balancing).

But in cases where it's clearly a beta product, it should be clear.

------
andrewpe
What percentage of the web traffic flows through CloudFlare now?

~~~
gabeio
Apparently around 5%: [http://www.businessinsider.com/cloudflare-is-ready-to-take-on-cisco-2014-8](http://www.businessinsider.com/cloudflare-is-ready-to-take-on-cisco-2014-8)

------
higherpurpose
Does this mean it will be even harder to DDoS sites protected by Cloudflare
now?

~~~
sudhirj
It's always been hard to DDoS sites protected by Cloudflare. Their business
model is to promise to absorb any DDoS attack against you - and I think
they've delivered so far.

------
cmelbye
Do we have to do anything special to make this work? We've already been using
CloudFlare with our App Engine application, using a CNAME in CloudFlare DNS.

------
TeeWEE
Wait, isn't Google App Engine already using SPDY?

~~~
bingobob
HTTP/2 is replacing SPDY: [http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html](http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html)

------
humanarity
CloudFlare hosts reddit, is that correct?

~~~
zuck9
Yes. The NS records list reddit's nameservers (usually you need to use CF
nameservers to use their service; using your own nameservers requires more
config), but the A records list CF IPs (free users just get two IPs; reddit
has quite a lot):

    
    
        reddit.com.		22	IN	A	198.41.209.143
        reddit.com.		22	IN	A	198.41.208.141
        reddit.com.		22	IN	A	198.41.209.137
        reddit.com.		22	IN	A	198.41.208.139
        reddit.com.		22	IN	A	198.41.208.143
        reddit.com.		22	IN	A	198.41.208.142
        reddit.com.		22	IN	A	198.41.209.139
        reddit.com.		22	IN	A	198.41.209.141
        reddit.com.		22	IN	A	198.41.209.138
        reddit.com.		22	IN	A	198.41.209.140
        reddit.com.		22	IN	A	198.41.208.138
        reddit.com.		22	IN	A	198.41.208.137
        reddit.com.		22	IN	A	198.41.209.142
        reddit.com.		22	IN	A	198.41.208.140
        reddit.com.		22	IN	A	198.41.209.136

~~~
breakingcups
Huh, interesting. I didn't even know they'd allow you to do that. I assumed CF
required full DNS control so they could quickly switch over IPs in case of a
DoS and such.

~~~
zuck9
HN does it via CNAMEs (this doesn't require manual editing of the IPs, and CF
can change them when they need to):

    
    
        news.ycombinator.com.   76  IN  CNAME   news.ycombinator.com.cdn.cloudflare.net.
        news.ycombinator.com.cdn.cloudflare.net. 124 IN A 198.41.191.47
        news.ycombinator.com.cdn.cloudflare.net. 124 IN A 198.41.190.47
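A toy resolver makes the mechanics concrete. The zone dict below mirrors the dig output above, and the lookup logic is a heavy simplification of what a real recursive resolver does:

```python
# Minimal CNAME-chasing lookup over a static record table. The customer's
# name points at a cloudflare.net name, so Cloudflare can repoint that
# name's A records at any time without the customer touching their DNS.

ZONE = {
    "news.ycombinator.com.": (
        "CNAME", "news.ycombinator.com.cdn.cloudflare.net."),
    "news.ycombinator.com.cdn.cloudflare.net.": (
        "A", ["198.41.191.47", "198.41.190.47"]),
}

def resolve(name, zone):
    """Follow CNAME records until an A record is reached."""
    seen = set()
    while True:
        if name in seen:
            raise ValueError("CNAME loop")
        seen.add(name)
        rtype, data = zone[name]
        if rtype == "A":
            return data
        name = data  # CNAME: restart the lookup at the target name

print(resolve("news.ycombinator.com.", ZONE))
# ['198.41.191.47', '198.41.190.47']
```

To move HN to new IPs during an attack, Cloudflare only has to change the A records under the `cdn.cloudflare.net.` entry it controls; the `news.ycombinator.com.` CNAME never changes.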

------
tux
Good time to stop using CloudFlare now :-) Thanks for the heads up OP.

