Cloudflare's new Argo feature billing surprise
106 points by vladr on June 17, 2017 | 40 comments
A heads up for any other Cloudflare customers that have enabled Argo. This feature is supposed to improve performance due to better routing, but what is not mentioned is that any abuse traffic, even explicitly blocked traffic, is still counted against the $0.10 / GB.

I had an attack come in a few days ago generating false traffic and blocked it via Cloudflare's IP firewall. All traffic, including blocked, still counts towards billable per gigabyte bandwidth as confirmed by their support staff. They may sometime in the future separate the counts but for now the support recommendation is to disable Argo.

Cloudflare CTO here. I'll look into this. Doesn't make sense we'd charge you for traffic we filtered out.

But is Argo counting ingress as billable traffic? Can you elaborate on that?

To me, this makes or breaks the deal.

This is definitely a bug and will be addressed.


I'm sorry you're working on Saturday.

This is why most of the folks I know use you guys.

Thanks, looking forward to a speedy resolution!

I could get another job; I like this one. Answering a question from a customer in difficulty is a pleasure.

Plug-in: John, would you be publishing/talking about the path selection algo you designed at some point?

I'm very interested as that's exactly my focus and, at your scale, data is really going to look interesting.


I used to maintain a firewall similar to CloudFlare's and we never charged for filtered traffic; as you say, it makes no sense. My guess is that the traffic that is being charged is not really being filtered out by the firewall in itself but by some other part of the infrastructure, part that is — for some reason — generating some cost. However, being sure that this is just a misunderstanding, I wonder why the CTO didn't know that this was already happening.

No, it looks like the OP is talking about traffic we filter and I'm the CTO and this isn't right.

I don't get that. The traffic is BLOCKED at first PoP by WAF / Firewall. Therefore NONE is hitting the backend using Argo. *According to Cloudflare docs / website

Why are you getting billed for something you are not using (attack is mitigated by Firewall which is paid separately - page rules)?

Can you please elaborate more? We've been thinking of enabling Argo too, but this is just a strange experience you are describing.

Thank you

The attack looks like a layer 7 flood of HTTP requests with random but normal looking user agents. It is being mitigated using the firewall IP block in my specific case as the person is using a single specific dedicated machine.

I was also pretty surprised to hear that these requests also count towards bandwidth billing.

Hi, I have a similar issue and got a huge billing invoice today. I received a bill of $3193.60, which is a huge bill for Argo. I do not recognize the billing and will not accept it, because the bandwidth usage is from the backend API of my website, not the frontend script, and I have set page rules to bypass the Cloudflare system for my API.

Argo should not charge for my API access, only the front end script access. And your Argo is experimental. How can you charge me this huge amount? You are kidding, for a customer who spent $20 monthly on the whole system and suddenly $3193 for a new experimental feature. This is ridiculous, please cancel the billing; I have disabled your Argo.

Cloudflare should estimate the charge amount based on historical bandwidth before the user enables Argo, or this is a rip-off. This is too much money compared to ordinary Cloudflare charges. I will not pay the ridiculous invoice and will cancel all my service if you insist on charging me this amount.

Please contact Cloudflare support

Crude joke, but this so reminds me of the line from the movie Argo. Specifically the joke[1] which later became synonymous with "break a leg" during the movie.

Not that Cloudflare won't fix it, but while reading the post, I couldn't stop hearing it in my head.

[1]: https://www.youtube.com/watch?v=MTjJTsrglDA&feature=youtu.be...

I have been thinking of enabling this feature. Aside from this issue, does it make visible difference in terms of performance?

For a large ecom site hosted primarily in the US, for our European customers it cut TTFB almost in half.

How are you testing this?

I really wonder why we see the opposite result.

Is the site on AWS? Maybe that's the reason for this.

TTFB = time to first byte

It really depends.

If your origin has poor upstream connectivity then it might.

We're on our second Argo experiment. So far it's actually made little difference for some locations and significantly decreased performance in others. Definitely not worth paying for... for us.

You can just enable it, test your performance metrics and disable it.

Replying to myself here but a pet peeve of mine (and all CDNs do this to some extent) is showing "improved" performance on something like... the Pingdom website tester (?) which is a one shot page and asset fetch.

There's really no valid metric that can be derived from a one shot test. Just because the 2nd run with the magic on is "faster" doesn't mean anything. Hundreds of variables could have changed between runs.

Most people use monitoring systems that run synthetics every minute and those are reasonable for an "overview" of trends, but they also don't show you the worst case times that are happening between runs.

If you start getting more granular and monitoring at 5 or 10 second intervals you get to see more real world response times.

On something like CloudFlare the averages (without Argo) are really good, but the max and standard deviation are very high. Hard to beat for $200/month but when you start paying per Gb you should start testing other providers.

Also with the minor but fun benefit of paying $5 each time you toggle the on/off switch.

They fixed that bug after we (and others?) reported it.

It now properly pro-ratas the $5 and even credits back the remainder of the month if you cancel it from the Billing tab.

And lets you re-enable it. :)

It's been hard to measure since turning on Argo coincided with a larger rewrite of the backend. Overall performance is up but the real culprit might have been more of the optimizations on the origin.

You guys should really retest with it off. Might save a bunch of money. :)

Already turned it off and will compare the numbers with the two weeks or so that it was on. Didn't have much of a choice as I did not want to continue racking up a larger bill from the abuse traffic being blocked.

Just to be clear: you're being billed for ingress? That's... odd.

jgrahamc's already in the thread going "this isn't right, I'll be looking into it".

Yeah but he's talking about blocked/filtered traffic.

No CDN that I have used (and we've used Panther Networks, CDNetworks, Cotendo, EdgeCast, Akamai and Fastly) has ever charged us for ingress.

Usually you pay for egress from edges and whatever is going between the edge and origin.

So it would be good to get that clarified so we know.

How is that any different from any other provider? If you have a link from an ISP and block it at your router, security appliance, WAF, etc, you are still charged for it. In this case, Cloudflare is going to be "charged" for it so they attribute the cost to the destination IP.

I assume the same would be true with Argo disabled? If traffic comes in for your IP, it's going to be billed to you.

If I understand Argo correctly, you're basically paying extra for CloudFlare to send the traffic from their first PoP to the backends through their own network as much as possible instead over the public internet. The traffic to the first PoP happens both with and without Argo, so it shouldn't add extra cost over the normal plans.

The question then is if the traffic filtering does happen at the first PoP (and thus wouldn't use resources inside the cloudflare network, which is what you're paying the Argo fee for), or if it has to be sent on and is only filtered later.

That's not how most people using CloudFlare think about it since their plans are flat rate. So when you sign up for this you just expect to pay whatever shows up in your dashboard under bandwidth * 10 cents.

It is surprising to be billed for blocked traffic.

Without Argo, Cloudflare doesn't bill you per gigabyte.

Ah, Cloudflare doesn't bill you per GB as long as your usage fits into the normal plans.

I use Cloudflare and I have a per GB limit/billing without Argo.

What are these limits and what is not "normal"? I'm very curious what makes Cloudflare start charging you on a bandwidth basis. And what are you paying per GB?

General question on Argo - isn't "Argo" what CloudFlare should already be doing? Why is it an extra charge?

Does Cloudflare block the traffic as close to the end user as possible? Curious if this is a case of "blocked traffic still uses a significant amount of their resources" or just a billing software limitation.

The firewall logs for the blocked traffic show it is all being stopped from a single PoP in France. I think this is just a billing limitation but one that might have been put in place on purpose. I honestly hope they change this soon as others are bound to experience similar scenarios.

Could Cloudflare estimate the cost of Argo from a previous month's usage?
