This would be funny, considering my local (EU) tax authority's website is protected by Cloudflare. And the state health insurance website. And the government information website. And the E-government gateway website. And the data protection authority(!) website. In fact I'm struggling to find any government-affiliated website that isn't protected by Cloudflare.
Someone has previously gotten fined for using Akamai, because it involves disclosing the user's IP address to a US company. (In fact, it was to a EU subsidiary of a US company, but due to the CLOUD Act this doesn't matter.)
In theory, IP address is considered personal data only under certain conditions. In practice, those "certain conditions" almost universally apply and you should treat IP addresses as always being personal data.
This blog post is incomplete with respect to Breyer. An IP address is always personal data to an ISP. It's also personal data to anyone who can ask/request/compel the ISP to identify someone based on the IP address. And one of the main conclusions of Breyer is that only happens in an obscure edge-case scenario, that's enough for IP addresses to be considered personal data all the time.
The case specifically was that in the local jurisdiction, there's a law that if a company gets DDOSed they can request the local regulator to ask the ISP to identify a user. This law only gets triggered in very exceptional circumstances, but its existence means that IP addresses are always personal data in that jurisdiction. While that law only covers one part of Germany, the analysis applies to any similar law, of which it is safe to assume there are many.
Sometimes as in it rarely is not. This is the reason you'll risk fines serving images, CSS, JS, fonts, and whatever from a third party web server without first ensuring users' consent to having their IP exposed to those servers.
Yes, US CDNs are definitely illegal under GDPR. They've fined people before for using Google Fonts' CDN because it transmitted residential EU residential IP addresses to someone within the reach of the US government. The law is that you have to have prior consent or it has to be necessary to take steps requested by the Data Subject. US CDNs are not considered necessary because an EU server could host those assets instead.
GDPR just has incredibly sparse, scattershot enforcement because of how disruptive complying with it would be to EU Internet users.
I mean, they're both US companies. Embedding assets from either would clearly be illegal. Arguably if your entire site is on one, accepting user's IP addresses might be considered necessary. I'm not sure a court has addressed that. (They might say you should use an EU host still.)
Or are IPs only a problem in connection with getting user data like name and address? Or is it the IP+cookie combo?