To optimize your website or web application, Cloudflare provides DNS and CDN services, so we can reverse proxy the web traffic to and from your domain.
DNS explained
The Domain Name System (DNS) acts as the Internet’s phonebook, translating domain names (for example, cloudflare.com) into numerical Internet Protocol (IP) addresses (for example, 103.21.244.0).
The IP address is like a home address of where a website lives, and the domain name is the human-readable name.
A DNS query is like asking for directions to a place, and the DNS records are the source-of-truth for what exists where. DNS records live in authoritative DNS servers and provide information about a domain, such as the IP addresses of the servers that host the web content and services on that domain. With this information, Internet browsers know where to find a website or app, so they can render it for visitors using HTTP.
Cloudflare as a DNS provider
When you onboard your website or application to Cloudflare, Cloudflare becomes the primary authoritative DNS provider for your domain. As the primary authoritative DNS provider, Cloudflare responds to DNS queries for your domain, and you manage your domain’s DNS records via the Cloudflare dashboard or API.
Note
Cloudflare only becomes the primary authoritative DNS provider when you use the default, full DNS setup. For alternative options, refer to DNS setups.
If your domain’s status is active and the queried DNS record is set to proxied, Cloudflare responds with an anycast IP address, instead of the origin IP address defined in your DNS table.
Your domain status is active when your nameservers are updated to point to Cloudflare and have been authenticated. The proxy status defines how Cloudflare treats queries for specific DNS records. The anycast IP address is used to distribute traffic amongst Cloudflare’s network, which protects your website or app from DDoS and other attacks, while optimizing site speed.
Cloudflare as a reverse proxy
A reverse proxy is a network of servers that sits in front of web servers and either forwards requests to those web servers, or handles requests on behalf of the web servers. Reverse proxies are typically implemented to help increase security, performance, and reliability of websites and web applications.
The flow of a request from a server through Cloudflare to the origin server when Cloudflare is a reverse proxy.
When Cloudflare receives a DNS query for your domain, the response is determined by the configuration set in your DNS table, including the type of the record, the record’s proxy eligibility, and its proxy status.
When DNS records in your DNS table have a proxied status, the record’s HTTP/HTTPS traffic will route through Cloudflare on its way between the client and the origin server. If the domain’s status is active, all HTTP/HTTPS requests for proxied DNS records route through Cloudflare.
Using Cloudflare as a reverse proxy has several benefits, including:
Load balancing. A reverse proxy can provide a load balancing solution which distributes incoming traffic evenly among different servers to prevent any single server from becoming overloaded. In the event that a server fails completely, other servers can step up to handle the traffic.
Protection from attacks. With a reverse proxy in place, a website or service never needs to reveal the IP address of its origin servers, which makes it much harder for attackers to mount a targeted attack against them, such as a DDoS attack. Instead, the attackers will only be able to target the reverse proxy, such as Cloudflare’s CDN, which will have tighter security and more resources to fend off a cyber attack.
Caching. A reverse proxy can also cache content, resulting in faster performance. For example, if a user in Paris visits a reverse-proxied website with web servers in Los Angeles, the user might actually connect to a local reverse proxy server in Paris, which will then have to communicate with an origin server in L.A. The proxy server can then cache (or temporarily save) the response data. Subsequent Parisian users who browse the site will then get the locally cached version from the Parisian reverse proxy server, resulting in much faster performance.
SSL encryption. SSL/TLS is essential. Without an SSL/TLS certificate, your visitors will find a warning on their browser stating your website or application is not secure. However, encrypting and decrypting SSL (or TLS) communications for each client can be computationally expensive for an origin server. A reverse proxy can be configured to decrypt all incoming requests and encrypt all outgoing responses, freeing up valuable resources on the origin server.
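An added example, not part of the Cloudflare documentation: a proxied record only keeps the origin IP hidden if no DNS-only record in the same DNS table publishes that same address. The audit below runs over a constructed zone; the record field names (`name`, `type`, `content`, `proxied`) and all addresses are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample of a DNS table; the field names are an assumed export
# shape, and every address is from a documentation-only range.
SAMPLE_ZONE = [
    {"name": "www.example.com",  "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "example.com",      "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "mail.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "dev.example.com",  "type": "A", "content": "198.51.100.7", "proxied": False},
    {"name": "api.example.com",  "type": "AAAA", "content": "2001:db8::10", "proxied": True},
    {"name": "ftp.example.com",  "type": "CNAME", "content": "www.example.com", "proxied": False},
]

ADDRESS_TYPES = {"A", "AAAA"}


def protected_origins(records):
    """Origin addresses that sit behind at least one proxied record."""
    return {
        ipaddress.ip_address(r["content"])
        for r in records
        if r["type"] in ADDRESS_TYPES and r["proxied"]
    }


def find_origin_leaks(records):
    """Return DNS-only address records that publish an origin IP which a
    proxied record is meant to keep hidden."""
    hidden = protected_origins(records)
    leaks = []
    for r in records:
        if r["type"] not in ADDRESS_TYPES or r["proxied"]:
            continue  # proxied records answer with an anycast IP, not the origin
        # Compare parsed addresses so differently written IPv6 forms still match.
        if ipaddress.ip_address(r["content"]) in hidden:
            leaks.append((r["name"], r["content"]))
    return sorted(leaks)


if __name__ == "__main__":
    for name, ip in find_origin_leaks(SAMPLE_ZONE):
        print(f"{name} is DNS-only and reveals proxied origin {ip}")
```

Records flagged here are candidates for moving to a separate address, proxying where the record type is eligible, or serving through a tunnel so the origin has no publicly routable IP.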
---
title: Traffic flow through Cloudflare · Cloudflare Fundamentals docs
description: Internet traffic is made up of people, services, and agents requesting online resources from wherever they are hosted. Your resources may be publicly available, like a website or application that anyone on the Internet can access. Or your resources may be privately available, like an internal app or network that only your employees and partners should be able to access.
lastUpdated: 2025-04-22T21:58:09.000Z
source_url:
  html: https://developers.cloudflare.com/fundamentals/concepts/traffic-flow-cloudflare/
  md: https://developers.cloudflare.com/fundamentals/concepts/traffic-flow-cloudflare/index.md
---
Internet traffic is made up of people, services, and agents requesting online resources from wherever they are hosted. Your resources may be publicly available, like a website or application that anyone on the Internet can access. Or your resources may be privately available, like an internal app or network that only your employees and partners should be able to access.
Both public and private resources can be connected to the Cloudflare network to ensure that only good actors can access what they are supposed to access, and that they can do so with high performance.
For example, you may not always want the direct traffic because it can come from malicious sources, like hackers, or in the form of [DDoS attacks](https://www.cloudflare.com/learning/ddos/ddos-attack-tools/how-to-ddos/). Additionally, depending on the location where the request originated, you want to ensure the traffic is [routed through the most efficient and fastest path](https://developers.cloudflare.com/argo-smart-routing/).
## Cloudflare’s network
[Cloudflare’s global network](https://www.cloudflare.com/network/), coupled with [Anycast](https://www.cloudflare.com/learning/dns/what-is-anycast-dns/) IP addressing, ensures that requests are handled by a Cloudflare server that is as close to the source as possible. If you want to protect your traffic and ensure it travels efficiently, you need to configure Cloudflare to be in front of whatever you are trying to protect, such as your application, service, or server. How you put your resources behind Cloudflare’s network will depend on the type of traffic and how you want to control it.
## On-ramp and off-ramp traffic
Traffic that enters Cloudflare’s network is referred to as “on-ramping,” and traffic that exits Cloudflare’s network is referred to as “off-ramping.” You may also know this as ingress and egress or “routing your traffic” through a network.
### On-ramp traffic to Cloudflare
When you on-ramp traffic to Cloudflare, this allows Cloudflare to act on, secure, and increase performance of that traffic.
One example of on-ramping traffic to Cloudflare is updating your public website to use Cloudflare as the primary authoritative [DNS provider](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/#cloudflare-as-a-dns-provider) for your domain.
However, maybe you need to protect a private application that is not directly available on the Internet. In this scenario, you can:
* Connect your private application to Cloudflare using [secure tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/), and use a [device agent](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/) to connect as a user.
* For users already connected to a private company network, connect the entire network to Cloudflare using secure tunnels, and any request from a user device will access the private application through those tunnels.
With these options, any request from a user device can access internal private applications via the secure private tunnels.
Refer to the list below for products you can use to on-ramp traffic to Cloudflare.
* [Anycast routing](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) uses Anycast IP addressing to route traffic to the nearest Cloudflare data center. Selective routing allows an Anycast network to be resilient in the face of high traffic volume, network congestion, and [DDoS attacks](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/).
* [DNS-based](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/#cloudflare-as-a-dns-provider) traffic resolves domains onboarded to [Cloudflare’s CDN](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/). Cloudflare’s DNS directs traffic to Cloudflare’s global network of servers instead of a website’s origin server.
* [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) connects your resources to Cloudflare without a publicly routable IP address so that your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.
* [Magic Transit](https://developers.cloudflare.com/magic-transit/about/) offers DDoS protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks by accepting IP packets destined for your network, processing them, and outputting the packets to your origin infrastructure.
* The [Cloudflare WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/) securely and privately sends traffic from corporate devices to Cloudflare’s global network while also applying advanced Zero Trust policies that check for a device’s health before it connects to corporate applications.
### Off-ramp traffic from Cloudflare
If you need to ensure traffic leaves Cloudflare’s network in a specific way, you can manage how traffic is off-ramped.
For example, if you need to adhere to [regional laws](https://developers.cloudflare.com/data-localization/regional-services/) that govern user traffic and require that data never leaves your country, you can configure off-ramp and on-ramp traffic on servers in the same geographical area.
Or maybe you want to force traffic to off-ramp in a certain country to maintain your users’ experience. For example, if you have employees in India who travel frequently, you can configure the off-ramp traffic to always appear to come from India so websites they visit maintain their language and preferences.
You can also utilize [caching](https://developers.cloudflare.com/cache/) to help with performance. Instead of off-ramp traffic going to a server across the globe, Cloudflare can cache that content locally for the user to reduce the overall time for their request.
Refer to the list below for products you can use to off-ramp traffic from Cloudflare.
* [Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/) detects real-time network issues and routes your web traffic across the most efficient network path, avoiding congestion.
* [Cache](https://developers.cloudflare.com/cache/) works with cached content to avoid off-ramping to origin servers, and instead serves content directly from Cloudflare’s global network.
* [Regional services](https://developers.cloudflare.com/data-localization/regional-services/) lets you choose which subset of data centers decrypt and service HTTPS traffic, which can help customers who have to meet regional compliance or have preferences for maintaining regional control over their data.