Introduction
Content delivery networks have evolved far beyond their original purpose of caching static files closer to users. Today's CDNs are full application delivery platforms that handle security, compute, routing, and optimization — often serving as the primary interface between users and your infrastructure.
This evolution raises a fundamental architectural question: is a CDN a feature of your cloud provider, or is your cloud a feature of your CDN?
Cloudflare, AWS CloudFront, Azure CDN (and its successor Azure Front Door), and Google Cloud CDN represent four distinct answers to this question. Each reflects a different philosophy about where intelligence should live in the stack, how security should be integrated, and what you should pay for.
This comparison goes beyond feature checklists. We will examine the architectural decisions that make each platform fundamentally different — and why those differences compound as you build on top of them.
Architecture and Network Design
The most important difference between these CDNs is not the feature list — it is the network architecture. Every other difference in performance, pricing, and capability flows from this foundational design choice.
Cloudflare: Every Server Runs Everything
Cloudflare operates a single-tier anycast network across 310+ cities in 120+ countries. The critical design decision: every server in every data center runs the full software stack. There is no distinction between "edge" and "origin shield" — every node is both.
When a request hits Cloudflare, the nearest server handles caching, DDoS mitigation, WAF inspection, bot detection, SSL termination, and Workers compute in a single pass. There is no internal hop from an edge node to a regional cache to a security inspection layer. This single-pass architecture reduces latency and eliminates the cascading failure modes that come with multi-tier designs.
For dynamic content, Argo Smart Routing optimizes the path between edge and origin by routing over Cloudflare's private backbone rather than the public internet, reducing latency by an average of 30% according to Cloudflare's published benchmarks.
The key insight: Cloudflare's network IS the product. The CDN, WAF, DDoS protection, and compute are all properties of the same network — not separate services bolted together.
AWS CloudFront: Two-Tier Cache Hierarchy
CloudFront operates a two-tier architecture across 600+ points of presence and 13 regional edge caches. Edge locations handle initial request processing and cache hits, but cache misses route to regional edge caches before reaching the origin. This tiered approach reduces origin load but adds an internal hop for uncached content.
CloudFront's architecture is deeply integrated with the AWS ecosystem. Data transfer from S3, EC2, ALB, and MediaStore origins is free when the origin is in AWS — a powerful economic incentive to keep your entire stack on AWS. Origin groups provide automatic failover between primary and secondary origins, and Origin Access Control (OAC) restricts S3 access exclusively to CloudFront.
The architecture assumes your origin lives in AWS. While CloudFront supports custom (non-AWS) origins, the deepest integrations and cost benefits are reserved for AWS-native workloads.
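Whether OAC really restricts S3 access exclusively to CloudFront depends on the bucket policy, so the following added example (not code from the original article or from AWS) audits a policy for Allow statements that let requests reach the bucket without passing through one specific distribution. The function names, bucket name, account ID and distribution ID are constructed placeholders.

```python
CLOUDFRONT = "cloudfront.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_cloudfront_only(principal):
    """True if the only principal is the CloudFront service principal."""
    return (isinstance(principal, dict) and set(principal) == {"Service"}
            and _as_list(principal["Service"]) == [CLOUDFRONT])


def _pinned_to_distribution(stmt):
    """True if a Condition pins AWS:SourceArn to exact distribution ARN(s)."""
    cond = stmt.get("Condition", {})
    for op in ("StringEquals", "ArnEquals"):
        for key, val in cond.get(op, {}).items():
            arns = _as_list(val)
            # IAM condition keys are case-insensitive.
            if key.lower() == "aws:sourcearn" and arns and all(
                    ":distribution/" in a and "*" not in a for a in arns):
                return True
    return False


def audit_bucket_policy(policy):
    """Return (sid, reason) for each Allow statement that permits access
    other than through one pinned CloudFront distribution."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append((sid, "public principal: bucket is readable directly, bypassing CloudFront"))
        elif _is_cloudfront_only(principal):
            if not _pinned_to_distribution(stmt):
                findings.append((sid, "CloudFront principal without an exact AWS:SourceArn: not limited to one distribution"))
        else:
            findings.append((sid, "principal is not the CloudFront service: review"))
    return findings


# Constructed sample policies (placeholder bucket, account and distribution).
OAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"AWS:SourceArn":
        "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
UNPINNED_POLICY = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in OAC_POLICY["Statement"][0].items() if k != "Condition"}]}

if __name__ == "__main__":
    for name in ("OAC_POLICY", "PUBLIC_POLICY", "UNPINNED_POLICY"):
        print(name, audit_bucket_policy(globals()[name]))
```

The check looks only at principals and the AWS:SourceArn condition; it does not evaluate Deny statements, the granted actions, or the bucket's Block Public Access settings.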
Azure CDN / Azure Front Door: Convergence in Progress
Microsoft's CDN story is a convergence narrative. Azure CDN historically offered three provider tiers — Microsoft, Verizon (Edgio), and Akamai — each with different capabilities, pricing, and management interfaces. This created confusion about which tier to choose and inconsistent behavior across tiers.
Azure Front Door is Microsoft's strategic direction. Front Door Standard and Premium tiers combine global HTTP load balancing, CDN caching, WAF, and DDoS protection into a unified service. It operates on Microsoft's global network (the same backbone that serves Microsoft 365, Xbox, and Bing) across 192+ points of presence.
Front Door's distinguishing feature is Private Link origin support, enabling secure backend connectivity without exposing origins to the public internet. For enterprises already running on Azure, Front Door provides native integration with App Service, Azure Storage, and Azure Kubernetes Service.
The consolidation is still in progress. You will encounter documentation, tutorials, and Stack Overflow answers referencing both Azure CDN and Azure Front Door, sometimes conflating the two. New deployments should use Front Door.
Google Cloud CDN: Coupled to the Load Balancer
Google Cloud CDN is architecturally inseparable from Google's global external HTTP(S) Load Balancer. You do not configure Cloud CDN independently — you enable it as a property of your load balancer backend. This tight coupling means you get CDN caching, health checking, and traffic distribution from a single configuration surface, but it also means you cannot use Cloud CDN without using Google's load balancer.
Google's network advantage is real: Cloud CDN runs on the same infrastructure that serves YouTube, Gmail, and Google Search. The backbone is one of the largest private networks in the world, with 180+ points of presence connected by dedicated fiber.
For streaming and media workloads, Google offers Media CDN as a separate product, built specifically for high-throughput video delivery with features like prefetching and token authentication.
The notable gap: Google Cloud CDN has no native edge compute capability. Unlike Cloudflare Workers or CloudFront Functions, there is no way to run code at Google's edge locations through Cloud CDN. Compute stays in regions.
Content Delivery Capabilities
Beyond architecture, the practical capabilities of each CDN determine what you can build and how much operational work is required.
| Capability | Cloudflare | CloudFront | Azure Front Door | Google Cloud CDN |
|---|---|---|---|---|
| Points of presence | 310+ cities | 600+ PoPs | 192+ PoPs | 180+ PoPs |
| Cache hierarchy | Single-tier (all nodes equal) | Two-tier (edge + regional) | Single-tier | Two-tier (edge + origin shield) |
| Cache purge speed | <150ms global | 10-15 min | Minutes | Seconds |
| Cache key customization | Comprehensive (headers, cookies, query strings, device type) | Cache policies (headers, cookies, query strings) | Route-based rules | Cache key policy |
| WebSocket support | Yes (all plans) | Yes | Yes | No |
| HTTP/3 QUIC | Yes (default) | Yes | Yes | Yes |
| Image optimization | Yes (Polish, Mirage, Image Resizing) | No (requires Lambda@Edge) | No | No |
| Edge compute | Workers (V8 isolates) | Lambda@Edge + CloudFront Functions | Rules Engine (limited) | No |
| Video streaming | Stream (separate product) | Via S3 + MediaConvert | Via Azure Media Services | Media CDN (separate product) |
| Origin shielding | N/A (every node is the shield) | Regional edge caches | Built-in | Origin shielding option |
| Brotli compression | Automatic | Configurable | Configurable | Configurable |
Cache purge speed deserves emphasis. Cloudflare's sub-150ms global purge means you can deploy content changes and know they are live worldwide almost instantly. CloudFront's 10-15 minute invalidation window means stale content may persist across edge locations — a meaningful difference for applications that require immediate content freshness.
Image optimization is another notable differentiator. Cloudflare includes automatic image optimization (Polish for lossless/lossy compression, Mirage for mobile image loading, and Image Resizing for on-the-fly transforms) as built-in features. On AWS, equivalent functionality requires building a Lambda@Edge function or using a third-party service — adding cost, complexity, and maintenance burden.
Security Features
Security integration is where the architectural philosophies diverge most sharply. Cloudflare treats security as inseparable from content delivery. The hyperscalers treat security as additional services you purchase and configure alongside the CDN.
DDoS Protection
| Provider | Offering | Cost | Capacity |
|---|---|---|---|
| Cloudflare | DDoS protection on all plans | $0 (included, unmetered) | 296+ Tbps network capacity |
| AWS | Shield Standard (L3/L4) | $0 (included) | AWS-scale |
| AWS | Shield Advanced (L3/L4/L7 + response team) | $3,000/month + data transfer | Dedicated response team |
| Azure | DDoS Network Protection | $2,944/month per plan | Azure-scale |
| Google | Cloud Armor Standard | Per-policy and per-request pricing | Google-scale |
The pricing difference is stark. Cloudflare provides unlimited, unmetered DDoS mitigation on every plan, including free. AWS Shield Advanced costs $3,000/month with a 12-month commitment. Azure DDoS Protection costs $2,944/month. Google Cloud Armor charges per-policy and per-request.
This is not a minor pricing difference — it reflects a fundamental business model distinction. Cloudflare absorbs DDoS attacks as a cost of operating the network. Hyperscalers treat DDoS protection as a premium service.
Web Application Firewall (WAF)
| Provider | Offering | Cost (approximate) |
|---|---|---|
| Cloudflare | Managed WAF rulesets | Free (basic) / $20/mo (Pro) / $200/mo (Business) |
| AWS WAF | Custom + managed rules | $5/month per web ACL + $1/rule + $0.60/million requests |
| Azure WAF | Managed rules on Front Door | Included in Front Door Premium ($0.065/GB + $0.009/request) |
| Google Cloud Armor | Managed WAF rules | $5/policy/month + $1/rule + $0.75/million requests |
Cloudflare includes WAF rules in its plan pricing with no per-request charges. AWS WAF and Google Cloud Armor use per-rule, per-request pricing that scales with traffic — effective for small sites but expensive at scale. Azure bundles WAF into Front Door Premium pricing.
Bot Management
Cloudflare offers Super Bot Fight Mode on Pro+ plans and Bot Management on Enterprise, using machine learning across its entire network to identify bot traffic. Because Cloudflare sees a meaningful percentage of global HTTP traffic, its bot detection models have an unusually large training dataset.
AWS offers Bot Control as a managed rule group for AWS WAF at approximately $10/month plus $1/million requests. Azure and Google offer similar bot detection capabilities through their respective WAF products.
Pricing Models
Pricing reveals more about a CDN's strategy than any technical specification.
Bandwidth Cost Comparison
Prices as of February 2026. All prices in USD.
| Monthly traffic | Cloudflare | CloudFront | Azure Front Door | Google Cloud CDN |
|---|---|---|---|---|
| 1 TB | $0 | $85 | $81 | $80 |
| 10 TB | $0 | $850 | $810 | $800 |
| 50 TB | $0 | $4,000 | $4,050 | $3,800 |
| 100 TB | $0 | $7,500 | $8,100 | $7,000 |
| 500 TB | $0 | $30,000 | $35,000 | $25,000 |
CloudFront prices based on US/Europe tier. Azure prices based on Front Door Standard tier. Google prices based on North America. All providers offer volume discounts at higher tiers.
Cloudflare's $0 bandwidth pricing is the single most disruptive pricing decision in the CDN market. It makes cost comparison almost absurd at scale — at 500TB/month, you are comparing $0 against $25,000-$35,000/month for bandwidth alone.
How Is Free Bandwidth Sustainable?
This is a legitimate question to ask. Cloudflare's business model does not depend on bandwidth revenue. Instead, Cloudflare monetizes:
- Security services: Pro ($20/mo), Business ($200/mo), Enterprise (custom) plans with advanced WAF, bot management, and DDoS features
- Compute: Workers, Workers KV, Durable Objects, D1, R2
- Zero Trust: Cloudflare Access, Gateway, WARP
- Enterprise features: Custom SSL, dedicated IPs, premium support, SLAs
Bandwidth is a cost of operating the network, and Cloudflare's architecture (single-tier, anycast, no tiered caching) is designed to be bandwidth-efficient. The more traffic on the network, the better their security ML models work, which makes their paid security products more valuable.
Total Cost Considerations
Raw bandwidth cost does not tell the full story. Consider the complete stack:
| Component | Cloudflare (Pro) | CloudFront + Shield Standard + WAF | Azure Front Door Premium | Google Cloud CDN + Armor |
|---|---|---|---|---|
| CDN + 10TB bandwidth | $20/month | $850/month | ~$870/month | ~$800/month |
| DDoS protection | Included | Included (Standard) | Included (basic) | Cloud Armor pricing |
| WAF | Included | ~$25/month+ | Included in Premium | ~$25/month+ |
| SSL/TLS | Included | Included | Included | Included |
| Bot management | Included (basic) | ~$10/month+ | Extra | Extra |
| Image optimization | Included | DIY (Lambda@Edge) | Not available | Not available |
When you factor in security services that Cloudflare bundles into plan pricing, the cost gap widens further.
When Hyperscaler CDN Pricing Makes Sense
The analysis above does not mean Cloudflare is always cheaper when you consider the full infrastructure picture:
- AWS-native origins: Data transfer from S3/ALB to CloudFront is free. If your origin is on AWS, CloudFront avoids the egress cost that you would pay to send data to Cloudflare.
- Azure-native origins: Same principle — Azure CDN/Front Door eliminates internal data transfer costs for Azure origins.
- Google-native origins: Cloud CDN benefits from free internal networking within GCP.
- Existing enterprise agreements: Many enterprises have negotiated committed-use discounts with hyperscalers that significantly reduce published rates.
If your entire stack is on one hyperscaler and you have a negotiated enterprise agreement, the CDN from that provider may be cost-effective even before you factor in operational simplicity of a single vendor.
Developer Experience
Configuration Complexity
Cloudflare's dashboard is designed for a CDN-first workflow: you add a site, change nameservers, and the CDN is active with sensible defaults. Advanced configuration (Page Rules, Cache Rules, Transform Rules) uses a visual rule builder.
CloudFront configuration involves creating distributions with origin groups, cache behaviors, cache policies, origin request policies, and response headers policies. The mental model requires understanding how these layers interact. Infrastructure-as-code via CloudFormation or Terraform is almost essential for non-trivial setups.
Azure Front Door uses a routing architecture with front-end endpoints, routing rules, and backend pools. The configuration surface is smaller than CloudFront but still assumes familiarity with Azure networking concepts.
Google Cloud CDN is configured through the load balancer, meaning you must understand Google's networking model (VPCs, forwarding rules, target proxies, URL maps, backend services) before you can configure CDN caching. It is the most complex setup for CDN-only use cases.
Edge Compute
This is where Cloudflare pulls ahead dramatically:
| Capability | Cloudflare Workers | CloudFront Functions | Lambda@Edge |
|---|---|---|---|
| Runtime | V8 isolates | JavaScript (restricted) | Node.js, Python |
| Cold start | 0ms | 0ms | 100ms-5s |
| Execution location | Every PoP (310+) | Every PoP (600+) | Regional edge caches (13) |
| Max execution time | 30s (paid) | <1ms | 30s (viewer) / 60s (origin) |
| Memory | 128MB | 2MB | 128-10,240 MB |
| Network access | Full fetch API | No | Full |
| Languages | JS/TS, WASM (Rust, C, Go) | JavaScript | Node.js, Python |
Workers can run full applications at the edge. CloudFront Functions are limited to lightweight request/response manipulation (header modification, URL rewrites). Lambda@Edge is powerful but runs only at 13 regional locations with cold starts. Google Cloud CDN and Azure Front Door have no comparable edge compute.
Observability
Cloudflare provides real-time analytics in the dashboard with GraphQL API access for custom queries. Logpush streams logs to storage or analytics services. Workers Analytics Engine enables custom event tracking at the edge.
CloudFront integrates with CloudWatch for metrics and S3 access logs for detailed request-level data. Real-time logs are available via Kinesis Data Streams. The observability is comprehensive but requires assembling multiple AWS services.
Azure Front Door provides built-in analytics with Azure Monitor integration. Google Cloud CDN metrics flow through Cloud Monitoring with request-level logging available in Cloud Logging.
Decision Framework
Choose Cloudflare When:
- Security is a primary concern and you want DDoS, WAF, and bot protection without per-request charges
- Bandwidth costs are significant or unpredictable — Cloudflare's $0 bandwidth eliminates this variable entirely
- You need edge compute — Workers is the most capable and lowest-latency edge compute platform
- You are not locked into a single hyperscaler — Cloudflare works equally well in front of any origin
- You want operational simplicity — single dashboard for CDN + security + compute + DNS
Choose CloudFront When:
- Your origin is on AWS — free data transfer from S3, ALB, and other AWS services makes the economics compelling
- You need Lambda@Edge for server-side rendering, personalization, or A/B testing at the edge
- Deep AWS integration is required — IAM, ACM, WAF, Shield, and CloudWatch are tightly connected
- You have an existing AWS enterprise agreement with negotiated rates
Choose Azure Front Door When:
- Your infrastructure is on Azure — native integration with App Service, AKS, and Azure Storage
- You need Private Link origins for secure backend connectivity without public endpoints
- Enterprise Microsoft ecosystem — Azure AD integration, compliance certifications, Microsoft support contracts
- Hybrid cloud with on-premises — Azure Front Door works with Azure ExpressRoute and hybrid networking
Choose Google Cloud CDN When:
- Your origin is on GCP — tight integration with the global HTTP(S) load balancer
- Media and streaming workloads — Media CDN is purpose-built for high-throughput video delivery
- You are already using Google's load balancer — Cloud CDN is a checkbox, not a separate service to configure
- You do not need edge compute — if your workloads are region-based, the lack of edge compute is not a limitation
The Bigger Picture
The CDN market reflects a broader strategic divergence in cloud computing. Cloudflare is building a global network where every location is a full-capability node — the CDN, the compute platform, the security layer, and the database runtime are all the same thing. The hyperscalers are building regional data centers with edge locations that serve as lightweight cache proxies.
Neither approach is universally better. Cloudflare's model excels for latency-sensitive, globally distributed, security-critical workloads. The hyperscaler model excels for compute-heavy, region-specific workloads that benefit from deep ecosystem integration.
The honest assessment: if your entire stack is on one hyperscaler and your traffic is predictable, the CDN from that hyperscaler is likely the pragmatic choice. But if you are evaluating CDN capabilities independently — or if bandwidth costs, security, and edge compute matter — Cloudflare's architecture is genuinely differentiated in ways that go beyond pricing.
Understanding these architectural differences is more valuable than memorizing feature comparisons. The features change quarterly. The architectural philosophies change over decades.