Introduction
Web security is where the architectural philosophy differences between cloud providers become most consequential. The question is not just "which WAF has better rules?" — it is "how is security integrated into the platform, and what does that integration mean for coverage, cost, and operational complexity?"
Cloudflare's approach: security is a property of the network. Every request that traverses Cloudflare's network is inspected for DDoS attacks, application-layer threats, bot traffic, and API abuse — in a single pass, at every edge location, on every plan including free.
The hyperscaler approach: security is a set of services you purchase, configure, and assemble. AWS offers Shield (DDoS), WAF (application firewall), Bot Control (bot management), and Firewall Manager (centralized management) as separate products with separate pricing. Azure and Google follow similar patterns.
Neither approach is inherently superior. Inline security is simpler and often cheaper. Modular security offers more granular control and deeper integration with cloud-native workloads. Understanding these trade-offs is essential for choosing the right security architecture.
DDoS Protection
Architecture: How Each Provider Absorbs Attacks
Cloudflare mitigates DDoS attacks at the edge, using its full 296+ Tbps network capacity. Because every Cloudflare server runs DDoS detection and mitigation logic, attacks are absorbed at the nearest point of presence — traffic never reaches your origin. Mitigation is automatic, always-on, and applies to all traffic types (HTTP, HTTPS, TCP, UDP, DNS).
Cloudflare's DDoS detection uses a combination of dynamic fingerprinting, traffic analysis, and machine learning trained on the enormous volume of traffic flowing through the network. When an attack is detected, mitigation rules are deployed globally within seconds.
AWS Shield Standard provides automatic L3/L4 DDoS protection for all AWS resources at no cost. It protects against SYN floods, UDP reflection, and other volumetric attacks. Shield Standard is always-on and requires no configuration.
AWS Shield Advanced ($3,000/month, 12-month commitment) adds L7 DDoS protection, real-time attack visibility, the DDoS Response Team (DRT) for 24/7 expert assistance during attacks, and cost protection — AWS credits any scaling charges (EC2 auto-scaling, CloudFront bandwidth spikes) caused by DDoS attacks. Shield Advanced integrates with AWS WAF for application-layer DDoS rules.
Azure DDoS Protection comes in two tiers:
- DDoS Infrastructure Protection: Free, basic, automatic protection for all Azure resources
- DDoS Network Protection: $2,944/month per plan, covering up to 100 public IP resources. Adds adaptive tuning, attack analytics, rapid response support, and cost protection against DDoS-related scaling costs
Google Cloud Armor provides DDoS protection as part of its security platform, integrated with Google's global load balancer. Standard tier includes basic DDoS mitigation. Cloud Armor Managed Protection Plus (custom pricing) adds adaptive protection with ML-based threat detection and Google's DDoS response team.
DDoS Protection Comparison
| Dimension | Cloudflare | AWS Shield | Azure DDoS | Google Cloud Armor |
|---|---|---|---|---|
| Free tier | Full L3/L4/L7 protection | L3/L4 only (Standard) | Basic infrastructure | Standard tier |
| Premium tier | Included in all plans | $3,000/month (Advanced) | $2,944/month (Network) | Custom (Managed Protection Plus) |
| Network capacity | 296+ Tbps | Not disclosed | Not disclosed | Not disclosed |
| Time to mitigate | Seconds (automatic) | Seconds (Standard), minutes (Advanced L7) | Minutes | Seconds to minutes |
| L7 DDoS protection | All plans | Shield Advanced only | DDoS Network Protection | Cloud Armor |
| Attack analytics | All plans (dashboard) | Shield Advanced only | DDoS Network Protection | Standard and Plus |
| Response team | Enterprise plan | Shield Advanced DRT | DDoS Network Protection | Managed Protection Plus |
| Cost protection | N/A (no bandwidth charges) | Shield Advanced | DDoS Network Protection | Not available |
| Resources protected | All proxied traffic | AWS resources | Azure public IPs | Load-balanced resources |
The cost protection difference deserves emphasis. During a DDoS attack, AWS auto-scaling may spin up additional EC2 instances and CloudFront may serve additional bandwidth — generating charges that can reach thousands of dollars. Shield Advanced refunds these charges. Cloudflare sidesteps this entirely: there are no bandwidth charges to protect against, and the edge absorbs the attack without scaling origin infrastructure.
Notable DDoS Incidents
Cloudflare has publicly documented mitigating some of the largest DDoS attacks ever recorded, including a 71 million requests-per-second HTTP DDoS attack in February 2023 and multiple attacks exceeding 2 Tbps. These disclosures demonstrate both the scale of attacks the platform handles and Cloudflare's willingness to publish detailed technical analyses.
AWS, Azure, and Google have mitigated similarly large attacks but publish less detailed public information about specific incidents. AWS documented mitigating a 2.3 Tbps attack in 2020.
Web Application Firewall (WAF)
WAF Architecture
Cloudflare WAF runs inline at every edge location. Every HTTP request passing through Cloudflare is evaluated against WAF rules before reaching the origin. The WAF includes:
- Cloudflare Managed Ruleset: Rules maintained by Cloudflare's security team, covering OWASP Top 10, CVE-specific rules, and emerging threats
- Cloudflare OWASP Core Ruleset: Implementation of the OWASP ModSecurity Core Rule Set
- Exposed Credentials Check: Detects requests using leaked username/password combinations
- Custom rules: Write your own rules using Cloudflare's expression language (wirefilter syntax)
- Rate limiting rules: Configurable thresholds on paths, methods, headers, and more
AWS WAF attaches to CloudFront distributions, API Gateway, ALB, AppSync, or Cognito User Pools. You create web ACLs containing rule groups:
- AWS Managed Rules: Free rule groups maintained by AWS (Core Rule Set, Known Bad Inputs, SQL injection, etc.)
- AWS Marketplace Rules: Third-party rule groups from F5, Fortinet, Imperva, Trend Micro, and others
- Custom rules: Match on IP, headers, body, query strings, geo, labels
- Rate-based rules: IP-based rate limiting
- Bot Control: Separate managed rule group for bot detection
Azure WAF runs on Azure Front Door or Application Gateway:
- OWASP Core Rule Set (CRS): Standard OWASP rulesets (3.2, 3.1, 3.0, 2.2.9)
- Microsoft threat intelligence: Rules from Microsoft's security research
- Bot protection: Bot manager ruleset for Front Door Premium
- Custom rules: Match on IP, geo, request attributes
- Rate limiting: Custom rate limit rules
- Exclusions: Per-rule exclusions for false positive management
Google Cloud Armor integrates with the global HTTP(S) load balancer:
- Preconfigured WAF rules: ModSecurity Core Rule Set compatible
- Adaptive Protection: ML-based anomaly detection that generates suggested rules
- Custom rules: Match on headers, IP, geo, and request attributes using a custom expression language
- Rate limiting: IP-based and path-based
- Named IP lists: Google-maintained lists of known good/bad IPs
- Bot management: Via reCAPTCHA Enterprise integration
WAF Feature Comparison
| Feature | Cloudflare WAF | AWS WAF | Azure WAF | Google Cloud Armor |
|---|---|---|---|---|
| Deployment model | Inline (every PoP) | Attached to specific resources | Front Door or App Gateway | Load balancer integration |
| Managed rulesets | Cloudflare + OWASP | AWS + marketplace (20+ vendors) | OWASP CRS + Microsoft | ModSecurity CRS + Google |
| Custom rules | Wirefilter syntax | 5 conditions per rule | Match conditions | Custom expression language |
| Rate limiting | Flexible (path, header, cookie, method) | IP-based, 5-min windows | Custom rules | IP and path-based |
| IP reputation | Built-in (threat score) | IP sets (manual) | IP restriction | Named IP lists |
| Geo blocking | Yes (country, continent) | Yes (country) | Yes (country) | Yes (country, region) |
| Request body inspection | Yes (all plans) | Yes (first 8/16/32/64KB) | Yes | Yes (first 8KB) |
| Response inspection | Yes (Enterprise) | No | No | No |
| Managed rule updates | Automatic, global, seconds | Automatic, hours-days | Automatic, hours-days | Automatic, hours-days |
| False positive management | Per-rule skip/disable | Per-rule exclusion, scoped-down | Per-rule exclusion | Per-rule exclusion |
| Logging | Firewall Events (dashboard), Logpush | CloudWatch, S3, Kinesis | Azure Monitor, Log Analytics | Cloud Logging |
WAF Pricing Comparison
Prices as of February 2026.
| Component | Cloudflare | AWS WAF | Azure WAF (Front Door) | Google Cloud Armor |
|---|---|---|---|---|
| Base cost | $0 (free plan) / $20/mo (Pro) / $200/mo (Business) | $5/web ACL/month | Included in Front Door tier | $5/policy/month |
| Per-rule cost | Included | $1/rule/month | Included | $1/rule/month |
| Per-request cost | Included | $0.60/million requests | Included in Front Door pricing | $0.75/million requests |
| Bot management | Included (Pro+: Super Bot Fight Mode) | $10/month + $1-10/million requests | Front Door Premium | reCAPTCHA Enterprise pricing |
| Managed rulesets | Included in plan | Free (AWS) / $20-40/mo (marketplace) | Included | Included |
| Custom rules limit | 5 (free) / 20 (Pro) / 100 (Business) | 10 per web ACL (soft limit) | 100 per policy | 10 per policy |
Cost at scale example: 100 million requests/month, 10 custom rules, managed rulesets, bot protection:
| Provider | Approximate Monthly Cost |
|---|---|
| Cloudflare Pro | $20 |
| Cloudflare Business | $200 |
| AWS WAF + Bot Control | $85 (web ACL + rules + requests + Bot Control) |
| Azure Front Door Premium | ~$400+ (Front Door Premium base + traffic) |
| Google Cloud Armor | $120 (policy + rules + requests) |
Cloudflare Pro at $20/month provides WAF protection that costs $85-400+ on other platforms. At the Business tier ($200/month), you get advanced rate limiting and additional rulesets that compete with Enterprise-tier offerings elsewhere.
Zero-Day Response Speed
One of Cloudflare's most compelling security advantages is response speed to emerging threats. When a critical vulnerability is disclosed, Cloudflare can deploy WAF rules to all customers globally within hours — sometimes within a single hour.
Documented examples:
- Log4Shell (CVE-2021-44228): Cloudflare deployed WAF rules within hours of disclosure, protecting all customers before many could patch
- Spring4Shell (CVE-2022-22965): Rules deployed same day
- HTTP/2 Rapid Reset (CVE-2023-44487): Cloudflare detected the attack pattern in the wild, disclosed the vulnerability, and had mitigations in place before the CVE was published
This speed is an architectural advantage: Cloudflare pushes rules from a single control plane to every edge location in seconds. Hyperscaler managed rule updates typically take 24-72 hours to propagate, during which customers are exposed.
Bot Management
Bot traffic now represents a significant portion of internet traffic — estimates range from 30-50% of all web requests. Distinguishing legitimate bots (search engines, monitoring services) from malicious bots (credential stuffing, scraping, inventory hoarding) is a critical security capability.
Bot Detection Approaches
Cloudflare Bot Management uses multiple signals:
- Machine learning models trained on patterns across ~20% of global web traffic — by far the largest training dataset in the industry
- JavaScript fingerprinting (challenge pages) that detects headless browsers and automation tools
- Behavioral analysis tracking mouse movements, keystroke patterns, and interaction timing
- Bot score (0-100) available in Workers and WAF rules for custom logic
- Verified bot directory — known good bots (Googlebot, Bingbot) are automatically allowed
- Super Bot Fight Mode (Pro/Business): Simplified bot management with block/challenge options
- Full Bot Management (Enterprise): Bot score API, custom actions, detailed analytics
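The bullets above say the bot score is available in Workers for custom logic; this added example (not Cloudflare's code) shows a Worker-style decision function that consumes the 0-100 score and the verified-bot flag exposed on `request.cf.botManagement`. The paths, thresholds and actions are assumptions constructed for the illustration.

```javascript
// Added example, not Cloudflare's code: decision logic a Worker could apply
// using the bot score (0-100, low = likely automated) and the verified-bot
// flag that Cloudflare Bot Management exposes on request.cf.botManagement.
// The sensitive paths and thresholds below are assumptions for this example.
const SENSITIVE = [/^\/login$/, /^\/api\/checkout/];

function classifyRequest(cf, pathname, method) {
  const bm = cf && cf.botManagement;
  // Plans without Bot Management expose no score: do nothing here and rely on WAF rules.
  if (!bm || typeof bm.score !== "number") return "allow";
  // Verified bot directory: known-good crawlers are allowed regardless of score.
  if (bm.verifiedBot) return "allow";
  // Treat state-changing requests to login/checkout as the sensitive surface.
  const sensitive = method !== "GET" && SENSITIVE.some((re) => re.test(pathname));
  if (bm.score <= 10) return sensitive ? "block" : "challenge";
  if (bm.score <= 30 && sensitive) return "challenge";
  return "allow";
}

async function handle(request) {
  const url = new URL(request.url);
  const action = classifyRequest(request.cf, url.pathname, request.method);
  if (action === "block") return new Response("forbidden", { status: 403 });
  if (action === "challenge") {
    // Issuing the managed challenge belongs to a WAF custom rule on
    // cf.bot_management.score; here the request is simply refused (assumption).
    return new Response("verification required", { status: 403 });
  }
  return fetch(request); // pass the request through to the origin
}

// In a Worker module this is the fetch handler: export default { fetch: handle };
```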
AWS Bot Control is a managed rule group for AWS WAF:
- Common level ($10/month + $1/million requests): Detects common bots via IP reputation, user agent analysis, and fingerprinting
- Targeted level ($10/month + $10/million requests): Advanced detection for credential stuffing and account takeover, using browser fingerprinting and behavioral analysis
- Bot score labels applied to requests for custom rule logic
Azure Bot Protection is available as part of Front Door Premium and Application Gateway WAF:
- Bot manager ruleset: Categorizes bots as good, bad, or unknown
- Microsoft threat intelligence: Bot IP reputation data
- Custom rules: Rate limiting and geo-blocking for bot mitigation
Google reCAPTCHA Enterprise is Google's primary bot mitigation offering:
- Score-based assessment (0.0 to 1.0) without user friction (invisible reCAPTCHA)
- Account defender: Detects account-level abuse patterns
- Password leak detection: Checks credentials against known breach databases
- WAF integration: Cloud Armor can use reCAPTCHA scores in security policies
Bot Management Comparison
| Dimension | Cloudflare | AWS Bot Control | Azure Bot Protection | Google reCAPTCHA Enterprise |
|---|---|---|---|---|
| Training data | ~20% of global web traffic | AWS traffic patterns | Microsoft traffic patterns | Google traffic patterns (Search, Ads) |
| Detection method | ML + JS fingerprint + behavioral | IP reputation + fingerprint + behavioral | IP reputation + rules | Score-based assessment + behavioral |
| Bot score/label | 0-100 score | Labels (verified, common, targeted) | Categories (good, bad, unknown) | 0.0-1.0 score |
| Customizable actions | Block, challenge, managed challenge, skip | Block, CAPTCHA, count | Block, allow, redirect | Score threshold actions |
| CAPTCHA/Challenge | Managed challenge (Turnstile) | AWS CAPTCHA | N/A | reCAPTCHA (invisible and interactive) |
| API protection | Yes (API Shield) | Through WAF rules | Through WAF rules | Account defender API |
| Cost (typical) | $20/mo (Pro) for basic, Enterprise for full | $10/mo + $1-10/M requests | Front Door Premium | $1/1K assessments (first 10K free) |
Cloudflare's Turnstile deserves mention as their CAPTCHA replacement. Unlike traditional CAPTCHAs that require users to solve visual puzzles, Turnstile runs a series of non-interactive browser challenges to verify humanity. It is available as a free standalone product — even for sites not on Cloudflare — which serves as a pipeline into the broader Cloudflare ecosystem.
API Security
API traffic is the fastest-growing attack surface. Traditional WAF rules designed for HTML form submissions are often insufficient for protecting JSON/GraphQL APIs.
Cloudflare API Shield provides:
- Schema validation: Upload your OpenAPI schema, and Cloudflare rejects requests that do not conform to the defined endpoints, methods, and parameters
- Mutual TLS (mTLS): Client certificate authentication for API consumers
- Sequence enforcement: Detect and block out-of-order API calls (e.g., checkout without cart)
- Volumetric abuse detection: ML-based detection of unusual API call patterns
- API discovery: Automatically identify and catalog API endpoints from traffic patterns
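What schema validation at the edge does, shown as an added example in plain JavaScript that is not Cloudflare's implementation: requests are accepted only when method and path match an operation in the OpenAPI document and their parameters are present and well-typed. The OpenAPI fragment, the paths and the strict rejection of undeclared query parameters are assumptions constructed for the illustration.

```javascript
// Added illustration (not Cloudflare's implementation) of schema validation:
// a request passes only when its method and path match an operation in the
// OpenAPI document and its parameters are present and well-typed.
// The schema below and the strict "undeclared query parameter" rule are
// assumptions constructed for this example.
const openapi = {
  paths: {
    "/orders": {
      get: { parameters: [{ name: "limit", in: "query", required: false, schema: { type: "integer" } }] },
      post: { parameters: [] },
    },
    "/orders/{id}": {
      get: { parameters: [{ name: "id", in: "path", required: true, schema: { type: "integer" } }] },
    },
  },
};

// Turn each path template into a regex and remember the names of its path parameters.
function compilePaths(doc) {
  return Object.entries(doc.paths).map(([template, ops]) => {
    const names = [];
    const pattern = template.replace(/\{([^}]+)\}/g, (_, name) => {
      names.push(name);
      return "([^/]+)";
    });
    return { template, re: new RegExp("^" + pattern + "$"), names, ops };
  });
}

// Minimal checks for the primitive types an OpenAPI parameter schema can declare.
function typeOk(value, type) {
  switch (type) {
    case "integer": return /^-?\d+$/.test(value);
    case "number": return value !== "" && !Number.isNaN(Number(value));
    case "boolean": return value === "true" || value === "false";
    default: return typeof value === "string";
  }
}

function validate(routes, method, urlString) {
  const url = new URL(urlString, "https://api.example.invalid");
  const route = routes.find((r) => r.re.test(url.pathname));
  if (!route) return { ok: false, reason: "unknown endpoint" };
  const op = route.ops[method.toLowerCase()];
  if (!op) return { ok: false, reason: "method not allowed" };
  const match = route.re.exec(url.pathname);
  const pathValues = Object.fromEntries(route.names.map((n, i) => [n, match[i + 1]]));
  for (const p of op.parameters || []) {
    const value = p.in === "path" ? pathValues[p.name] : url.searchParams.get(p.name);
    if (value == null) {
      if (p.required) return { ok: false, reason: `missing ${p.in} parameter ${p.name}` };
      continue;
    }
    if (!typeOk(value, p.schema.type)) return { ok: false, reason: `bad type for ${p.name}` };
  }
  // Strict mode: query parameters the operation does not declare are rejected too.
  const declared = new Set((op.parameters || []).filter((p) => p.in === "query").map((p) => p.name));
  for (const key of url.searchParams.keys()) {
    if (!declared.has(key)) return { ok: false, reason: `undeclared query parameter ${key}` };
  }
  return { ok: true };
}
```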
AWS handles API security through a combination of services:
- API Gateway: Authentication (IAM, Cognito, Lambda authorizers), throttling, request validation
- AWS WAF on API Gateway: Application-layer protection
- Amazon API Gateway REST APIs: Request/response validation against models
Azure API Management provides:
- Authentication policies (OAuth 2.0, JWT validation, client certificates)
- Rate limiting and quotas
- Request/response transformation and validation
- Integration with Azure WAF when deployed behind Front Door
Google Apigee (separate enterprise product) and Cloud Endpoints provide API management:
- API key management, OAuth 2.0, JWT validation
- Spike arrest and quota policies
- Analytics and monitoring
Cloudflare's API Shield is notable because it operates at the edge with no additional latency — schema validation happens inline at the same point where DDoS and WAF processing occur. On hyperscalers, API security typically involves a separate API gateway service with its own latency and cost.
Security Architecture: Inline vs Modular
This is the fundamental strategic question.
Cloudflare: Single-Pass Inline Security
When a request reaches Cloudflare, it passes through a single processing pipeline:
User → Cloudflare Edge PoP
→ DDoS detection
→ Bot scoring
→ WAF rule evaluation
→ Rate limiting
→ API Shield validation
→ SSL/TLS termination
→ (Optional: Workers compute)
→ Origin
Everything happens at the same edge location, in the same request processing path, with no additional network hops. Adding DDoS protection does not add latency because it is the same system. Enabling WAF does not route traffic through an additional service.
Advantages:
- Lower latency (single processing point)
- Simpler configuration (one dashboard, one rule engine)
- No "assembly required" — DDoS, WAF, bot management, and API security work together automatically
- Cost is predictable (plan-based pricing, not per-service billing)
Disadvantages:
- Less granular control over individual security components
- Limited ability to choose best-of-breed for each layer
- All-or-nothing proxy model for full features (DNS must point to Cloudflare)
Hyperscalers: Modular Security Stack
On AWS, a comparable security stack requires assembling multiple services:
User → CloudFront (DDoS: Shield Standard)
→ AWS WAF (application rules)
→ Bot Control (managed rule group)
→ Custom rules
→ Rate-based rules
→ API Gateway (API security)
→ Lambda Authorizer (auth)
→ ALB (load balancing)
→ EC2/ECS (application)
Each service is configured independently with its own pricing, IAM policies, logging, and monitoring.
Advantages:
- Granular control over each security layer
- Can choose different protection levels for different resources
- Deep integration with cloud-native services (IAM, KMS, CloudWatch)
- Third-party marketplace for specialized rule sets
Disadvantages:
- Complexity: configuring and maintaining multiple services
- Cost opacity: each service bills independently, total cost is hard to predict
- Integration gaps: services may not share context (e.g., WAF rules cannot easily reference Shield attack data)
- Latency: each additional service can add processing time
Pricing Philosophy
The pricing comparison reveals fundamentally different business models:
Security Cost at Different Scales
Small business (1 domain, moderate traffic):
| Provider | Configuration | Monthly Cost |
|---|---|---|
| Cloudflare | Pro plan | $20 |
| AWS | Shield Standard + WAF (1 ACL, 5 rules) + Bot Control | ~$30 |
| Azure | Front Door Standard + WAF | ~$50+ |
| Google | Cloud Armor (1 policy, 5 rules) | ~$15 |
Mid-market (5 domains, significant traffic, 50M requests/month):
| Provider | Configuration | Monthly Cost |
|---|---|---|
| Cloudflare | Business plan (5 domains) | $1,000 |
| AWS | Shield Standard + WAF (5 ACLs, 20 rules) + Bot Control | ~$500 |
| Azure | Front Door Premium (5 domains) + DDoS Protection | ~$4,500 |
| Google | Cloud Armor (5 policies, 20 rules) | ~$175 |
Enterprise (50+ domains, L7 DDoS protection, advanced bot management):
| Provider | Configuration | Monthly Cost |
|---|---|---|
| Cloudflare | Enterprise (custom) | Custom (typically $5K-50K+) |
| AWS | Shield Advanced + WAF + Bot Control Targeted | $3,000+ base + per-request |
| Azure | DDoS Network Protection + Front Door Premium | $3,000+ base + traffic |
| Google | Cloud Armor Managed Protection Plus | Custom |
At the small and mid-market level, Cloudflare's bundled pricing is significantly cheaper for equivalent protection. At the enterprise level, pricing becomes custom and negotiated across all providers.
The critical difference: Cloudflare's security costs are fixed per plan. Hyperscaler security costs scale with traffic volume. A DDoS attack against your AWS infrastructure can increase your security bill (Shield Advanced protects against this, but that is an additional $3,000/month). A DDoS attack against your Cloudflare-protected site costs you nothing extra.
Estimates based on published pricing as of February 2026. Actual costs may vary by region, commitment, and usage patterns.
Decision Framework
Choose Cloudflare Security When:
- Simplicity matters — you want comprehensive security from a single platform, not an assembly of services
- Budget predictability — plan-based pricing with no per-request charges for security features
- Speed of protection — Cloudflare's zero-day rule deployment speed (hours vs days) provides faster coverage
- DDoS is a primary concern — unlimited, unmetered mitigation on all plans is unmatched
- You serve web traffic — Cloudflare's inline model is optimized for HTTP/HTTPS workloads
- Bot management at lower cost — Super Bot Fight Mode on Pro ($20/mo) vs AWS Bot Control ($10+/mo with per-request charges)
Choose AWS Security Stack When:
- Deep AWS integration — Shield Advanced protects ALB, CloudFront, Route 53, Global Accelerator, and EC2 natively
- Granular control — you need different security policies for different services with different rule sets
- Third-party rule marketplace — WAF Marketplace offers specialized rulesets from 20+ security vendors
- Cost protection during attacks — Shield Advanced refunds DDoS-related scaling charges
- Compliance requirements — AWS security certifications and FedRAMP compliance for government workloads
- 24/7 DDoS response team — Shield Advanced includes dedicated AWS DDoS experts
Choose Azure Security When:
- Microsoft ecosystem — native integration with Azure AD, Sentinel (SIEM), and Defender for Cloud
- Enterprise governance — Azure Policy for security baseline enforcement across teams
- Hybrid architectures — Azure security extends to on-premises via Azure Arc and ExpressRoute
- Centralized security management — Azure Security Center provides unified security posture management
Choose Google Cloud Armor When:
- ML-based adaptive protection — Adaptive Protection automatically generates security rules based on traffic anomalies
- reCAPTCHA integration — if you already use reCAPTCHA, Cloud Armor can leverage scores for security decisions
- Cost-sensitive at smaller scale — Cloud Armor Standard tier is competitively priced for basic protection
- GCP-native workloads — tight integration with Google's global load balancer
The Strategic Picture
Web security is the domain where Cloudflare's "security is a network property" philosophy pays the largest dividends. When every request traverses a network that runs DDoS mitigation, WAF inspection, bot detection, and API security in a single pass, the result is:
- Lower latency — no additional hops through separate security services
- Simpler operations — one configuration surface instead of five separate services
- Predictable cost — plan pricing instead of per-request billing across multiple services
- Faster protection — centralized rule deployment in seconds, not days
The honest counterpoint: the hyperscalers offer deeper integration with their compute ecosystems, more granular per-resource policies, and third-party rule marketplaces that Cloudflare does not match. If your security requirements include complex per-service WAF configurations, compliance-specific rule sets from specialized vendors, or DDoS cost protection for auto-scaling infrastructure, the hyperscaler model provides capabilities that Cloudflare's bundled approach does not.
For web-facing applications — which is the vast majority of what needs protecting — Cloudflare's inline security model is both more effective and more cost-efficient. For complex cloud-native architectures with dozens of internal services requiring different security policies, the modular approach has genuine advantages.
The most common and pragmatic architecture: use Cloudflare for perimeter security (DDoS, WAF, bot management at the edge) and your cloud provider's security tools for internal service-to-service protection (IAM, VPC security groups, service mesh). These layers complement rather than compete.