Overview
What Cloudflare is in 2026 — the unified network + edge + security + AI platform — who this track is for, and what you'll build.
Cloudflare started life in 2010 as a CDN + DNS service for small websites. Fifteen years later it’s something much weirder and more useful: a single platform that combines an anycast network at internet scale, a programmable edge compute runtime, a Zero Trust security suite, and a growing AI-inference layer — all reachable via one API, one CLI (wrangler), and one set of credentials.
This track is for engineers who’ve used Cloudflare for “the DNS and the CDN” and want to understand the rest of the platform — Tunnels, Zero Trust, Workers, Magic networking, Workers AI — and where each piece fits.
Who this is for
Engineers who:
- Know what DNS is, have set up a CNAME, and have heard of anycast.
- Have a website behind Cloudflare or want to put one there.
- Are running a backend or production application and are interested in moving more of it to the edge — or in protecting it without moving it.
- Want a real mental model for Zero Trust, ZTNA, SASE and where Cloudflare’s products fit those frameworks.
If you’ve never set up a Cloudflare account, do that first — five minutes, free tier — then come back here.
What you’ll learn
After the track:
- The anycast edge network as a primitive, and why it changes what’s worth doing at “the edge.”
- Cloudflare Tunnel — how to expose private origins to the internet without opening inbound ports or NAT-traversal pain.
- Cloudflare Zero Trust / Cloudflare One — the unified ZTNA + SWG platform; how Tunnel, Access, Gateway, and WARP fit together.
- Cloudflare Access — identity-aware proxy for internal apps; the replacement for VPN that doesn’t suck.
- Cloudflare Gateway — DNS + HTTP filtering for outbound traffic; the secure web gateway tier.
- Magic networking — Magic Transit, Magic WAN, Magic Firewall — Cloudflare as a layer-3 / layer-4 network plane for entire offices and data centers.
- Workers — the V8-isolate edge compute runtime; how it differs from Lambda; what it’s good and bad at.
- Workers data stack — KV, D1, R2, Durable Objects, Queues, Hyperdrive, Vectorize — the persistence primitives you’ll actually use.
- Workers AI and AI Gateway — running LLM inference on the edge, routing between providers, observability and caching.
- Pages — static and dynamic hosting via the same platform that runs this blog.
- The security stack — WAF, DDoS, Bot Management, Page Shield, API Shield — what’s automatic, what needs config.
- A capstone where you wire several of these together into one working system.
The 14-module map
| # | Module | What you build / understand |
|---|---|---|
| 00 | Overview (this page) | — |
| 01 | The Cloudflare Network | Anycast, PoPs, the data plane that everything else rides on |
| 02 | DNS and CDN fundamentals | The original products — set up correctly, with TLS modes that make sense |
| 03 | Cloudflare Tunnel | A private origin reachable from the internet without inbound ports |
| 04 | Zero Trust / Cloudflare One | The umbrella that ties Tunnel, Access, Gateway, WARP together |
| 05 | Cloudflare Access | Identity-aware proxy for an internal app, no VPN |
| 06 | Cloudflare Gateway | Outbound DNS and HTTP filtering for a fleet of laptops |
| 07 | Magic networking | Magic Transit / Magic WAN / Magic Firewall — Cloudflare as your enterprise network plane |
| 08 | Workers | A Worker that runs at the edge, deployed via wrangler |
| 09 | Workers data stack | KV, D1, R2, Durable Objects, Queues, Hyperdrive, Vectorize |
| 10 | Workers AI and AI Gateway | LLM inference on the edge + routing/caching across providers |
| 11 | Pages | Static + dynamic hosting with Pages Functions |
| 12 | Security stack | WAF, DDoS, Bot Management, Page Shield, API Shield — what’s on by default, what to tune |
| 13 | Capstone | Tie several of the above into one working system |
Each module is self-contained but assumes the previous ones at a high level. Plan 45-90 minutes per substantial module.
How to use this track
- Sequential. Start at 01; walk through 13. Best for first-timers and people building a mental model of Cloudflare’s platform.
- Reference. Sidebar; jump to the module you need. Best if you already know Cloudflare and want a refresher on one piece.
- Network-track or compute-track. Modules 01-07 are the network/security side; modules 08-12 are the developer/compute side. Pick the half closest to your job.
Prerequisites and setup
- A Cloudflare account — free tier covers everything in this track except some Magic networking features and some Workers AI quotas. Sign up at
dash.cloudflare.com. - A domain you control — to use as the playground.
.devor.xyzare cheap; .com works too. wranglerCLI for the Workers modules:npm install -g wrangler.- A small VM or laptop for the Tunnel module — either local or any cloud, doesn’t matter.
What’s not here
- Deep Cloudflare-internal architecture papers (e.g., how Pingora works). Mentioned where relevant; not the focus.
- Migration-from-AWS guides. Cloudflare is positioned alongside the hyperscalers, not as a strict replacement.
- Cloudflare for Teams positioning vs Workforce. Those are SKU concerns; the technical features are what this track covers.
Ready? Module 01 is the network underneath everything. Let’s go.