Overview
AWS and Cloudflare are not direct competitors; they occupy different layers of the stack. Cloudflare is the right choice for DNS, CDN, edge compute (Workers), DDoS protection, and object storage (R2) where egress pricing matters. AWS is the right choice when you need managed databases, ML infrastructure, complex IAM, compliance certifications (FedRAMP, HIPAA BAA, SOC 2 Type II on dozens of services), or a broad catalog of services that interact at the network layer without egress fees between them. Most production setups use both: Cloudflare in front for DNS, TLS termination, WAF, and CDN; AWS behind for databases, queues, and application servers. See cloudflare for the Cloudflare-specific rule set and aurora-vs-rds-postgres for database choices within AWS.
When Cloudflare wins
Cloudflare is the right choice at the edge and networking layer.
- DNS management: Cloudflare's authoritative DNS consistently ranks among the fastest in public benchmarks and is included at no extra cost on every plan. Route 53 charges per hosted zone per month plus per-query fees.
- CDN and cache: default caching covers most static workloads with no configuration; Cache Rules, Tiered Cache, and Cache Reserve (a paid add-on billed on stored bytes and operations) extend it. Cloudflare does not meter cached egress on any plan; AWS CloudFront charges per GB out.
- DDoS and WAF: Cloudflare's reverse proxy (layer 7) and Magic Transit (layers 3/4) absorb volumetric attacks at the network edge before they reach the origin. AWS Shield Advanced is comparable but costs about $3,000/month base with a one-year commitment. Either way the protection only holds if the origin refuses traffic that did not come through the edge: restrict origin ingress to Cloudflare's published IP ranges, or use Authenticated Origin Pulls or Cloudflare Tunnel so the origin is not directly reachable at all.
- Workers: edge compute runs JavaScript/TypeScript/Wasm in 300+ PoPs with cold starts of a few milliseconds or less. AWS Lambda@Edge runs only in a much smaller set of regional edge locations, bills per request and per millisecond of duration, and cold-starts like a regular Lambda function.
- R2: S3-compatible object storage with zero egress fees (storage and Class A/B operations are billed). S3 charges about $0.09/GB for internet egress beyond the free tier. At high egress volume, R2 cuts total cost substantially.
- KV and Durable Objects: KV is an eventually consistent key-value store replicated globally; Durable Objects are strongly consistent, single-instance stateful actors colocated with the edge. AWS has no equivalent that runs at its edge locations.
- Price transparency: Cloudflare pricing is flat and predictable. AWS pricing has hundreds of line items with regional variations.
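The DDoS and WAF point above only holds when the origin itself rejects traffic that bypassed the edge. The following is an added example, not code from the page or from either vendor: it takes security-group ingress rules in the shape returned by `aws ec2 describe-security-groups` and reports every web-port rule whose source range is not fully inside Cloudflare's published prefixes. The Cloudflare prefix list and the sample rules are constructed for offline use; the live lists are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
"""Origin-exposure check for the "Cloudflare in front, AWS behind" pattern.

Added example, not code from the page or from either vendor. It asks: does
the origin's security group admit web traffic from anything other than
Cloudflare's published ranges? If so, the WAF and DDoS layer can be bypassed
by connecting to the origin directly.
"""
import ipaddress
from typing import Iterable

# Constructed snapshot of Cloudflare's published IPv4 prefixes, embedded so the
# example runs offline. In production fetch the live lists from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

WEB_PORTS = (80, 443)


def cidr_within_any(cidr: str, allowed: Iterable[str]) -> bool:
    """True if every address in `cidr` lies inside a single allowed prefix.

    Deliberately conservative: a source range covered only by the union of
    several published prefixes is still reported, because it is almost always
    a hand-widened rule rather than an intentional allow-list.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for prefix in allowed:
        allowed_net = ipaddress.ip_network(prefix, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def exposed_ingress(ip_permissions, allowed=CLOUDFLARE_IPV4):
    """Return (cidr, from_port, to_port) for every web-port ingress rule whose
    source is not fully inside the allowed prefixes.

    `ip_permissions` follows the shape of `IpPermissions` in the output of
    `aws ec2 describe-security-groups`: IpProtocol, FromPort, ToPort, IpRanges.
    """
    findings = []
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue  # UDP/ICMP cannot reach an HTTP origin
        # Protocol "-1" (all traffic) carries no port fields: treat as 0-65535.
        lo = rule.get("FromPort", 0) if proto == "tcp" else 0
        hi = rule.get("ToPort", 65535) if proto == "tcp" else 65535
        if not any(lo <= p <= hi for p in WEB_PORTS):
            continue
        for source in rule.get("IpRanges", []):
            cidr = source["CidrIp"]
            if not cidr_within_any(cidr, allowed):
                findings.append((cidr, lo, hi))
    return findings


# Constructed sample security group, shaped like describe-security-groups output.
SAMPLE_RULES = [
    # Fine: HTTPS from one Cloudflare prefix.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "104.16.0.0/13"}]},
    # Exposed: HTTPS from anywhere, so the edge is optional for an attacker.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    # Exposed: a /12 widened past the /13 Cloudflare actually publishes.
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "104.16.0.0/12"}]},
    # Ignored: SSH from a bastion is not a web port.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.5/32"}]},
]

if __name__ == "__main__":
    for cidr, lo, hi in exposed_ingress(SAMPLE_RULES):
        print(f"exposed: {cidr} on tcp {lo}-{hi} bypasses Cloudflare")
```

An IP allow-list is the minimum control and must be refreshed whenever Cloudflare's published list changes. Authenticated Origin Pulls (mutual TLS between the edge and the origin) or Cloudflare Tunnel (no inbound listener at all) remove the dependency on source addresses.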
When AWS wins
AWS is the right choice when breadth, compliance, or stateful managed services are the requirement.
- Managed databases: RDS, Aurora, DynamoDB, ElastiCache, and Redshift are production-grade managed services with multi-AZ failover, automated backups, and encryption at rest. Cloudflare has no equivalent multi-AZ relational, in-memory, or warehouse service.
- Compliance: AWS holds FedRAMP High, HIPAA BAA, ITAR, DoD IL4/IL5, and SOC 2 Type II for dozens of services. Cloudflare has FedRAMP Moderate for a subset of services; the catalog is narrower.
- IAM: AWS Identity and Access Management is the most granular policy system among the major clouds. Identity policies, cross-service resource policies, service control policies, permission boundaries, and session policies are evaluated together, and an explicit deny always wins. Cloudflare offers scoped API tokens and account roles, with no cross-service resource policies.
- Networking: VPC, PrivateLink, Transit Gateway, and Direct Connect let you build isolated private networks with on-premises connectivity. Cloudflare Tunnel is an outbound-only connector through Cloudflare's proxy, not a routable private network.
- ML and data: SageMaker, Bedrock, Glue, Athena, and EMR have no Cloudflare counterpart.
- Container orchestration: ECS and EKS are mature; Cloudflare has no container runtime.
- Service breadth: 200+ AWS services cover storage, IoT, media, robotics, and satellite. Cloudflare’s catalog is deep in networking and shallow elsewhere.
Trade-offs at a glance
| Dimension | Cloudflare | AWS |
|---|---|---|
| DNS | Fast, free | Route 53; per-zone fee |
| CDN egress | Not metered on any plan | $0.09/GB (CloudFront) |
| Edge compute | Workers; 300+ PoPs, cheap | Lambda@Edge; fewer PoPs, higher cost |
| Object storage egress | R2; $0/GB egress | S3; $0.09/GB egress |
| Managed databases | Not available | RDS, Aurora, DynamoDB, ElastiCache |
| Compliance certs | Narrower (FedRAMP Moderate for a subset) | Extensive (FedRAMP High, HIPAA, ITAR) |
| IAM granularity | API tokens; no cross-service policies | Full IAM with SCPs, resource policies |
| Private networking | Tunnel (proxy) | VPC, PrivateLink, Direct Connect |
| Cold start latency | A few milliseconds or less (Workers) | Hundreds of ms to seconds (Lambda) |
| Pricing model | Flat and predictable | Complex; per-service line items |
| Service catalog | Narrow; edge-focused | 200+ services |
Migration cost
Moving workloads between AWS and Cloudflare depends on the layer: edge and CDN migrations are cheap, database and compute migrations are not.
- DNS from Route 53 to Cloudflare: export the zone (via the Route 53 API or a tool such as cli53; the console has no zone-file export), import it into Cloudflare DNS, verify that both providers answer identically, then update the NS records at the registrar. If the zone is DNSSEC-signed, remove the DS record at the registrar (or replace it with Cloudflare's) before the NS change, or validating resolvers will fail. Low risk; plan one day per domain and keep Route 53 serving until the 48-hour NS TTL at the TLD has drained.
- S3 to R2: use the R2 migration tool or `rclone` for bulk object transfer. Update application clients to the R2 S3-compatible endpoint with R2-issued access keys; S3 bucket policies and IAM conditions do not carry over, so re-model access on Cloudflare API tokens and Workers. Plan one day plus propagation testing.
- Lambda to Workers: rewrite the handler to the Workers `fetch` API. Workers does not run Node.js APIs natively (the `nodejs_compat` flag covers a subset); dependencies with native modules must be replaced. Plan one to two engineer-days per function for simple cases.
- AWS compute to Cloudflare: not practical for applications that need managed databases, queues, or VPC isolation. Cloudflare is a complement, not a replacement.
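The DNS step above is the one with a hard failure mode at cutover (a record that did not make it across, or a stale DS at the registrar). The following is an added pre-cutover check, not part of the page or of either provider's tooling: it diffs two zone exports and flags what would break when the registrar's NS records change. The zone contents, nameserver names, and the `ds_at_registrar` flag are constructed for illustration; in practice the inputs are the Route 53 export and a re-export of the Cloudflare zone after import.

```python
"""Pre-cutover check for moving a zone from Route 53 to Cloudflare DNS.

Added example, not tooling from the page or from either provider. It diffs
two zone exports (constructed inline here) and flags what would break at
the moment the registrar's NS records change.
"""
import shlex
from collections import defaultdict

# SOA and apex NS differ between providers by design and are not compared.
PROVIDER_TYPES = {"SOA", "NS"}

# Constructed exports in BIND presentation format: name ttl class type rdata.
OLD_ZONE = """
example.com.        300    IN SOA   ns-1.old-provider.example. hostmaster.example.com. 1 7200 900 1209600 86400
example.com.        172800 IN NS    ns-1.old-provider.example.
example.com.        300    IN A     203.0.113.10
www.example.com.    300    IN CNAME example.com.
example.com.        300    IN MX    10 mail.example.com.
example.com.        300    IN TXT   "v=spf1 include:_spf.example.net -all"
_dmarc.example.com. 300    IN TXT   "v=DMARC1; p=reject"
api.example.com.    60     IN A     203.0.113.20
"""

NEW_ZONE = """
example.com.        300    IN SOA   ns1.new-provider.example. dns.new-provider.example. 1 10000 2400 604800 1800
example.com.        86400  IN NS    ns1.new-provider.example.
example.com.        300    IN A     203.0.113.10
www.example.com.    3600   IN CNAME example.com.
example.com.        300    IN MX    10 mail.example.com.
example.com.        300    IN TXT   "v=spf1 include:_spf.example.net -all"
api.example.com.    60     IN A     203.0.113.21
"""


def parse_zone(text):
    """Parse one-line, fully-qualified records into {(name, type, rdata): ttl}.

    shlex keeps quoted TXT strings (including ';' inside them) as one token.
    $ORIGIN/$TTL directives and multi-line records are out of scope; the flat
    form used here is what a record-set export produces.
    """
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = shlex.split(line)
        if len(fields) < 5:
            raise ValueError(f"malformed record: {line!r}")
        name, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3].upper()
        rdata = " ".join(fields[4:])
        if rtype != "TXT":  # hostnames are case-insensitive, TXT content is not
            rdata = rdata.lower()
        records[(name, rtype, rdata)] = ttl
    return records


def rrsets(records):
    """Group parsed records by (name, type) -> {rdata: ttl}, dropping provider types."""
    out = defaultdict(dict)
    for (name, rtype, rdata), ttl in records.items():
        if rtype not in PROVIDER_TYPES:
            out[(name, rtype)][rdata] = ttl
    return out


def compare_zones(old_text, new_text, ds_at_registrar=False):
    """Return findings in five buckets: missing, changed, extra, ttl_changed, dnssec."""
    old_raw, new_raw = parse_zone(old_text), parse_zone(new_text)
    old, new = rrsets(old_raw), rrsets(new_raw)
    findings = {"missing": [], "changed": [], "extra": [], "ttl_changed": [], "dnssec": []}
    for key in sorted(set(old) | set(new)):
        if key not in new:
            findings["missing"].append(key)
        elif key not in old:
            findings["extra"].append(key)
        elif set(old[key]) != set(new[key]):
            findings["changed"].append(key)
        elif any(old[key][r] != new[key][r] for r in old[key]):
            findings["ttl_changed"].append(key)
    # A DS at the registrar points validators at the OLD provider's keys; once NS
    # moves, every validating resolver fails the chain of trust until it is fixed.
    signed = ds_at_registrar or any(r[1] in ("DNSKEY", "DS") for r in old_raw)
    if signed:
        findings["dnssec"].append(
            "DNSSEC is enabled: remove the DS at the registrar (or replace it with "
            "the new provider's DS) before changing NS, or resolution will SERVFAIL"
        )
    return findings


def ready_to_cut_over(findings):
    """Missing/changed records and an unresolved DS block the cutover; TTL drift and extras do not."""
    return not (findings["missing"] or findings["changed"] or findings["dnssec"])


if __name__ == "__main__":
    result = compare_zones(OLD_ZONE, NEW_ZONE, ds_at_registrar=True)
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    print("ready:", ready_to_cut_over(result))
```

On the constructed input the check reports the dropped DMARC record, the changed `api` address, the TTL drift on `www`, and the DS that must be handled first; the cutover is therefore not ready. Run the same comparison once more after the NS change, this time against live answers from both providers, before letting the old zone lapse.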
Recommendation
- DNS, CDN, and DDoS for any production site: Cloudflare, regardless of where the origin lives.
- API backend, database, or queue: AWS (or another cloud with managed services). Cloudflare has no managed relational database comparable to RDS or Aurora.
- High-egress static site or media delivery: Cloudflare R2 plus Workers. The egress cost difference at scale is significant.
- Regulated government or healthcare workload: AWS. FedRAMP High and HIPAA BAA coverage is broader.
- Edge personalization, geolocation routing, or A/B testing at the CDN layer: Cloudflare Workers.
- Full stack for a new SaaS: Cloudflare Workers + R2 + KV for the edge layer; AWS RDS or Aurora for the database. See aurora-vs-rds-postgres.