# Reference Architecture

Guides and diagrams explain Cloudflare products and how to integrate with IT architectures

> Links below point directly to Markdown versions of each page. Any page can also be retrieved as Markdown by sending an `Accept: text/markdown` header to the page's URL without the `index.md` suffix (for example, `curl -H "Accept: text/markdown" https://developers.cloudflare.com/reference-architecture/`).
>
> For other Cloudflare products, see the [Cloudflare documentation directory](https://developers.cloudflare.com/llms.txt).
>
> Use [Reference Architecture llms-full.txt](https://developers.cloudflare.com/reference-architecture/llms-full.txt) for the complete Reference Architecture documentation in a single file, intended for offline indexing, bulk vectorization, or large-context models.

## Overview

- [Reference Architectures](https://developers.cloudflare.com/reference-architecture/index.md)

## How to use

- [How to use](https://developers.cloudflare.com/reference-architecture/how-to-use/index.md)

## Find by solution

- [Find by solution](https://developers.cloudflare.com/reference-architecture/by-solution/index.md)

## Implementation Guides

- [Implementation Guides](https://developers.cloudflare.com/reference-architecture/implementation-guides/index.md)
- [Use mTLS with Cloudflare protected resources](https://developers.cloudflare.com/reference-architecture/implementation-guides/application-security/mtls/index.md)
- [Zero Trust](https://developers.cloudflare.com/reference-architecture/implementation-guides/zero-trust/index.md)
- [Holistic AI Security with Cloudflare One](https://developers.cloudflare.com/reference-architecture/implementation-guides/zero-trust/holistic-ai-security/index.md)
- [Replace your VPN](https://developers.cloudflare.com/reference-architecture/implementation-guides/zero-trust/replace-vpn/index.md)
- [Secure your Internet traffic and SaaS apps](https://developers.cloudflare.com/reference-architecture/implementation-guides/zero-trust/secure-internet-traffic/index.md)
- [Secure your email with Email security](https://developers.cloudflare.com/reference-architecture/implementation-guides/zero-trust/secure-your-email/index.md)
- [Deploy clientless access](https://developers.cloudflare.com/reference-architecture/implementation-guides/zero-trust/ztna-web-access/index.md)

## architectures

- [AI Security for Apps Reference Architecture](https://developers.cloudflare.com/reference-architecture/architectures/ai-security-for-apps/index.md): This article highlights how Cloudflare's AI Security for Apps complements Cloudflare WAF by providing an AI protection layer for detecting and mitigating threats to AI-powered applications.
- [Content Delivery Network (CDN) Reference Architecture](https://developers.cloudflare.com/reference-architecture/architectures/cdn/index.md): This reference architecture discusses the traditional challenges customers face with web applications, how the Cloudflare CDN resolves these challenges, and CDN architecture and design.
- [CrowdStrike and Cloudflare - A unified security ecosystem for automated, risk-based protection](https://developers.cloudflare.com/reference-architecture/architectures/cloudflare-sase-with-crowdstrike/index.md): This reference architecture outlines how Cloudflare and CrowdStrike solutions integrate to create a unified security ecosystem that combines endpoint protection with zero trust network access, threat intelligence sharing, and automated remediation workflows. Organizations can leverage this integration to implement risk-based access policies, improve threat detection, and orchestrate security responses across both platforms.
- [Reference Architecture using Cloudflare SASE with Microsoft](https://developers.cloudflare.com/reference-architecture/architectures/cloudflare-sase-with-microsoft/index.md): This reference architecture explains how Microsoft and Cloudflare can be integrated together. By leveraging Cloudflare's secure network access, risky user isolation, and application and data visibility, organizations can consolidate management.
- [Enhancing security posture with SentinelOne and Cloudflare One](https://developers.cloudflare.com/reference-architecture/architectures/cloudflare-sase-with-sentinelone/index.md): The integration between Cloudflare One and SentinelOne provides organizations with a comprehensive security solution. The integration works through a service-to-service posture check that identifies devices based on their serial numbers.
- [Understanding Email Security Deployments](https://developers.cloudflare.com/reference-architecture/architectures/email-security-deployments/index.md): This reference architecture describes the key architecture of Cloudflare Email security.
- [Load Balancing Reference Architecture](https://developers.cloudflare.com/reference-architecture/architectures/load-balancing/index.md): This reference architecture is for organizations looking to deploy both global and local traffic management load balancing solutions. It is designed for IT, web hosting, and network professionals with some responsibility over or familiarity with their organization's existing infrastructure.
- [Magic Transit Reference Architecture](https://developers.cloudflare.com/reference-architecture/architectures/magic-transit/index.md): This reference architecture describes the key architecture, functionalities, and network deployment options of Cloudflare Magic Transit.
- [Multi-vendor Application Security and Performance Reference Architecture](https://developers.cloudflare.com/reference-architecture/architectures/multi-vendor/index.md): This reference architecture describes how a multi-vendor approach for application security and performance can be accomplished.
- [Evolving to a SASE architecture with Cloudflare](https://developers.cloudflare.com/reference-architecture/architectures/sase/index.md): This reference architecture explains how organizations can work towards a SASE architecture using Cloudflare.
- [Cloudflare Security Architecture](https://developers.cloudflare.com/reference-architecture/architectures/security/index.md): This document provides insight into how this network and platform are architected from a security perspective, how they are operated, and what services are available for businesses to address their own security challenges.

## design-guides

- [Designing ZTNA access policies for Cloudflare Access](https://developers.cloudflare.com/reference-architecture/design-guides/designing-ztna-access-policies/index.md): This guide is for customers looking to deploy Cloudflare's ZTNA service. It provides best practices and guidelines for how to effectively build the right policies.
- [Extend Cloudflare's benefits to SaaS providers' end-customers](https://developers.cloudflare.com/reference-architecture/design-guides/extending-cloudflares-benefits-to-saas-providers-end-customers/index.md): Learn how to use Cloudflare to extend performance, security, and data localization to your end users.
- [Leveraging Cloudflare for your SaaS applications](https://developers.cloudflare.com/reference-architecture/design-guides/leveraging-cloudflare-for-your-saas-applications/index.md): This document provides a reference and guidance for using Cloudflare for Platforms. It is designed for SaaS application owners, engineers, or architects who want to learn how to make their application more scalable and secure.
- [Network-focused migration from VPN concentrators to Zero Trust Network Access](https://developers.cloudflare.com/reference-architecture/design-guides/network-vpn-migration/index.md): The traditional approach of installing and maintaining hardware for remote access to private company networks is no longer secure or cost effective. IT teams are recognizing the cost and effort to install and maintain their own hardware can be offset with more modern, and more secure cloud hosted services.
- [Securely deliver applications with Cloudflare](https://developers.cloudflare.com/reference-architecture/design-guides/secure-application-delivery/index.md): Cloudflare provides a complete suite of services around application performance, security, reliability, development, and Zero Trust.
- [Securing guest wireless networks](https://developers.cloudflare.com/reference-architecture/design-guides/securing-guest-wireless-networks/index.md): This guide is designed for IT or security professionals who are looking at Cloudflare to help secure their guest wireless networks.
- [Streamlined WAF deployment across zones and applications](https://developers.cloudflare.com/reference-architecture/design-guides/streamlined-waf-deployment-across-zones-and-applications/index.md): Learn how to streamline WAF deployment across different zones and applications.
- [Using a zero trust framework to secure SaaS applications](https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-saas/index.md): Learn how to eliminate the trade-off between security and performance by using Cloudflare's global network.
- [Building zero trust architecture into your startup](https://developers.cloudflare.com/reference-architecture/design-guides/zero-trust-for-startups/index.md): Cloudflare Zero Trust is a simple, (sometimes free!) way for startups to develop a comprehensive Zero Trust strategy. This guide explains how to use Cloudflare to establish the foundation for a Zero Trust architecture.

## diagrams

- [Content-based asset creation](https://developers.cloudflare.com/reference-architecture/diagrams/ai/ai-asset-creation/index.md): AI systems combine text-generation and text-to-image models to create visual content from text. They generate prompts, moderate content, and produce images for various applications.
- [Composable AI architecture](https://developers.cloudflare.com/reference-architecture/diagrams/ai/ai-composable/index.md): The architecture diagram illustrates how AI applications can be built end-to-end on Cloudflare, or single services can be integrated with external infrastructure and services.
- [Multi-vendor AI observability and control](https://developers.cloudflare.com/reference-architecture/diagrams/ai/ai-multivendor-observability-control/index.md): By shifting features such as rate limiting, caching, and error handling to the proxy layer, organizations can apply unified configurations across services and inference service providers.
- [Retrieval Augmented Generation (RAG)](https://developers.cloudflare.com/reference-architecture/diagrams/ai/ai-rag/index.md): RAG combines retrieval with generative models for better text. It uses external knowledge to create factual, relevant responses, improving coherence and accuracy in NLP tasks like chatbots.
- [AI Vibe Coding Platform](https://developers.cloudflare.com/reference-architecture/diagrams/ai/ai-vibe-coding-platform/index.md): Cloudflare's low-latency, fully serverless compute platform, Workers offers powerful capabilities to enable A/B testing using a server-side implementation.
- [Automatic captioning for video uploads](https://developers.cloudflare.com/reference-architecture/diagrams/ai/ai-video-caption/index.md): By integrating automatic speech recognition technology into video platforms, content creators, publishers, and distributors can reach a broader audience, including individuals with hearing impairments or those who prefer to consume content in different languages.
- [Ingesting BigQuery Data into Workers AI](https://developers.cloudflare.com/reference-architecture/diagrams/ai/bigquery-workers-ai/index.md): You can connect a Cloudflare Worker to get data from Google BigQuery and pass it to Workers AI, to run AI Models, powered by serverless GPUs.
- [Bot management](https://developers.cloudflare.com/reference-architecture/diagrams/bots/bot-management/index.md): Cloudflare has bot management capabilities to help identify and mitigate automated traffic to protect domains from bad bots.
- [Designing a distributed web performance architecture](https://developers.cloudflare.com/reference-architecture/diagrams/content-delivery/distributed-web-performance-architecture/index.md): A prescriptive pattern for building a Cloudflare-based L7 performance architecture that reduces latency, raises cache efficiency, and improves Core Web Vitals.
- [Optimizing image delivery with Cloudflare image resizing and R2](https://developers.cloudflare.com/reference-architecture/diagrams/content-delivery/optimizing-image-delivery-with-cloudflare-image-resizing-and-r2/index.md): Learn how to get a scalable, high-performance solution to optimizing image delivery.
- [Optimizing and securing connected transportation systems](https://developers.cloudflare.com/reference-architecture/diagrams/iot/optimizing-and-securing-connected-transportation-systems/index.md): This diagram showcases Cloudflare components optimizing connected transportation systems. It illustrates how their technologies minimize latency, ensure reliability, and strengthen security for critical data flow.
- [Bring your own IP space to Cloudflare](https://developers.cloudflare.com/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare/index.md): Cloudflare allows enterprises to bring their IP space to the Cloudflare network. This allows them to gain the security and performance of the platform while still appearing to the rest of the world via their own public IP space.
- [Optimizing device roaming experience with geolocated IPs](https://developers.cloudflare.com/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips/index.md): Cloudflare can use private mobile networks (APNs) to connect devices roaming across multiple countries through regional Internet breakouts.
- [Protect data center networks](https://developers.cloudflare.com/reference-architecture/diagrams/network/protect-data-center-networks/index.md): This document focuses on the reference architecture of using Cloudflare WAN, Cloudflare Network Firewall, and Cloudflare Gateway services.
- [Protect hybrid cloud networks with Cloudflare Magic Transit](https://developers.cloudflare.com/reference-architecture/diagrams/network/protect-hybrid-cloud-networks-with-cloudflare-magic-transit/index.md): Cloudflare Magic Transit provides cloud-native, in-line DDoS protection, and traffic acceleration for all Internet-facing networks.
- [Protect public networks with Cloudflare](https://developers.cloudflare.com/reference-architecture/diagrams/network/protect-public-networks-with-cloudflare/index.md): This document explains how Cloudflare Magic Transit, Cloudflare Network Firewall, and Gateway work. The products offer in-line, automatic, scalable network protection for all Internet-facing networks. The architecture is designed to protect public networks across multiple clouds and on-premises.
- [Protect ISP and telecommunications networks from DDoS attacks](https://developers.cloudflare.com/reference-architecture/diagrams/network/protecting-sp-networks-from-ddos/index.md): Learn how Internet service providers (ISPs) and telecommunications companies (such as T-Mobile or British Telecom) can protect themselves from DDoS attacks.
- [Extend ZTNA with external authorization and serverless computing](https://developers.cloudflare.com/reference-architecture/diagrams/sase/augment-access-with-serverless/index.md): Cloudflare's ZTNA enhances access policies using external API calls and Workers for robust security. It verifies user authentication and authorization, ensuring only legitimate access to protected resources.
- [Cloudflare One Appliance deployment options](https://developers.cloudflare.com/reference-architecture/diagrams/sase/cloudflare-one-appliance-deployment/index.md): Learn how to deploy Cloudflare One Appliance and evaluate your various deployment options.
- [Deploy self-hosted VoIP services for hybrid users](https://developers.cloudflare.com/reference-architecture/diagrams/sase/deploying-self-hosted-voip-services-for-hybrid-users/index.md): Learn how Cloudflare improves over traditional VPN solutions by leveraging its global network.
- [DNS filtering solution for Internet service providers](https://developers.cloudflare.com/reference-architecture/diagrams/sase/gateway-dns-for-isp/index.md): Learn how to use Cloudflare Gateway as a DNS filtering solution for Internet service providers.
- [Protective DNS for governments](https://developers.cloudflare.com/reference-architecture/diagrams/sase/gateway-for-protective-dns/index.md): Learn how to use Cloudflare Gateway as a Protective DNS service for governments.
- [Access to private apps without having to deploy client agents](https://developers.cloudflare.com/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/index.md): Learn how to provide access to private apps without having to deploy client agents.
- [Secure access to SaaS applications with SASE](https://developers.cloudflare.com/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase/index.md): Cloudflare's SASE platform offers the ability to bring a more Zero Trust orientated approach to securing SaaS applications. Centralized policies, based on device posture, identity attributes and granular network location can be applied across one or many SaaS applications.
- [Zero Trust and Virtual Desktop Infrastructure](https://developers.cloudflare.com/reference-architecture/diagrams/sase/zero-trust-and-virtual-desktop-infrastructure/index.md): This document provides a reference and guidance for using Cloudflare's Zero Trust services. It offers a vast improvement over remote access to web applications with greater security.
- [FIPS 140 level 3 compliance with Cloudflare Application Services](https://developers.cloudflare.com/reference-architecture/diagrams/security/fips-140-3/index.md): This document outlines a reference architecture for achieving Federal Information Processing Standard (FIPS) 140 Level 3 compliance using Cloudflare's Application Services.
- [Securing data at rest](https://developers.cloudflare.com/reference-architecture/diagrams/security/securing-data-at-rest/index.md): Learn how Cloudflare's API-driven Cloud Access Security Broker (CASB) works and secures data at rest.
- [Securing data in transit](https://developers.cloudflare.com/reference-architecture/diagrams/security/securing-data-in-transit/index.md): Data in transit is often considered vulnerable to interception or tampering during transmission. Data Loss Prevention (DLP) technologies can be used to inspect the contents of network traffic and block sensitive data from going to a risky destination.
- [Securing data in use](https://developers.cloudflare.com/reference-architecture/diagrams/security/securing-data-in-use/index.md): Learn how Cloudflare's Remote Browser Isolation (RBI) works and secures data in use.
- [A/B-testing using Workers](https://developers.cloudflare.com/reference-architecture/diagrams/serverless/a-b-testing-using-workers/index.md): Cloudflare's low-latency, fully serverless compute platform, Workers offers powerful capabilities to enable A/B testing using a server-side implementation.
- [Fullstack applications](https://developers.cloudflare.com/reference-architecture/diagrams/serverless/fullstack-application/index.md): A practical example of how these services come together in a real fullstack application architecture.
- [Programmable Platforms](https://developers.cloudflare.com/reference-architecture/diagrams/serverless/programmable-platforms/index.md): Workers for Platforms provide secure, scalable, cost-effective infrastructure for programmable platforms with global reach.
- [Serverless ETL pipelines](https://developers.cloudflare.com/reference-architecture/diagrams/serverless/serverless-etl/index.md): Cloudflare enables fully serverless ETL pipelines, significantly reducing complexity, accelerating time to production, and lowering overall costs.
- [Serverless global APIs](https://developers.cloudflare.com/reference-architecture/diagrams/serverless/serverless-global-apis/index.md): An example architecture of a serverless API on Cloudflare that aims to illustrate how different compute and data products could interact with each other.
- [Serverless image content management](https://developers.cloudflare.com/reference-architecture/diagrams/serverless/serverless-image-content-management/index.md): Leverage various components of Cloudflare's ecosystem to construct a scalable image management solution.
- [Control and data plane architectural pattern for Durable Objects](https://developers.cloudflare.com/reference-architecture/diagrams/storage/durable-object-control-data-plane-pattern/index.md): Separate the control plane from the data plane of your application to achieve great performance and reliability without compromising on functionality.
- [Egress-free object storage in multi-cloud setups](https://developers.cloudflare.com/reference-architecture/diagrams/storage/egress-free-storage-multi-cloud/index.md): Learn how to use R2 to get egress-free object storage in multi-cloud setups.
- [Event notifications for storage](https://developers.cloudflare.com/reference-architecture/diagrams/storage/event-notifications-for-storage/index.md): Use Cloudflare Workers or an external service to monitor for notifications about data changes and then handle them appropriately.
- [On-demand Object Storage Data Migration](https://developers.cloudflare.com/reference-architecture/diagrams/storage/on-demand-object-storage-migration/index.md): Use Cloudflare migration tools to migrate data between cloud object storage providers.
- [Storing user generated content](https://developers.cloudflare.com/reference-architecture/diagrams/storage/storing-user-generated-content/index.md): Store user-generated content in R2 for fast, secure, and cost-effective architecture.