Leveraging Cloudflare for your SaaS applications
When building a SaaS application, it is common to create unique hostnames for each customer account (or tenant), for example app.customer.com. It is important to ensure that all communication to this application hostname is done using SSL/TLS and therefore a certificate must be created for your customer's hostname on your application. Certificate management is hard, and often application architects and developers would use a multi-domain certificate ↗ (MDC), so they can buy and add just one certificate that has hundreds of domains listed. However, this does not scale well when your application reaches thousands and millions of customers.
Also, a customer of your application might wish to have their main website domain hosted directly on your application. So that, for example, www.customer.com is actually delivering content directly from your SaaS application.
Many SaaS applications have caching and security solutions, such as Cloudflare, in front of their applications and as such need to onboard these hostnames. This is often done using a "Zone" model, where inside Cloudflare, or another vendor such as AWS Cloudfront, a "Zone" is created for app.customer.com. This means that, as each new customer is onboarded, a new "Zone" must be created - this might be manageable in the tens and hundreds of customers but, when you get to thousands and millions, management of all these zones and their configurations is hard.
Cloudflare for Platforms extends far beyond this traditional model of most edge providers, by managing traffic across many hostnames and domains in one "Zone". You can now manage www.customer1.com and www.customer2.net, and millions more hostnames, through the same configuration while also customizing features as needed.
This document provides a reference and guidance for using Cloudflare for Platforms. The document is split into three main sections.
- Overview of the SaaS model and the common challenges Cloudflare for Platforms solves
- SSL certificate issuance in a SaaS model
- Customizing the experience for each of your clients
This reference architecture is designed for SaaS application owners, engineers, or architects who want to learn how to make their application more scalable and secure through Cloudflare.
To build a stronger baseline understanding of Cloudflare, we recommend the following resources:
- What is Cloudflare? | Website ↗ (5 minute read) or video ↗ (2 minutes)
- Cloudflare Ruleset Engine - We will discuss integrations with the ruleset engine. Familiarity with that feature will be helpful.
- Cloudflare Workers - We will also discuss integrations with Cloudflare Workers, our serverless application platform. A basic familiarity with this platform will be helpful.
Those who read this reference architecture will learn:
- How Cloudflare's unique offering can solve key challenges for SaaS applications
- How to customize the Cloudflare experience for each of your end customers
- Tools to integrate serverless applications, for each of your clients, through Workers for Platforms
Software as a Service (SaaS) has been a key innovation of the cloud computing era. On premises managed legacy enterprise software - such as accounting, HR, and CRMs - required dedicated attention from IT personnel to establish a platform (whether dedicated hardware, VMs, or cloud instances) for each application in the enterprise. The SaaS model allows providers, like Shopify and Salesforce, to extend their own platform to their customers instead. Now, the customer does not have to provision hardware or consider any other infrastructure concerns; instead, they subscribe to access to the SaaS platform which is always up to date, secure and available.
For many SaaS applications, it is important to provide a service under the client's own domain. Their domain is important for branding, security, and organization; and many clients have heavily invested in the right .com to represent their business. Many clients with domains linked to their brand will push back against deploying their applications on the provider's domain.
This is especially true for customer-facing applications like an e-commerce solution. You would want to expose this as shop.example.com, not example.shop.com. To secure traffic to the SaaS application, the provider ("shop") needs a certificate for their customer, example.com.
This is a challenge for SaaS solutions, as certificate issuance is tightly controlled through the DCV Validation process. The owner of a domain needs to authorize any certificates, and traditional methods of validation are driven by the domain owner and deliver the certificate only to them.
This poses a dilemma: the SaaS model offers clear advantages but introduces a new challenge of its own. A novel solution would let providers and end customers both get the most out of the SaaS model.
Cloudflare for SaaS provides a unique solution to these common challenges for SaaS providers. By leveraging Cloudflare's position as a low-latency, global network, we can transparently manage certificate issuance for end clients while also providing several other benefits to a SaaS platform.
Cloudflare has a unique ability to manage the Domain Control Validation (DCV) process in a SaaS scenario. In a traditional model, certificate issuers ask domain owners to place a particular token (either a DNS TXT record or a small text file) at their origin in order to validate that they are authorized for that domain. This has to be done repeatedly at certificate renewal, which has become more common with recent security improvements.
Since Cloudflare's network can easily sit in between the client and the SaaS provider, we can automatically respond with the correct DCV token on behalf of any domain that points traffic to the SaaS provider on Cloudflare.
Instead of repeatedly performing a complex process at every certificate renewal, the client performs a much simpler process only once.
Cloudflare for Platforms gives you much more than just SSL certificate management. We give you built-in features to control security and performance capabilities, at scale, for each of your clients. Cloudflare's security features, such as DDoS, WAF, Bot Management, and Rate Limiting are seamlessly extended to clients on your platform. Security posture can be customized within Managed Rules for individual customers, to exempt good traffic or tighten security. On the performance side, Cache, Argo Smart Routing, and HTTP/2 features like Early Hints provide scalable and customizable behavior for all of your customers. Customizable cache rules lets you drive high hit rates across all of your customers.
If you need even more flexibility than our rules provide, to give individual behavior to thousands or millions of customers, Custom Metadata allows complete per-client flexibility. By setting tags like WAF: On or Performance: Premium for each customer, you can customize their security and performance feature set. We have built features like WAF for SaaS which interface with this metadata directly; as well as an API within our Workers serverless environment to use them within custom code.
If you need more customization than even metadata can provide, or are running a service where your customers write or generate their own application code, Workers for Platforms lets you deploy a complete serverless application for each of your customers.
We provide several key features such as the Dispatch Worker, which gives you infinite flexibility in deciding which customer application to route to. For example, you can run security checks, then decode an HTTP header telling you the user's ID, and then load the appropriate serverless application for this user's request. Outbound Workers give you additional visibility and control into what Internet resources your customer's applications can access, providing a familiar security model in a distributed deployment.
We also provide features for observability, configuration, and many other tools needed for a production-grade platform deployment. These are detailed in other reference architectures and function the same way for platform cases as for the more standard models described in those guides.
Let's review three common use cases where Cloudflare for Platforms can enable providers to seamlessly extend SSL, performance, and security to their end customers.
In this common design, Cloudflare enables your platform to issue SSL certificates and provide performance and security features. We will not customize the features for each of your clients, but will provide common capabilities for everyone who uses the platform.
- Cloudflare secures traffic from your clients to your platform, at global scale, by validating and distributing SSL certificates.
- In this design, you will use the same L7 configuration - that is, all of the features that act on your traffic, and run after SSL, for each of your clients.
- Just set up a Cloudflare for SaaS zone and order a custom hostname for each client hostname. The system will take you through an easy flow to point each client's traffic to your platform, and order their certificate.
- You can almost always use our default settings through this process, but bespoke SSL customization is also possible.
- Origin traffic routing is also handled through the SSL for SaaS process. Our default configuration is secure for most needs.
- For highly secure use cases, you can use Authenticated Origin Pulls, dedicated egress IPs via Aegis, or an advanced design with Tunnels.
Here, we are not just provisioning a certificate for each client - we are giving each of them a custom configuration. For example, your Basic tier only gets essential WAF, Advanced tier gets Bot management. You can also run common features across all customers.
- In addition to securing SSL traffic, use an additional field provided when you add each customer (Custom Metadata) to tag the correct feature set.
- Cloudflare features read the Metadata to customize for each client. WAF features are the key security customization. Provide different levels of security, or even customized WAF rulesets.
- On the performance side, you can also add Argo Smart Routing, Cache, and Early Hints to level up the performance for chosen customers.
In the most advanced design, we are customizing a full serverless application in our Workers runtime for each of your customers. Simple Workers perform similar tasks to feature customization. Advanced Workers can run your entire platform on the Cloudflare network.
- Instead of deploying customized Cloudflare capabilities, each customer has their own "User Worker" JavaScript serverless application containing custom code.
- You retain control through Dispatch Workers, which determine which code to run, and Outbound Workers, which restrict the access of customer code.
- Use advanced Developer Platform capabilities like D1, Workers KV, and Queues to build your entire business on Cloudflare.
With Cloudflare for SaaS, you will be able to easily solve the common challenges that come with a growing platform business. From SSL certificate issuance, through Security, and on to custom serverless applications, Cloudflare for SaaS lets you scale our entire platform to your customers - at the scale of millions.
You can find further details on all of the features we have discussed here in the following links: