From legacy edge to Cloudflare, safely.
Tap a node on either side to focus the flow.
Migration flow
From Akamai, through Discovery → Mapping → Cutover → Operate, into the Cloudflare destinations on the right. Tap any node to focus the flow.
On this page
Nanosek provides Cloudflare CDN migration services for organizations moving from legacy CDN, WAF, and edge platforms to Cloudflare. The service includes discovery, current-state inventory, cache behavior mapping, DNS and certificate planning, origin validation, redirect and rewrite migration, edge logic assessment, WAF and bot alignment, logging setup, cutover runbooks, rollback planning, and managed Cloudflare optimization after launch.
Who this is for
What we migrate to Cloudflare
DNS zones and hostname onboarding
Plan full-zone or partial CNAME onboarding, hostname coverage, TTL changes, ownership, and rollback paths before traffic movement.
CDN cache behavior
Translate legacy cache behavior into Cloudflare Cache Rules, cache eligibility, cache status expectations, and path-specific behavior.
Edge TTL and browser TTL rules
Preserve the intended balance between origin freshness, browser behavior, and edge cache efficiency.
Custom cache keys
Map query string, header, cookie, device, locale, and application-specific cache-key behavior where needed.
Cache bypass logic
Protect login, checkout, APIs, account areas, previews, and dynamic paths from accidental caching.
Origin routing
Validate Host headers, SNI, ports, origin pools, path routing, and origin allowlisting before cutover.
Origin failover
Design health checks, load balancing, steering, and failover behavior for critical origins.
Redirects and rewrites
Move redirect and rewrite behavior into Redirect Rules, Bulk Redirects, Transform Rules, or Workers depending on complexity.
Header manipulation
Recreate request and response header behavior with Transform Rules or Workers, then validate application impact.
URL normalization
Align trailing slashes, casing, query handling, canonical paths, and SEO-sensitive URL behavior.
Edge logic and serverless functions
Assess legacy edge code and rebuild only logic that cannot be expressed with native Cloudflare rules.
TLS certificates
Plan Universal SSL, Advanced Certificate Manager, custom certificates, wildcard coverage, validation, and renewals.
WAF policies
Map WAF managed rules, custom rules, exceptions, and enforcement mode into Cloudflare with staged tuning.
Bot controls
Align Bot Management, Super Bot Fight Mode, verified bots, WAF rules, and path-specific challenge policies.
Rate limiting
Design safe limits for login, APIs, search, forms, scraping, and other high-volume abuse patterns.
API protection
Separate API security from public web paths using API Shield, schema validation, mTLS, WAF rules, and rate limits.
Logs, dashboards, and SIEM workflows
Preserve visibility with Logpush, Security Events, GraphQL Analytics, dashboards, and alert ownership.
Operational runbooks
Create cutover, rollback, escalation, validation, and post-launch tuning workflows that operations teams can follow.
Why CDN migrations fail
CDN migrations fail when teams treat them as a simple DNS switch. In reality, the current CDN often contains years of hidden application behavior: cache overrides, redirects, header logic, origin routing, security exceptions, API rules, WAF tuning, bot allowlists, and monitoring dependencies.
Our Cloudflare CDN migration methodology
Discovery and current-state inventory
- Review current CDN configuration, domains, DNS records, certificates, cache behavior, origins, redirects, header rules, edge functions, WAF controls, bot controls, logs, and monitoring dependencies.
- Identify critical paths such as login, checkout, APIs, uploads, search, static assets, and business-critical pages.
Cloudflare target architecture
- Define the Cloudflare zone model, DNS model, certificate strategy, origin model, cache strategy, WAF and bot approach, logging model, and rollback strategy.
- Decide which behavior should be implemented with declarative Cloudflare rules and which behavior requires Workers.
Rule and behavior translation
- Map existing CDN behavior into Cloudflare Cache Rules, Origin Rules, Transform Rules, Redirect Rules, Configuration Rules, Load Balancing, WAF Custom Rules, Bot Management, Rate Limiting, API Shield, and Workers where required.
Build and validation
- Configure Cloudflare in staging, test hostnames, partial onboarding, or non-production zones where possible.
- Validate cache HIT/MISS behavior, response headers, redirects, origin routing, TLS, WAF events, bot behavior, API behavior, and application flows.
Cutover planning
- Prepare DNS TTL changes, certificate validation, owner approvals, monitoring windows, escalation contacts, rollback steps, and success criteria.
Production cutover
- Move traffic using a phased approach where possible.
- Monitor error rates, cache hit ratio, origin load, latency, WAF events, bot events, API errors, and critical user journeys.
Post-launch optimization
- Tune caching, security controls, rate limits, bot policies, dashboards, alerts, Terraform or API automation, and managed operations workflows.
Architecture
Cloudflare controls we use
Cloudflare DNS
Used for authoritative DNS, hostname onboarding, TTL planning, and controlled traffic movement.
Universal SSL
Used for baseline TLS coverage across proxied hostnames once Cloudflare is authoritative or partially onboarded.
Advanced Certificate Manager
Used for custom certificate coverage, validation control, wildcard requirements, and enterprise hostname strategies.
Cache Rules
Used to define cache eligibility, edge TTL, browser TTL, bypass behavior, and path-specific caching.
Custom Cache Keys
Used when legacy behavior depends on query strings, headers, cookies, device type, locale, or application-specific variants.
Tiered Cache
Used to reduce origin load and improve cache efficiency during and after migration.
Cache Reserve
Used when large static assets or long-tail content need persistent cache coverage and reduced origin fetches.
Origin Rules
Used for Host header, SNI, origin ports, origin selection, and backend routing behavior.
Transform Rules
Used to adjust request and response headers or normalize request properties without custom code.
Redirect Rules
Used for declarative redirects and URL changes that do not require advanced dynamic logic.
Configuration Rules
Used to apply settings by hostname, path, or traffic class where legacy platforms used nested behavior rules.
Load Balancing
Used for origin pools, steering, failover, and traffic distribution across regions or backends.
Health Checks
Used to monitor origin health and support failover decisions during and after migration.
WAF Managed Rules
Used to replace baseline application protection from legacy CDN or WAF platforms.
WAF Custom Rules
Used to translate application-specific security policy, exceptions, bypasses, and path controls.
Bot Management
Used to protect high-risk flows from scraping, credential stuffing, fake accounts, and automated abuse.
Rate Limiting
Used for login, APIs, search, forms, scraping, and request-volume abuse patterns.
API Shield
Used to protect API endpoints separately with schema validation, mTLS, inventory, and endpoint controls.
Cloudflare Workers
Used only where legacy edge logic cannot be expressed safely with native Cloudflare rules.
Logpush
Used to preserve observability by sending HTTP, WAF, bot, and security events to SIEM or data platforms.
GraphQL Analytics
Used for reporting, trend review, cache analysis, and operational dashboards.
Security Analytics
Used to review WAF, bot, rate limiting, and challenge activity during rollout.
Terraform/API automation
Used to keep Cloudflare configuration repeatable, reviewable, and aligned with change management.
| Control | When Nanosek uses it |
|---|---|
| Cloudflare DNS | Used for authoritative DNS, hostname onboarding, TTL planning, and controlled traffic movement. |
| Universal SSL | Used for baseline TLS coverage across proxied hostnames once Cloudflare is authoritative or partially onboarded. |
| Advanced Certificate Manager | Used for custom certificate coverage, validation control, wildcard requirements, and enterprise hostname strategies. |
| Cache Rules | Used to define cache eligibility, edge TTL, browser TTL, bypass behavior, and path-specific caching. |
| Custom Cache Keys | Used when legacy behavior depends on query strings, headers, cookies, device type, locale, or application-specific variants. |
| Tiered Cache | Used to reduce origin load and improve cache efficiency during and after migration. |
| Cache Reserve | Used when large static assets or long-tail content need persistent cache coverage and reduced origin fetches. |
| Origin Rules | Used for Host header, SNI, origin ports, origin selection, and backend routing behavior. |
| Transform Rules | Used to adjust request and response headers or normalize request properties without custom code. |
| Redirect Rules | Used for declarative redirects and URL changes that do not require advanced dynamic logic. |
| Configuration Rules | Used to apply settings by hostname, path, or traffic class where legacy platforms used nested behavior rules. |
| Load Balancing | Used for origin pools, steering, failover, and traffic distribution across regions or backends. |
| Health Checks | Used to monitor origin health and support failover decisions during and after migration. |
| WAF Managed Rules | Used to replace baseline application protection from legacy CDN or WAF platforms. |
| WAF Custom Rules | Used to translate application-specific security policy, exceptions, bypasses, and path controls. |
| Bot Management | Used to protect high-risk flows from scraping, credential stuffing, fake accounts, and automated abuse. |
| Rate Limiting | Used for login, APIs, search, forms, scraping, and request-volume abuse patterns. |
| API Shield | Used to protect API endpoints separately with schema validation, mTLS, inventory, and endpoint controls. |
| Cloudflare Workers | Used only where legacy edge logic cannot be expressed safely with native Cloudflare rules. |
| Logpush | Used to preserve observability by sending HTTP, WAF, bot, and security events to SIEM or data platforms. |
| GraphQL Analytics | Used for reporting, trend review, cache analysis, and operational dashboards. |
| Security Analytics | Used to review WAF, bot, rate limiting, and challenge activity during rollout. |
| Terraform/API automation | Used to keep Cloudflare configuration repeatable, reviewable, and aligned with change management. |
Legacy CDN to Cloudflare mapping
Legacy CDN to Cloudflare mapping
DNS and hostnames
Cloudflare DNS, full zone, partial CNAME setup
Choose onboarding model based on control, risk, and rollback requirements.
Certificates
Universal SSL, Advanced Certificate Manager, custom certificates
Validate before cutover and align with hostname strategy.
Cache behaviors
Cache Rules, custom cache keys, browser TTL, edge TTL
Test per path, extension, header, cookie, and query string behavior.
Origin routing
Origin Rules, Load Balancing, Health Checks
Validate Host header, SNI, origin ports, failover, and origin allowlisting.
Redirects
Redirect Rules, Bulk Redirects, Workers
Keep simple redirects declarative and use Workers only for complex logic.
Header changes
Transform Rules, Workers
Validate request and response headers before cutover.
Edge functions
Cloudflare Workers
Rebuild only logic that cannot be expressed with native Cloudflare rules.
WAF policies
WAF Managed Rules, Custom Rules, exceptions
Start in log or simulate mode and tune before blocking.
Bot protection
Bot Management, Super Bot Fight Mode, WAF rules
Protect sensitive paths without blocking legitimate users.
Rate limits
Cloudflare Rate Limiting
Design by path, method, user behavior, API profile, and abuse pattern.
API security
API Shield, mTLS, schema validation
Protect APIs separately from public web paths.
Logs
Logpush, Security Events, GraphQL Analytics
Preserve observability before traffic moves.
Automation
Terraform, Cloudflare API, GitOps workflows
Keep configuration repeatable and reviewable.
| Legacy CDN area | Cloudflare target | Migration notes |
|---|---|---|
| DNS and hostnames | Cloudflare DNS, full zone, partial CNAME setup | Choose onboarding model based on control, risk, and rollback requirements. |
| Certificates | Universal SSL, Advanced Certificate Manager, custom certificates | Validate before cutover and align with hostname strategy. |
| Cache behaviors | Cache Rules, custom cache keys, browser TTL, edge TTL | Test per path, extension, header, cookie, and query string behavior. |
| Origin routing | Origin Rules, Load Balancing, Health Checks | Validate Host header, SNI, origin ports, failover, and origin allowlisting. |
| Redirects | Redirect Rules, Bulk Redirects, Workers | Keep simple redirects declarative and use Workers only for complex logic. |
| Header changes | Transform Rules, Workers | Validate request and response headers before cutover. |
| Edge functions | Cloudflare Workers | Rebuild only logic that cannot be expressed with native Cloudflare rules. |
| WAF policies | WAF Managed Rules, Custom Rules, exceptions | Start in log or simulate mode and tune before blocking. |
| Bot protection | Bot Management, Super Bot Fight Mode, WAF rules | Protect sensitive paths without blocking legitimate users. |
| Rate limits | Cloudflare Rate Limiting | Design by path, method, user behavior, API profile, and abuse pattern. |
| API security | API Shield, mTLS, schema validation | Protect APIs separately from public web paths. |
| Logs | Logpush, Security Events, GraphQL Analytics | Preserve observability before traffic moves. |
| Automation | Terraform, Cloudflare API, GitOps workflows | Keep configuration repeatable and reviewable. |
Cutover checkpoints
- Lower DNS TTLs before the migration window and confirm rollback DNS values are ready.
- Validate certificates, origins, Host header behavior, SNI, redirects, cache rules, WAF events, bot events, and Logpush before traffic movement.
- Move traffic in phases where possible and monitor error rates, cache hit ratio, origin load, latency, and critical journeys.
- Keep rollback owners, criteria, and timing visible in the live cutover runbook.
Validation signals
- Cache HIT/MISS behavior matches the approved test matrix.
- Login, checkout, API, upload, search, and static asset flows work through Cloudflare.
- WAF, bot, and rate limiting events are visible without unexpected false positives.
- Origin load, latency, and error rates stay within agreed thresholds.
Deployment steps
- 01 Inventory legacy CDN configuration, application flows, cache behavior, security controls, logs, automation, and operational dependencies.
- 02 Design the Cloudflare target architecture for DNS, certificates, origins, cache, security, logging, automation, cutover, and rollback.
- 03 Translate rules, redirects, headers, cache behavior, WAF policies, bot controls, rate limits, API protections, and edge logic.
- 04 Build Cloudflare configuration in staging, test hostnames, partial onboarding, or non-production zones where possible.
- 05 Validate cache, redirects, headers, origins, TLS, WAF, bot, APIs, logs, and critical user journeys.
- 06 Execute phased production cutover with live monitoring and rollback criteria.
- 07 Tune caching, security, observability, automation, and managed operations after launch.
Risks and mitigations
Cache behavior changes.
Build a cache test matrix and validate by path, extension, query string, cookie, and header.
Origin overload.
Use staged rollout, monitor cache miss spikes, and tune cache eligibility before full cutover.
Redirect loops.
Test redirects and rewrites with production-like hostnames and paths.
Host header or SNI mismatch.
Validate origin rules, TLS settings, and backend expectations before production traffic moves.
Certificate errors.
Pre-validate certificates and confirm hostname coverage.
WAF false positives.
Start in log or simulate mode and tune exceptions before blocking.
Bot false positives.
Use controlled challenge policies and protect sensitive paths gradually.
SEO impact.
Validate canonical tags, robots.txt, sitemap, redirects, and HTTP status codes.
Logging gaps.
Configure Logpush, analytics, dashboards, and alerting before cutover.
No rollback path.
Create a rollback runbook with clear owners and decision criteria.
| Risk | Mitigation |
|---|---|
| Cache behavior changes. | Build a cache test matrix and validate by path, extension, query string, cookie, and header. |
| Origin overload. | Use staged rollout, monitor cache miss spikes, and tune cache eligibility before full cutover. |
| Redirect loops. | Test redirects and rewrites with production-like hostnames and paths. |
| Host header or SNI mismatch. | Validate origin rules, TLS settings, and backend expectations before production traffic moves. |
| Certificate errors. | Pre-validate certificates and confirm hostname coverage. |
| WAF false positives. | Start in log or simulate mode and tune exceptions before blocking. |
| Bot false positives. | Use controlled challenge policies and protect sensitive paths gradually. |
| SEO impact. | Validate canonical tags, robots.txt, sitemap, redirects, and HTTP status codes. |
| Logging gaps. | Configure Logpush, analytics, dashboards, and alerting before cutover. |
| No rollback path. | Create a rollback runbook with clear owners and decision criteria. |
Migration validation checklist
- DNS records reviewed
- TTLs lowered before cutover
- Certificates issued and validated
- Origin connectivity tested
- Host header and SNI behavior validated
- Origin allowlisting updated
- Cache rules tested by path and file type
- Query string and cookie behavior validated
- Redirects and rewrites tested
- Request and response headers validated
- Login, checkout, API, upload, search, and static asset flows tested
- WAF rules reviewed in log or simulate mode
- Bot controls reviewed before enforcement
- Rate limits tested safely
- SEO-critical pages checked
- Canonical, robots, and sitemap behavior validated
- Error rates compared against baseline
- Cache hit ratio compared against expected behavior
- Logpush or analytics configured
- Rollback plan documented
- Stakeholders approved cutover
Deliverables
- Current CDN inventory
- Cloudflare target architecture
- CDN-to-Cloudflare mapping workbook
- Cache behavior test matrix
- DNS and certificate migration plan
- Origin validation plan
- Redirect and rewrite migration plan
- WAF and bot rollout plan
- Cutover runbook
- Rollback runbook
- Validation report
- Post-launch optimization backlog
- Managed operations handover
When Nanosek should help
Frequently asked questions
What is a Cloudflare CDN migration?
Is a CDN migration just a DNS switch?
Can Nanosek migrate from Akamai, Fastly, or CloudFront to Cloudflare?
Can we migrate without downtime?
How do you validate cache behavior?
What happens to existing WAF and bot rules?
Do we need Cloudflare Workers?
How do you reduce rollback risk?
Can Nanosek manage Cloudflare after the migration?
Move CDN traffic to Cloudflare with confidence
Nanosek helps you preserve critical behavior, reduce migration risk, and modernize CDN, security, and edge operations on Cloudflare.