From legacy edge to Cloudflare, safely.
Tap a node on either side to focus the flow.
Migration flow
From Akamai, through Discovery → Mapping → Cutover → Operate, into the Cloudflare destinations on the right. Tap any node to focus the flow.
On this page
Nanosek provides Cloudflare migration services for organizations moving websites, APIs, DNS, CDN delivery, WAF policies, DDoS protection, bot protection, certificates, redirects, origin routing, edge logic, logging, and operational workflows to Cloudflare. The service includes discovery, current-state inventory, Cloudflare target architecture, configuration mapping, staged implementation, testing, cutover planning, rollback design, post-launch tuning, and managed Cloudflare operations.
Who this is for
What we migrate to Cloudflare
DNS zones and records
Review authoritative DNS, records, proxy status, nameserver cutover, DNSSEC, email records, SaaS records, and rollback requirements.
CDN and cache behavior
Map cache eligibility, cache keys, edge TTL, browser TTL, bypass rules, query string behavior, cookies, headers, and origin cache-control assumptions.
WAF policies and security rules
Translate managed rules, custom rules, exceptions, skip logic, false-positive handling, and staged enforcement into Cloudflare controls.
DDoS protection posture
Review DDoS readiness, cache strategy, HTTP flood controls, origin exposure, emergency response process, and post-attack tuning.
Bot protection and automation controls
Design Bot Management, verified bot handling, allowlists, challenge policy, rate limits, and false-positive tuning for high-risk paths.
API security controls
Map API endpoints, methods, authentication behavior, schema validation, mTLS options, WAF rules, rate limits, and API Shield controls.
TLS certificates and SSL settings
Validate Universal SSL, Advanced Certificate Manager, custom certificates, CAA records, hostname coverage, and SSL/TLS mode before cutover.
Origin routing and failover
Review origin pools, Host header, SNI, ports, firewall allowlisting, health checks, load balancing, and failover behavior.
Redirects, rewrites, and headers
Move redirects, rewrites, request headers, response headers, URL normalization, and transformation logic into declarative Cloudflare rules where possible.
Edge logic and serverless functions
Assess legacy edge code and rebuild only the logic that requires Cloudflare Workers instead of native rules.
Logs, dashboards, and SIEM workflows
Configure Logpush, Security Analytics, GraphQL Analytics, dashboards, alerts, and reporting before production traffic moves.
Zero Trust policies, where in scope
Migrate or introduce Access, Gateway, WARP, identity, device posture, and private application controls when migration touches access security.
Load balancing and health checks
Map legacy load balancing, origin pools, health checks, steering rules, failover expectations, and traffic distribution requirements.
Operational runbooks and ownership model
Document cutover, rollback, validation, monitoring, escalation, change ownership, and managed operations workflows.
Why Cloudflare migrations fail
Cloudflare migrations fail when they are treated as a simple DNS switch. Existing platforms often contain years of hidden production behavior: cache rules, redirects, header changes, WAF exceptions, bot allowlists, origin routing, TLS assumptions, API controls, and logging dependencies.
Our Cloudflare migration methodology
Discovery and current-state inventory
- Review domains, DNS records, CDN behavior, WAF rules, bot controls, DDoS posture, origins, certificates, redirects, edge logic, logs, application flows, APIs, and operational workflows.
- Identify critical paths such as login, checkout, APIs, file upload, admin portals, static assets, payment flows, and partner integrations.
Cloudflare target architecture
- Define the Cloudflare zone model, DNS onboarding approach, proxy strategy, cache model, certificate strategy, origin design, security model, logging model, and rollback approach.
- Decide what should be implemented with native Cloudflare rules versus Workers.
Configuration mapping and implementation plan
- Map existing behavior into Cloudflare DNS, Cache Rules, Origin Rules, Transform Rules, Redirect Rules, Configuration Rules, WAF, Bot Management, Rate Limiting, API Shield, Load Balancing, Logpush, Workers, and Zero Trust where relevant.
- Build a migration backlog with risks, owners, dependencies, and success criteria.
Build and controlled validation
- Configure Cloudflare in staging, test hostnames, partial onboarding, non-production zones, or monitor mode where possible.
- Validate cache behavior, redirects, headers, TLS, origin routing, WAF events, bot behavior, API flows, and logging.
Cutover readiness
- Prepare DNS TTL changes, certificate validation, origin allowlisting, monitoring windows, escalation contacts, stakeholder approvals, rollback steps, and success criteria.
Production cutover
- Move traffic using a phased approach where possible.
- Monitor error rates, cache hit ratio, latency, origin health, WAF events, bot events, rate limits, API errors, and critical user journeys.
Post-launch tuning and managed operations
- Tune cache, WAF, bot, rate limiting, API security, dashboards, alerts, documentation, and operational runbooks.
- Transition into managed Cloudflare operations where required.
Where customers migrate from
Cloudflare controls we use during migration
Cloudflare DNS
Used for authoritative DNS, hostname onboarding, proxy decisions, nameserver cutover, and rollback planning.
Full zone onboarding
Used when Cloudflare becomes authoritative for the domain and controls the complete DNS zone.
Partial CNAME onboarding
Used when selected hostnames move to Cloudflare while DNS authority remains elsewhere.
Universal SSL
Used for baseline certificate coverage on proxied hostnames.
Advanced Certificate Manager
Used for wildcard coverage, custom certificate needs, validation control, and enterprise hostname strategies.
Cache Rules
Used to define cache eligibility, edge TTL, browser TTL, bypass behavior, and path-specific caching.
Custom Cache Keys
Used when cache variants depend on query strings, cookies, headers, locale, device type, or app-specific behavior.
Tiered Cache
Used to improve cache efficiency and reduce origin load during and after migration.
Cache Reserve
Used for long-tail static assets or large content sets that benefit from persistent cache coverage.
Origin Rules
Used for Host header, SNI, origin ports, origin selection, and backend routing behavior.
Transform Rules
Used to adjust request or response headers and normalize request properties without custom code.
Redirect Rules
Used for declarative redirects and URL changes.
Configuration Rules
Used to apply settings by hostname, path, or traffic class.
Load Balancing
Used for origin pools, steering, failover, and multi-region traffic distribution.
Health Checks
Used to monitor origin health and support failover decisions.
WAF Managed Rules
Used for baseline application protection when replacing legacy WAF controls.
WAF Custom Rules
Used to translate application-specific rules, bypasses, exceptions, and path controls.
Rate Limiting
Used for login, APIs, search, forms, scraping, and request-volume abuse patterns.
Bot Management
Used to protect high-risk flows from scraping, credential stuffing, fake accounts, and automated abuse.
API Shield
Used to protect APIs with discovery, schema validation, mTLS, and endpoint-specific controls.
mTLS
Used for strong client authentication on APIs, partner integrations, or origin-facing flows.
Turnstile
Used when interactive or non-interactive checks are needed for suspicious forms, login, or abuse paths.
DDoS Protection
Used to reduce volumetric, HTTP, DNS, and API flood risk with origin hardening and response readiness.
Logpush
Used to export HTTP, WAF, bot, Zero Trust, DNS, and security logs to SIEM, storage, or analytics platforms.
Security Analytics
Used to review WAF, bot, rate limiting, DDoS, and challenge activity during rollout.
GraphQL Analytics
Used for reporting, trend review, cache analysis, and operational dashboards.
Cloudflare Workers
Used only where legacy edge logic cannot be expressed safely with native Cloudflare rules.
Terraform/API automation
Used to keep Cloudflare configuration repeatable, reviewable, and aligned with change management.
Zero Trust, where in scope
Used for Access, Gateway, WARP, identity, device posture, and private application migration workstreams.
| Control | When Nanosek uses it |
|---|---|
| Cloudflare DNS | Used for authoritative DNS, hostname onboarding, proxy decisions, nameserver cutover, and rollback planning. |
| Full zone onboarding | Used when Cloudflare becomes authoritative for the domain and controls the complete DNS zone. |
| Partial CNAME onboarding | Used when selected hostnames move to Cloudflare while DNS authority remains elsewhere. |
| Universal SSL | Used for baseline certificate coverage on proxied hostnames. |
| Advanced Certificate Manager | Used for wildcard coverage, custom certificate needs, validation control, and enterprise hostname strategies. |
| Cache Rules | Used to define cache eligibility, edge TTL, browser TTL, bypass behavior, and path-specific caching. |
| Custom Cache Keys | Used when cache variants depend on query strings, cookies, headers, locale, device type, or app-specific behavior. |
| Tiered Cache | Used to improve cache efficiency and reduce origin load during and after migration. |
| Cache Reserve | Used for long-tail static assets or large content sets that benefit from persistent cache coverage. |
| Origin Rules | Used for Host header, SNI, origin ports, origin selection, and backend routing behavior. |
| Transform Rules | Used to adjust request or response headers and normalize request properties without custom code. |
| Redirect Rules | Used for declarative redirects and URL changes. |
| Configuration Rules | Used to apply settings by hostname, path, or traffic class. |
| Load Balancing | Used for origin pools, steering, failover, and multi-region traffic distribution. |
| Health Checks | Used to monitor origin health and support failover decisions. |
| WAF Managed Rules | Used for baseline application protection when replacing legacy WAF controls. |
| WAF Custom Rules | Used to translate application-specific rules, bypasses, exceptions, and path controls. |
| Rate Limiting | Used for login, APIs, search, forms, scraping, and request-volume abuse patterns. |
| Bot Management | Used to protect high-risk flows from scraping, credential stuffing, fake accounts, and automated abuse. |
| API Shield | Used to protect APIs with discovery, schema validation, mTLS, and endpoint-specific controls. |
| mTLS | Used for strong client authentication on APIs, partner integrations, or origin-facing flows. |
| Turnstile | Used when interactive or non-interactive checks are needed for suspicious forms, login, or abuse paths. |
| DDoS Protection | Used to reduce volumetric, HTTP, DNS, and API flood risk with origin hardening and response readiness. |
| Logpush | Used to export HTTP, WAF, bot, Zero Trust, DNS, and security logs to SIEM, storage, or analytics platforms. |
| Security Analytics | Used to review WAF, bot, rate limiting, DDoS, and challenge activity during rollout. |
| GraphQL Analytics | Used for reporting, trend review, cache analysis, and operational dashboards. |
| Cloudflare Workers | Used only where legacy edge logic cannot be expressed safely with native Cloudflare rules. |
| Terraform/API automation | Used to keep Cloudflare configuration repeatable, reviewable, and aligned with change management. |
| Zero Trust, where in scope | Used for Access, Gateway, WARP, identity, device posture, and private application migration workstreams. |
Legacy platform to Cloudflare mapping
Legacy platform to Cloudflare mapping
DNS and hostnames
Cloudflare DNS, full zone, partial CNAME
Choose onboarding model based on ownership, risk, and rollback requirements.
CDN cache behavior
Cache Rules, custom cache keys, Tiered Cache, Cache Reserve
Validate per path, extension, header, cookie, query string, and origin response behavior.
Origin routing
Origin Rules, Load Balancing, Health Checks
Validate Host header, SNI, origin ports, firewall allowlisting, and failover.
Redirects and rewrites
Redirect Rules, Bulk Redirects, Transform Rules, Workers
Keep simple behavior declarative and use Workers for complex logic.
WAF policies
WAF Managed Rules, Custom Rules, exceptions, skip rules
Start in log/simulate mode and tune before blocking.
Bot controls
Bot Management, verified bots, WAF rules, rate limits
Protect sensitive paths without blocking good users, crawlers, partners, or mobile apps.
API security
API Shield, mTLS, schema validation, rate limiting
Protect APIs separately from public web paths.
DDoS posture
Cloudflare DDoS protection, cache strategy, origin hardening
Combine automated protection with origin lockdown and response readiness.
Certificates
Universal SSL, Advanced Certificate Manager, custom certificates
Validate certificate coverage before production cutover.
Edge functions
Cloudflare Workers
Rebuild only logic that cannot be handled with native Cloudflare rules.
Logs and SIEM
Logpush, Security Analytics, GraphQL Analytics
Preserve observability before traffic moves.
Operations
Runbooks, dashboards, alerts, reporting, managed services
Define ownership and post-launch change process.
| Migration area | Cloudflare target | Migration notes |
|---|---|---|
| DNS and hostnames | Cloudflare DNS, full zone, partial CNAME | Choose onboarding model based on ownership, risk, and rollback requirements. |
| CDN cache behavior | Cache Rules, custom cache keys, Tiered Cache, Cache Reserve | Validate per path, extension, header, cookie, query string, and origin response behavior. |
| Origin routing | Origin Rules, Load Balancing, Health Checks | Validate Host header, SNI, origin ports, firewall allowlisting, and failover. |
| Redirects and rewrites | Redirect Rules, Bulk Redirects, Transform Rules, Workers | Keep simple behavior declarative and use Workers for complex logic. |
| WAF policies | WAF Managed Rules, Custom Rules, exceptions, skip rules | Start in log/simulate mode and tune before blocking. |
| Bot controls | Bot Management, verified bots, WAF rules, rate limits | Protect sensitive paths without blocking good users, crawlers, partners, or mobile apps. |
| API security | API Shield, mTLS, schema validation, rate limiting | Protect APIs separately from public web paths. |
| DDoS posture | Cloudflare DDoS protection, cache strategy, origin hardening | Combine automated protection with origin lockdown and response readiness. |
| Certificates | Universal SSL, Advanced Certificate Manager, custom certificates | Validate certificate coverage before production cutover. |
| Edge functions | Cloudflare Workers | Rebuild only logic that cannot be handled with native Cloudflare rules. |
| Logs and SIEM | Logpush, Security Analytics, GraphQL Analytics | Preserve observability before traffic moves. |
| Operations | Runbooks, dashboards, alerts, reporting, managed services | Define ownership and post-launch change process. |
Cutover checkpoints
- Lower DNS TTLs where needed and confirm rollback DNS, certificates, origin allowlisting, and stakeholder approvals before the migration window.
- Validate cache, redirects, headers, TLS, origin routing, WAF, bot, API, rate limits, Logpush, and critical journeys before moving production traffic.
- Move traffic in phases where possible and monitor error rates, cache hit ratio, latency, origin health, security events, and API errors.
- Keep rollback criteria, owners, escalation contacts, and validation steps visible in the live cutover runbook.
Validation signals
- Critical paths such as login, checkout, APIs, upload, search, admin, payment, and partner integrations behave as expected.
- Cache HIT/MISS behavior, redirects, headers, certificates, and origin routing match the approved validation matrix.
- WAF, bot, rate limiting, DDoS, API Shield, and Zero Trust controls are visible and tuned before enforcement.
- Logpush, dashboards, alerts, and reporting are working before post-launch handover.
Deployment steps
- 01 Inventory domains, DNS, CDN behavior, WAF rules, bot controls, DDoS posture, APIs, certificates, origins, redirects, Workers or edge logic, logs, and operational workflows.
- 02 Design the Cloudflare target architecture for zone model, DNS onboarding, proxy strategy, cache, certificates, origins, security, logging, and rollback.
- 03 Map existing platform behavior into Cloudflare-native controls and build a migration backlog with risks, owners, dependencies, and success criteria.
- 04 Configure Cloudflare in staging, test hostnames, partial onboarding, non-production zones, or monitor mode where possible.
- 05 Validate cache, redirects, headers, TLS, origins, WAF, bot, DDoS, APIs, Zero Trust, logging, and critical user journeys.
- 06 Prepare cutover runbook, rollback runbook, stakeholder approvals, monitoring window, escalation contacts, and success criteria.
- 07 Execute production cutover, monitor live signals, tune controls, document findings, and transition into managed Cloudflare operations.
Risks and mitigations
DNS or proxy mistake.
Classify each record and hostname before cutover.
Certificate error.
Validate certificate coverage and SSL/TLS mode before production traffic moves.
Cache mismatch.
Build a cache test matrix and validate by path, headers, cookies, and query strings.
Origin overload.
Monitor cache misses, tune cache eligibility, and phase traffic where possible.
WAF false positives.
Start in log/simulate mode and promote rules gradually.
Bot false positives.
Review bot scores, verified bots, sensitive paths, and trusted automation.
API disruption.
Use API-specific controls and validate methods, headers, authentication, and rate limits.
Broken redirects.
Test redirect and rewrite chains with production-like hostnames.
Direct-to-origin bypass.
Lock down origin access and remove unintended direct DNS exposure.
Missing observability.
Configure Logpush, dashboards, and alerting before cutover.
Rollback confusion.
Create a rollback runbook with owners, conditions, and validation steps.
| Risk | Mitigation |
|---|---|
| DNS or proxy mistake. | Classify each record and hostname before cutover. |
| Certificate error. | Validate certificate coverage and SSL/TLS mode before production traffic moves. |
| Cache mismatch. | Build a cache test matrix and validate by path, headers, cookies, and query strings. |
| Origin overload. | Monitor cache misses, tune cache eligibility, and phase traffic where possible. |
| WAF false positives. | Start in log/simulate mode and promote rules gradually. |
| Bot false positives. | Review bot scores, verified bots, sensitive paths, and trusted automation. |
| API disruption. | Use API-specific controls and validate methods, headers, authentication, and rate limits. |
| Broken redirects. | Test redirect and rewrite chains with production-like hostnames. |
| Direct-to-origin bypass. | Lock down origin access and remove unintended direct DNS exposure. |
| Missing observability. | Configure Logpush, dashboards, and alerting before cutover. |
| Rollback confusion. | Create a rollback runbook with owners, conditions, and validation steps. |
Migration validation checklist
- Current DNS exported and reviewed
- Cloudflare zone model selected
- Proxy status decided per hostname
- Certificates issued and validated
- SSL/TLS mode reviewed
- Origin connectivity tested
- Host header and SNI behavior validated
- Origin IP exposure reviewed
- Cache rules tested by path and content type
- Query string and cookie behavior validated
- Redirects and rewrites tested
- Request and response headers validated
- WAF policies deployed in log or simulate mode first
- Bot controls reviewed before enforcement
- Rate limits tested safely
- API endpoints mapped and validated
- Login, checkout, upload, search, and admin flows tested
- Logpush, dashboards, or analytics configured
- Error rates compared against baseline
- Cache hit ratio compared against expected behavior
- Rollback plan documented
- Stakeholders approved cutover
Deliverables
- Current-state discovery report
- Cloudflare target architecture
- Migration risk register
- Legacy-to-Cloudflare mapping workbook
- DNS and certificate plan
- Cache behavior test matrix
- Origin validation plan
- WAF and bot rollout plan
- API security migration plan
- Cutover runbook
- Rollback runbook
- Validation report
- Post-launch tuning backlog
- Managed operations handover
Cloudflare migration service paths
Akamai to Cloudflare Migration
Akamai property, CDN, WAF, Bot Manager, EdgeWorkers, cache, and logging migration.
Cloudflare CDN Migration
Cache, origin, redirect, edge, DNS, and CDN behavior migration.
Cloudflare DNS Migration
Authoritative DNS, nameserver cutover, proxy status, DNSSEC, email records, and rollback.
Cloudflare WAF Migration
Managed rules, custom rules, exceptions, false-positive tuning, and enforcement rollout.
Cloudflare Bot Management
Bot score policies, verified bots, scraping, credential stuffing, API automation, and false-positive tuning.
Cloudflare DDoS Protection
DDoS readiness, origin protection, HTTP flood response, API protection, and incident runbooks.
Cloudflare Logpush and Observability
Logpush, SIEM, dashboards, alerts, analytics, and reporting.
Cloudflare Managed Services
Post-launch Cloudflare operations, change support, tuning, reporting, and incident support.
When Nanosek should help
Frequently asked questions
What is a Cloudflare migration?
Is migrating to Cloudflare just a DNS change?
Which platforms can Nanosek migrate from?
Can migration happen without downtime?
How do you reduce migration risk?
What happens to existing WAF and bot rules?
Do we need Cloudflare Workers?
Can Nanosek help after the migration?
Migrate to Cloudflare with confidence
Nanosek helps you preserve critical behavior, reduce cutover risk, validate production paths, and move to Cloudflare with a clear rollback and operating model.