Akamai to Cloudflare mapping guide
This guide turns Akamai-to-Cloudflare migration into a practical mapping model. It covers how Akamai properties, behaviors, cache keys, origins, WAF policy, bot controls, EdgeWorkers, certificates, DataStream logging, redirects, and operational ownership translate into Cloudflare rulesets, cache rules, origin rules, WAF, Bot Management, Workers, Logpush, and managed operations.
Migration scope
Akamai
Cloudflare
Nanosek authorized MSP & ASDP partner
This guide turns Akamai-to-Cloudflare migration into a practical mapping model. It covers how Akamai properties, behaviors, cache keys, origins, WAF policy, bot controls, EdgeWorkers, certificates, DataStream logging, redirects, and operational ownership translate into Cloudflare rulesets, cache rules, origin rules, WAF, Bot Management, Workers, Logpush, and managed operations.
Migration model
Translate behavior first, then configure Cloudflare
Export Akamai estate
Classify behaviors
Map Cloudflare primitives
Build target config
Validate parity
Cut over and tune
Core principle
Akamai properties often encode years of application behavior. A clean migration does not copy that tree blindly — it maps each behavior to a Cloudflare primitive, validates equivalent outcomes, and retires legacy complexity where Cloudflare can express the intent more simply.
Mapping reference
Akamai to Cloudflare — feature mapping
Starting model for your migration workbook. Grouped by workstream.
CDN & Delivery
5 itemsAkamai
Property Manager properties and rules
Cloudflare
Rulesets, Cache Rules, Origin Rules, Transform Rules, Redirect Rules
Split large property logic into targeted Cloudflare rule families instead of recreating one monolithic tree.
Akamai
Edge hostnames and CP codes
Cloudflare
Cloudflare zones, hostnames, DNS records, analytics dimensions, Logpush fields
Map ownership and reporting needs before traffic moves so analytics and chargeback do not disappear.
Akamai
Origin Server behavior and origin groups
Cloudflare
Origin Rules, Load Balancing pools, health checks, Host header override, SNI settings
Validate origin reachability, virtual hosting, TLS mode, Host header, and failover behavior per hostname.
Akamai
Caching behaviors, cache keys, SureRoute, tiering
Cloudflare
Cache Rules, Custom Cache Key, Tiered Cache, Cache Reserve, Argo Smart Routing
Treat cache behavior as a performance and origin-load migration, not just a feature mapping exercise.
Akamai
Edge Redirector and redirect behaviors
Cloudflare
Redirect Rules, Bulk Redirects, Transform Rules, Workers where needed
Use declarative redirects first; reserve Workers for conditional, stateful, or external-lookup logic.
Security
2 itemsAkamai
Kona Site Defender / App & API Protector
Cloudflare
Cloudflare WAF Managed Rules, Custom Rules, API Shield, DDoS protection
Translate policy intent and exception scope, then promote enforcement after false-positive review.
Akamai
Bot Manager
Cloudflare
Cloudflare Bot Management, Super Bot Fight Mode where appropriate, rate limiting, Turnstile
Separate verified bots, partner automation, abusive bots, scraping, login abuse, and API automation.
Edge Logic
1 itemAkamai
EdgeWorkers
Cloudflare
Cloudflare Workers, Rules, Cache API, KV, Durable Objects, service bindings
Decide rules vs Workers per function. Do not move simple config into code by default.
Observability & Operations
2 itemsAkamai
DataStream and security logs
Cloudflare
Logpush, GraphQL Analytics, Security Events, SIEM parsers, R2/S3/BigQuery destinations
Validate field mapping and alert coverage before shutting down Akamai logging.
Akamai
Activation workflow and operational process
Cloudflare
Cloudflare API, Terraform, dashboard changes, audit logs, managed operations runbooks
Replace activation gates with change control, review, rollback, and IaC where possible.
Decision diagram
Rules before Workers, except when code is justified
Declarative rule
Redirects, header edits, cache decisions, URL normalization, simple origin routing.
Cloudflare Worker
Complex branching, external lookups, signed logic, stateful behavior, API middleware, custom authentication.
Retire or simplify
Legacy exceptions, duplicate behaviors, unused device logic, stale redirects, expired campaign paths.
The goal is not to rebuild Akamai in Cloudflare. The goal is to express the same security and delivery intent using Cloudflare-native primitives — and retire what no longer needs to exist.
Parity checks
What must match before cutover
Cache
Cache key, TTL, bypass, vary headers, query strings, cookies, stale behavior, cache status, origin hit rate.
Security
WAF action, rule ID, bot outcome, challenge behavior, API policy, rate limits, false positives, allowlists.
Origin
Host header, SNI, TLS mode, origin certificate, health checks, failover, status codes, latency, connection errors.
Edge logic
Redirects, rewrites, header transforms, device logic, geo logic, auth handoff, Workers output versus EdgeWorkers output.
Observability
Log delivery, SIEM fields, dashboards, alert parity, request identifiers, security event coverage, retention.
Cutover gates
Do not move production traffic until all signals are green
Configuration mapped
Every Akamai behavior has a Cloudflare target, decision owner, test case, and status.
Critical paths validated
Top URLs, login, checkout, APIs, redirects, static assets, and admin flows pass Cloudflare testing.
Security staged
WAF and bot policies are in monitor or controlled enforcement with false-positive review complete.
Logs live
Logpush reaches the destination, SIEM parsers work, and alert owners can investigate Cloudflare events.
Rollback ready
DNS, Akamai property fallback, certificate state, origin firewall rules, and owners are documented.
Step by step
Migration checklist
- 1
Export or inventory Akamai properties, hostnames, edge hostnames, CP codes, origins, behaviors, includes, certificates, WAF policies, Bot Manager controls, EdgeWorkers, redirects, and DataStream jobs.
- 2
Group Akamai behavior by workstream: DNS and onboarding, caching, origin routing, headers and transforms, redirects, WAF, bot controls, API protection, edge code, logging, and operations.
- 3
Identify which Akamai rules can become Cloudflare declarative rules and which need Cloudflare Workers, API Shield, Load Balancing, Transform Rules, Cache Rules, or custom WAF logic.
- 4
Build a mapping workbook with each Akamai behavior, matching Cloudflare primitive, migration decision, owner, test case, risk level, and rollback note.
- 5
Design Cloudflare target architecture across zones, hostnames, SSL/TLS mode, certificates, origin pools, Host header/SNI behavior, cache topology, WAF policy, and Logpush destinations.
- 6
Create a validation matrix comparing Akamai and Cloudflare behavior for cache status, TTL, headers, redirects, origin routing, status codes, WAF actions, bot outcomes, and logs.
- 7
Run staged testing through test hostnames, partial traffic, internal DNS overrides, or low-risk hostnames while Akamai continues serving production traffic.
- 8
Prepare cutover and rollback: TTL changes, nameserver or CNAME moves, certificate readiness, origin firewall updates, monitoring thresholds, owner approvals, and Akamai fallback instructions.
- 9
After cutover, compare Akamai baseline metrics with Cloudflare analytics for cache hit ratio, origin traffic, WAF events, bot activity, latency, error rates, and alert coverage.
- 10
Decommission Akamai only after Cloudflare behavior, logs, dashboards, alerts, runbooks, and managed operations are accepted by application, security, and infrastructure owners.
Risk register
Risks to control
Property Manager behavior is replicated without simplification.
Classify each behavior as keep, replace, simplify, retire, or move to Workers. Avoid rebuilding years of accidental complexity.
Cache behavior changes increase origin load.
Map cache keys, TTLs, bypass rules, query-string handling, cookies, tiered cache, and origin shield behavior before cutover.
Host header or SNI behavior differs at the origin.
Test virtual hosting, certificate validation, origin override, SNI, and Host header rules per origin before traffic moves.
Kona Site Defender rules are translated too broadly.
Inventory WAF policies, exceptions, rule groups, bot interactions, and API paths. Promote Cloudflare controls gradually with false-positive review.
EdgeWorkers are converted to Workers unnecessarily.
Replace simple redirects, header edits, and cache decisions with declarative rules where possible. Use Workers only for logic that needs code.
DataStream is turned off before Logpush is validated.
Configure Logpush, field mapping, SIEM parsing, dashboards, and alert rules before Akamai logging is decommissioned.
Rollback depends on manual memory during cutover.
Document DNS rollback, Akamai property fallback, certificate state, origin firewall rules, owners, and timing constraints before the window.
Output
Useful deliverables
- Akamai current-state inventory covering properties, hostnames, origins, certificates, rules, security controls, edge code, and logs.
- Akamai-to-Cloudflare mapping workbook with target primitive, decision, owner, status, and test case per behavior.
- Cloudflare target architecture for zones, DNS, SSL/TLS, origins, caching, WAF, bot, Workers, Logpush, and operations.
- Cache and origin behavior parity matrix comparing Akamai and Cloudflare results on critical paths.
- WAF and Bot Management policy translation plan with false-positive review workflow.
- EdgeWorkers-to-Rules-or-Workers decision register.
- Cutover and rollback runbook with TTLs, ownership, monitoring, go/no-go criteria, and fallback instructions.
- Post-cutover tuning backlog for cache, WAF, bot controls, logs, alerting, and managed operations.
Keep reading
Related resources
Nanosek
Map your Akamai estate
Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.