Cloudflare for Overseas Teams — DNS / CDN / R2 / Pages / Workers / Tunnel (2026)

TL;DR: Free Cloudflare already covers ~90% of small-team needs (DNS / CDN / DDoS / SSL). What's actually worth paying for isn't Pro ($20/mo) — it's R2 (S3 alternative), Workers (edge functions), Tunnel (firewall punch-through), and Zero Trust (enterprise SSO). Pay-per-use, no forced subscription. This walks through them in the order overseas teams actually adopt them.

Why Cloudflare became the standard for overseas teams

Three reasons:

1. 320 PoPs globally — including 16 mainland-China nodes (mainland traffic only flows through them with ICP filing; without ICP it routes via HK / TPE / TYO)
2. Production-ready free tier — DNS / CDN / basic DDoS / SSL all free, no usage caps (covers 99% of SaaS at scale)
3. Excellent API — first-class Terraform / Pulumi providers; infra-as-code is trivial

Day one of any overseas SMB: switch your domain NS to Cloudflare. Everything else cascades from there.

Cloudflare suite — by usage frequency

Pro $20/mo is rarely worth buying for SMBs. Free tier covers 95% of cases; Pro mainly adds Image Optimization / WAF custom rules / Mobile Redirect — marginal value for small teams. Business / Enterprise plans run $200-$2000+/mo and only matter when you've been DDoSed seriously or have stringent compliance.

Day-one config — 5 steps

1. Switch domain NS to Cloudflare (15 min)

Whether your domain is at Namecheap / GoDaddy / 阿里云 / 腾讯云, you can switch:

1. Cloudflare free account → "Add a site" with your domain
2. Cloudflare auto-scans existing NS and imports DNS records
3. Copy the 2 NS Cloudflare gives you (like xxxx.ns.cloudflare.com)
4. Update NS at original registrar; propagation 1-24 hours

After switch, all DNS changes happen in Cloudflare's console, with sub-30-second global rollout.

2. SSL · auto-renewing Let's Encrypt

Default mode after NS switch is auto SSL. Choose Full (Strict):

• Flexible: HTTPS browser ↔ Cloudflare, HTTP Cloudflare ↔ origin — don't use, MITM risk
• Full: HTTPS both legs, no certificate verification — self-signed certs OK
• Full (Strict): HTTPS + cert validation — recommended

90-day auto-renewal, new cert signed 7 days before expiry. Hands-off.

3. CDN + DDoS · enabled by default

Set Proxy status to orange cloud = traffic flows through Cloudflare CDN. Free tier includes:

• Global CDN cache (images / CSS / JS auto-cached, HTML defaults to no-cache)
• DDoS protection (L3-L7, no usage cap)
• Basic Bot Management

Important: with Proxy on, client IP arrives in X-Forwarded-For. Your Nginx / app must read this header, otherwise all traffic looks like it's from Cloudflare IPs.

# /etc/nginx/conf.d/cloudflare.conf
real_ip_header X-Forwarded-For;
set_real_ip_from 173.245.48.0/20;  # Cloudflare ranges
set_real_ip_from 103.21.244.0/22;
# ... (Cloudflare's published IP list, refresh periodically)

4. Cache rules · one Page Rule saves 70% bandwidth

Free tier gets 3 Page Rules. Most important:

URL Pattern: yourdomain.com/static/*
Settings:
  - Cache Level: Cache Everything
  - Edge Cache TTL: 1 month

Static assets (images / CSS / JS) cached at edge, no origin hits. We've seen 70-90% origin traffic drop in production deployments.

5. Firewall Rules · 5 free rules

Three most common:

1. Block specific countries:
   (ip.geoip.country in {"RU" "KP" "IR"}) → Block

2. Block SQL-injection probes:
   (http.request.uri contains "union select" or http.request.uri contains "../etc/passwd") → Block

3. Rate-limit login:
   (http.request.uri.path eq "/api/login") → Challenge (CAPTCHA after 5 req/min)

5 rules max free, 50 with Pro $20. We only upgrade for high-compliance clients (medical / financial).

R2 · we replaced all S3 with this

R2 is Cloudflare's object storage. Key difference: zero egress fees.

Real savings: one client at 5TB/mo egress = ~$450/mo on S3, $0 on R2, $5,400/yr saved.

Migration cost: zero. Change the aws-sdk endpoint:

// old: AWS S3
const s3 = new S3Client({ region: 'us-east-1' });
 
// new: Cloudflare R2
const s3 = new S3Client({
  region: 'auto',
  endpoint: 'https://YOUR_ACCOUNT_ID.r2.cloudflarestorage.com',
  credentials: { accessKeyId: ..., secretAccessKey: ... },
});
// rest of your code unchanged

Workers · skip the EC2

Workers is Cloudflare's edge runtime — V8 JavaScript / TypeScript on 320 global PoPs. Free tier: 100,000 requests/day (enough to run small SaaS for free indefinitely).

Typical use cases:

1. Redirects / A/B testing

export default {
  async fetch(req: Request): Promise<Response> {
    const url = new URL(req.url);
    if (url.pathname === '/old-page') {
      return Response.redirect('https://yourdomain.com/new-page', 301);
    }
    return fetch(req);
  },
};

2. API gateway + auth

export default {
  async fetch(req: Request, env: any): Promise<Response> {
    const auth = req.headers.get('Authorization');
    const token = auth?.replace('Bearer ', '');
    const isValid = await env.KV.get(`token:${token}`);
    if (!isValid) return new Response('Unauthorized', { status: 401 });
    return fetch(req);
  },
};

3. Image transformation (replaces Cloudinary)

// /image-resize?url=...&width=400
// Cloudflare Image Resizing API at the edge
const target = `https://yourdomain.com/cdn-cgi/image/width=400,quality=80/${originalUrl}`;

Our clients run full SaaS backends on Workers + R2 + KV — $0 server cost at 10K MAU. Workers genuinely changes SaaS unit economics.

Tunnel · public access without an open port

Cloudflare Tunnel is reverse-proxy: your server initiates a connection to Cloudflare; Cloudflare routes external traffic to it. No public IP, no port opening required.

Use cases:

• Internal dev server demos to clients (https://demo.yourdomain.com → your localhost:3000)
• NAS / Raspberry Pi exposed (residential ISPs don't allow direct exposure)
• Replace expensive VPNs (limit a specific team's access to internal admin)

5-minute config:

# 1. Install cloudflared
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared && sudo mv cloudflared /usr/local/bin/
 
# 2. Login + create Tunnel
cloudflared tunnel login
cloudflared tunnel create my-tunnel
 
# 3. Configure + run
cloudflared tunnel route dns my-tunnel demo.yourdomain.com
cloudflared tunnel run --url http://localhost:3000 my-tunnel

Done. https://demo.yourdomain.com is reachable, SSL auto-configured, no firewall holes.

Pages · we left Vercel for this

Cloudflare Pages = static site hosting on the same Workers Runtime. Comparison:

Pages's only weakness is SSR / RSC support lags Vercel slightly (Vercel sponsors Next.js), but Next.js 14 / 15 work fine via @cloudflare/next-on-pages. Our clients have moved from Vercel to Pages with zero issues — saving $200/mo of subscription on average.

When to actually upgrade to Pro ($20/mo)

Only in these cases:

1. Active DDoS on real business (free DDoS handles 99% but Pro adds Advanced DDoS for extreme cases)
2. Need more than 5 WAF custom rules (Pro: 20-100 rules)
3. Image optimization (Polish + WebP) is cost-effective (>100GB/mo image traffic)
4. Mobile Redirect / Image Insights type advanced features

Otherwise, free.

FAQ

Q: Is Cloudflare slow in mainland China? A: Depends on ICP filing. With ICP: Cloudflare China Network routes through 16 mainland nodes (China Unicom partnership), comparable to AliCloud CDN. Without ICP: traffic goes via HK / TPE / TYO PoPs, mainland users see 100-200ms latency — workable but not as fast as local CDN. For mainland-business focus without ICP, layer Cloudflare (international) + a domestic CDN.

Q: Is free Cloudflare really free? Hidden costs? A: Truly free, no hidden cost. Caveats: ① Workers above 100K req/day → $0.50/M; ② R2 charges for storage + ops (egress free); ③ Pro upgrade unlocks custom SSL certs. Most small SaaS run $0-$50/yr realistically.

Q: Is Cloudflare more secure than AWS / AliCloud / Tencent Cloud? A: Different layers. Cloudflare excels at edge security (DDoS / WAF / Bot); AWS / AliCloud excel at host security (VPC / Security Group / IAM). Best combo: Cloudflare in front + any cloud behind.

Q: What if Cloudflare goes down? A: Cloudflare SLA is 99.99% (Enterprise). Practically rare. But there have been a few global routing incidents (2022). For critical business: ① keep a backup CDN (Bunny / KeyCDN); ② run NS redundancy across multiple registrars; ③ use third-party uptime monitoring (StatusCake / UptimeRobot), not Cloudflare's own.

Q: Is Cloudflare data-compliant? A: GDPR / CCPA fully compliant. China data export regulations need separate evaluation — don't use Cloudflare to store mainland-business data (use AliCloud OSS / Tencent Cloud COS for that). Overseas business: no concerns.

Cloudflare config not your thing? ClouBay digital asset custody runs DNS / SSL / CDN config + monthly health audits. From ¥480/month.