How to secure (access to) workers at scale?

For Workers & Pages, what is the name of the domain?

/

What is the issue or error you’re encountering

How to secure (access to) workers at scale?

What steps have you taken to resolve the issue?

I am scoping out a service setup and workers/Cloudflare is one of the options (Lambda/AWS is too)

There are a bunch of questions I am trying to resolve and the docs have decent info, but not all:

  • Is there a cheap/simple way to protect access to your worker, besides using Cloudflare Access? Or is that the only way?
    • I found the rate limiting docs, but what can be done before traffic hits the worker?
    • WAF rules could be an option, but not very scalable beyond a handful of workers
    • We could keep an IP allow list, but how would we know what IP has access to what worker?
  • How do I secure a worker's outgoing requests, beyond the workaround described here (Allow Restriction of Outbound Traffic from a Worker) that relies on logging?

Thank you :slight_smile:

An additional security concern is logging :thinking:. Being able to store logs outside of the main account in a third party location would be essential.

From what I can understand the ability to easily push logs outside of the account is an enterprise only feature for most of Cloudflare products, which will be a hard sell when I present this for a security audit.

Workers does have Workers Trace Events Logpush support, albeit the presentation is a bit confusing: Logpush · Cloudflare Logs docs

Any other Cloudflare products I would use in conjunction with workers, eg WAF, R2, D1 would need enterprise to easily extract logs. Business plan access to this feature would make more sense I would think.

Also places an * on the ‘No data egress fees’ https://www.cloudflare.com/learning/cloud/what-are-data-egress-fees/

Cloudflare’s research has found that reducing or eliminating egress fees can save customers between 7.5% and 27% of their total monthly bill.*

*Except if they are logs