I have a Next.js site that is hosted on Vercel: trekhunt.com
Currently all images are optimised by Vercel, but I intend to change that and serve images via Cloudflare Images. I’ve just uploaded all 14k images today into Cloudflare Images.
I’d like to deliver these from a subdomain though, specifically: images.trekhunt.com
Currently my nameservers for the trekhunt.com zone are on AWS, and the apex domain is a CNAME to Vercel.
How do I set up the DNS records to achieve all the above?
Particularly:
I could change my nameservers to be the Cloudflare ones, but I don’t intend to proxy the apex (trekhunt.com) domain, because of Vercel’s recommendations here: https://vercel.com/guides/using-cloudflare-with-vercel
Considering this, how do I set the DNS record for the images.trekhunt.com subdomain so that it points to Cloudflare Images? I couldn’t find any CNAME target or IP targets in the doc.
Custom domains for Images need to be in your Cloudflare account. If you don’t want to use the imagedelivery.net URLs you could change your nameservers to Cloudflare and just not proxy the apex domain.
Your subdomain for image delivery doesn’t need to actually point to anything. You can create images.trekhunt.com in your Cloudflare DNS and just give it an AAAA record to the dummy IP address 100::, including the trailing colons. This name will then work just fine for Cloudflare Images URLs.
It seems that @i40west covered the key points while I was drafting my missive, so please pardon any redundancy.
My reading of the relevant documentation suggests that the custom domain needs to be in the same account as the Cloudflare Images subscription.
If you opt for the full setup and move your domain DNS to Cloudflare, it is simple to bypass the Cloudflare proxy for individual hostnames, including your apex name. Simply set the record to DNS Only. Thanks to CNAME flattening, you can even use a CNAME at your apex.
I didn’t see anything in the Vercel documentation that recommended against proxying the Vercel hostname. I do question why they are advising to use Full instead of Full (strict) encryption mode.
If you only plan on using images.trekhunt.com to deliver your Cloudflare Images, you can probably make do with one AAAA record set to 100:: and Proxied. This is considered an originless setup as it will not direct any traffic to an origin server. You might consider a specially crafted Redirect Rule to send any requests for the naked domain to your main site.
You can also use a Partial (CNAME) setup on a Business Plan or higher. That would allow you to leave the parent zone DNS at AWS. Unless you have a need for that, it is likely easier and more cost effective to move your DNS to Cloudflare.