The Edge-First Frontend: Standardizing Web Architecture on Cloudflare
The source proposal behind this post was far more specific than the original article suggested. It was not just an argument for "edge is good." It asked for formal approval to standardize Cloudflare as the default hosting and execution environment for all future UI/UX and presentation-layer workloads after a proof of concept covering a static asset shell, SPA containers, and a headless CMS migration.
That distinction matters because the document is solving a concrete architecture problem. Frontend applications were running as Dockerized workloads on AKS, which meant Dockerfiles, Helm charts, cluster operations, region-bound latency, pre-provisioned compute, and maintenance overhead for systems that were primarily serving UI assets and presentation logic. The proposal argued that this was the wrong operating model for the workload.
1. The proposal starts with a detailed current-state versus future-state model
The current state in the document is a centralized Azure-region deployment. Frontend workloads are containerized, tied to AKS, and paid for as provisioned capacity. That means costs remain high even when the system is quiet, and user experience is shaped by physical distance to a single primary region. The document also calls out deeper developer friction: every frontend team effectively needs to understand container packaging and Kubernetes delivery just to ship presentation changes.
The future state is described as Cloudflare Edge: decentralized execution across Cloudflare's global network, event-driven scaling instead of provisioned nodes, GitHub-integrated deployment ergonomics, built-in OpenTelemetry export, and zero-downtime global updates. That is much more specific than the earlier blog wording. It is a direct architecture comparison across the following dimensions:
- Centralized AKS versus distributed edge execution.
- Provisioned scaling with lag versus elastic per-request scaling.
- Docker, Helm, and deep Kubernetes knowledge versus code-focused frontend delivery.
- Node-based observability agents versus native telemetry export.
- Maintenance windows and rolling restarts versus atomic, globally propagated updates.
That is the first concrete problem the document solves: frontend delivery was carrying the cost and operational shape of a backend platform.
2. The target architecture is layered and deliberately split across Cloudflare and Azure
The technical architecture section in the source doc is where the real effort shows. Traffic enters through the nearest Cloudflare PoP. Before it reaches application logic, it passes through Cloudflare security controls including WAF, DDoS mitigation, and bot management. That makes the edge the actual front door rather than just a CDN bolt-on.
At the edge, the proposal places presentation and content workloads on specific Cloudflare services:
- A headless CMS hosted on Cloudflare Workers using D1 for edge-side content data and R2 for media assets.
- Angular SPA assets served directly from R2 instead of from a containerized web server.
- Dynamic image delivery handled through Cloudflare Images and R2.
The secure connectivity section is just as important. Rather than exposing Azure services directly, the proposal uses Cloudflare Tunnel to create a private encrypted connection from the edge into Azure. Authenticated API requests are routed into Azure API Management, which then fans out to the backend mix that remains in Azure: AKS-hosted microservices where still needed, Function Apps for event-driven logic, Logic Apps for orchestration, Azure OpenAI for AI-backed capabilities, and region-bound data services like SQL, MongoDB, Search, or Cosmos DB.
That is the second concrete problem being solved: the frontend platform needed a clean separation between internet-scale delivery and transaction-heavy backend processing instead of forcing both into the same hosting model.
3. Security, data residency, and observability were first-class design constraints
The source proposal is explicit that this is not a blanket migration of all systems to Cloudflare. It separates data classes and trust boundaries:
- Public content and presentation-layer data can live at the edge in D1 and R2.
- Sensitive and transactional data stays in Azure-region data stores.
- Azure no longer exposes public ingress directly; traffic is forced through the Cloudflare edge and Cloudflare Tunnel path.
The observability piece is also stronger than the original post suggested. The document calls out native OpenTelemetry support at the edge and unified ingestion into Dynatrace for both Cloudflare Workers and Azure backend services. That means the proposal was not only about performance and cost. It was also about preserving end-to-end transaction visibility across a split architecture. The official OpenTelemetry documentation is relevant here because the proposal was clearly standardizing around portable telemetry rather than environment-specific instrumentation only.
That is the third concrete problem being solved: how to gain edge performance and security controls without compromising regional data control or operational visibility.
4. The architecture choice was justified by burst traffic, latency, and operating cost
The document makes two business-pressure arguments that are also technical arguments. First, it calls out burst traffic during peak moments, where provisioned capacity and traditional autoscaling create either idle cost or reaction lag. The proposal leans on Cloudflare Workers' isolate model and per-request scaling to argue for elastic handling of sudden spikes.
Second, it calls out global reach. Serving a geographically distributed user base from a single Azure region turns physical distance into a frontend performance problem. Cloudflare's Anycast network and large PoP footprint are presented as the way to localize UI latency without replicating frontend clusters region by region.
The cost section adds the harder-edged operational claim: decommissioning two of three AKS clusters, with an estimated 65 percent compute reduction and corresponding drops in monitoring and security-tool surface area. Even without repeating every internal dollar figure, the implementation effort is clear. This was not an aesthetic migration. It was a platform simplification program tied directly to cluster reduction, licensing impact, and less Kubernetes maintenance work.
5. The implementation plan is what makes the proposal credible
The source document avoids the usual architecture-slide failure by defining a three-phase roadmap:
- Phase 1: Foundation, enablement, and governance. Continue the in-flight CMS-to-Workers and Cloudflare Images work, publish a developer guide, run workshops, and define strict scope boundaries so the pattern applies only to UI/UX and presentation-layer concerns.
- Phase 2: Static asset migration. Move production SPA asset libraries to R2 and update GitHub Actions pipelines to publish artifacts directly to the edge.
- Phase 3: Cutover and decommissioning. Route primary traffic via Cloudflare, drain frontend nodes from existing AKS clusters, and execute the cluster decommissioning plan.
That roadmap matters because it shows the standardization effort was not just technical design. It included education, pipeline changes, scope governance, and staged decommissioning. That is the implementation weight the earlier post failed to show.
References
- Cloudflare Workers docs
- Cloudflare R2 docs
- Cloudflare D1 docs
- Cloudflare Tunnel docs
- Cloudflare WAF docs
- OpenTelemetry docs
Closing thought
The technical insight in the original proposal is not just that Cloudflare can host a frontend. It is that presentation workloads, asset delivery, and edge-side content belong on a different operating model than the backend systems they talk to. The document earned that conclusion with a concrete architecture, a staged migration path, and a security model that still keeps Azure as the system of record.