■ Cloudflare Edge Engineering · Full Surface

Most teams treat Cloudflare as a CDN. We use it as a deployment target.

Ritesh Agarwal, lead architect at Appycodes

■ Talk to the lead architect

S3 egress bill climbing, WAF rules misfiring, or a migration that needs edge routing? Bring it directly to Ritesh — no SDR, no qualification call.

Ritesh Agarwal · Lead Architect, Appycodes · LinkedIn

Start a project discussion Or call +91 92429 45793

■ What you get

Six surfaces we actually ship on.

Not an exhaustive list of Cloudflare products. Only the ones we use in production today and can recommend with a war story attached.

R2 storage migrations

Off S3, DO Spaces, or origin disk. Cost-modelled before the move. Standalone PHP / Node migration scripts that don't load the host CMS so they survive plugin / package conflicts.

Workers for edge logic

A/B testing, personalisation, header rewrites, geo-aware redirects, signed-URL gates, simple auth. Code that runs in 270+ POPs without thinking about it.

Redirect Rules architecture

Single Redirect Rules on Business+, Bulk Redirects from exported sitemaps (up to 100K), wildcard fallbacks via wildcard_replace. Layered for ambiguous shapes.

WAF rule design

Country allowlists. ASN blocking. Bot management with Managed Challenge tuning. Rate limiting that bites attackers, not Googlebot. We test under Managed Challenge before flipping to Block.

Cache strategy

What to cache at the edge, what to bypass, how to invalidate. Tuned for WordPress, WooCommerce, and Laravel apps where pages and APIs cache very differently.

Pages deployments

Static and Next.js sites where the build pipeline fits. Custom builds with Workers in front. Branch previews, custom domains, the boring deployment plumbing.

▼ The Egress Cost Curve

Why media-heavy WordPress sites move to R2.

Monthly cost ($) for 100 GB stored across S3 (eu-west-2), DigitalOcean Spaces (lon1), and Cloudflare R2 — plotted against outbound egress (TB / month). R2's zero-egress pricing produces the sharp divergence at the right.

R2 stays flat because egress is zero. The other two scale linearly with outbound traffic.

■ Evidence

Three engagements. Different Cloudflare primitives in each.

R2 + Forge migration

All White Laser

Migrated media from a Forge-hosted WordPress site to Cloudflare R2 (S3-compatible, endpoint https://<account-id>.r2.cloudflarestorage.com).

Interesting part wasn't the migration — it was sidestepping plugin Guzzle conflicts. AutomateWoo and others bundle their own Guzzle; the bundled versions disagree. Solution: don't load WordPress in the migration script. Standalone PHP, AWS SDK via Composer in a separate vendor tree, credentials in a dedicated r2-config.php with chmod 600, off-VCS.

Recurring monthly cron sync uses the same WP-free script pattern so it survives plugin updates.

# r2-config.php (chmod 600, off-VCS)
$config = [
  'endpoint' => 'https://<id>.r2.cloudflarestorage.com',
  'region' => 'auto',
  'credentials' => [ ... ],
];

Redirect rules at the edge

UK action-sports retailer (anonymised)

Magento → Shopify migration with ambiguous URL shapes the platform couldn't resolve. Wildcards via wildcard_replace on Free/Pro plans (no regex), regex Single Redirect Rules on Business+, layered with explicit per-URL overrides.

Long-term: Cloudflare Bulk Redirects driven by an exported sitemap CSV. Wildcard rules retained as fallback. Client name changed due to confidentiality — whitelabel engagement.

# regex Single Redirect Rule
when (http.request.uri.path matches "^/[^/]+\.htmlquot;)
then concat("/products", regex_replace(
  http.request.uri.path, "\.html
quot;, ""))

WAF · geo · bot defence

PlusHeat

nginx upstream timeouts caused by Hetzner Cloud bots hammering specific paths. Built the Cloudflare WAF rule using an allowlist approach (not ip.src.country in {GB IE FR DE NL ...}) rather than enumerating every country to block.

Carved out India, Pakistan, and the US — necessary for our own developers and search engine crawlers. Added cf.client.bot to ensure verified Googlebot bypasses geo restrictions. Deployed first under Managed Challenge to monitor Firewall Events for false positives, switched to Block once clean.

# Cloudflare WAF expression
(not ip.src.country in {"GB" "IE" "FR" "DE" "NL" "IN" "PK" "US"})
and not cf.client.bot

Paired engagements: Shopify migration (the rules above), WordPress security (the WAF tuning), maintenance & support for the ongoing edge tuning.

■ Good fit if

WordPress / WooCommerce sites paying for S3 egress on media-heavy stores
Teams migrating platforms (Magento, WordPress, custom → Shopify) with messy URL shapes
Sites under attack — DDoS, credential stuffing, content scraping — that need WAF rules tuned by someone who has tuned them before
Operators using Cloudflare as the orange cloud and nothing else, leaving 80% of the value on the table

■ Probably not a fit

Sites where Cloudflare isn't deployed at all — start with a free tier and basic DNS
Apps with hard requirements for Fastly, Akamai, or AWS CloudFront edge specifically
Teams looking for a Cloudflare reseller — we engineer, we don't bill for the plan

■ Surface we operate on

Workers, R2, WAF, Rules, Pages. The rest on demand.

Edge compute

Workers · Durable Objects · KV · D1 (where workload fits)

Storage

R2 · S3-compatible · zero egress fees · monthly cron syncs

Routing

Single Redirect Rules · Bulk Redirects · wildcard fallbacks

Security

WAF · Rate Limiting · Managed Challenge → Block escalation · ASN + geo

Hosting

Cloudflare Pages · static + Next.js builds with Workers in front

■ If Cloudflare is on but only as DNS

Bring the bill, the URL shapes, or the bot pattern. We'll show what the edge can absorb.

Talk to an edge engineer

■ Other services

We build a lot more than this.

Explore the rest of what we build.

SaaS Web App Development

MVP to production builds, multi-tenant, billing, AI features.

Most teams treat Cloudflare as a CDN. We use it as a deployment target.

S3 egress bill climbing, WAF rules misfiring, or a migration that needs edge routing? Bring it directly to Ritesh — no SDR, no qualification call.

Six surfaces we actually ship on.

R2 storage migrations

Workers for edge logic

Redirect Rules architecture

WAF rule design

Cache strategy

Pages deployments

Why media-heavy WordPress sites move to R2.

Three engagements. Different Cloudflare primitives in each.

All White Laser

UK action-sports retailer (anonymised)

PlusHeat

Workers, R2, WAF, Rules, Pages. The rest on demand.

Bring the bill, the URL shapes, or the bot pattern. We'll show what the edge can absorb.

We build a lot more than this.

SaaS Web App Development

React Native App Development

Web App to Native Mobile App

Technical SEO for SaaS

Custom WordPress Development

Shopify Development Services

Custom WooCommerce Development

Maintenance & Support

AI App Completion

AI Prototype to Native App

App Store Launch

Tech Stack Migration

White Label Development

Startup Launch Support

API & Integration

AI SaaS Product Development

B2B Marketplace Development

Custom LMS Development

Membership & WooCommerce Subscriptions

Shopify Migration

WordPress Security & Malware Removal

Laravel Development & Modernisation

Stripe Billing Engineering

Internal Tools & Admin Dashboards

Supabase Development

Headless WordPress & WooCommerce

Sanity CMS Development

Vue.js & Nuxt Development

WordPress Performance Optimisation

Custom WordPress Plugin Development

Knowledge Base & Community Platforms

Event Ticketing Platforms

AI Chatbot, RAG & Agent

Workflow Automation

Programmatic SEO Engineering