CDN + DNS vs Zero Trust — Same Network, Different Jobs

Two distinct architectures that share one global network. One sits in front of your public website; the other gates your internal apps.

Why this exists: Customers new to Cloudflare often ask "what's the difference between Cloudflare's CDN/DNS stuff and Zero Trust?" Short answer — same network, different jobs. CDN+DNS is the bouncer at the door of your public website. Zero Trust is for apps that don't have a public door at all. Toggle the views below to see both, then look at the side-by-side to see what's identical and what's different.

Public website — CDN + DNS

Anyone on the internet can show up. Cloudflare filters out the bad stuff before it reaches your origin.
Public · Internet-facing
Step 1 — DNS resolution
Where does www.acmecorp.com live?
  1. User's browser asks DNS: "where is www.acmecorp.com?"
  2. DNS routes to Cloudflare's authoritative DNS · 1.1.1.1
  3. Cloudflare returns its own anycast IP · not the origin
  4. Browser connects to the nearest Cloudflare PoP · 8ms away
The result: the user never connects directly to your origin. Cloudflare is always in front.
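As an added example (not part of the original page or Cloudflare's own tooling), the Python below checks the property stated above, that clients are only ever handed Cloudflare addresses, by comparing A-record answers against a snapshot of Cloudflare's published IPv4 ranges. The hostnames other than www.acmecorp.com, the sample answers, and the function names are constructed for illustration.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list changes over time, so refresh it before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def behind_cloudflare(ip: str) -> bool:
    """True if an IPv4 address falls inside one of the Cloudflare edge ranges.

    IPv4 only: AAAA answers need the separate IPv6 list and raise ValueError here.
    """
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def audit_records(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each hostname to the answers that are NOT Cloudflare addresses.

    An empty result means every name resolves to the edge only; any entry is
    a record that hands clients an address outside Cloudflare.
    """
    exposed = {}
    for host, answers in records.items():
        outside = [ip for ip in answers if not behind_cloudflare(ip)]
        if outside:
            exposed[host] = outside
    return exposed

# Constructed sample: A-record answers as a resolver would return them.
# 203.0.113.10 is a documentation address standing in for an origin server.
SAMPLE_ZONE = {
    "www.acmecorp.com": ["104.16.10.5", "104.16.11.5"],
    "api.acmecorp.com": ["172.67.20.9"],
    "legacy.acmecorp.com": ["203.0.113.10"],
    "shop.acmecorp.com": ["104.18.3.7", "203.0.113.10"],
}

if __name__ == "__main__":
    for host, ips in audit_records(SAMPLE_ZONE).items():
        print(f"{host}: answers outside Cloudflare ranges: {', '.join(ips)}")
```

A clean result covers DNS only; the origin still needs to refuse connections that do not come from Cloudflare's ranges for "always in front" to hold.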
Step 2 — Traffic flow through Cloudflare
Every request runs the security stack at the edge
  • DDoS protection: Volumetric + protocol attacks absorbed
  • WAF: OWASP Top 10 · custom rules · managed rulesets
  • Bot Management: Scrapers · credential stuffing · automation
  • CDN cache lookup: Static assets served from PoP · no origin hit
  • Origin: Your web server. Only the clean, cache-miss traffic reaches here
What this protects
  • Public-facing assets: marketing site, e-commerce, web apps, APIs that anyone on the internet needs to reach.
  • The "door is open" by design: the whole point is that visitors can find you. Cloudflare just makes sure attackers can't.
  • No identity required: visitors are anonymous. We protect by behavior, signature, reputation — not by who they are.