Jeff Bruchado
Back to blog

Cloudflare Rewrites Its Core System in Rust and Achieves Massive Performance Gains

Hello HaWkers, Cloudflare has just completed one of the most ambitious migrations in web history: the complete replacement of its NGINX-based proxy system with a solution written from scratch in Rust.

The result? Sites 25% faster, half the CPU usage, and significantly more secure infrastructure. Let's understand how this was possible and what this change means for the future of systems development.

The Transformation: From FL1 to FL2

Cloudflare operates one of the world's largest CDN networks, serving over 20% of all internet traffic. Until recently, its core infrastructure (called FL1) was based on:

FL1 - Old Architecture:

  • Core in NGINX (written in C)
  • Modules in LuaJIT
  • Critical components in Rust
  • Constant data conversion between languages
  • High memory and CPU usage

FL2 - New Rust Architecture:

  • Unified 100% Rust codebase
  • Modular framework called Oxy
  • Zero overhead from language conversions
  • Compilation optimized with focus on performance

The Impressive Numbers

The complete migration to Rust brought measurable and documented results:

Performance

Response time:

  • 10ms reduction in average response time (median)
  • 25% improvement in overall latency
  • Confirmed by independent benchmarks (CDNPerf)

Resource usage:

  • Less than 50% CPU usage compared to FL1
  • Dramatic reduction in memory consumption
  • Greater energy efficiency in datacenters

Security

System stability:

  • Massive reduction in crashes
  • Most crashes now are hardware failures, not software
  • Zero entire classes of memory bugs (use-after-free, buffer overflow, etc.)

🔥 Context: Cloudflare is gradually migrating all traffic to FL2 throughout 2025, with complete FL1 deactivation scheduled for early 2026.

Why Was Rust the Right Choice?

Rust isn't just a modern language - it's a language specifically designed to solve the problems critical systems face.

1. Memory Safety Without Garbage Collector

Rust offers something unique: memory safety guaranteed at compile time, without garbage collection runtime.

// Rust prevents memory bugs at compile time
fn process_data() {
    let data = String::from("important");

    let reference = &data;

    // ❌ COMPILATION ERROR - won't compile!
    // drop(data); // Trying to free memory
    // println!("{}", reference); // But there's still an active reference

    // Rust prevents this bug before it becomes executable code
}

// In C/C++, this type of error causes crashes in production
// In languages with GC, there's performance overhead
// Rust: safety + performance

2. Concurrency Without Data Races

Rust guarantees that concurrent code is safe:

use std::sync::{Arc, Mutex};
use std::thread;

fn process_parallel_requests() {
    // Arc = Atomic Reference Counter (thread-safe)
    // Mutex = Mutual Exclusion (exclusive access)
    let counter = Arc::new(Mutex::new(0));

    let mut handles = vec![];

    for _ in 0..10 {
        let counter_clone = Arc::clone(&counter);

        let handle = thread::spawn(move || {
            let mut num = counter_clone.lock().unwrap();
            *num += 1;
        });

        handles.push(handle);
    }

    for handle in handles {
        handle.join().unwrap();
    }

    println!("Result: {}", *counter.lock().unwrap());
    // Always 10 - no race conditions!
}

// Rust guarantees at compilation that there are no data races
// Threads cannot access shared data unsafely

3. Low-Level Language Performance

Rust competes directly with C/C++ in performance:

// Zero-cost abstractions in Rust
fn sum_vector_rust(numbers: &[i32]) -> i32 {
    numbers.iter().sum()
}

// Compiles to assembly as efficient as:
// for (int i = 0; i < len; i++) sum += arr[i];

// But with safety guarantees that C doesn't offer

The Oxy Architecture: Cloudflare's New Proxy

Cloudflare didn't just rewrite the code - it reimagined the entire architecture.

Modular Design

Oxy Framework:

  • Plugin architecture
  • Independent and testable modules
  • Facilitates development of new features
  • Allows isolated component testing

Example of Oxy Pipeline

// Simplified structure of Oxy pipeline
use async_trait::async_trait;

#[async_trait]
trait ProxyModule {
    async fn handle(&self, request: Request) -> Result<Response, Error>;
}

struct RateLimiter {
    max_requests: u32,
}

#[async_trait]
impl ProxyModule for RateLimiter {
    async fn handle(&self, request: Request) -> Result<Response, Error> {
        if self.check_rate_limit(&request).await {
            Ok(request)
        } else {
            Err(Error::RateLimitExceeded)
        }
    }
}

struct WAF {
    rules: Vec<SecurityRule>,
}

#[async_trait]
impl ProxyModule for WAF {
    async fn handle(&self, request: Request) -> Result<Response, Error> {
        for rule in &self.rules {
            if rule.matches(&request) {
                return Err(Error::SecurityViolation);
            }
        }
        Ok(request)
    }
}

// Pipeline chains modules efficiently
async fn process_request(request: Request) -> Response {
    let pipeline = vec![
        Box::new(RateLimiter { max_requests: 1000 }),
        Box::new(WAF { rules: load_rules() }),
        // More modules...
    ];

    for module in pipeline {
        request = module.handle(request).await?;
    }

    proxy_to_origin(request).await
}

Lessons For Developers

Cloudflare's migration offers valuable insights for any developer:

1. Real vs Perceived Performance

10ms reduction may seem small, but:

  • For 20% of the internet, this means billions of faster requests
  • At scale, milliseconds translate to operational costs
  • Users perceive differences above 100ms - incremental improvements add up

2. Security As Feature, Not Afterthought

Cloudflare prioritized security from design:

Rust offers:

  • Impossibility of null pointer dereferences
  • Impossibility of use-after-free
  • Impossibility of data races
  • Buffer overflow detection at compilation

These aren't features you add later - they're language guarantees.

3. Gradual Migration is Viable

Cloudflare's strategy:

  • Developed FL2 parallel to FL1
  • Extensive testing before routing real traffic
  • Gradual migration from 0% to 100% throughout 2025
  • Rollback possible at any time

💡 Tip: Large migrations don't need to be "big bang". Systems can coexist during transition.

Is Rust Ready For Production?

The answer is a resounding yes - and Cloudflare isn't alone.

Companies Using Rust in Production

Tech giants:

  • Discord: Rewrote critical services in Rust, improved latency
  • Dropbox: Storage engine in Rust
  • Amazon: Firecracker (virtualization) and Bottlerocket (OS) in Rust
  • Microsoft: Windows and Azure components in Rust
  • Meta: Internal tools and infrastructure
  • Google: Parts of Android and Chromium in Rust

Mature Ecosystem

Tools and libraries:

  • Tokio: High-performance async runtime
  • Axum/Actix: Fast web frameworks
  • Serde: Zero-copy serialization
  • Diesel: Type-safe ORM
  • Cargo: Exceptional package manager

When to Consider Rust?

Rust shines in specific scenarios:

✅ Use Rust when:

  • Performance is critical (low-latency systems)
  • Security is mandatory (infrastructure, fintech)
  • Intensive concurrency (servers, parallel processing)
  • Embedded systems or resource-limited
  • CLI tools that need to be fast

❌ Avoid Rust when:

  • Rapid prototyping is priority
  • Team has no experience and needs to deliver fast
  • Project is simple CRUD without special requirements
  • Specific ecosystem doesn't exist in Rust

Getting Started with Rust

If Cloudflare's story inspired you, here's where to start:

// 1. Install Rust via rustup
// curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

// 2. Create new project
// cargo new my_server

// 3. Simple HTTP server with Axum
use axum::{
    routing::get,
    Router,
};

#[tokio::main]
async fn main() {
    // Build application
    let app = Router::new()
        .route("/", get(handler));

    // Bind server
    let listener = tokio::net::TcpListener::bind("0.0.0.0:3000")
        .await
        .unwrap();

    println!("Server running at http://localhost:3000");

    axum::serve(listener, app).await.unwrap();
}

async fn handler() -> &'static str {
    "Hello, Rust!"
}

// 4. Run
// cargo run

Learning resources:

  • The Rust Book (official and free)
  • Rustlings (interactive exercises)
  • Exercism Rust Track
  • Rust by Example

The Future of the Web is Safe and Fast

Cloudflare's decision to completely rewrite its infrastructure in Rust wasn't taken lightly. Over 100 engineers worked on this project, and the result validated the bet.

Rust is proving we don't need to choose between safety and performance - we can have both. As more companies adopt Rust for critical systems, the language establishes itself as one of the smartest choices for modern infrastructure.

If you work with high-performance systems, critical backends, or simply want to expand your knowledge beyond traditional languages, Rust deserves your attention.

If you want to understand more about how performance optimization works in different contexts, I recommend checking out this article: PWAs with JavaScript: The Web App Revolution where you'll discover performance and caching techniques that transform web applications.

Let's go! 🦅

🎯 Join Developers Who Are Evolving

Thousands of developers already use our material to accelerate their studies and achieve better positions in the market.

Why invest in structured knowledge?

Learning in an organized way with practical examples makes all the difference in your journey as a developer.

Start now:

  • $4.90 (single payment)

🚀 Access Complete Guide

"Excellent material for those who want to go deeper!" - John, Developer

Comments (0)

This article has no comments yet 😢. Be the first! 🚀🦅

Add comments