I’ve been working to migrate one of my systems over to CloudFlare which on it’s face appears to be a pretty good service. I created an account, entered my payment information and began evaluating their services. I was not impressed with help pages that had images fail to load (due to 404s). Pressing buttons that generated some vague error message (request failed #1053) and froze up pages were also a bit of a turn off. Then the real pain started.
The first thing that CloudFlare is forcing me to do is flip over to using their NS. It’s handy that they’ve crawled my existing DNS and imported a bunch of the necessary records. That is a good thing. However, I don’t want to migrate NS until I’m sure this is the right path. Switching NS takes about 24 hours, so if there is an issue I’ll have to wait another 24 hours to roll-back the changes. I’m not willing to risk my site availability for 48 hours.
Blocked on SSL
Even without switching the NS records we can see what IPs CloudFlare would resolve my host to (using
dig $hostname @ns.cloudflare.com). I then tweaked my
/etc/hosts file to reflect that and attempted some connections. CloudFlare assures me that SSL will work. However, CloudFlare SSL doesn’t work until the NS has been switched. And I cannot switch the NS until I’ve verified that SSL works – and I don’t like to wait 24-48 hours to determine if I just broke a web-application that generates revenue.
I asked for clarity on the situation from their support team and explained my risk-averse position. They basically told me just to flip the NS. I don’t think the understood the request.
I contact their sales team. I’ve signed up for a paid product; the marketing materials said that things would be possible – things that are not working. The sales guy reported that with CloudFlare the SSL and NS are tightly integrated – only after NS is switched and verified can the SSL be issued. It was not a joke. First switch NS and hope it works; after NS has been moved (and traffic is routed via CloudFlare) can the SSL be issued. This whole thing runs on SSL. So switching means that I’m exposed to risk that my NS/DNS stuff gets messed up and that while that is happening the SSL will be broken too.
CloudFlare is a reasonably good product and the protections they offer are good and priced well (at $200/mo). This onboarding process sucks however. It’s not even possible to evaluate the outcome of the work you will be attempting – to ensure that things will go smoothly. If there was a mistake it would cost me more than I pay CloudFlare in a year.
To actually evaluate this process I’ve had to start off with a new, throw away, domain; get it configured similar to my primary, purchase (and wait) for it’s SSL certificates then flip to the CloudFlare NS, wait to see what happens – all while monitoring for breakages on this test domain.
The lesson for other technology firms is: Don’t make the risk of switching cost more than the services provided; Allow customers to get a full evaluation rather than forcing them to take high-risk first steps – just on on-board with your product.