Application Performance Release Notes

New request fields in Ruleset engine

Cloudflare now provides two new request fields in the Ruleset engine that let you make decisions based on whether a request used TCP and the measured TCP round-trip time between the client and Cloudflare. These fields help you understand protocol usage across your traffic and build policies that respond to network performance. For example, you can distinguish TCP from QUIC traffic or route high latency requests to alternative origins when needed.

Example filter expression

cf.edge.client_tcp && cf.timings.client_tcp_rtt_msec < 100

More information can be found in the Rules language fields reference.

Cloudflare Load Balancing Monitor Groups

Cloudflare Load Balancing now supports Monitor Groups, a powerful new way to combine multiple health monitors into a single, logical group. This allows you to create sophisticated health checks that more accurately reflect the true availability of your applications by assessing multiple services at once.

With Monitor Groups, you can ensure that all critical components of an application are healthy before sending traffic to an origin pool, enabling smarter failover decisions and greater resilience. This feature is now available via the API for customers with an Enterprise Load Balancing subscription.

What you can do

• Combine Multiple Monitors: Group different health monitors (for example, HTTP, TCP) that check various application components, like a primary API gateway and a specific /login service.
• Isolate Monitors for Observation: Mark a monitor as "monitoring only" to receive alerts and data without it affecting a pool's health status or traffic steering. This is perfect for testing new checks or observing non-critical dependencies.
• Improve Steering Intelligence: Latency for Dynamic Steering is automatically averaged across all active monitors in a group, providing a more holistic view of an origin's performance.

This enhancement is ideal for complex, multi-service applications where the health of one component depends on another. By aggregating health signals, Monitor Groups provide a more accurate and comprehensive assessment of your application's true status.

For detailed information and API configuration guides, please visit our developer documentation for Monitor Groups.

Access GraphQL-powered DNS Firewall analytics directly in the Cloudflare dashboard.

Explore Four Interactive Panels

• Query summary: Describes trends over time, segmented by dimensions.
• Query statistics: Describes totals, cached/uncached queries, and processing/response times.
• DNS queries by data center: Describes global view and the top 10 data centers.
• Top query statistics: Shows a breakdown by key dimensions, with search and expand options (up to top 100 items).

Additional features:

• Apply filters and time ranges once. Changes reflect across all panels.
• Filter by dimensions like query name, query type, cluster, data center, protocol (UDP/TCP), IP version, response code/reason, and more.
• Access up to 62 days of historical data with flexible intervals.

Availability

Available to all DNS Firewall customers as part of their existing subscription.

Where to Find It

• In the Cloudflare dashboard, go to the DNS Firewall page.
• Go to DNS Firewall
• Refer to the DNS Firewall Analytics to learn more.

Cloudflare Secrets Store integration with AI Gateway

Cloudflare Secrets Store is now integrated with AI Gateway, allowing you to store, manage, and deploy your AI provider keys in a secure and seamless configuration through Bring Your Own Key. Instead of passing your AI provider keys directly in every request header, you can centrally manage each key with Secrets Store and deploy in your gateway configuration using only a reference, rather than passing the value in plain text.

You can now create a secret directly from your AI Gateway in the dashboard by navigating into your gateway -> Provider Keys -> Add .

You can also create your secret with the newly available ai_gateway scope via wrangler, the Secrets Store dashboard, or the API .

Then, pass the key in the request header using its Secrets Store reference:
curl -X POST https://gateway.ai.cloudflare.com/v1//my-gateway/anthropic/v1/messages
--header 'cf-aig-authorization: ANTHROPIC_KEY_1
--header 'anthropic-version: 2023-06-01'
--header 'Content-Type: application/json'
--data '{"model": "claude-3-opus-20240229", "messages": [{"role": "user", "content": "What is Cloudflare?"}]}'

Or, using Javascript:
import Anthropic from '@anthropic-ai/sdk';

const anthropic = new Anthropic({
apiKey: "ANTHROPIC_KEY_1",
baseURL: "https://gateway.ai.cloudflare.com/v1//my-gateway/anthropic",
});

const message = await anthropic.messages.create({
model: 'claude-3-opus-20240229',
messages: [{role: "user", content: "What is Cloudflare?"}],
max_tokens: 1024
});

For more information, check out the blog !

You can now create more granular, network-aware Custom Rules in Cloudflare Load Balancing using the Autonomous System Number (ASN) of an incoming request.

This allows you to steer traffic with greater precision based on the network source of a request. For example, you can route traffic from specific Internet Service Providers (ISPs) or enterprise customers to dedicated infrastructure, optimize performance, or enforce compliance by directing certain networks to preferred data centers.

To get started, create a Custom Rule in your Load Balancer and select AS Num from the Field dropdown.

Cloudflare Load Balancing Monitors

Cloudflare Load Balancing Monitors support loading and applying settings for a specific zone to monitoring requests to origin endpoints. This feature has been migrated to new infrastructure to improve reliability, performance, and accuracy.

All zone monitors have been tested against the new infrastructure. There should be no change to health monitoring results of currently healthy and active pools. Newly created or re-enabled pools may need validation of their monitor zone settings before being introduced to service, especially regarding correct application of mTLS.

What you can expect:

• More reliable application of zone settings to monitoring requests, including
  • Authenticated Origin Pulls
  • Aegis Egress IP Pools
  • Argo Smart Routing
  • HTTP/2 to Origin
  • Improved support and bug fixes for retries, redirects, and proxied origin resolution
  • Improved performance and reliability of monitoring requests withing the Cloudflare network
  • Unrelated CDN or WAF configuration changes should have no risk of impact to pool health

Participating beta testers can now fully configure Internal DNS directly in the Cloudflare dashboard.

Internal DNS enables customers to:

• Map internal hostnames to private IPs for services, devices, and applications not exposed to the public Internet
• Resolve internal DNS queries securely through Cloudflare Gateway
• Use split-horizon DNS to return different responses based on network context
• Consolidate internal and public DNS zones within a single management platform

What’s new in this release:

• Beta participants can now create and manage internal zones and views in the Cloudflare dashboard

Note

The Internal DNS beta is currently only available to Enterprise customers.

To learn more and get started, refer to the Internal DNS documentation.

What's new

• cf.worker.upstream_zone is now supported in Transform Rules expressions.
• Skip or apply logic conditionally when handling Workers subrequests.

For example, to add a header when the subrequest comes from another zone:
Text in Expression Editor (replace myappexample.com with your domain):
(cf.worker.upstream_zone != "" and cf.worker.upstream_zone != "myappexample.com")
Selected operation under Modify request header : Set static
Header name : X-External-Workers-Subrequest
Value : 1

This gives you more granular control in how you handle incoming requests for your zone.

Learn more in the Transform Rules documentation and Rules language fields reference.