Cloudflare CDN migration checklist
Use this checklist to prepare a Cloudflare CDN migration before moving production traffic. It covers current-state inventory, cache behavior, DNS, certificates, origins, redirects, headers, edge logic, WAF and bot controls, logs, validation, cutover, rollback, and post-launch optimization.
Use this checklist to prepare a Cloudflare CDN migration before moving production traffic. It covers current-state inventory, cache behavior, DNS, certificates, origins, redirects, headers, edge logic, WAF and bot controls, logs, validation, cutover, rollback, and post-launch optimization.
Topics: cloudflare, resource, cloudflare, migration, checklist
Machine-readable context: /ai-index.json
Step by step
Step-by-step checklist
- 1
Inventory the current CDN config per hostname: edge hostnames, origins, cache key composition, TTLs and cache-control behavior, query-string and cookie handling, bypass rules, redirects, and any edge logic in scripts or workers.
- 2
Capture a delivery baseline — cache hit ratio, origin request volume, response headers, redirect chains, and status codes on the highest-traffic paths — so cache parity can be measured after cutover.
- 3
Model cache behavior in Cloudflare with Cache Rules: define cache eligibility, cache key (query string, cookie, header inclusion/exclusion), Edge and Browser TTLs, and bypass conditions per path rather than relying on defaults.
- 4
Recreate origin routing with Origin Rules and, where multiple origins or failover exist, Load Balancing with origin pools and health checks; confirm Host header, SNI, and the SSL/TLS mode each origin expects.
- 5
Translate edge logic deliberately — move header rewrites and URL changes to Transform Rules and redirects to Redirect Rules, and reserve Cloudflare Workers only for logic that genuinely needs code.
- 6
Decide on performance features for this estate: Tiered Cache (and topology), Argo Smart Routing, and Cache Reserve for long-tail assets, enabling them where the traffic pattern justifies them.
- 7
Validate on test hostnames or low-TTL records: compare cache status (HIT/MISS/EXPIRED), TTLs, headers, redirects, and origin load against the baseline while the existing CDN still serves production.
- 8
Cut over with lowered TTLs and live monitoring, then tune cache keys, TTLs, and tiered cache to push the hit ratio back to or above baseline before decommissioning the old CDN.
Risk register
Risks to control
Cloudflare's default caching differs from the old CDN's cache key, so hit ratio drops and origin load spikes after cutover.
Define the cache key explicitly in Cache Rules (query string, cookie, and header handling) to match intended behavior, and watch origin request volume on test traffic before promoting.
Dynamic or authenticated responses get cached because a path that was bypassed on the old CDN is now cache-eligible.
Recreate every bypass condition as an explicit Cache Rule and verify personalized and authenticated paths return MISS/BYPASS before cutover.
Edge scripts are ported one-for-one into Workers, carrying cost and complexity that declarative rules would handle.
Classify each piece of edge logic; move headers, redirects, and cache decisions to Transform/Redirect/Cache Rules and keep Workers for true application logic.
Multi-origin or failover behavior is lost because only a single origin was configured.
Reproduce failover with Load Balancing origin pools and health checks, and test failover behavior before traffic moves.
Performance features are enabled blindly and either add cost or mask a caching problem.
Enable Tiered Cache, Argo, and Cache Reserve based on the actual traffic pattern, and measure their effect against the baseline rather than turning them all on by default.
Cache parity is never measured, so a regression in delivery goes unnoticed.
Build a parity matrix comparing cache status, TTLs, headers, and origin load on critical paths and require it to pass before decommissioning the old CDN.
Output
Useful deliverables
- Current CDN inventory per hostname covering origins, cache keys, TTLs, query/cookie handling, bypass rules, redirects, and edge logic.
- Delivery baseline of cache hit ratio, origin volume, headers, and status codes on critical paths.
- Cloudflare cache design expressed as Cache Rules with explicit cache key, eligibility, TTLs, and bypass conditions.
- Origin and routing configuration using Origin Rules and, where needed, Load Balancing pools with health checks.
- Edge-logic decision register mapping each item to Transform Rules, Redirect Rules, Cache Rules, or Workers.
- Performance feature plan for Tiered Cache, Argo Smart Routing, and Cache Reserve with the rationale per feature.
- Cache parity matrix and cutover/rollback runbook with lowered TTLs, monitoring thresholds, and owners.
Keep reading
Related resources
FAQ
Frequently asked questions
Common questions teams ask when putting this resource into practice.
Why does my cache hit ratio drop right after moving to Cloudflare?
Almost always a cache key difference. The old CDN may have ignored certain query strings or cookies that Cloudflare includes by default (or vice versa), so requests that used to share a cache entry now fragment. Defining the cache key explicitly in Cache Rules and comparing against the baseline fixes it.
Do I need Cloudflare Workers to replace my old edge scripts?
Often not. Header rewrites, URL changes, redirects, and cache decisions map to Transform Rules, Redirect Rules, and Cache Rules without code. Reserve Workers for logic that needs branching, external calls, or state, which keeps the edge simpler and cheaper to operate.
How do I keep dynamic and authenticated content from being cached?
Recreate every cache bypass from the old CDN as an explicit Cache Rule that marks those paths ineligible to cache, then verify they return MISS or BYPASS on test traffic. Relying on Cloudflare defaults instead of explicit rules is what usually causes accidental caching of personalized responses.
When should I enable Tiered Cache, Argo, or Cache Reserve?
Tiered Cache helps reduce origin requests for popular content, Argo Smart Routing helps latency on dynamic paths, and Cache Reserve helps retain long-tail assets. Enable each where the traffic pattern justifies it and measure the effect against your baseline rather than turning them all on at once.
Nanosek
Plan a CDN migration
Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.