Cloudflare Application Security and Performance

Partner Services Bootcamp — Course Prospectus

Course Overview

This four-day instructor-led bootcamp teaches Cloudflare Application Services — DNS, SSL/TLS, CDN, performance, WAF, Bot Management, Rate Limiting, and API Shield — through a combination of lecture, live demonstration, and hands-on lab exercises. Students take a fictional customer (AcmeCorp) from an exposed, vulnerable origin to a fully protected, performance-tuned application delivered through Cloudflare's global edge.

The course is anchored around a single recurring scenario: a frontend web server and an API backend that students progressively onboard, encrypt, accelerate, load-balance, and harden against modern application-layer threats. Day 3 transitions into a group solution-design exercise; Day 4 closes with team presentations and a certification assessment.

Format: Instructor-led, in-person or virtual
Duration: 4 days lecture + labs, including group solution design and final presentations
Lab environment: Individual Cloudflare Enterprise zone with a dedicated Ubuntu client workstation, frontend web server, and API backend
Lab exercises: 40+ hands-on exercises across 11 labs

Who Should Attend

Prerequisites

Learning Objectives

After completing this bootcamp, students will be able to:

Daily Schedule

Day 1
  Focus: Foundation: Platform, DNS, and SSL/TLS
  Modules: 0–3
  Labs: Lab 1: DNS Architecture & Configuration / Lab 2: SSL/TLS & Encryption Standards

Day 2
  Focus: Performance and Security: CDN, Caching, Traffic, WAF, Bots, APIs
  Modules: 4–8
  Labs: Labs 3–7: Caching, Traffic Management, Load Balancing, WAF Managed and Custom Rules

Day 3
  Focus: Advanced Security and Group Solution Design
  Modules: Module 8 (deep dive) + Migration Methodology
  Labs: Labs 8–11: Bot Management, Rate Limiting, API Shield, Managed Lists. Group customer-scenario assignment.

Day 4
  Focus: Group Presentations and Certification
  Morning: group solution presentations, peer Q&A, instructor feedback.
  Afternoon: Application Services certification exam and graduation.

Module Descriptions

Module 0 — Introduction and Bootcamp Methodology (~30 minutes)

Bootcamp goals, intended audience, learning objectives, daily structure, lab environment overview, and the AcmeCorp customer scenario that anchors every lab. Includes a guided tour of Cloudflare University and the self-paced learning resources that complement the live class.

Module 1 — Cloudflare Platform & Application Performance (~45 minutes)

The Cloudflare connectivity-cloud model, the anycast network, and the single-control-plane architecture that puts every service on every server in every data center. How proxied vs. DNS-only traffic flows, why proxying is the gateway to security and performance, and where Argo Smart Routing, Tiered Caching, and load balancing fit into the “every service everywhere” story. Compares the Cloudflare model to legacy CDN architectures (Akamai, CloudFront).

Module 2 — DNS: The Onboarding Layer (~45 minutes)

How DNS onboarding works in Cloudflare: full authoritative setup vs. partial (CNAME) setup, including the apex-protection tradeoffs of partial mode. Proxy status (orange vs. grey cloud) and what it actually changes in the request path. Standard-port limitations, when Cloudflare Spectrum is the right answer, and how to handle non-HTTP protocols (FTP, SMTP, custom TCP) that need to coexist with a proxied zone.

Module 3 — SSL/TLS Encryption and Certificate Management (~45 minutes)

The four SSL modes (Off, Flexible, Full, Full Strict) and why Full Strict is the production target. Universal SSL, Advanced Certificate Manager, and Origin CA certificates: when each is needed, how they coexist, and why you should never delete the Universal cert when uploading a custom one. Edge-vs-origin certificate roles, certificate troubleshooting, and modern TLS configuration (minimum version, cipher suites, HSTS).

Module 4 — CDN and Caching Strategy: Part I (~45 minutes)

Cloudflare as a pull CDN, default cacheability by file extension, and why HTML is not cached by default. Browser Cache TTL vs. Edge Cache TTL, the cf-cache-status and age response headers, and how to read them when troubleshooting. Cache Rules vs. Page Rules vs. origin headers, and the “last match wins” ordering that distinguishes caching rules from firewall rules.

Module 5 — CDN and Caching Strategy: Part II (~45 minutes)

Tiered Caching and Smart Tiered Caching to shield origins, Cache Everything for static HTML survivability during traffic spikes, and Bypass Cache on Cookie to protect logged-in sessions. Custom cache keys for marketing-tag normalization, cache purge strategies (single-file, tag, prefix, everything), and the operational tradeoffs of aggressive caching.

Module 6 — Application Security: WAF and DDoS (~45 minutes)

The Cloudflare security stack: always-on Layer 3/4 and Layer 7 DDoS protection (and why you should not touch the sensitivity sliders without support guidance), the Cloudflare Managed Ruleset (the default high-accuracy WAF), and the OWASP Core Ruleset with its paranoia-level tradeoffs. Custom Rules for surgical enforcement: geo-blocking, IP-list-based access, partner-API skips, and the difference between Managed Challenge, Interactive Challenge, JS Challenge, and Block. Top-down rule evaluation and the “log first, block second” rollout pattern.

Module 7 — Bot Management (~45 minutes)

The Bot Management philosophy: distinguishing automated traffic from human traffic, not good from bad. Bot scores 1–99, the three-step deployment pattern (baseline log, analyze, enforce), and how to add exceptions for legitimate automation (mobile apps, internal scrapers, partner APIs). Why APIs naturally score as bots and must be excluded before any Bot Management enforcement is enabled. Turnstile as the clientless “Are you human?” primitive.

Module 8 — Protecting APIs: Rate Limiting and API Shield (~60 minutes)

Rate Limiting for brute-force protection and abuse mitigation, including IP-with-NAT-support counting and origin-response-code conditional counters that punish only attackers generating 4xx/5xx noise. API Shield end-to-end: session identifiers for discovery, the Discovery and Endpoint Management workflows, schema validation as a positive-security model, and Sequence Analytics and Sequence Mitigation for enforcing business-logic flow (e.g., /auth before /transfer). Closes with Managed Lists (open proxies, Tor exits) and mTLS / JWT validation for partner APIs.

Migration Methodology — Akamai and AWS to Cloudflare (~30 minutes)

The “move and improve” philosophy: why blindly porting legacy configurations from Akamai or CloudFront leads to bloated, fragile deployments. How to map common Akamai constructs (property variables, behaviors, edge logic) and CloudFront constructs (cache behaviors, Lambda@Edge, response policies) into Cloudflare primitives (Cache Rules, Transform Rules, Workers, Configuration Rules). When to use Terraform and the Cloudflare API instead of the dashboard for 100+ zone migrations.

Lab Exercises

Each student receives a dedicated Cloudflare Enterprise lab environment with:

Lab 1 — DNS Architecture & Configuration (~45 minutes)

Onboard AcmeCorp to Cloudflare end-to-end: add the domain on the Enterprise plan, run a DNS quick scan, proxy the web and API records, and cut nameservers over from the legacy provider. Then exercise a partial (CNAME) setup for a legacy vendor portal, complete with TXT verification, and create a grey-clouded FTP record that proves Cloudflare's standard proxy is HTTP/HTTPS only.

Lab 2 — SSL/TLS & Encryption Standards (~45 minutes)

Move AcmeCorp from broken HTTPS to compliant end-to-end encryption. Apply Universal SSL with Flexible mode for immediate browser-warning relief, generate and install a Cloudflare Origin CA certificate on the backend, and promote the zone to Full (Strict). Finish by ordering an Advanced Certificate for a deep subdomain (e.g., payments.platform.<student-domain>) and proving that it lives exclusively at the Cloudflare edge.

Lab 3 — Caching & Performance Optimization (~75 minutes)

Diagnose cache misses, build Cache Rules for promotional images, and switch the zone to “Respect Existing Headers” so developers can drive TTL from Cache-Control directives. Troubleshoot a stale-pricing incident with a custom purge, then implement Cache Everything with Bypass Cache on Cookie to safely cache HTML for anonymous traffic while protecting logged-in sessions. Closes with custom cache keys (ignoring marketing query strings) and enabling Tiered Caching to shield the origin.

Lab 4 — Traffic Management & Rules Engine (~45 minutes)

Manipulate requests before they reach origin: build geo-redirects for Portugal localization, configure bulk campaign redirects, use Transform Rules to strip identifying response headers and inject custom telemetry headers, and apply a Host Header Override so a legacy API gateway accepts traffic from a modern hostname.

Lab 5 — Load Balancing & Resilience (~60 minutes)

Build a Cloudflare Load Balancer with multiple origin pools, configure health checks (including expected codes for 301/302 redirects), validate active failover from a primary to a backup pool, troubleshoot health-check false negatives, and configure geo-steering with origin weights to keep regional traffic in-region.

Lab 6 — WAF Managed Rulesets (~45 minutes)

Enable the Cloudflare Managed Ruleset and the OWASP Core Ruleset on the AcmeCorp zone, generate sample attack traffic (curl-based SQLi and XSS payloads), and investigate WAF Analytics. Walk through a false-positive remediation: identify the offending rule from a Security Event, scope an exception by hostname or path, and confirm that legitimate traffic flows without disabling the rule globally.

Lab 7 — WAF Custom Rules (~45 minutes)

Build custom rules for surgical enforcement: a Managed Challenge geo-block, an IP-list-based block for known bad actors, and a “skip security” rule for a partner API endpoint that needs to bypass WAF, Bot Management, and Rate Limiting. Confirm each rule with curl from inside and outside the matching condition.

Lab 8 — Advanced Bot Management (~30 minutes)

Walk the three-step Bot Management deployment: review Bot Analytics to establish a baseline, create a Bot Score < 30 rule in Log mode, then refine the rule to exclude legitimate automation — the AcmeCorp mobile app's API endpoint and a known internal scraper identified by user agent — before flipping the action from Log to Managed Challenge.

Lab 9 — Rate Limiting (~30 minutes)

Protect the AcmeCorp login page from credential stuffing with a Managed Challenge after five attempts per minute, then implement a more advanced rule on /api/v1/search that increments the counter only when the origin returns a 404, blocking API fuzzing without penalizing legitimate users.
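The response-code-conditional counter from this lab, as an added model that is not part of the course material or Cloudflare's Rate Limiting implementation: the window, threshold and sample traffic are assumptions, and the point it shows is that only requests the origin answered with 404 advance the per-IP counter, so a client whose searches succeed is never mitigated.

```python
from collections import defaultdict, deque

# Constructed model of the Lab 9 rule on /api/v1/search: a request is counted
# against the client IP only when the origin answered 404, and once the counter
# reaches the threshold inside the window the rule blocks before the origin is
# reached. Added illustration; not Cloudflare's Rate Limiting implementation.
WINDOW_SECONDS = 60          # counting period (assumed)
THRESHOLD = 5                # counted hits allowed per window (assumed)
COUNTED_STATUSES = {404}     # origin response codes that increment the counter
PROTECTED_PATH = "/api/v1/search"


class ResponseCodeRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD,
                 statuses=COUNTED_STATUSES, path=PROTECTED_PATH):
        self.window, self.threshold = window, threshold
        self.statuses, self.path = statuses, path
        self.hits = defaultdict(deque)   # ip -> timestamps of counted requests

    def _prune(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()

    def handle(self, ip, path, origin_status, now):
        """Decide one request; origin_status is what the origin would answer."""
        if path != self.path:
            return "allow"                   # rule does not match this path
        self._prune(ip, now)
        if len(self.hits[ip]) >= self.threshold:
            return "block"                   # mitigated at the edge, origin untouched
        if origin_status in self.statuses:   # request reached origin: count 404s only
            self.hits[ip].append(now)
        return "allow"


def simulate(events, limiter=None):
    """Run (time, ip, path, origin_status) tuples and return the decisions."""
    limiter = limiter or ResponseCodeRateLimiter()
    return [limiter.handle(ip, path, status, t) for t, ip, path, status in events]


# Constructed traffic: one client guessing paths and collecting 404s, one
# legitimate client whose searches all succeed, interleaved second by second.
FUZZER_IP, USER_IP = "203.0.113.9", "198.51.100.7"
SAMPLE_EVENTS = []
for t in range(8):
    SAMPLE_EVENTS.append((t, FUZZER_IP, PROTECTED_PATH, 404))
    SAMPLE_EVENTS.append((t, USER_IP, PROTECTED_PATH, 200))
```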

Lab 10 — API Shield & Automated Defense (~60 minutes)

Configure session identifiers, drive API discovery traffic, and promote discovered endpoints into Endpoint Management. Upload an OpenAPI schema and enforce strict validation with a Block action, then use Sequence Analytics to visualize legitimate vs. out-of-order API flows and build a custom rule that blocks /api/v1/register when it is not preceded by /api/v1/auth.
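The sequence rule built in this lab, as an added model that is not part of the course material or Cloudflare's Sequence Mitigation: a session identifier (a session cookie value here) keys each session's recent request history, and /api/v1/register is blocked when that session has not called /api/v1/auth first; the history depth and the sample sessions are assumptions.

```python
from collections import defaultdict

# Constructed model of the Lab 10 sequence rule: requests are grouped by the
# configured session identifier, and a protected endpoint is blocked when the
# required predecessor has not been seen earlier in the same session.
# Added illustration; not Cloudflare's Sequence Mitigation implementation.
SEQUENCE_RULES = {
    # protected endpoint -> endpoint that must precede it in the same session
    "/api/v1/register": "/api/v1/auth",
    "/api/v1/transfer": "/api/v1/auth",
}
HISTORY_DEPTH = 10   # prior requests remembered per session (assumed)


class SequenceEnforcer:
    def __init__(self, rules=SEQUENCE_RULES, depth=HISTORY_DEPTH):
        self.rules = rules
        self.depth = depth
        self.history = defaultdict(list)   # session id -> ordered paths seen

    def handle(self, session_id, path):
        """Return 'allow' or 'block' for one request in a session."""
        if session_id is None:
            # Without the session identifier no sequence can be evaluated;
            # the request is left to the other rules in the stack.
            return "allow"
        hist = self.history[session_id]
        required = self.rules.get(path)
        if required is not None and required not in hist:
            return "block"                    # out-of-order call, not recorded
        hist.append(path)
        del hist[:-self.depth]                # keep only the recent window
        return "allow"


def run(events):
    """Apply the enforcer to (session_id, path) tuples and return decisions."""
    enforcer = SequenceEnforcer()
    return [enforcer.handle(sid, path) for sid, path in events]


# Constructed sessions: s1 follows the expected flow, s2 jumps straight to
# /register (a scripted sign-up) and only succeeds after /auth, s3 carries
# no session identifier at all.
SAMPLE_EVENTS = [
    ("s1", "/api/v1/auth"), ("s1", "/api/v1/register"),
    ("s2", "/api/v1/register"), ("s2", "/api/v1/auth"), ("s2", "/api/v1/register"),
    (None, "/api/v1/register"),
]
```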

Lab 11 — Managed Lists (~15 minutes)

Add Cloudflare-curated threat intelligence to the AcmeCorp perimeter: block source IPs matching the Open Proxies and Tor Exit Nodes managed lists with a Custom Rule, providing zero-maintenance reduction of background scanning traffic.

Group Presentation Scenarios (Day 4)

On the afternoon of Day 3, students are split into teams of four, and each team is assigned one of the AcmeCorp customer scenarios to design end-to-end. Teams present their solution to the class and the instructor on the morning of Day 4.

Scenario 1 — FinTech. A regulated fintech platform with strict PCI-DSS requirements, a public API for partner banks, an internal-facing customer portal, and a global user base. Teams design DNS strategy, SSL posture, WAF rule stack, API Shield deployment, and Rate Limiting for the login and transfer endpoints.
Scenario 2 — Ecommerce. A high-volume retailer experiencing seasonal traffic spikes, aggressive scraping by competitors, and credential-stuffing attacks during sale events. Teams design caching strategy (including Cache Everything for category pages), Bot Management deployment with mobile-app exceptions, Rate Limiting for checkout and search, and a load-balancing topology across two regions.
Scenario 3 — Global Bank. A multi-region retail bank with strict data-residency requirements, a customer-facing online banking portal, internal partner APIs, and a legacy mainframe backend reached through a modern API gateway. Teams design geo-steering, Host Header Overrides for the API gateway, mTLS for partner APIs, and a phased migration plan off the bank's existing CDN.
Scenario 4 — Media. A streaming and news media company with massive static-asset delivery, dynamic personalization for logged-in users, partnership APIs feeding mobile apps and smart TVs, and a heavy bot-scraping problem from competitors and AI crawlers. Teams design Tiered Caching, custom cache keys for personalization, Bot Management exceptions for legitimate crawlers, and API Shield for the partnership APIs.

What Students Leave With

Cloudflare Products Covered

Product: Course Coverage
Cloudflare DNS: Full authoritative onboarding, partial (CNAME) setup, proxy status, port limitations, registrar cutover
SSL/TLS: Universal SSL, Advanced Certificate Manager, Origin CA, SSL modes (Off / Flexible / Full / Full Strict), edge-vs-origin certificates
Cloudflare CDN & Caching: Default cacheability, Cache Rules, Tiered Caching, Smart Tiered Caching, Cache Everything, Bypass Cache on Cookie, custom cache keys, purge strategies
Rules Engines: Redirect Rules, Transform Rules (request and response header modification), Configuration Rules, Origin Rules (Host Header Override)
Load Balancing: Origin pools, active and passive health checks, geo-steering, dynamic steering, origin weights, failover
DDoS Protection: L3/L4 and L7 always-on mitigation, sensitivity guidance
WAF: Managed Ruleset, OWASP Core Ruleset (paranoia levels), Custom Rules, Managed Challenge, Log-first rollout, Security Analytics
Bot Management: Bot scores, three-step deployment, mobile-app and partner exceptions, Bot Analytics, Turnstile
Rate Limiting: IP-with-NAT-support counting, response-code-conditional counters, login and API protection patterns
API Shield: Session identifiers, Discovery, Endpoint Management, schema validation, Sequence Analytics and Mitigation, mTLS, JWT validation
Managed Lists: Cloudflare-managed Open Proxies and Tor Exit Nodes lists for zero-maintenance threat-intel blocking
Argo Smart Routing: Dynamic traffic acceleration overview and use cases (lecture)
Cloudflare Spectrum: When non-HTTP protocols need a proxy (lecture)
Terraform & API: Automation patterns for multi-zone customer migrations (lecture)
Instructor: Mark Bowling, Cloudflare Customer Success