
Why I Moved Part of My Traffic Off a Cloud WAF In 2026
For years, I did what most developers do. I put everything behind a cloud WAF. It made sense:

- change DNS
- enable proxy
- turn on a few managed rules
- done

In under 10 minutes you get:

- global CDN
- DDoS protection
- bot filtering
- a Web Application Firewall

Platforms like Cloudflare make this incredibly easy. Their WAF runs on a massive global network and automatically blocks common attacks using managed rules and threat intelligence. For most projects, this setup is more than enough.

But over time I realized something: Not all traffic fits well inside a cloud WAF model.

This post isn’t about abandoning cloud WAFs. I still use them heavily. It’s about why I eventually moved part of my traffic off the edge network and back into infrastructure I control.

The Default Architecture Most of Us Use

If you're running a typical web service today, the architecture probably looks like this:

    Internet
       │
       ▼
    Cloud WAF / CDN
       │
       ▼
    Origin server
       │
       ▼
    Application

The benefits are obvious: your origin IP is hidden la
Continue reading on Dev.to


