ADR-0002: Cloudflare for Hosting and Edge Compute
- Status: Accepted
- Date: 2025-01-15 (Estimated)
- Deciders: GetCimple Team
- Tags: infrastructure,hosting,deployment,cdn

Context
GetCimple needs hosting infrastructure for multiple properties:
- Main SPA application (React)
- Marketing website
- Documentation sites (internal + customer via MkDocs)
- Edge functions for serverless compute
- File storage (compliance evidence, reports)

Requirements:
- Global CDN for fast page loads (Australian users priority)
- Simple deployment (CI/CD via GitHub Actions)
- Static site hosting (MkDocs, marketing)
- Serverless functions for API logic
- SSL/TLS by default
- DDoS protection
- Startup-friendly pricing

Constraints:
- 3-person team (minimal DevOps capacity)
- Must integrate with Supabase backend
- Fast deployment cycles for MVP iteration
- Budget: <$100/month for MVP hosting
Options Considered
Option A: Cloudflare Pages + Workers
Description: Static site hosting on Cloudflare Pages with Cloudflare Workers for edge compute.

Pros:
- Pages: Unlimited static sites, automatic deployments from GitHub
- Workers: Serverless edge compute, 100ms response times globally
- Global CDN: 300+ edge locations, fast for Australian users
- Free tier: Generous limits (500 builds/month, 100k Worker requests/day)
- DDoS protection: Enterprise-grade, included free
- SSL/TLS: Automatic certificates
- R2 Storage: S3-compatible object storage, zero egress fees
- Simple deployment: GitHub integration, preview deployments
- Edge compute: Workers run close to users (low latency)
- Zero config: DNS, CDN, SSL all managed
- Excellent DX: Wrangler CLI, good documentation

Cons:
- Workers have execution limits (50ms CPU time per request on free tier)
- Cold starts for infrequently-used Workers
- Learning curve for Workers API (different from traditional Node.js)
- Vendor lock-in to Cloudflare platform

Estimated Effort: 1-2 days setup

Option B: Vercel
Description: Frontend hosting platform with serverless functions.

Pros:
- Excellent Next.js/React support
- Automatic deployments from GitHub
- Global CDN
- Serverless functions (Node.js)
- Great DX and documentation

Cons:
- More expensive at scale ($20/user/month for team features)
- Bandwidth limits on free tier (100GB/month)
- Function execution limits (10 second timeout, 50MB output)
- No Australian-specific edge locations (routing via Singapore)
- No object storage (need separate S3 or similar)

Estimated Effort: 1-2 days setup

Option C: AWS (S3 + CloudFront + Lambda)
Description: Self-managed hosting on AWS with CloudFront CDN and Lambda functions.

Pros:
- Full AWS ecosystem integration
- Sydney region available (ap-southeast-4)
- Extremely scalable
- Comprehensive services

Cons:
- Complex setup (S3 buckets, CloudFront distributions, Lambda functions, API Gateway)
- Significant DevOps overhead for 3-person team
- Steep learning curve
- More expensive for low traffic (no generous free tier)
- 1-2 weeks setup time
- Ongoing management burden

Estimated Effort: 1-2 weeks initial setup + ongoing management
Decision
We chose: Option A - Cloudflare Pages + Workers + R2

Rationale:
1. Simplicity: Zero-config deployment, automatic SSL, integrated CDN, perfect for 3-person team
2. Cost-effective: Free tier supports MVP, predictable pricing at scale
3. Australian performance: Global CDN with Australian PoPs provides fast access for target market
4. Complete platform: Pages (static), Workers (compute), R2 (storage) covers all needs
5. Fast deployment: GitHub integration with automatic preview deployments accelerates iteration
6. DDoS protection: Enterprise-grade security included, critical for compliance platform
7. Developer experience: Excellent tooling (Wrangler CLI) and documentation

Key Trade-offs Accepted:
- We're accepting Workers execution limits (50ms CPU) by keeping compute lightweight
- We're accepting platform lock-in for deployment velocity (can migrate static sites easily, Workers would need rewrite)
- We're deferring Workers optimization to post-MVP (start simple, optimize if needed)
Consequences
Positive
- Zero DevOps burden: No servers to manage, automatic scaling, built-in monitoring
- Fast deployments: Push to GitHub → deployed globally in <2 minutes
- Global performance: <100ms response times for Australian users
- Multiple properties: Marketing, docs, app all on same platform (simplified management)
- Preview deployments: Every PR gets preview URL for testing
- Cost predictable: Free tier → $20-50/month for MVP → scales linearly
- Security included: DDoS protection, WAF, SSL/TLS, bot management

Negative
- Workers learning curve: Different from traditional Node.js (V8 isolates, no Node APIs)
- Execution limits: 50ms CPU time requires efficient code
- Platform lock-in: Workers code not portable to other platforms without rewrite
- Cold starts: Infrequently-used Workers may have 10-50ms cold start

Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Workers CPU limits hit for complex operations | MEDIUM | MEDIUM | Offload heavy compute to Supabase functions; optimize hot paths; upgrade to paid Workers if needed |
| Cloudflare outage affects all properties | LOW | HIGH | Monitor Cloudflare status; acceptable downtime for MVP; consider multi-CDN post-MVP |
| R2 costs grow unexpectedly | LOW | MEDIUM | Monitor storage usage; implement file lifecycle policies; compress evidence files |
Compliance Note
ACSC Essential 8 Impact:
- Relevant Controls: Not directly applicable (hosting is infrastructure)
- Data Residency: Cloudflare Workers can be restricted to specific regions; R2 storage configured for Australia

Australian Data Residency:
- Static Assets: Served globally via CDN (acceptable - no sensitive data)
- Edge Compute: Workers execute in nearest datacenter (can be restricted if needed)
- Object Storage: R2 buckets configured for Sydney region for sensitive files
- Guarantees: Cloudflare complies with Privacy Shield framework

Audit Trail:
- Cloudflare logs all deployments via GitHub Actions
- Worker logs track execution and errors

Implementation Notes
Prerequisites:
- Cloudflare account created
- Domains configured (getcimple.com, app.getcimple.com, docs.getcimple.com, internal.docs.getcimple.io)
- GitHub Actions configured with Cloudflare API tokens

Integration Points:
- GitHub: Automatic deployments on push
- Supabase: Workers call Supabase APIs for data
- Kinde: OAuth redirect URLs configured for Cloudflare domains
- MkDocs: Build output deployed to Pages

Monitoring:
- Cloudflare Analytics dashboard for traffic and performance
- Worker logs for errors and exceptions
- GitHub Actions for deployment status

Documentation Updates Needed:
- Deployment process in deployment-mvp.md
- Worker configuration in tech-stack-mvp.md
- Infrastructure overview in simplified-mvp-architecture.md
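
A GitHub Actions workflow for the MkDocs-to-Pages path listed under Prerequisites and Integration Points, added here as an illustration and not taken from GetCimple's repository. The file name, the Pages project name `getcimple-docs`, the secret names, the `production` environment and `requirements.txt` are assumptions, as is the use of a Cloudflare API token limited to Pages edit permission on a single account rather than a Global API Key.

```yaml
# Hypothetical .github/workflows/deploy-docs.yml (added example)
name: deploy-docs

# Runs only on pushes to main, so pull requests from forks never
# reach a job that has the Cloudflare secrets in scope.
on:
  push:
    branches: [main]

# The job only reads the repository; GITHUB_TOKEN gets no write scopes.
permissions:
  contents: read

# Serialise production deploys so two pushes cannot race each other.
concurrency:
  group: pages-docs-production
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Assumed environment name; environment protection rules can then
    # gate access to the secrets (required reviewers, branch limits).
    environment: production
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave a git credential on disk
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build MkDocs site
        run: |
          pip install -r requirements.txt   # assumed to pin mkdocs and plugins
          mkdocs build --strict             # fail on warnings; output in ./site
      - name: Deploy to Cloudflare Pages
        uses: cloudflare/wrangler-action@v3
        with:
          # Assumed secret names. The token should carry only
          # Account > Cloudflare Pages > Edit for this one account.
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          command: pages deploy site --project-name=getcimple-docs --branch=main
```

Pinning each `uses:` reference to a full commit SHA instead of a version tag removes the dependency on a mutable tag in the deployment path.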
Revisit
- Revisit By: 2026-01-01 or after 1000 active users
- Blast Radius: HIGH - Affects all hosting infrastructure (app, docs, marketing)

Conditions for Revisit:
- Cloudflare bandwidth costs exceed $200/month
- Workers CPU limits become blocking issue (>10 incidents/month)
- Need for features Cloudflare doesn't provide (specific compliance, advanced compute)
- Multi-region requirements (e.g., expanding beyond Australia)

Next Review: 2025-07-01

References
- Cloudflare Pages Docs
- Cloudflare Workers Docs
- Cloudflare R2 Docs
- Tech Stack MVP
- Deployment MVP
- ADR-0001: Supabase Backend - Complementary decision
Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2025-10-20 | Claude | Initial ADR capturing historical decision |