Proxy status
You can load balance your traffic at different levels of the networking stack, including:
- Layer 7 (HTTP/HTTPS) (most common)
- DNS-only
- Layer 4 (TCP)
Layer 7 load balancing
Layer 7 load balancers direct traffic to specific endpoints based on information present in each HTTP/HTTPS request (HTTP headers, URI, cookies, type of data, etc.).
When a client visits your application, Cloudflare directs their request to a healthy endpoint (determined by your traffic steering policy and endpoint weights).
Cloudflare performs layer 7 load balancing when traffic to your hostname is proxied through Cloudflare. In the Load Balancing dashboard, these load balancers are marked with an orange cloud.

Benefits
In comparison to DNS-only load balancing, layer 7 load balancing:
- Protects endpoints from DDoS attacks by hiding their IP addresses.
- Offers faster failover and more accurate routing, which can otherwise be affected by DNS caching.
- Integrates with other Cloudflare features such as caching, Workers, and the WAF.
- Reduces authoritative queries against Cloudflare, which can potentially save money for customers with usage-based billing.
- Supports customized session affinity and endpoint drain.
- More accurately geo-locates traffic, using the data center associated with the user making the request instead of the data center associated with a user's recursive resolver.
DNS-only load balancing
DNS-only load balancers route traffic by returning specific IP addresses in response to a client's DNS query.
When a client visits your application, Cloudflare provides the address for a healthy endpoint (determined by your traffic steering policy and endpoint-level steering policy). However, Cloudflare relies on DNS resolvers respecting the short TTL to re-query Cloudflare's DNS for an updated list of healthy addresses. If a client has a cached DNS response, they will go to their previous destination, potentially ignoring your load balancer.
Cloudflare performs DNS-only load balancing when traffic to your hostname is not proxied through Cloudflare. In the Load Balancing dashboard, these load balancers are marked with a gray cloud.

Benefits
If your load balancer is attached to a hostname used for an MX or SRV record — and not an A, AAAA, or CNAME record — its proxy mode should be DNS-only.
Limitations
In comparison to proxied, layer 7 load balancing, DNS-only load balancing:
- Does not hide the IP addresses of your endpoints, leaving them vulnerable to DDoS attacks.
- Performs slower failover and less accurate routing, because it has to rely on DNS resolvers and cache settings.
- Cannot integrate with other Cloudflare features such as caching, Workers, and the WAF.
- Increases authoritative queries against Cloudflare, which can potentially cost more for customers with usage-based billing.
- Does not support session affinity.
- Geo-locates traffic based on the data center associated with the ECS source address, if available. If not available, geo-locates based on a user's recursive resolver, which can sometimes cause issues with latency-based steering.
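The proxy-mode guidance above can be checked against exported configuration. The following is an added example, not Cloudflare's own code: the field names (`name`, `proxied`, `session_affinity`, `default_pools`, `origins`, `address`) are assumed to match the Cloudflare API load balancer and pool objects, while `audit_load_balancers`, the `record_types` input, and all sample data are hypothetical and constructed for illustration.

```python
# Added example: constructed data; field names are assumed to follow the
# Cloudflare API load balancer and pool objects.
NON_PROXIED_TYPES = {"MX", "SRV"}

def audit_load_balancers(load_balancers, pools, record_types):
    """Return {hostname: [finding, ...]} for settings this page warns about.

    record_types maps hostname -> set of DNS record types that use it
    (hypothetical input; hostnames not listed are treated as A/AAAA/CNAME).
    """
    findings = {}
    for lb in load_balancers:
        host = lb["name"]
        notes = []
        proxied = lb.get("proxied", False)
        if record_types.get(host, {"A"}) & NON_PROXIED_TYPES:
            # Hostnames used for MX or SRV records should be DNS-only.
            if proxied:
                notes.append("used for MX/SRV: proxy mode should be DNS-only")
        elif not proxied:
            # DNS-only answers hand the endpoint addresses to every client.
            exposed = sorted(
                origin["address"]
                for pool_id in lb.get("default_pools", [])
                for origin in pools.get(pool_id, {}).get("origins", [])
            )
            notes.append("DNS-only: endpoint addresses returned to clients: "
                         + ", ".join(exposed))
            if lb.get("session_affinity", "none") not in ("none", ""):
                notes.append("session affinity set but not supported in DNS-only mode")
        if notes:
            findings[host] = notes
    return findings

# Constructed sample objects (RFC 5737 documentation addresses).
POOLS = {"pool-a": {"origins": [{"address": "192.0.2.10"}, {"address": "192.0.2.11"}]},
         "pool-b": {"origins": [{"address": "198.51.100.7"}]}}
LBS = [
    {"name": "www.example.com", "proxied": True, "default_pools": ["pool-a"], "session_affinity": "cookie"},
    {"name": "api.example.com", "proxied": False, "default_pools": ["pool-a"], "session_affinity": "cookie"},
    {"name": "mail.example.com", "proxied": True, "default_pools": ["pool-b"]},
    {"name": "sip.example.com", "proxied": False, "default_pools": ["pool-b"]},
]
RECORDS = {"mail.example.com": {"MX"}, "sip.example.com": {"SRV"}}

if __name__ == "__main__":
    for host, notes in audit_load_balancers(LBS, POOLS, RECORDS).items():
        for note in notes:
            print(f"{host}: {note}")
```

Only `api.example.com` (DNS-only on a web hostname, with session affinity configured) and `mail.example.com` (proxied on an MX hostname) are flagged; the proxied web hostname and the DNS-only SRV hostname match the guidance.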
Layer 4 load balancing
Layer 4 load balancers route traffic by forwarding traffic to certain ports or IP addresses.
Cloudflare currently only supports layer 4 load balancing as part of Cloudflare Spectrum.
- 2025 Cloudflare, Inc.