The intersection of global edge computing and centralized observability represents the pinnacle of modern infrastructure management. As digital services migrate toward highly distributed architectures, the ability to maintain a single pane of and visibility across a global footprint becomes a mission-critical requirement. Cloudflare, operating one of the world's most extensive authoritative DNS networks, provides the foundational edge layer for over 25 million internet properties, managing hundreds of billions of DNS queries daily across more than 250 data centers in over 100 countries. However, the sheer scale of this data presents a significant challenge for DevOps engineers: how to ingest, transform, and visualize massive streams of edge telemetry within a centralized monitoring stack.
Grafana Cloud serves as the critical orchestration layer in this equation, providing the mechanisms to bridge the gap between Cloudflare's distributed edge and the engineer's dashboard. Whether through the ingestion of OpenTelemetry (OTLP) traces from Cloudflare Workers, the scraping of metrics via Grafana Alloy, or the implementation of OIDC-based secure access through Cloudflare One, the integration of these two platforms allows for a deep, granular understanding of network performance, security posture, and application health. This integration is not merely about viewing charts; it is about building a proactive defense and optimization engine that leverages Cloudflare's massive global footprint and Grafana's advanced analytical capabilities.
The Cloudflare Data Source Plugin and Public Preview Status
The architectural foundation for querying Cloudflare-specific data within the Grafana ecosystem is the Cloudflare data source plugin. This plugin is specifically engineered to allow users to execute queries and visualize data directly from the Cloudflare edge within their Grafana environments. It acts as a translator, taking the complex, high-volume telemetry produced by Cloudflare's infrastructure and making it accessible via the Grafana query editor.
It is imperative for engineers to recognize the current developmental lifecycle of this component. The Cloudflare data source plugin is presently in public preview. This designation carries significant weight for production environments, as the plugin is subject to the Grafana Labs release life cycle documentation. In a public preview state, the plugin may undergo changes in API stability, feature availability, or configuration requirements. Users must monitor official release notes to ensure their observability pipelines remain resilient against updates.
The utility of this plugin extends to several key areas of the Cloudflare ecosystem:
- Data Querying: Direct access to Cloudflare's internal metrics and logs.
- Visualization: The ability to map edge-based data onto time-series graphs and heatmaps.
- Unified Observability: Merging Cloudflare edge data with other internal infrastructure metrics.
Legacy Architectures: The Deprecated Cloudflare DNS Grafana App
In the history of Grafana integrations, the Cloudflare DNS Grafana App served as an early attempt to provide visibility into DNS traffic. This app was designed to provide users with a specialized view of their DNS traffic originating from Cloudflare's edge, allowing for the monitoring of geography, latency, response codes, query types, and specific hostnames. It supported both regular DNS zones and DNS Firewall clusters, offering instant visibility into queries per second and latency metrics.
However, this specific application is now officially deprecated. For organizations still maintaining legacy Grafana environments, it is critical to understand the compatibility constraints that applied to this app:
- Version Compatibility: The app was strictly limited to Grafana versions 3.0 through 9.x.
- Incompatibility: Grafana 10 or later versions do not support this specific app, making it unusable for modern, upgraded Grafana instances.
- Dependency Profile: While it required a Cloudflare account, it had no other external dependencies or complex configurations, making it easy to install from grafana.com.
The deprecation of this app signals a shift toward more robust, integrated solutions like the Cloudflare data source plugin and the Grafana Cloud-native integrations, which offer broader feature sets and better support for modern observability standards like OpenTelemetry.
Advanced Telemetry: OpenTelemetry Integration for Cloudflare Workers
Cloudflare Workers represents a paradigm shift in serverless computing, allowing developers to deploy functions, frontends, containers, and databases to a global network spanning over 330 cities. As these serverless applications scale, the complexity of debugging increases exponentially. The integration of OpenTelemetry (OTLP) allows for a seamless, push-based pipeline where traces and logs are forwarded directly from the Workers runtime to Grafana Cloud.
This integration utilizes Cloudflare’s built-in "Destinations" feature, which is part of the Workers Observability suite. By adopting the OTLP transport layer, developers can achieve a high degree of observability without the overhead of managing complex ingestion agents.
The technical advantages of this integration include:
- Trace and Log Correlation: The ability to follow a single request through its entire lifecycle across the global network.
- Attribute-Based Drilling: Engineers can drill down into specific traces and logs based on metadata such as request location and duration.
- Pre-built Dashboards: Grafana Cloud provides out-of-the-box dashboards specifically designed for Workers telemetry, reducing the "time-to-value" for new deployments.
- Push-Based Architecture: Eliminates the need for polling-based architectures, reducing latency in the observability pipeline.
Cloudflare Integration for Grafana Cloud: Metrics and Analytics
For organizations utilizing Grafana Cloud, the integration with Cloudflare provides a comprehensive monitoring solution for account-level and zone-level analytics. This integration is designed to collect and analyze a wide array of metrics that are essential for understanding both the performance and the security of web applications.
The scope of the metrics available through this integration includes:
- Requests: Total volume of incoming traffic to your protected domains.
- Bandwidth: Monitoring the throughput and data transfer levels at the edge.
- CPU Utilization: Tracking the computational load on the edge nodes.
- HTTP Response Codes: Analyzing the distribution of 2xx, 3xx, 4xx, and 5xx errors to identify application or configuration issues.
- Pool Health: Monitoring the status of origin servers or backends.
- Colocation Information: Understanding how traffic is being distributed across different geographic regions.
The installation process within Grafana Cloud is streamlined to ensure rapid deployment:
- Access the Connections menu in the Grafana Cloud left-hand sidebar.
- Locate the Cloudflare tile within the integration library.
- Review the prerequisite documentation in the Configuration Details tab.
- Set up Grafana Alloy to facilitate the transmission of metrics.
- Execute the installation to automatically deploy pre-built dashboards and alerting rules.
Metrics and Configuration Specifications
| Metric Category | Description | Primary Use Case |
|---|---|---|
| Network Traffic | Requests, Bandwidth, HTTP Response Codes | DDoS detection and traffic pattern analysis |
| Compute/Edge | CPU Utilization, Workers Execution | Performance optimization and cost management |
| - DNS/Security | DNS Query Rates, DNS Latency, Firewall Hits | DNS security and availability monitoring |
| Infrastructure | Pool Health, Colocation Data | Origin server monitoring and regional latency analysis |
Engineering the Ingestion Pipeline: Grafana Alloy and Prometheus Scrapers
A critical component of the Cloudflare-Grafana integration is the configuration of the ingestion agent, specifically Grafana Alloy. For advanced users, this involves configuring a scrape job that targets a Cloudflare Prometheus endpoint. This process often requires the use of discovery.relabel components to correctly identify and label Cloudflare endpoints, followed by a prometheus.scrape component to pull the data.
In advanced configuration modes, engineers must manually append snippets to the Alloy configuration file. A typical configuration for scraping metrics from a Cloudflare exporter might look like the following:
prometheus
prometheus.scrape "metrics_integrations_integrations_cloudflare" {
targets = [{
__address__ = "<exporter_hostname>:<exporter_port>",
instance = constants.hostname,
}]
forward_to = [prometheus.remote_write.metrics_service.receiver]
job_name = "integrations/cloudflare"
}
When deploying a custom exporter, such as the cloudflare_exporter, engineers must be aware of port conflicts. The default listening port is 8080, which can conflict with existing processes. The exporter can be customized using the following command structure:
bash
./cloudflare_exporter -listen=:<port_number> -cf_api_token=<cloudflare-api-token>
This configuration allows for a highly customized, scalable monitoring architecture where metrics are scraped, relabeled, and forwarded to a central Grafana Cloud instance for long-term storage and analysis.
Secure Access Control: Configuring Grafana with Cloudflare One (OIDC)
Beyond monitoring, the integration of these two platforms extends into the realm of Identity and Access Management (IAM). Cloudflare One allows administrators to treat Grafana as a SaaS application, securing it via OpenID Connect (OIDC) authentication. This ensures that only authorized users can access sensitive observability dashboards.
The configuration process involves setting up Grafana as an OIDC application within the Cloudflare Zero Trust dashboard. This requires administrative access to both the Grafana account and the Cloudflare dashboard.
The step-by-step configuration workflow is as follows:
- Navigate to the Cloudflare dashboard: Go to Zero Trust > Access controls > Applications.
- Initialize Application Creation: Select Create new application and choose the SaaS application option.
- Define Application Type: For the Application selection, choose Grafana.
- Set Protocol: Select OIDC as the authentication protocol.
- Configure Scopes: Select the specific user attributes that should be included in the ID token for authorization.
- Set Redirect URLs: You must enter the specific OAuth redirect endpoint:
https://<your-grafana-domain>/login/generic_oauth - Implement Security Enhancements: Enable Proof of Key Exchange (PKCE) if your Identity Provider (IdP) supports it, as this will be applied to all login attempts.
- Capture Credentials: Copy the Client secret, Client ID, Token endpoint, and Authorization endpoint for use in Grafana.
- Configure Access Policies: Define which user groups or email domains are permitted to access the Grafana application.
- Configure App Launcher (Optional): Enable the App Launcher and set the App Launcher URL to:
https://<your-grafana-domain>/login - Finalize in Grafana: In the Grafana interface, navigate to Administration > Authentication > Generic OAuth and enter the retrieved details. You can also define a custom Display name, such as
Cloudflare Access, to provide a seamless Single Sign-On (SSO) experience for end-users.
Analytical Conclusion
The integration of Cloudflare and Grafana represents more than a mere connection between two software products; it is the construction of a unified, high-fidelity observability fabric. By bridging the gap between the global edge and the centralized monitoring stack, organizations can move from reactive troubleshooting to proactive infrastructure management. The evolution from the deprecated DNS-specific apps to the modern, OpenTelemetry-driven, and Alloy-orchestrated pipelines demonstrates a clear industry trajectory toward standardized, scalable, and secure telemetry.
For the modern engineer, the capability to correlate Cloudflare Workers' execution traces with global network latency, or to monitor DNS firewall hits alongside HTTP response codes, provides the necessary context to resolve complex, distributed system failures. As Cloudflare continues to expand its edge presence and Grafana continues to refine its ingestion capabilities, the potential for deep, actionable insights into the global internet landscape will only continue to grow. The successful implementation of these integrations requires a rigorous approach to configuration, particularly regarding OIDC security, exporter port management, and the precise application of Prometheus scraping logic.