Companies embedding AI features — real-time personalization, content moderation, recommendation engines — into their products face latency and cost pressure when inference routes to centralized GPU regions. Workers AI runs serverless GPU inference across 337+ cities, executing at the location nearest the user. No cold starts. No idle billing. No capacity planning. You call a model via API; Cloudflare handles everything else.
Supported models include Llama 3, Mistral, Whisper (speech-to-text), Stable Diffusion XL, and embedding models. Full catalog linked below.
AI Gateway is a forward proxy between your application and any LLM provider — OpenAI, Anthropic, Google AI Studio, AWS Bedrock, Hugging Face, Workers AI, and others. Change one line (the API base URL) and every model call passes through Cloudflare. All capabilities apply automatically.
| Capability | What It Does |
|---|---|
| Spend Limits | Dollar-based budgets tracking actual cost, not request count. Scope by model, provider, user ID, or team. When the limit hits, AI Gateway returns a 429 and stops requests until the window resets. |
| Caching | Identical prompts return cached responses immediately — no model call, no token spend. Typically reduces token spend 20–40% on enterprise Q&A workloads. |
| Rate Limiting | Cap request volume independently from dollar spend. Prevents traffic spikes from triggering unexpected costs. |
| Fallback Routing | If OpenAI is unavailable or rate-limited, automatically route to Anthropic or another configured provider. No code change required. |
| Observability | Every request logs: model, provider, token count, latency, cost, errors. Cost analytics by model, provider, team, or custom tag. |
| Unified Billing | OpenAI, Anthropic, Google, and other providers on one Cloudflare bill. No separate provider API key management. |
| Coding Agents | Claude Code, GitHub Copilot CLI, OpenAI Codex routed through AI Gateway — every call observable, cacheable, rate-limited, and DLP-scanned with no change to developer workflow. |
Building retrieval-augmented generation from scratch means connecting ingestion → chunking → embedding → vector storage → retrieval → prompt construction. That's weeks of engineering before a single query runs.
AutoRAG is a fully managed RAG pipeline. Point it at an R2 bucket containing your documents. It handles chunking, embedding generation via Workers AI, indexing into Vectorize, retrieval, and response generation. The result is a query API — ask a question, get a grounded answer with source citations.
Vectorize is the vector database underneath, running natively within Cloudflare's network inside a Worker — no external database host, no egress fees, no third-party round-trip.
Fits: Developer documentation Q&A, internal knowledge bases, customer support grounding, enterprise search, contract retrieval.
Most AI agent frameworks assume stateless execution. Real agents need memory across sessions, the ability to run tasks in the background, and the ability to wake up and act at a future time without polling infrastructure.
Agents SDK is Cloudflare's framework for building agents with persistent state. Each agent session has a durable identity, local SQL storage, live WebSocket connections, and scheduled execution. Agents connect to chat, email, voice, Slack, and webhooks out of the box.
Durable Objects is the execution layer underneath — a persistent, single-threaded context with its own SQLite database per agent. State doesn't need to be externalized or reconstructed between requests.
Hibernation means agents sleep when idle with no compute charge. When a message arrives, the agent wakes automatically. No polling required. Available on all plans including free.
Tools available to agents: Browser, Sandbox, AI Search, MCP client, Payments, and any MCP server you connect.
Model Context Protocol (MCP) is the open standard for how AI agents connect to external tools — internal APIs, databases, SaaS products, code repositories. Without access controls, an agent handed a set of MCP tools has unconstrained access to everything those tools expose.
MCP Server Portals (part of Cloudflare Access / Zero Trust) puts identity-based access controls in front of every tool call an agent makes:
Cloudflare also runs managed MCP servers covering 2,500+ Cloudflare API endpoints — accessible via two tools, consuming ~1,000 tokens regardless of API surface size (vs. 1.17M tokens for a naive implementation). Available in open beta, all plans.
Shadow AI adoption is accelerating. BCG found a 3x increase in shadow AI tool usage among financial services employees year-over-year. Ungoverned AI tool access cascades into real data exposure.
Cloudflare's Zero Trust Gateway policies give security teams precise control without blanket bans. A working policy set deployable in about 10 minutes:
Gateway natively recognizes Google Gemini, ChatGPT, Claude, and Perplexity as distinct AI applications — applying topic classification to prompts and enforcing policy per application, not per category.
Prompt injection, jailbreak attempts, and PII extraction attacks targeting AI applications are different from traditional web attacks. The payload is natural language. Standard WAF rules don't catch it.
AI Security for Apps (Firewall for AI) runs on Cloudflare's WAF in front of AI-powered applications, scoring every inbound request for LLM-specific threats before it reaches the application server.
| Field | What It Detects |
|---|---|
cf.llm.prompt.injection_score | Prompt injection likelihood. Score 1–99; lower = higher likelihood of attack. Score of 100 = not scored by Cloudflare. |
FirewallForAIPIICategories | Categories of PII detected in the request |
FirewallForAIUnsafeTopicCategories | Unsafe or out-of-policy content categories |
FirewallForAITokenCount | Token count of the request |
These fields are available in Firewall Events, HTTP Requests Logpush, and Security Analytics. You write rules that act on scores — block, challenge, log, or rate-limit. You set the threshold. Requires Enterprise plan.
AI Gateway bi-directional DLP scans both sides of the model conversation:
No separate TLS decryption or HTTP filtering pipeline required. Attach DLP profiles to your AI Gateway — applies automatically to all traffic through that gateway.
| Product | Documentation |
|---|---|
| Workers AI | developers.cloudflare.com/workers-ai |
| Workers AI Model Catalog | developers.cloudflare.com/workers-ai/models |
| AI Gateway | developers.cloudflare.com/ai-gateway |
| AI Gateway Spend Limits | developers.cloudflare.com/ai-gateway/features/spend-limits |
| AI Gateway DLP | developers.cloudflare.com/ai-gateway/features/dlp |
| Vectorize | developers.cloudflare.com/vectorize |
| AutoRAG / AI Search | developers.cloudflare.com/ai-search |
| Agents SDK | developers.cloudflare.com/agents |
| Durable Objects | developers.cloudflare.com/durable-objects |
| MCP Server Portals | developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals |
| Cloudflare-Managed MCP Servers | developers.cloudflare.com/agents/model-context-protocol/cloudflare/servers-for-cloudflare |
| AI Security for Apps | developers.cloudflare.com/waf/detections/ai-security-for-apps |
| DLP for AI | developers.cloudflare.com/cloudflare-one/data-loss-prevention |
| Cloudflare for AI (overview) | cloudflare.com/ai |