Migrating Adobe Edge Delivery Services to Cloudflare - A Practical Guide

Why Migrate?

The decision was straightforward: cost and simplicity. I was maintaining a custom Fastly VCL configuration just to point my domain at Adobe EDS. Cloudflare's free tier provides the same functionality using Workers, with no subscription required.

What I was paying for:

• Custom Fastly service
• VCL configuration management

What Cloudflare Free provides:

• Global CDN with unlimited bandwidth
• Universal SSL certificates
• DDoS protection
• Workers for custom routing
• Automatic cache invalidation

The functionality is equivalent, the cost is zero, and the management is much simpler.

Understanding the Architecture

Adobe Edge Delivery Services runs on Fastly infrastructure. This is important to understand: you can't avoid Fastly because it's Adobe's backend. What you're doing with Cloudflare is adding a CDN layer in front of Adobe's Fastly.

Visitor → Cloudflare → Adobe's Fastly → Adobe EDS

This "double CDN" architecture is standard and officially supported by Adobe. The Cloudflare Worker handles routing between the two CDNs by rewriting the Host header.

The Technical Setup

DNS Configuration

The DNS setup is straightforward:

Type: CNAME

Name: @ (or www)

Target: main--allaboutv2--ddttom.aem.live

Proxy: Enabled (orange cloud)

Point your domain to your Adobe EDS hostname using a CNAME record, and ensure Cloudflare's proxy is enabled. The target format is [branch]--[repo]--[owner].aem.live.

SSL/TLS Settings

Set SSL/TLS mode to Full (not Full strict). Adobe EDS uses Fastly's certificates, which don't specifically cover your domain. Full (strict) mode causes HTTP 526 certificate validation errors. Full mode still encrypts traffic end-to-end; it just doesn't strictly validate the certificate hostname.

Cloudflare Worker

The Worker is the critical piece. Cloudflare's free tier doesn't allow Host header modification via Transform Rules or Origin Rules, so the Worker handles this:

1. Get the official Adobe worker code from: https://github.com/adobe/aem-cloudflare-prod-worker
2. Create a new Worker in Cloudflare
3. Replace the template code with Adobe's code
4. Set environment variable: ORIGIN_HOSTNAME = your Adobe EDS hostname
5. Add routes for your domain(s)

The Worker intercepts requests, rewrites the Host header from your domain to the Adobe EDS hostname, and forwards them accordingly.

Cache Configuration

Set up basic cache rules:

• Caching Level: Standard
• Browser Cache TTL: Respect Existing Headers
• Cache Rule: Hostname matches your domain → Eligible for cache

This instructs Cloudflare to cache based on Adobe EDS's cache headers.

Push Invalidation

One of the most valuable features is automatic cache clearing when you publish content. Without this, visitors see stale content until the cache naturally expires.

Configuration steps:

1. Get your Cloudflare Zone ID and create an API token with Cache Purge permissions.
2. Add configuration to your Adobe EDS project config file:

cdn.prod.type: cloudflare

cdn.prod.host: your-domain.com

cloudflare.apiToken: [your token]

cloudflare.zoneId: [your zone ID]

1. Add environment variable to Worker: PUSH_INVALIDATION = enabled
2. Publish the config using Adobe Sidekick

When you publish content in Adobe EDS, it automatically triggers a cache purge in Cloudflare.

Important note: Cloudflare's free tier purges the entire site cache, not just changed URLs. This causes a brief performance dip whilst the cache rebuilds, but for typical publishing workflows, this is acceptable. Surgical cache purging requires the Enterprise plan.

The Migration Process

1. Configured everything in Cloudflare first before changing nameservers
2. Changed nameservers at my registrar to Cloudflare's nameservers
3. Waited for DNS propagation (completed within 4 hours)
4. Verified the site loaded correctly with proper SSL
5. Tested push invalidation by publishing a content change
6. Monitored for 48 hours before considering it complete

The key principle: have everything configured and tested before switching nameservers. This minimises downtime risk.

What Went Wrong

Initial 526 Errors

My first attempt used Full (strict) SSL mode, which caused certificate validation errors. Adobe EDS uses Fastly's certificates, which don't specifically list my domain. The fix was simple: change to Full mode (not strict).

421 Mismatch Errors

Initially, I saw HTTP 421 errors because I'd misspelt the CNAME target in Cloudflare DNS. A simple typo, but it took a few minutes to spot. Always double-check hostname spelling.

Confusion About "Double CDN"

When I first saw both Cloudflare and Fastly headers in responses, I thought something was wrong. It's not—this is expected and correct. Adobe EDS uses Fastly as its backend, so you'll always see Fastly headers alongside Cloudflare headers.

curl -I https://allabout.network

server: cloudflare

cf-ray: 9ab37e2518bcde99-EWR

x-served-by: cache-lga21965  # This is Adobe's Fastly

Both appearing together confirms the setup is working correctly.

Results

Cost savings: ~$50/month
Performance: Equivalent to the previous setup
Cache hit ratio: 70-80% after 48 hours
Complexity: Reduced (no VCL to maintain)
Functionality: Identical, with automatic cache invalidation

The migration was successful. The site loads properly, publishing works correctly, and the cache automatically clears on publish. No functionality was lost, and management is simpler.

Key Lessons

1. Adobe EDS Always Uses Fastly

You can't avoid Fastly because it's Adobe's infrastructure. Any CDN you put in front of Adobe EDS will ultimately connect to Fastly as the origin. Understanding this "double CDN" architecture avoids confusion when troubleshooting.

2. The Worker is Essential

On Cloudflare's free tier, the Worker is the only way to rewrite the Host header. Transform Rules and Origin Rules either don't support Host header modification or require paid plans. The Worker is simple, works reliably, and uses minimal CPU time (~0.8ms per request).

3. Full (not Full strict) SSL Mode

This trips up many people. Adobe EDS requires Full mode, not Full strict. The documentation mentions this, but it's easy to miss. If you see 526 errors, check your SSL/TLS mode.

4. Free Tier is Genuinely Useful

Cloudflare's free tier isn't a trial or limited demo—it's a genuinely functional offering. For a personal or small business site like mine, it provides everything needed:

• Unlimited bandwidth
• Global CDN
• SSL certificates
• DDoS protection
• Workers (100,000 requests/day)
• Basic analytics

The main limitations (no WAF rules, no surgical cache purging) don't materially affect typical use cases.

5. Push Invalidation Saves Manual Work

Before configuring push invalidation, I had to purge Cloudflare's cache manually after publishing. Now it happens automatically. The 10-30 second cache rebuild period after publishing is acceptable for typical workflows.

6. Documentation Exists, But You Need to Find It

Adobe documents the Cloudflare setup officially: https://www.aem.live/docs/byo-cdn-cloudflare-worker-setup

The documentation is accurate and detailed. The challenge is finding it in the first place, as it's not prominently featured in Adobe's primary docs.

Would I Recommend This Setup?

Yes, with caveats.

Recommend if:

• You're running Adobe EDS
• You want a custom domain without paying for CDN
• You're comfortable with basic DevOps tasks
• You don't need surgical cache purging
• Free tier features meet your needs

Don't recommend if:

• You need WAF rules (requires Pro plan: $20/month)
• You publish very frequently and need instant cache updates (requires Enterprise)
• You're not comfortable managing Workers and DNS
• You need phone support (free tier is email only)

For my use case—a personal/professional site with occasional content updates—it's an excellent fit.

The Setup in Summary

Time required: 1-2 hours of active work
Downtime: Zero (if you configure before switching nameservers)
Cost: $0/month
Complexity: Medium (requires understanding DNS, Workers, SSL)
Maintenance: Minimal (worker auto-updates available)

Configuration steps:

1. Add a domain to Cloudflare
2. Configure DNS (CNAME to Adobe EDS hostname)
3. Set SSL/TLS to Full mode
4. Create a Worker with Adobe's code
5. Set ORIGIN_HOSTNAME environment variable
6. Add Worker routes
7. Configure push invalidation (optional but recommended)
8. Change nameservers at registrar
9. Wait for DNS propagation
10. Verify and monitor

Useful Commands

Check DNS resolution:

dig allabout.network +short

# Should return Cloudflare IPs: 104.21.41.41, 172.67.159.249

Check cache status:

curl -I https://allabout.network | grep cf-cache-status

# Shows HIT (cached) or MISS (not cached)

Verify origin resolution:

dig main--allaboutv2--ddttom.aem.live +short

# Shows Adobe's Fastly: n.sni.global.fastly.net

Resources

Adobe Documentation:

• Cloudflare setup: https://www.aem.live/docs/byo-cdn-cloudflare-worker-setup
• Push invalidation: https://www.aem.live/docs/setup-byo-cdn-push-invalidation
• CDN validator: https://www.aem.live/tools/cdn-validator

Cloudflare:

• Workers documentation: https://developers.cloudflare.com/workers/
• Official worker code: https://github.com/adobe/aem-cloudflare-prod-worker

Community:

• Adobe EDS Discord: https://discord.gg/aem-live
• Cloudflare Community: https://community.cloudflare.com/

Final Thoughts

Migrating from Fastly to Cloudflare for Adobe Edge Delivery Services is straightforward once you understand the architecture. The "double CDN" setup (Cloudflare → Adobe's Fastly) is standard and works reliably. The cost savings are significant, the functionality is equivalent, and the management is simpler.

If you're running Adobe EDS and looking to add a custom domain, Cloudflare's free tier provides everything you need. The Worker handles routing, triggers invalidations, automates cache clearing, and the global CDN ensures consistent performance worldwide.

The migration took me an afternoon to complete and another day to monitor. Now it runs quietly in the background, costing nothing and requiring minimal maintenance. That's precisely what infrastructure should do.

Related Articles