The Architecture: The Internet is the Corporate Network

The core philosophy of this reference architecture is simple: users should not be on the network.

Instead of connecting a device to a LAN via VPN, we place the applications behind Cloudflare’s global edge—a network spanning 330+ cities in 120+ countries. Users connect to the applications over the public internet, but every single request is authenticated, authorised, and inspected by Cloudflare before it ever reaches the origin server.

There are no origin servers in this architecture. The frontend is hosted on Cloudflare Pages, the backend runs on Cloudflare Workers, and all state lives in D1, KV, and R2. There is nothing to tunnel to—the entire application stack runs natively at the edge.

flowchart TB
    subgraph Users
        sarah["🔒 Sarah (Staff)\nManaged Laptop\n(WARP)"]
        james["🌐 James (Contractor)\nUnmanaged BYOD\n(Browser Only)"]
        emma["🔍 Emma (Auditor)\niPad\n(Browser Isolation)"]
    end

    subgraph Cloudflare_Edge ["☁️ Cloudflare Edge"]
        access["Access (Auth & Identity)"]
        gateway["Gateway (DNS & HTTP)"]
        isolation["Browser Isolation (NVR)"]
        warp["WARP Connector"]
    end

    subgraph Vera_Apps ["🏢 Vera Application Origin"]
        portal["Internal Portal\n(Cloudflare Pages)"]
        api["API & Chatbot\n(Workers + Durable Objects)"]
    end

    subgraph AI_Platform ["🤖 AI Platform"]
        k{"LLM Judge (1B)"}
        ai["Llama 3.3 70B\n(Workers AI)"]
        rag["R2 Support Docs\n(AI Search)"]
    end

    sarah --> warp --> gateway --> access
    james --> access
    emma --> access --> isolation --> portal

    access --> portal
    access --> api

    api -- "1. Prompt" --> k
    k -- "2. Safe?" --> ai
    ai -- "3. Retrieve" --> rag
    ai -- "4. Response" --> api

The architecture is composed of four key layers:

  1. The Edge (Security & Identity): Cloudflare Access verifies identity (via OTP for this PoC, or OIDC/SAML in production) and device posture. Cloudflare Gateway inspects DNS and HTTP traffic for threats.
  2. The Frontend (Hosting): The internal dashboards are Single Page Applications (SPAs) built with React and hosted on Cloudflare Pages, served from the nearest edge location.
  3. The Backend (Compute): Cloudflare Workers provide the API logic. They are serverless, with the £4/month paid plan including 10 million requests.
  4. The Data (State): D1 (Serverless SQLite) stores audit logs and feedback. KV (Key-Value) stores session cache. R2 (Object Storage) holds the policy documents for RAG.

The entire infrastructure is defined as code. Here is the core of the wrangler.jsonc configuration that binds everything together:

{
  "name": "vera-financial-platform",
  "main": "./functions/api/chat.ts",
  "ai": {
    "binding": "AI",
    "gateway": "vera-ai-gateway", // All AI calls routed through AI Gateway
  },
  "durable_objects": {
    "bindings": [{ "name": "CHAT_WORKER", "class_name": "ChatWorker" }],
  },
  "d1_databases": [{ "binding": "DB", "database_name": "vera-db-prod" }],
  "vars": {
    "ACCESS_AUD": "88e0718f…", // Audience tag for JWT verification
  },
}