Cloudflare In Front Of ApiGateway / AWS Lambda -- Lower those costs!

Posted on September 22, 2019

Cloudflare In Front Of AWS Lambda & API Gateway

When you get started in Serverless, it’s really fun to see how fast you can move.

You start creating a ton of Lambda’s that do things like resolve Graphql queries & mutations, optimize images on the fly with something like Sharp, or extract data from a PDF.

And, largely, these api endpoints can be invoked by anyone and you’d have to pay for it.

This creates a potentionally expensive proposition in several ways. First off, these requests are not cached with any type of edge caching. That means that every request triggers a lambda response. Secondly, there is no WAF or Firewall between the outside world and your application.

This means someone could unintentially (or intentionally) cost you a lot of money.

Traditionally, one would seek to put Cloudfront and maybe AWS WAF in front of your API Gateway.

However, that costs money. And if you’ve served up any data from AWS, you know those bandwidth charges are no joke.


Cloudflare gives you protection from everything above. If you’re serving up images from your Lambda, you can enable their edge caching and they’ll reduce your bandwidth expenses dramatically.

Additionally, if you get DDOS or there is a bad actor requesting your api, they’ll block them on your behalf with zero charges.

However, setting up Cloudflare in front of API Gateway is kind of a challenge because AWS does not recognize Cloudflares ssl signature.

Setting up Cloudflare in front of API Gateway

Step 1) Login into AWS on the CLI or console, and add a new domain to AWS Certificate Manager. Even if your domain is not purchased through Route53/AWS, you’ll need to do this step.

You should list * and as the domains this certificate is covering.

Step 2) Next, take the DNS record they give you to verify your domain ownership and enter them into Cloudflare where your domain is setup. There will be a CNAME record listed under both the wildcard (* and normal domain. But, they are the same record. You only need to enter it once.

Step 3) Refresh the Certificate manager page until you see the new certificate is valid.

Step 4) Head over to API Gateway and setup a custom domain either via the console, cli, or Cloudformation.

You’ll enter either a subdomain or the root domain from step 2 as the domain. You’ll then enter a base path mapping for / and select which destination Lambda & stage the domain should resolve too.

Step 5) After completing step 4, you’ll need to wait about 40 minutes for the custom domain to be live.

Step 6) Enter the new Target Domain Name (example: into cloudflare as a cname record target for your subdomain. Example will have a target of

You are now live.

Managing your charges

While you’re at it, you should also setup a usage plan on your lambda. If you’re using Serverless, you can simply add a few lines to your serverless.yml file.

This useage plan allows you to establish a rateLimit and burstLimit throttle. It also allows you to define maximum invocation numbers per week or month.


      limit: 5000
      offset: 2
      period: MONTH
      burstLimit: 200
      rateLimit: 100