Back to sources

Infrastructure

Cloudflare change intelligence

Infrastructure, API, billing, product, Workers, DNS, Pages, and security changes that can affect production systems.

Monitor cadence

Daily

Primary audience

Platform teams, DevOps, security-minded builders

Official changelog

Watched topics

WorkersDNSBillingSecurityAPI fields

Latest reviewed changes

Read from the official changelog and annotated with impact and deadlines. Last checked 2026-07-16.

Watch this source
HighDeprecation

Zero Trust CIDR route endpoints and tunnel connections field retire October 5, 2026

Cloudflare is removing the CIDR-encoded Zero Trust route endpoints (POST/PATCH/DELETE .../teamnet/routes/network/{ip}) in favor of route_id-based endpoints, and removing the connections array from Cloudflare Tunnel list/get responses. Both retirements take effect October 5, 2026.

Deadline: 2026-10-05

Action note

Before October 5, 2026, migrate scripts to route_id-based endpoints, update cloudflared and the Terraform provider, and query the dedicated connections endpoint instead of the connections field.

View original source
HighPricing

Workflows adds per-step and storage billing, starting no earlier than August 10, 2026

Cloudflare Workflows adds two billing dimensions: steps (Free: 3,000/day included; Paid: 500,000/month, then $0.80 per 100,000) and stored state (1 GB-month included, then $0.20 per additional GB-month). Billing starts no earlier than August 10, 2026; request and CPU-time billing are unchanged.

Deadline: 2026-08-10

Action note

Review Workflows step and storage usage in the Cloudflare dashboard before August 10, 2026, and reduce steps per Workflow or shrink persisted state to control costs.

View original source
LowAuth

Browser Isolation adds support for Gateway authorization proxy endpoints

Browser Isolation now works with Gateway authorization proxy endpoints (previously only source-IP endpoints), enabling identity-based HTTP Isolate policies on PAC-file-proxied traffic without installing the Cloudflare One Client.

Action note

To use identity-based isolation without the client, create an authorization proxy endpoint in Gateway and build an HTTP Isolate policy against it.

View original source