
You can load balance your traffic at different levels of the networking stack, such as:


Layer 7 load balancing

Layer 7 load balancers direct traffic to specific endpoints based on information present in each HTTP/HTTPS request (HTTP headers, URI, cookies, type of data, etc.).

When a client visits your application, Cloudflare directs their request to a healthy endpoint (determined by your traffic steering policy and endpoint weights).

Cloudflare performs layer 7 load balancing when traffic to your hostname is proxied through Cloudflare. In the Load Balancing dashboard, these load balancers are marked with an orange cloud.

Proxied load balancers are marked with an orange cloud

Note that if a DNS-only (gray cloud) CNAME record points to a proxied load balancer, the IP returned for it would be the endpoint IP and an HTTP request sent to it would not be proxied.

Benefits

In comparison to DNS-only load balancing, layer 7 load balancing:

  • Protects endpoints from DDoS attacks by hiding their IP addresses.
  • Offers faster failover and more accurate routing, which can otherwise be affected by DNS caching.
  • Integrates with other Cloudflare features such as caching, Workers, and the WAF.
  • Reduces authoritative queries against Cloudflare, which can potentially save money for customers with usage-based billing.
  • Supports customized session affinity and endpoint drain.
  • More accurately geo-locates traffic, using the data center associated with the user making the request instead of the data center associated with a user's recursive resolver.
  • Supports private IP addresses with Private Network Load Balancing.

DNS-only load balancing

DNS-only load balancers route traffic by returning specific IP addresses in response to a client's DNS query.

When a client visits your application, Cloudflare provides the address for a healthy endpoint (determined by your traffic steering policy and endpoint-level steering policy). However, Cloudflare relies on DNS resolvers respecting the short TTL to re-query Cloudflare's DNS for an updated list of healthy addresses. If a client has a cached DNS response, they will go to their previous destination, potentially ignoring your load balancer.

Cloudflare performs DNS-only load balancing when traffic to your hostname is not proxied through Cloudflare. In the Load Balancing dashboard, these load balancers are marked with a gray cloud.

DNS-only load balancers are marked with a gray cloud

Note that if a load balancer endpoint is a proxied (orange-cloud) CNAME record on Cloudflare, the IP returned for it would be Cloudflare's and an HTTP request sent to it would be proxied accordingly.

Benefits

If your load balancer is attached to a hostname used for an MX or SRV record (and not an A, AAAA, or CNAME record), its proxy mode should be DNS-only.


Limitations

In comparison to proxied, layer 7 load balancing, DNS-only load balancing:

  • Does not hide the IP addresses of your endpoints, leaving them vulnerable to DDoS attacks.
  • Performs slower failover and less accurate routing, because it has to rely on DNS resolvers and cache settings.
  • Cannot integrate with other Cloudflare features such as caching, Workers, and the WAF.
  • Increases authoritative queries against Cloudflare, which can potentially cost more for customers with usage-based billing.
  • Does not support session affinity.
  • Geo-locates traffic based on the data center associated with the ECS source address, if available. If not available, geo-locates based on a user's recursive resolver, which can sometimes cause issues with latency-based steering.
  • Does not support Private Network Load Balancing.

Layer 4 load balancing

Layer 4 load balancers route traffic by forwarding traffic to certain ports or IP addresses.

Cloudflare currently only supports layer 4 load balancing as part of Cloudflare Spectrum.

