Proxy status
You can load balance your traffic at different levels of the networking stack, including:
- Layer 7 (HTTP/HTTPS) (most common)
- DNS-only
- Layer 4 (TCP)
Layer 7 load balancers direct traffic to specific endpoints based on information present in each HTTP/HTTPS request (HTTP headers, URI, cookies, type of data, etc.).
When a client visits your application, Cloudflare directs their request to a healthy endpoint (determined by your traffic steering policy and endpoint weights).
Cloudflare performs layer 7 load balancing when traffic to your hostname is proxied through Cloudflare. In the Load Balancing dashboard, these load balancers are marked with an orange cloud.

In comparison to DNS-only load balancing, layer 7 load balancing:
- Protects endpoints from DDoS attacks by hiding their IP addresses.
- Offers faster failover and more accurate routing, which can otherwise be affected by DNS caching.
- Integrates with other Cloudflare features such as caching, Workers, and the WAF.
- Reduces authoritative queries against Cloudflare, which can potentially save money for customers with usage-based billing.
- Supports customized session affinity and endpoint drain.
- More accurately geo-locates traffic, using the data center associated with the user making the request instead of the data center associated with a user's recursive resolver.
- Supports private IP addresses with Private Network Load Balancing.
DNS-only load balancers route traffic by returning specific IP addresses in response to a client's DNS query.
When a client visits your application, Cloudflare provides the address for a healthy endpoint (determined by your traffic steering policy and endpoint-level steering policy). However, Cloudflare relies on DNS resolvers respecting the short TTL to re-query Cloudflare's DNS for an updated list of healthy addresses. If a client has a cached DNS response, they will go to their previous destination, potentially ignoring your load balancer.
Cloudflare performs DNS-only load balancing when traffic to your hostname is not proxied through Cloudflare. In the Load Balancing dashboard, these load balancers are marked with a gray cloud.

If your load balancer is attached to a hostname used for an MX or SRV record — and not an A, AAAA, or CNAME record — its proxy mode should be DNS-only.
In comparison to proxied, layer 7 load balancing, DNS-only load balancing:
- Does not hide the IP addresses of your endpoints, leaving them vulnerable to DDoS attacks.
- Performs slower failover and less accurate routing, because it has to rely on DNS resolvers and cache settings.
- Cannot integrate with other Cloudflare features such as caching, Workers, and the WAF.
- Increases authoritative queries against Cloudflare, which can potentially cost more for customers with usage-based billing.
- Does not support session affinity.
- Geo-locates traffic based on the data center associated with the ECS source address, if available. If not available, geo-locates based on a user's recursive resolver, which can sometimes cause issues with latency-based steering.
- Does not support Private Network Load Balancing.
Layer 4 load balancers route traffic by forwarding it to certain ports or IP addresses.
Cloudflare currently only supports layer 4 load balancing as part of Cloudflare Spectrum.
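The proxied versus DNS-only trade-offs above can be checked across an inventory of load balancers. The following is an added example, not Cloudflare's own code: it flags DNS-only load balancers that expose endpoint IP addresses, session affinity configured where it is not supported, and proxied load balancers on MX or SRV hostnames. The input shape (`name`, `proxied`, `session_affinity`), the finding labels, and the sample hostnames are assumptions made for illustration.

```python
import json

# Constructed sample data. The field names (name, proxied, session_affinity)
# are assumptions about how the load balancer inventory is exported.
SAMPLE_LBS = json.loads("""[
  {"name": "app.example.com",  "proxied": true,  "session_affinity": "cookie"},
  {"name": "api.example.com",  "proxied": false, "session_affinity": "cookie"},
  {"name": "mail.example.com", "proxied": false, "session_affinity": "none"},
  {"name": "sip.example.com",  "proxied": true,  "session_affinity": "none"}
]""")

# Constructed: hostnames used for MX or SRV records in the zone.
MX_SRV_HOSTNAMES = {"mail.example.com", "sip.example.com"}


def audit(load_balancers, mx_srv_hostnames):
    """Return (hostname, finding) tuples for proxy-status problems."""
    findings = []
    for lb in load_balancers:
        name = lb["name"]
        proxied = bool(lb.get("proxied"))
        affinity = lb.get("session_affinity") or "none"

        if name in mx_srv_hostnames:
            # MX/SRV hostnames should be DNS-only; proxied is the misconfiguration.
            if proxied:
                findings.append((name, "proxied-on-mx-srv-hostname"))
            continue

        if not proxied:
            # Gray cloud: DNS answers carry the endpoint IPs, and caching,
            # Workers and the WAF are not in the request path.
            findings.append((name, "dns-only-exposes-endpoint-ips"))
            if affinity != "none":
                # Session affinity is not supported in DNS-only mode.
                findings.append((name, "session-affinity-unsupported"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_LBS, MX_SRV_HOSTNAMES):
        print(f"{host}: {finding}")
```

A DNS-only load balancer on an MX or SRV hostname is not reported, because that is the mode the page recommends for those record types.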