Data centers · full LAN exposed once authenticated
SaaS · Internet
M365 · Salesforce · web — still routed through your DC
The pattern
Round-trip from Singapore to a US-east app: ~490ms. Every problem — security, performance, cost — gets forced through the same box. You can't fix one without buying a bigger one.
Talk track · ~60 seconds
Anchor the story."Three groups of users on the left. Three categories of destinations on the right. Everything in the middle is the box you're paying to maintain."
Name the cost layers inside the box."This isn't just a VPN. It's a concentrator, plus firewall, plus cert store, plus MFA appliance. When capacity runs out, you're not replacing one box — you're replacing all of them."
The cloud-egress punchline. Point at the "Your Cloud" box on the right. "Your AWS workloads get hairpinned too. You're paying egress fees to route AWS traffic back through your data center."
Close."The architecture forces every problem through the same box. You can't fix one without making the others worse. Let me show you what changes when the middle changes."
FRAME 2 OF 2AFTER · With Cloudflare↑ same shape as Frame 1, only the middle changed
What Cloudflare delivers
After
Same users. Same destinations. The middle is now a globally distributed network — not a single box.
Users
Employee
WARP client · hits closest PoP, anywhere
Contractor
WARP or clientless browser · no install
Branch Office
IPsec / GRE / Magic WAN · same control plane
→
CLOUDFLARE GLOBAL NETWORK
Policy at the edge
Nearest PoP · 330+ cities · no backhaul
✓ WARP Check
✓ Identity Check
✓ Access Policy
✓ Gateway Security
✓ DLP Scan
✓ CASB Control
✓ Email Security
✓ Browser Isolation
→
Destinations
Your Cloud
AWS · Azure · GCP — direct via tunnel or CNI
On-Prem
Data centers · cloudflared agent, per-app policy
SaaS · Internet
M365 · Salesforce · web — direct, CASB-aware
The flip
Same round-trip from Singapore: ~212ms — a 57% reduction. The chokepoint is gone. Identity, policy, and inspection all happen at the nearest PoP — closer to the user than your old data center ever was.
Talk track · ~60 seconds
Anchor on what hasn't changed."Look at the left side — same three user types. Look at the right — same destinations. Customers don't migrate to escape their apps. They migrate to escape the middle."
The middle is now a network, not a box."Cloudflare runs in 330+ cities. Every user hits the closest one. Identity, policy, and inspection all happen there — not at headquarters."
Make the locality concrete."Your contractor in Singapore hits a Singapore PoP. Your engineer in Dublin hits a Dublin PoP. Same security policy, locally enforced. No backhaul."
Close."Same shape as the last diagram. Same users, same destinations. But the middle stopped fighting you. Want to see how a user actually experiences this?"
Do the math · Latency & bottlenecks
Why the architecture matters
Same scenario: contractor in Singapore reaching an app in AWS us-east-1. We trace every hop, both ways.
VPN path · ~490ms round-trip
Hop
What happens
ms
1
Laptop → VPN tunnel handshake
40
2
Singapore internet → US concentrator
180
3
Concentrator → firewall → DPI
20
4
Firewall → us-east-1 (AWS app)
5
5
Return path (reversed)
245
Round-trip total
490ms
Cloudflare path · ~212ms round-trip
Hop
What happens
ms
1
Laptop → Singapore Cloudflare PoP
8
2
Identity + policy + inspection (at PoP)
3
3
Singapore PoP → us-east-1 (CF backbone)
95
4
App response → PoP → laptop
106
No tunnel handshake. No concentrator hairpin. No backhaul.
Round-trip total
212ms
A note on physics
Singapore to Virginia is ~15,000 km. The speed of light in fiber caps the one-way latency at ~75ms — no vendor breaks that. About ~180ms of the 212ms total is just the cross-Pacific physical round-trip, and Cloudflare can't make it disappear. What Cloudflare eliminates is the avoidable hops: 180ms of backhaul to a central concentrator, 40ms of tunnel handshake, and 20ms of stateful inspection. That's the 278ms we save — every request, every user.
Net change per request
−278ms · −57%
For a typical user making 200 requests/minute, that's ~56 seconds of saved wait time every minute. Across an 8-hour shift: nearly 7.5 hours of compounded latency removed.
Talk track · ~60 seconds
Set the scenario."Contractor in Singapore. AWS app in us-east-1. Real geography, real numbers."
Walk the VPN table."40ms tunnel handshake. 180ms across the Pacific to your concentrator. 20ms through firewall and DPI. Five to AWS. Same return. Nearly half a second per round-trip."
The Cloudflare table."Eight ms to the nearest PoP. Three ms for identity, policy, and inspection — all local. 95ms across our private backbone to us-east-1. 212 total. Less than half."
Be honest about the physics."Singapore to Virginia is 15,000 kilometers. The speed of light caps that round-trip at about 180ms no matter who you use. What we eliminate is the avoidable stuff — backhauling through a central concentrator, tunnel handshakes, stateful inspection. That's where the 278ms savings comes from."
The business framing."Across 200 requests a minute, that's nearly a minute of saved wait time every minute. Compounded across an 8-hour shift, that's hours of latency removed from the user experience."