Product compatibility
The Data Localization Suite (DLS) has three features, each controlling a different aspect of where your data is handled:
- Geo Key Manager: Controls where your private TLS keys are stored.
- Regional Services: Controls which Cloudflare data centers can decrypt and process your HTTPS traffic.
- Customer Metadata Boundary (CMB): Controls which region stores your logs and analytics data.
The tables below show whether each Cloudflare product is compatible with each DLS feature. If you see 🚧, check the footnote number for specific restrictions.
- ✅ Fully compatible: no restrictions
- 🚧 Compatible with caveats: check the footnote for details
- ✘ Not compatible: this product cannot be used with this DLS feature
- ⚫️ Not applicable: this product does not interact with this DLS feature

| Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
|---|---|---|---|
| Caching/CDN | ✅ | ✅ | ✅ |
| Cache Reserve | ⚫️ | 🚧 | ✅ 1 |
| DNS | ⚫️ | 🚧 2 | ✅ |
| HTTP/3 (with QUIC) | ⚫️ | ✘ | ⚫️ |
| Image Resizing | ✅ | ✅ 3 | 🚧 4 |
| Load Balancing | ✅ | ✅ | 🚧 4 |
| Network Error Logging (NEL) | ⚫️ | ⚫️ | ✘ |
| Onion Routing | ✘ | ✘ | ✘ |
| O2O | ✘ | ✘ | ✘ |
| Stream Delivery | ✅ | ✅ | ✅ |
| Tiered Caching | ✅ | 🚧 5 | 🚧 6 |
| Trace | ✘ | ✘ | ✘ |
| Waiting Room | ⚫️ | ✅ | ✅ |
| Web Analytics / Real User Monitoring (RUM) | ⚫️ | ⚫️ | ✘ 7 |
| Zaraz | ✅ | ✅ | ✅ |

| Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
|---|---|---|---|
| Advanced Certificate Manager | ⚫️ | ⚫️ | ⚫️ |
| Advanced DDoS Protection | ✅ | ✅ | 🚧 8 |
| API Shield | ✅ | ✅ | 🚧 9 |
| Bot Management | ✅ | ✅ | ✅ |
| Client-side security (formerly Page Shield) | ✅ | ✅ | ✅ |
| DNS Firewall | ⚫️ | ⚫️ | ✅ |
| Rate Limiting | ✅ | ✅ | ✅ 10 |
| SSL | ✅ | ✅ | ✅ |
| Cloudflare for SaaS | ✘ | ✅ | ✅ |
| Turnstile | ⚫️ | ✘ | ✅ 11 |
| WAF/L7 Firewall | ✅ | ✅ | ✅ |
| DMARC Management | ⚫️ | ⚫️ | ✅ |

| Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
|---|---|---|---|
| Cloudflare Images | ⚫️ | ✅ 12 | 🚧 13 |
| AI Gateway | ✘ | ✘ | 🚧 14 |
| AI Search | ✘ 15 | ✘ 16 | 🚧 17 |
| AI Security for Apps | ✘ | ✘ | ✘ |
| Cloudflare Pages | ✅ 18 | ✅ 18 | 🚧 4 |
| Cloudflare D1 | ⚫️ | ⚫️ | 🚧 19 |
| Durable Objects | ⚫️ | ✅ 20 | 🚧 4 |
| Email Routing | ⚫️ | ⚫️ | ✅ |
| Remote MCP Server | ✅ 21 | ✅ 22 | 🚧 4 |
| R2 | ✅ 23 | ✅ 24 | ✅ 25 |
| Smart Placement | ⚫️ | ✘ | ✘ |
| Stream | ⚫️ | ✘ | 🚧 4 |
| Vectorize | ⚫️ | ✘ | ✘ |
| Workers (deployed on a Zone) | ✅ | ✅ | 🚧 26 |
| Workers AI | ⚫️ | ✘ | ✅ |
| Workers KV | ⚫️ | ✘ | ✅ 27 |
| Workers.dev | ✘ | ✘ | ✘ |
| Workers Analytics Engine (WAE) | ⚫️ | ⚫️ | 🚧 4 |

| Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
|---|---|---|---|
| Argo Smart Routing | ✅ | ✘ 28 | ✘ 29 |
| Static IP/BYOIP | ⚫️ | ✅ 30 | ⚫️ |
| Cloudflare Network Firewall | ⚫️ | ⚫️ | ✅ |
| Network Flow | ⚫️ | ⚫️ | 🚧 4 |
| Magic Transit | ⚫️ | ⚫️ | ✅ 8 |
| Cloudflare WAN | ⚫️ | ⚫️ | ✅ |
| Spectrum | ✅ | ✅ 31 | ✅ |

| Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
|---|---|---|---|
| Logpull | ⚫️ | ⚫️ | 🚧 32 |
| Logpush | ⚫️ | ✅ | 🚧 33 |
| Log Explorer | ⚫️ | ⚫️ | ✘ 34 |

| Product | Geo Key Manager | Regional Services | Customer Metadata Boundary |
|---|---|---|---|
| Access | 🚧 35 | 🚧 36 | ✅ 37 |
| Browser Isolation | ⚫️ | 🚧 38 | ✅ |
| CASB | ⚫️ | ⚫️ | ✘ |
| Cloudflare Tunnel | ⚫️ | 🚧 39 | ⚫️ |
| Digital Experience | ⚫️ | ⚫️ | 🚧 40 |
| DLP | ⚫️ 41 | ⚫️ 41 | 🚧 42 |
| Gateway | 🚧 43 | 🚧 44 | 🚧 45 |
| Cloudflare One Client | ⚫️ | ⚫️ | 🚧 4 |

1. You cannot yet specify region location for object storage itself.
2. If you use outgoing zone transfers (where Cloudflare sends your DNS records to non-Cloudflare nameservers), those transfers will include global Cloudflare IP addresses rather than region-specific ones. This means Regional Services will not function correctly when end users receive DNS answers from non-Cloudflare nameservers.
3. Only when using a Custom Domain set to a region, either through Workers or Transform Rules within the same zone.
4. Logs / Analytics not available outside US region when using Customer Metadata Boundary.
5. Regular and Custom Tiered Cache (where you define the caching hierarchy) work with Regional Services. Smart Tiered Caching (where Cloudflare automatically selects intermediate cache data centers) is not available with Regional Services.
6. Regular/Generic and Custom Tiered Cache work with Customer Metadata Boundary (CMB). Smart Tiered Caching (where Cloudflare automatically selects intermediate cache data centers) does not work with CMB. With CMB set to EU, the Zone Dashboard Caching > Tiered Cache > Smart Tiered Caching option will not populate the Dashboard Analytics.
7. Web Analytics collects the minimum amount of information. Alternatively, you can exclude EU Visitors from RUM.
8. Adaptive DDoS Protection (which automatically adjusts DDoS rules based on your traffic patterns) is only supported when Customer Metadata Boundary is set to the US. All other DDoS protection features work with any CMB region.
9. The following API Shield sub-features do not work when CMB is set to EU: API Discovery (automatic detection of your API endpoints), Volumetric Abuse Detection (identifying unusually high API call volumes), and Sequence Analytics and Mitigation (tracking the order of API calls to detect misuse). All other API Shield features work with any CMB region.
10. Legacy Zone Analytics & Logs section not available outside US region when using CMB. Use Security Analytics instead.
11. Turnstile Analytics are available. However, there are no regionalization guarantees for the Siteverify API yet.
12. Only when using a Custom Domain set to a region.
13. Logs / Analytics not supported for CMB = EU. Jurisdictional Restrictions (storage) options are not supported today. All other features are available to all CMB regions. Note that beta or future features may not be in scope and could be subject to change.
14. Jurisdictional Restrictions (storage) options for Logs are not supported today. All other features are available to all CMB regions.
15. Only R2 Custom Domains and Custom Certificate are supported.
16. Only R2 Custom Domains are supported.
17. The following are exceptions and are supported: AI Gateway Analytics (GraphQL Analytics datasets) and Logs (Logpush), R2 Dashboard Metrics & Analytics, Workers AI GraphQL Analytics datasets like aiInferenceAdaptive.
18. Only when using Custom Domain set to a region.
19. Jurisdictional Restrictions (data location / storage) options are not supported today. All other features are available to all CMB regions. Note that beta or future features may not be in scope and could be subject to change.
21. Only when using Workers Routes & Domains and Custom Certificate.
22. Only when using Workers Routes & Domains.
23. Only when using a Custom Domain and a Custom Certificate or Keyless SSL.
24. Only when using a Custom Domain set to a region and using jurisdictions with the S3 API.
25. R2 Dashboard Metrics and Analytics are populated. Jurisdictional Restrictions guarantee objects in a bucket are stored within a specific jurisdiction.
26. Logs / Analytics not available outside US region when using Customer Metadata Boundary. Use Logpush instead.
27. Jurisdictional Restrictions (storage) for Workers KV pairs is not supported today.
28. Argo cannot be used with Regional Services.
29. Argo cannot be used with Customer Metadata Boundary.
30. Static IP/BYOIP can be used with the legacy Spectrum setup.
31. Only applies to HTTP/S Spectrum applications.
32. Logpull available when using CMB = US only. Logpull is a legacy feature; consider using Logpush or Log Explorer instead.
33. Logpush available with Customer Metadata Boundary for these datasets. Contact your account team if you need another dataset.
34. Currently, customers do not have the ability to choose the location of the Cloudflare-managed R2 bucket for Log Explorer.
35. Access App SSL keys can use Geo Key Manager. Access JWT is not yet localized.
36. Can be localized to US FedRAMP Moderate Domestic region only.
37. Customer Metadata Boundary can be used to limit data transfer outside region, but Access User Logs will not be available outside US region. EU customers must use Logpush to retain logs.
38. Currently may only be used with US FedRAMP region.
39. When Cloudflare Tunnel (a secure outbound connection from your network to Cloudflare) connects to Cloudflare, it can use either the Global Region (default, any data center worldwide) or the US FedRAMP Moderate Domestic region (data centers that meet the US government's FedRAMP security standard). For incoming web requests, Regional Services only applies when you have published applications (services exposed to users through the tunnel). In that case, the region associated with the DNS record will apply.
40. Dashboard Analytics are empty when using CMB outside the US region. Use Logpush instead.
42. DLP is part of Gateway HTTP; however, DLP detection entries are not available outside US region when using Customer Metadata Boundary.
43. You can bring your own certificate to Gateway but these cannot yet be restricted to a specific region.
44. Gateway HTTP (web traffic filtering) supports Regional Services. Gateway DNS (domain name filtering) does not yet support regionalization. ICMP proxy (forwarding network diagnostic traffic like ping) and Mesh proxy are not available to Regional Services users. File Sandboxing (an add-on that quarantines and scans suspicious files in an isolated environment) is incompatible with DLS.
45. Dashboard Analytics and Logs are empty when using CMB outside the US region. Use Logpush instead.