Migrating AWS/Vercel to Cloudflare: a real playbook
Playbook for migrating a production app from AWS (Lambda, DynamoDB, RDS, S3, SQS, ElastiCache) to Cloudflare: per-primitive mapping, 3 strategies, cutover, rollback, 10 pitfalls....
Co-founder of Viet-AWS — AWS User Group Vietnam (52,000+ members, 200+ events) and AWS Study Group Vietnam. AWS APJ Community Leader 2024 (Deliver Results). Community contributor at VMUG. Writes here about Zero Trust, cloud security, and detection engineering from production work.
Per-primitive Cloudflare pricing (Workers, D1, KV, R2, Queues, DOs, Vectorize, Workers AI), tier breakpoints, AWS comparison, and 3 scale scenarios from blog to 100M req/month....
Defense-in-depth for Cloudflare Workers: WAF + Bot Management, Turnstile, Access JWT, secret management, CSP/HSTS, 4 auth patterns, Zod validation, and anti-patterns to avoid....
Cloudflare's 4 observability layers: Workers Logs (3-day retention), Tail Workers (realtime), Logpush (batch to R2/SIEM), Analytics Engine. Structured logging, alerts, debugging....
Cloudflare's 3 media products: Stream (video, HLS/DASH), Images (upload-transform-deliver), and Image Resizing / cf.image. Pipelines, pricing, and when to pick which....
Durable Objects are Cloudflare's single-writer primitive: 1 roomId = 1 instance, WebSocket Hibernation, persistent storage. 6 patterns, the API, and when DOs are overkill....
Vectorize is Cloudflare's native vector DB, paired with Workers AI bge-m3 for full-edge RAG. Ingest + query pipelines, chunking, metadata, hybrid search with D1, reranking....
Workers AI on edge GPUs, AI Gateway proxying OpenAI/Anthropic/Bedrock/Google with cache + rate limit + observability. Catalog, pricing, when to use which, retry/fallback....
A 4-step pipeline: test → build → deploy → smoke. Scoped API token, 19-assertion smoke test, concurrent lock, preview envs, 10-second rollback. Full workflow file from this blog....
Three full-stack frameworks on Workers differ in rendering, default JS, adapter, bindings. Real setup for each, SSG vs SSR vs hybrid, and why this blog picked Astro....
Three choices: raw SQL (0KB), Drizzle (10KB, TS-first), Prisma (500KB WASM). Workflow, complex queries, migrations, type safety, and when an ORM costs more than it helps....
Three options: vanilla fetch (0 bundle), Itty Router (3KB), Hono (13KB). Syntax, middleware, Zod validation, when to pick which, and why this blog uses vanilla at 40+ routes....
Two of the hardest Worker primitives. Queues for fire-and-forget jobs with retry and DLQ. Durable Objects for single-writer coordination. When to pick which, with real patterns....
R2 is Cloudflare's S3-compatible object storage with no egress fees. R2 vs S3 in real costs, 4 access patterns, S3 migration, and gotchas around consistency, metadata, lifecycle....
D1 is SQLite at the edge with a primary region and read replicas: architecture, the 5 query methods, Sessions API, prepared-statement cache, and 7 production gotchas....
Cloudflare KV is an eventually-consistent KV store with per-PoP caching. The real consistency model, limits that matter, 5 good patterns, 3 anti-patterns, and real gotchas....
The practical dev loop for Workers: wrangler init, local wrangler dev with Miniflare, vitest, D1 migrations, secrets, deploying to 300+ PoPs in 30 seconds. Plus CI/CD and gotchas....
A common frame for every Worker: Request is the entry point, Identity is who's calling, Storage is where you read and write. Applied to the Worker running this blog....
The fetch handler, ExecutionContext, waitUntil, subrequest limits, CPU vs wall time, real cold starts. Six misconceptions from Node/Lambda. Code samples from this blog's Worker....
Cloudflare is no longer just a CDN. Workers, D1, R2, KV, Queues, DOs, Workers AI, and Vectorize form an edge-native platform. The mental model, contrasted with Lambda....
Practical walk-through of AWS Security Maturity Model v2: 74 controls across four phases (Quick Wins, Foundational, Efficient, Optimized), real ordering, traps, and Org mapping....
Field notes from the AWS Security Maturity Model Assessment Tool across four phases (Quick Wins, Foundational, Efficient, Optimized): architecture, workflow, JSON/Excel export....
Email Security deep-dive for Cloudflare One: MX inline vs API journaling, the DMARC forwarder/subdomain trap, homoglyph FP calibration, user-report → retract under 1h....
DLP deep-dive for Cloudflare One: tuning from 55% to 3% false positives, regex vs Luhn vs context vs EDM, custom CCCD profile, Gateway HTTP inline vs CASB API....
CASB deep-dive for Cloudflare One from 3 rollouts: the 4 Gartner pillars, inline vs API, 8,000-finding first-scan shock, shadow IT, tenant-lock, when not to use CASB....
Browser Isolation deep dive for Cloudflare One: remote browser architecture (NVR), isolation triggers, data controls (copy/paste/print/download/keyboard), compliance, cost model....
Device posture deep dive for Zero Trust: WARP checks (OS, disk encryption, firewall), EDR integration, continuous verification in Access policy, and response to posture loss....
DEX deep dive for Cloudflare One: when control plane says UP but users say SLOW, latency-leg diagnosis (DNS/TCP/TLS/TTFB), SLO framework, and 5 failure modes DEX misses....
Logs deep dive for Cloudflare One: datasets, Logpush destinations (R2/S3/Splunk/Sentinel), cross-layer correlation, tiered retention, cost control, sample SIEM detection rules....
Network policy deep dive: blocking non-HTTP (SSH, RDP, SMTP), preventing DoH bypass, app rules for SaaS, WARP keeping user traffic on Gateway, prod checklist, hardening playbook....
HTTP inspection deep dive: installing the root CA (MDM, GPO), cert pinning gotchas, DLP patterns, CASB tenant control, legal/privacy guardrails, staged rollout, prod checklist....
Gateway DNS deep dive: resolver architecture, policy order, DoH per-device vs DNS location per-site, threat categories, custom lists, OS bypasses, SIEM pipeline, prod checklist....
Magic WAN deep dive: a network-layer replacement for SD-WAN/MPLS. Four tunnel options (IPsec, GRE, Anycast IP, CNI), BGP peering, multi-cloud, realistic migration playbook....
How KMS key-policy evaluation works: cross-account access, condition keys, grants, key rotation, production patterns. With JSON policy examples and a production checklist....
An auto-remediation pipeline for GuardDuty using EventBridge and Lambda: isolate instances, snapshot for forensics, revoke credentials, and scale it across an Organization....
WARP architecture, enrollment flow, device posture checkers (built-in vs CrowdStrike/Intune), split tunnel modes, Local Domain Fallback, DNS, MDM deployment, troubleshooting....
cloudflared daemon, ingress rules, HA replicas, non-HTTP (SSH/RDP/SMB), VPN migration, and troubleshooting six common cases. Tunnel is the connectivity foundation for Zero Trust....
SCIM closes the stale window: the IdP pushes updates in near-real time instead of Cloudflare pulling claims at login. Okta/Entra/Google setup, lifecycle phases, conflicts....
When the client is not a user. Service tokens vs mTLS, setup for both, a zero-downtime rotation strategy, audit logs, and common anti-patterns....
A matrix of the four most common IdPs with Cloudflare Access: OIDC vs SAML, per-IdP group claim pitfalls, claim mapping, group sync timing, multi-IdP patterns, prod checklist....
Replacing VPN for internal apps with Cloudflare Access: anatomy, login flow, 5-step setup (application, IdP, policy, Tunnel, test), policy evaluation order, and troubleshooting....
A framework for reasoning about every Cloudflare One feature: every request traverses four layers producing signals, and policy yields one of five outcomes. Rollout and debugging....
Four terms routinely conflated in RFPs, design docs, and vendor marketing. Their scope, when Gartner/Forrester defined them, how to use each correctly, and a decision tree....
A practical overview of Cloudflare One: SASE, SSE, Zero Trust, the six main product groups, how it compares to Zscaler and Netskope, and the mental model to have before deployment....
An AWS-native solution for rotating, disabling, and deleting IAM access keys on policy — the multi-account architecture, trade-offs, and what operating it actually takes....
Useful ideas, lessons, and discoveries worth sharing — the English edition....
Workload Identity Federation deep dive: why Service Account Keys are an anti-pattern, AWS STS → Google STS exchange, attribute mapping, impersonation, threat model, Terraform....
Two themes, one build, no flash — the one config snippet you need for Shiki with a light/dark Astro blog....
How I built an in-house CSPM engine scanning many AWS Landing Zones in parallel with Prowler, storing findings in D1 and artifacts in R2, into one Security Operations dashboard....
Why the switch made sense, the practical trade-offs, and a handful of small configuration details that would have saved debugging time up front....
What actually worked, what didn't live up to expectation, and the operational lessons from rolling out Cloudflare Zero Trust across an organisation of thousands....
Composite primary keys, when FTS is still worth it, why intuition is a bad guide for indexing, and why row counts at the edge matter more than they look....