Cloudflare Workers vs AWS Lambda@Edge vs CloudFront Functions (2026)
Running logic at the edge — auth, redirects, A/B testing, geo-routing. Cloudflare Workers, Lambda@Edge, and CloudFront Functions all do this differently. Here's which one to choose and why.
Edge computing puts your code closer to users — reducing latency for auth checks, redirects, personalization, and request manipulation. Three major options exist in 2026: Cloudflare Workers, AWS Lambda@Edge, and CloudFront Functions. They look similar but have very different tradeoffs.
Quick Comparison
| Cloudflare Workers | Lambda@Edge | CloudFront Functions | |
|---|---|---|---|
| Runtime | V8 isolates (JS/Wasm/Python) | Node.js / Python | JS (ES5.1) |
| Cold starts | ~0ms (isolates, not containers) | 100ms–1s | ~1ms |
| Max execution time | 50ms CPU / 30s total | 5s (viewer) / 30s (origin) | 1ms CPU |
| Max memory | 128MB | 128MB–10GB | 2MB |
| Global PoPs | 300+ | ~450 CloudFront PoPs | ~450 CloudFront PoPs |
| Pricing | $0.30/million (free tier: 100k/day) | $0.60/million + Lambda charges | $0.10/million |
| KV storage | Workers KV (built-in) | DynamoDB (separate) | None |
| Subrequest support | Yes (fetch) | Yes (but adds latency) | No |
| Durable Objects | Yes | No | No |
| Node.js compatibility | Partial (Node compat mode) | Full | No |
Cloudflare Workers
Workers run at Cloudflare's edge network in 300+ cities. They use V8 isolates — not containers — which means true zero cold starts. A new isolate starts in microseconds.
Best For
- Auth/JWT validation at the edge
- Request/response transformation
- Geo-based routing
- A/B testing
- API proxying with caching
- Full edge apps (Workers + KV + D1 database + R2 storage)
Code Example
export default {
async fetch(request, env, ctx) {
const url = new URL(request.url)
// Geo-based routing
const country = request.cf?.country
if (country === 'IN') {
url.hostname = 'india.api.example.com'
return fetch(url.toString(), request)
}
// JWT validation
const token = request.headers.get('Authorization')?.replace('Bearer ', '')
if (!token || !isValidJWT(token, env.JWT_SECRET)) {
return new Response('Unauthorized', { status: 401 })
}
return fetch(request)
}
}Pricing
- Free tier: 100,000 requests/day, 10ms CPU time per request
- Paid: $5/month includes 10M requests, then $0.30/million
Strengths
- True zero cold starts
- Workers KV for edge caching (globally replicated key-value store)
- Durable Objects for stateful edge compute (real-time, coordination)
- Runs independent of your origin cloud provider
- R2 storage + D1 SQL database — full edge stack
Weaknesses
- Limited Node.js API compatibility (improving with compat mode)
- Workers KV is eventually consistent (not strongly consistent)
- Not ideal for CPU-heavy workloads (50ms CPU limit)
AWS Lambda@Edge
Lambda@Edge runs your Lambda functions at CloudFront edge locations. Unlike CloudFront Functions, it supports full Lambda runtime capabilities — Node.js or Python, larger packages, longer execution.
Best For
- Complex request manipulation requiring external calls
- Authentication that needs to call external identity providers
- Dynamic content assembly at the edge
- Image resizing/transformation (using Sharp or similar)
CloudFront Trigger Points
Viewer Request → runs on every request before CloudFront cache
Origin Request → runs only on cache miss, before going to origin
Origin Response → runs after origin responds, before caching
Viewer Response → runs on every response before sending to user
Code Example
// Viewer request — add auth header
exports.handler = async (event) => {
const request = event.Records[0].cf.request
const headers = request.headers
// Add internal auth header
headers['x-internal-auth'] = [{
key: 'X-Internal-Auth',
value: process.env.INTERNAL_TOKEN
}]
// Redirect www to non-www
const host = headers.host[0].value
if (host.startsWith('www.')) {
return {
status: '301',
headers: {
location: [{
key: 'Location',
value: `https://${host.slice(4)}${request.uri}`
}]
}
}
}
return request
}Pricing
- $0.60 per million requests + Lambda duration charges
- More expensive than CloudFront Functions for simple use cases
Strengths
- Full Lambda capabilities — install npm packages, use Python
- Longer execution time (5s for viewer events, 30s for origin)
- Larger package size (50MB zipped)
- Can make external network calls
Weaknesses
- Cold starts (100ms–1s for Node.js, worse for Python)
- Must be deployed to us-east-1, replicates globally (slow deployment)
- Tied to CloudFront — doesn't work without it
- More expensive than CloudFront Functions
CloudFront Functions
CloudFront Functions is AWS's answer to the "Lambda@Edge is too slow and expensive for simple redirects" problem. It runs in CloudFront's edge locations with sub-millisecond latency.
Best For
- URL rewrites and redirects
- Simple header manipulation
- Cache key normalization
- Basic request validation
Code Example
// URL normalization — remove trailing slash
function handler(event) {
var request = event.request
var uri = request.uri
// Remove trailing slash
if (uri.endsWith('/') && uri.length > 1) {
return {
statusCode: 301,
headers: {
location: { value: uri.slice(0, -1) }
}
}
}
// Add index.html for SPA routing
if (!uri.includes('.')) {
request.uri = '/index.html'
}
return request
}Pricing
- $0.10 per million invocations (cheapest of the three)
- Free tier: 2M invocations/month
Strengths
- Cheapest option
- Lowest latency (~1ms)
- Simple deployment alongside CloudFront
Weaknesses
- Very limited: no network calls, no external packages, no async
- JavaScript ES5.1 only (no modern JS features)
- 1ms CPU time limit (seriously limited)
- 2MB package size limit
Performance Comparison
| Scenario | Cloudflare Workers | Lambda@Edge | CF Functions |
|---|---|---|---|
| Simple redirect | ~0ms | 100-500ms | ~1ms |
| JWT validation (no external call) | ~1-2ms | 150-600ms | N/A (too complex) |
| Auth with external IdP call | 10-50ms | 200-1000ms | N/A |
| Image transform | Possible (WASM) | Best option | N/A |
Cold starts are the killer for Lambda@Edge on low-traffic routes. Cloudflare Workers' isolate model eliminates this entirely.
Which One to Choose
Choose Cloudflare Workers if:
- You want the best performance (zero cold starts)
- You're not locked into AWS
- You want a full edge stack (KV, D1, R2, Durable Objects)
- You need to run on non-AWS infrastructure
- Cost predictability matters (flat pricing)
Choose Lambda@Edge if:
- You're fully on AWS and want deep integration
- You need Node.js packages (Sharp for images, etc.)
- You need longer execution time
- Your use case requires more than 1ms CPU but less than 5s
Choose CloudFront Functions if:
- You only need simple URL rewrites/redirects
- You're already on CloudFront and want the cheapest option
- Latency is critical and logic is minimal
Multi-cloud teams: Cloudflare Workers is the most portable — not tied to any cloud provider.
Related: AWS Lambda vs Google Cloud Run vs Azure Functions | AWS VPC Networking Guide | Cloudflare vs AWS CloudFront CDN
Affiliate note: Cloudflare Workers free tier covers 100K requests/day — enough for testing and small production workloads. AWS CloudFront free tier includes 1TB data transfer and 10M CloudFront Functions invocations/month.
Today I Fixed
Short real fixes from production — posted daily
Stay ahead of the curve
Get the latest DevOps, Kubernetes, AWS, and AI/ML guides delivered straight to your inbox. No spam — just practical engineering content.
Related Articles
AWS CloudWatch: The Complete Monitoring Guide for DevOps Engineers (2026)
AWS CloudWatch is the central monitoring service for everything running on AWS. This guide covers metrics, logs, alarms, dashboards, Container Insights, and production best practices.
AWS DevOps Tools — CodePipeline to EKS Complete Overview
A complete guide to AWS DevOps services — CI/CD pipelines, container orchestration, infrastructure as code, monitoring, and security best practices.
AWS EKS vs Google GKE vs Azure AKS — Which Managed Kubernetes to Use in 2026?
Honest comparison of EKS, GKE, and AKS in 2026: pricing, developer experience, networking, autoscaling, and which one to pick for your use case.