Cloudflare for Saudi Arabia: DDoS, WAF, and Data Sovereignty

Cloudflare runs three in-country data centers in Saudi Arabia (Riyadh, Jeddah, Dammam) and 17 points of presence across MENA, supports Regional Services for keeping inspection of customer data inside Saudi jurisdiction, and blocked an average of 9.5 billion threats per day across the region in late 2023. For a Saudi business running a public booking, payment, or e-commerce platform, that combination delivers the lowest-latency edge available, meaningful Layer 7 DDoS protection in the most-attacked country in MENA, and a path to data residency that aligns with NCA and PDPL expectations. The deployment that matters: proxied DNS, WAF with managed and custom rules, Layer 7 DDoS sensitivity tuned per hostname, and Rate Limiting on login, OTP, and payment endpoints.

Saudi Arabia recorded the highest DDoS attack volume in the MENA region in H1 2025 with over 270,000 attacks, and regional application-layer attacks surged 236% year-on-year. For Saudi businesses, the question is no longer whether you need edge protection. It is which provider, and what exactly to deploy. This is the guide for that decision.

Does Cloudflare have data centers in Saudi Arabia?

Yes. Three of them: Riyadh, Jeddah, and Dammam. Cloudflare’s network spans 17 locations across the Middle East including Dubai, Doha, Kuwait City, Muscat, Manama, Amman, Beirut, Baghdad, and Erbil. The Riyadh data center launched as Cloudflare’s data center number 126 and was the first in-country Saudi presence. Jeddah and Dammam followed.

The Jeddah opening was measured publicly: it improved median TCP RTT latency from 81 milliseconds to 60 milliseconds for Saudi users, a 26 percent improvement, and now serves close to 10 million requests per day in that single location. For comparison, AWS CloudFront’s nearest historical edge locations were in Bahrain and the UAE, which adds a noticeable hop for Saudi users.

A practical implication: for a Saudi business with mostly Saudi users, Cloudflare typically delivers lower TLS handshake and TTFB times than CDN alternatives, because the edge is physically closer.

What is the Saudi threat landscape Cloudflare protects against?

Three numbers worth banking:

1. 270,000+ DDoS attacks observed against Saudi targets in H1 2025, the highest in the MENA region according to industry threat reports.
2. MENA application-layer (Layer 7) DDoS attacks up 236% year-on-year in Q2 2025, the highest on record.
3. 94% of web DDoS attacks now run under 100,000 requests per second, which means smaller, more persistent attacks designed to evade legacy detection thresholds.

The shift from terabit-per-second floods to smaller, persistent L7 attacks is the most important threat trend for Saudi businesses. Legacy DDoS protection optimised for headline-grabbing volumetric attacks misses these. Cloudflare’s Layer 7 DDoS protection is automated, anomaly-driven, and tuned to the smaller-and-more-frequent profile that now dominates.

Beyond DDoS, Saudi businesses face the same WAF threats as anywhere else (OWASP Top 10), plus a regional concentration of credential stuffing against high-value consumer platforms, and aggressive scraping of pricing data on mobility, e-commerce, and travel sites. The combined defence is WAF + bot management + rate limiting, not any single product.

Is Cloudflare PDPL compliant and what about NCA requirements?

Cloudflare offers Regional Services, a configuration option that restricts inspection of HTTPS traffic to data centers within a specified jurisdictional boundary. Saudi Arabia is one of the supported regions. With Regional Services enabled for KSA, customer traffic is decrypted and inspected only inside Saudi data centers, which is the technical foundation for PDPL data residency claims.

Compliance is not just a vendor checkbox. PDPL (Saudi Arabia’s Personal Data Protection Law) and NCA (National Cybersecurity Authority) controls require organisations to be able to demonstrate where personal data is processed and stored, and to have controls on cross-border transfers. Regional Services gives you a defensible answer for the edge layer. The full compliance picture includes your origin storage, your logging destinations, and your data processing agreement with Cloudflare, which is a conversation with their compliance team.

What this does not do automatically: it does not move your DNS records out of Cloudflare’s global anycast (the DNS layer is global by design), and it does not change where Cloudflare logs are stored unless you also configure Logpush to a Saudi destination. The official Cloudflare Regional Services documentation covers the boundaries.

What should a Saudi business deploy first?

The high-impact, low-risk first deployment for a Saudi consumer or B2B platform:

1. DNS migration to Cloudflare with proxy (orange cloud) on all customer-facing hostnames
2. Cloudflare Managed Ruleset + OWASP Core Rule Set on the WAF, log mode for two weeks, then block
3. Custom WAF rules for the specific business logic: geo-restrict corporate B2B portals to allowed GCC countries, IP-allow-list admin paths to office IPs, block scraper user agents on pricing endpoints
4. Super Bot Fight Mode in challenge mode initially, tuned per endpoint after two weeks
5. Rate Limiting on login (per IP and per username), OTP request (per phone and per IP, protects your SMS bill), password reset, booking creation, payment API, and coupon apply
6. Layer 7 DDoS sensitivity set to high on customer-facing hostnames, lower on internal hostnames
7. Lock the origin firewall to Cloudflare’s published IP ranges so attackers cannot bypass the edge by hitting the origin IP directly
8. CDN with Brotli and HTTP/3 enabled for cacheable booking and listing pages
9. Regional Services enabled if PDPL data residency matters to your customers
10. Logpush to your SIEM for incident investigation and retention

For the detailed deployment order and what each control catches, see our Cloudflare WAF setup guide for booking and payment platforms. For bot management specifically, our Super Bot Fight Mode tuning guide covers endpoint-specific rules.

What does this look like in production for a Saudi business?

We documented a six-week deployment for a Saudi mobility platform behind Cloudflare: 12 million malicious requests blocked per month, scraper traffic to origin dropped from 38% of total requests to under 3%, six Layer 7 DDoS attempts auto-mitigated in the first 90 days (largest at 84,000 requests per second), origin bandwidth cut 62% through CDN offload, median TTFB improved from 380 milliseconds to 95 milliseconds, and 100% uptime through the December 2025 launch and the Riyadh Season demand spike.

The same controls translate directly to other Saudi verticals: e-commerce (Black Friday and Ramadan demand), fintech and payment platforms, government-facing portals, healthcare appointment systems, and SaaS platforms serving the GCC.

How does Cloudflare compare to AWS for a Saudi deployment?

AWS has had a Saudi region since 2024 (AWS Region in Riyadh) and offers AWS Shield, AWS WAF, and CloudFront for edge and security. For Saudi businesses already deeply on AWS, AWS WAF with Shield Advanced is a credible alternative. For multi-cloud or non-AWS-hosted platforms, or for businesses that want bundled bot management and DDoS in one product, Cloudflare is usually the cleaner choice.

The pricing and architectural trade-offs are covered in our Cloudflare WAF vs AWS WAF 2026 comparison. The short version: AWS WAF wins when you are fully AWS-native and your compliance requires AWS-native controls. Cloudflare wins for multi-cloud, hybrid origins, and when bot management is a first-class need.

Common mistakes Saudi businesses make with Cloudflare

Putting Cloudflare in front of the platform but leaving the origin IP reachable from the public internet. Without locking the origin firewall to Cloudflare’s IP ranges, an attacker who finds the origin IP (historical DNS records, mail server SPF, leaked configuration) can bypass the entire edge. Always restrict origin ingress to Cloudflare’s published IPs after the proxy is enabled.

Enabling Regional Services without verifying logs and DNS destinations. Regional Services scopes traffic inspection. It does not automatically move your log destinations or change the DNS anycast layer. PDPL data residency requires the whole chain.

Treating Cloudflare as a CDN and ignoring the security layer. Cloudflare’s CDN is excellent for performance, but the WAF, bot management, rate limiting, and Layer 7 DDoS are where the value sits for Saudi businesses facing the regional threat profile. Enable all of them, not just the CDN.

Setting the bot management to “block everything automated” globally. It catches your monitoring, payment provider webhooks, and search crawlers. Tune by endpoint, allow-list verified bots.

Forgetting to plan for incidents. Cloudflare auto-mitigates most Layer 7 attacks, but the runbook for what happens when something does get through, who watches the dashboards, and how the team responds to a customer-reported block needs to exist before the first incident.

Related work

For broader cloud-migration strategy when moving a Saudi workload to a Cloudflare-fronted architecture, see our cloud migration services. For the full edge plus origin security posture, our cybersecurity services cover both layers. For Saudi businesses specifically operating Kubernetes workloads, our Kubernetes security services cover the cluster layer that sits behind Cloudflare.

---

Need a Cloudflare Deployment Built for Saudi Arabia?

The Cloudflare product set covers the technical requirements of a Saudi-facing edge well. The work is in the deployment: the custom rules that match Saudi business logic, the bot management tuned to your traffic, the rate limits that protect your local SMS gateway from OTP abuse, the Regional Services configuration that supports your PDPL position, and the runbook your team operates after we leave.

Tasrie IT Services provides comprehensive Cloudflare managed services for Saudi and UAE businesses to help you:

• Deploy Cloudflare correctly for the Saudi threat landscape, with WAF, bot management, Layer 7 DDoS, and Rate Limiting tuned to your real traffic before blocking is enabled
• Configure Regional Services so customer data inspection stays inside Saudi jurisdiction, with a documented data flow that supports PDPL and NCA conversations
• Hand over runbooks and dashboards so your security and platform teams operate the edge independently after go-live

We have delivered the same playbook for mobility, booking, e-commerce, and B2B platforms across KSA, including the engagement documented in our Saudi mobility platform case study.

Talk to our team about your Cloudflare deployment in Saudi Arabia