Cloudflare for Neo4j — Vendor Consolidation Executive Brief

Why this matters now

Context from neo4j.com, the Neo4j newsroom and public filings — June 2026.

Neo4j has repositioned the graph database as “the knowledge layer that makes AI accurate” — powering Agentic GraphRAG so LLMs and agents reason over connected enterprise data. That puts Neo4j squarely in the path of customer AI traffic, where governance, cost control and audit logging matter as much as latency.

Recent signals: Neo4j is acquiring GraphAware (intelligence-analysis software for government agencies) — raising the bar on security and access control; an IDC study validated $4M in annual value and a 7.8-month payback; and the platform now spans 80+ of the Fortune 100, 300k developers and 170+ partners (Merck, Uber, BNP Paribas, Intuit, Transport for London).

The opportunity: Neo4j already trusts Cloudflare for apex DNS and edge, but its public surface is split across AWS CloudFront + ALB, Auth0, Google Workspace, Atlassian, Salesforce and more. Consolidating onto Cloudflare cuts a second CDN bill, removes egress tax, and unifies security and AI governance under one control plane — without touching the graph engine itself.

From vendor sprawl to one network

Every vendor below was identified from public DNS, HTTP headers and the live neo4j.com page on 2026-06-16. The right is where it all can live.

8 vendors → 1 network

CloudflareDNS + edge · today

AWS CloudFrontwww / assets CDN

AWS ALBorigin load balancer

Auth0identity

Google Workspaceemail

Atlassian JSMhelp / support

Salesforceservice cloud

VWOA/B testing

Cloudflare one network · one bill · one control plane

Goal: collapse the second CDN + egress tax

Eight consolidation plays

Each maps to something Neo4j is running today — observed on neo4j.com, never assumed.

One CDN — collapse AWS CloudFront

↳ replaces AWS CloudFront

Neo4j already pays Cloudflare for the apex, but www, auth, assets and media still resolve to CloudFront. Point those hostnames at Cloudflare and run a single edge — one cache, one WAF, one bill.

Identified: www/auth/assets/media → *.cloudfront.net
via: CloudFront + x-amz-cf-pop on www responses
Apex already on Cloudflare (cf-ray present) — finish the job

R2 — egress-free asset & docs origin

↳ offloads AWS S3 / CloudFront egress

The marketing and docs assets on dist.neo4j.com are served from AWS through CloudFront. R2 charges $0 egress — an ideal origin for assets, docs, downloads and database backups feeding the web.

Identified: dist.neo4j.com assets delivered via CloudFront
S3-compatible API; zero egress fees; natural origin for the edge
Fits a platform that markets 100s TB graph scale

Shield the AWS origin

↳ augments AWS (keep your origin)

Responses set an AWSALB cookie — the public site fronts an AWS Application Load Balancer. Keep AWS, but hide it: Magic Transit / Aegis put Cloudflare’s L3-L7 DDoS and origin cloaking in front of it.

Identified: AWSALB / AWSALBCORS cookies on responses
Origin IP cloaking; only Cloudflare can reach the ALB
Unmetered DDoS mitigation at the network edge

API Shield for Aura & console

↳ Cloudflare API Shield

The most-loaded third-party origin on the homepage is console.neo4j.io — the AuraDB control plane. API Shield discovers every endpoint and enforces schema, auth and volumetric limits inline at the edge.

Identified: console.neo4j.io called 9× from the page
Automatic API discovery + schema validation
mTLS & JWT validation; block BOLA & abuse before origin

Bot Management + WAF for the dev funnel

↳ protect signup, docs & GraphAcademy

With 300k developers and open docs, GraphAcademy and a public signup, the funnel is a magnet for scrapers, credential stuffing and fake-account abuse. WAF + Bot Management filter it before it hits origin or Auth0.

Identified: login.neo4j.com signup (Auth0) + public docs
ML bot scoring stops scripted signups & content scraping
Managed WAF rulesets + rate limiting on hot paths

Zero Trust Access for internal SaaS

↳ gate Atlassian, Salesforce & SalesHood

Support and enablement run on external SaaS — help.neo4j.com (Atlassian), support.neo4j.com (Salesforce Service Cloud) and SalesHood. Cloudflare Access puts identity-aware, device-posture-checked gates in front of each.

Identified: help → saas.atlassian.com; support → siteforce.com
Identified: .saleshood.com in the site CSP
One policy engine; SSO + device posture; full access logs

AI Gateway — govern the GraphRAG calls

Cost control · audit · safe agents

Neo4j’s whole story is the knowledge layer for AI and Agentic GraphRAG. You own the graph — Cloudflare AI Gateway puts a governed front door on the LLM/agent calls around it: caching, rate-limits, spend caps and full request logging.

Observed: homepage centers on “knowledge layer for AI” + GraphRAG
One pane of glass + logs across any model provider
MCP servers fronted by Zero Trust — no open data paths
Complements the graph; never competes with it

Email Security on Google Workspace

↳ augments Google Workspace

Mail runs on Google Workspace with DMARC managed via EasyDMARC. Cloudflare Email Security layers in front to stop phishing, BEC and malicious links — critical as Neo4j moves into government-grade intelligence work.

Identified: MX ASPMX.L.GOOGLE.com (Google Workspace)
Identified: SPF include:…easydmarc.pro
Pre-delivery phishing/BEC detection; no MX cutover required

Consolidation roadmap

Sequenced for Neo4j’s actual stack — finish the edge, then secure the platform, then govern AI.

First 90 days

Finish the single edge

Move www / assets / media off CloudFront onto Cloudflare
Stand up R2 as the origin for dist.neo4j.com assets
WAF + Bot Management on signup, docs & GraphAcademy
Baseline analytics & cache tuning on one CDN

By 6 months

Secure the platform

API Shield discovery + schema on console.neo4j.io / Aura
Magic Transit / Aegis to cloak & protect the AWS ALB origin
Zero Trust Access in front of Atlassian, Salesforce, SalesHood
Email Security layered onto Google Workspace

By 12 months

Govern AI & consolidate

AI Gateway in front of GraphRAG / agent LLM calls; first MCP servers
Decommission AWS CloudFront entirely — single CDN
One control plane + unified logging for security & audit
Single Cloudflare commercial agreement

Consolidation snapshot

Current-state vendors are evidence-based; nothing here is assumed.

Function	Today	How it was identified	On Cloudflare
CDN / edge	Cloudflare + AWS CloudFront	cf-ray on apex; www/assets → cloudfront.net; x-amz-cf-pop	Consolidate on Cloudflare
Origin load balancer	AWS ALB	AWSALB / AWSALBCORS cookies	Magic Transit / Aegis (shield)
Asset / docs storage	AWS (dist.neo4j.com)	dist.neo4j.com served via CloudFront	R2 (egress-free)
Product APIs	console.neo4j.io / Aura	most-loaded origin on homepage (9×)	API Shield
Identity	Auth0	login.neo4j.com → edge.tenants.auth0.com	Access / Zero Trust (augment)
Email	Google Workspace	MX ASPMX.L.GOOGLE.com; SPF easydmarc.pro	Email Security (augment)
Support / help	Atlassian JSM + Salesforce	help → saas.atlassian.com; support → siteforce.com	Zero Trust Access
Sales enablement	SalesHood	.saleshood.com in CSP	Zero Trust Access
A/B testing	VWO	dev.visualwebsiteoptimizer.com on page	Workers (edge experiments)
AI / GraphRAG traffic	Ungoverned LLM calls	“knowledge layer for AI” positioning	AI Gateway (augment)

One network for Neo4j’s edge, storage, APIs & AI governance.