World

Cloudflare outage disrupts apps and sites

Scheduled maintenance at Portland data center cited, internet decentralization looks contractual

Images

Cloudflare, a widely-used web infrastructure and security service, experienced issues on February 20, 2026 that caused some users to report service disruptions on apps and websites (Copyright 2022 The Associated Press. All rights reserved) Cloudflare, a widely-used web infrastructure and security service, experienced issues on February 20, 2026 that caused some users to report service disruptions on apps and websites (Copyright 2022 The Associated Press. All rights reserved) independent.co.uk

A brief Cloudflare disruption on Friday again demonstrated how much of the modern internet is, in practice, a handful of outsourced chokepoints.

According to The Independent, users began reporting errors and timeouts across Cloudflare’s network and services on February 20, with knock-on complaints involving UberEats, Bet365, and Valve’s Steam platform. Cloudflare acknowledged “issues with our services and/or network” and said it was working to restore service, while noting it had scheduled maintenance underway at a Portland, Oregon data center—though it did not confirm a direct causal link.

The incident was smaller than Cloudflare’s more dramatic outages in November and early December, The Independent notes, with DownDetector reports peaking below 500 this time versus roughly 11,000 in November. But the scale is almost beside the point: even a modest impairment at a single infrastructure vendor can present as “the internet is down” for end users.

Cloudflare is not a single product; it is a stack. Many customers route DNS through Cloudflare, terminate TLS and apply DDoS mitigation and bot filtering via its reverse-proxy/WAF, and increasingly run application logic on Cloudflare Workers. Others use Cloudflare Zero Trust as an identity-aware gateway for internal apps. When any of these layers degrade—DNS resolution, edge proxying, WAF rule evaluation, or edge compute—the failure can cascade outward into unrelated brands that share one dependency.

And the incentives are obvious. Outsourcing to a global CDN/WAF reduces latency, simplifies security posture, and shifts operational burden to a specialist with massive peering and anycast reach. The tradeoff is that “resilience” becomes a line item purchased from the same few intermediaries everyone else buys from. The market has converged on economies of scale, and the result is a de facto single point of failure—sometimes two, if a company is wealthy enough to multi-home.

This is where the irony lands: the centralization isn’t imposed by a regulator; it’s voluntarily adopted by firms that prefer predictable costs and outsourced risk. Yet once half the web sits behind one gatekeeper, that gatekeeper acquires quasi-regulatory power anyway—through default security settings, traffic classification, abuse policies, and the simple fact that an outage in Portland can briefly feel like a policy decision everywhere.

Friday’s disruption will be written up as an operational incident. The more durable story is structural: the internet’s “decentralized” mythology increasingly runs on centralized service contracts.