Enforcement Engine
Overview
Welcome to Phase 2 of the Ops Automation workshop! In this phase, you'll build an Enforcement Engine that works together with the Intelligence Collector from Phase 1 to enforce security policies automatically, based on the threat intelligence the collector produces.
What You'll Build
The Enforcement Engine is a separate Cloudflare Worker that:
- Fetches threat data from your Intelligence Collector via API calls
- Applies graduated responses based on threat confidence scores
- Updates Cloudflare IP Lists for real-world enforcement
- Provides testing endpoints to verify effectiveness
- Maintains enforcement statistics for visibility
Key Learning Objectives
By the end of this phase, you will understand:
- Microservices Communication - How to design clean API contracts between services
- Graduated Security Response - Moving beyond binary block/allow decisions
- Third-Party API Integration - Real-world Cloudflare API usage patterns
- Production Error Handling - Building resilient service architectures
- Security Automation - Balancing automation with human oversight
- Testing Strategy - Building testable security systems from day one
Architecture Overview
Intelligence Collector → Enforcement Engine → Cloudflare API → Security Rules
- Intelligence Collector: threat data and confidence scores on a 0-5 scale
- Enforcement Engine: score-based decision logic (Block / Challenge / Rate Limit / Log)
- Cloudflare API: IP Lists management, producing live rules
- Security Rules: applied to real traffic, giving measurable protection
Response Level Strategy
The Enforcement Engine implements a graduated response system based on threat confidence scores:
| Score | Response Level | Action | Description |
|---|---|---|---|
| 4+ | BLOCK | Deny immediately | High confidence from multiple sources |
| 2-3 | CHALLENGE | Require CAPTCHA | Medium confidence, human verification |
| 1 | RATE_LIMIT | Throttle to 10 req/min | Low confidence, limit impact |
| 0 or Whitelisted | LOG_ONLY | Allow with logging | Clean IP or protected |
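The mapping in the table, as an added TypeScript example (not code from the workshop): score normalisation, the four response levels, and the whitelist override that is applied before any score is consulted. The whitelist format (exact IPv4 address or IPv4 CIDR), the function names and the handling of out-of-range or non-numeric scores are assumptions made here for illustration.

```typescript
// Added example: graduated response decision for the Enforcement Engine.
// Thresholds follow the workshop table; the whitelist format (IPv4 or IPv4 CIDR)
// and the helper names are assumptions for illustration.

export type ResponseLevel = "BLOCK" | "CHALLENGE" | "RATE_LIMIT" | "LOG_ONLY";

export interface Decision {
  ip: string;
  score: number;        // normalised to an integer in 0..5
  level: ResponseLevel;
  reason: string;       // audit-trail text recorded with every decision
}

// Dotted-quad IPv4 to an unsigned 32-bit integer; null if the string is not an IPv4 address.
export function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const octet = Number(p);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value >>> 0;
}

// True if `ip` falls inside `entry`, where entry is "a.b.c.d" or "a.b.c.d/len".
// Malformed entries never match, so a typo in the whitelist cannot exempt everyone.
export function matchesWhitelistEntry(ip: string, entry: string): boolean {
  const [base, lenText] = entry.split("/");
  const prefixLen = lenText === undefined ? 32 : Number(lenText);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  if (!Number.isInteger(prefixLen) || prefixLen < 0 || prefixLen > 32) return false;
  if (prefixLen === 0) return true; // explicit "match everything" entry
  const mask = (0xffffffff << (32 - prefixLen)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Clamp whatever the collector sent into the documented 0..5 integer scale.
// A missing or unparseable score is not trusted to block anyone: it becomes 0 (LOG_ONLY).
export function normaliseScore(raw: unknown): number {
  const n = typeof raw === "number" ? raw : Number(raw);
  if (!Number.isFinite(n)) return 0;
  return Math.min(5, Math.max(0, Math.floor(n)));
}

export function levelForScore(score: number): ResponseLevel {
  if (score >= 4) return "BLOCK";
  if (score >= 2) return "CHALLENGE";
  if (score >= 1) return "RATE_LIMIT";
  return "LOG_ONLY";
}

// Whitelist is checked first: a whitelisted IP is LOG_ONLY regardless of its score.
export function decide(ip: string, rawScore: unknown, whitelist: string[]): Decision {
  const score = normaliseScore(rawScore);
  const hit = whitelist.find((entry) => matchesWhitelistEntry(ip, entry));
  if (hit !== undefined) {
    return { ip, score, level: "LOG_ONLY", reason: `whitelisted by ${hit} (score ${score} ignored)` };
  }
  return { ip, score, level: levelForScore(score), reason: `score ${score}` };
}
```

The `reason` string is what the audit trail should carry: when a high-scoring IP is later found to have been let through, the log shows which whitelist entry did it. Note that a whitelist entry written as `0.0.0.0/0` disables enforcement entirely, which is exactly why the whitelist needs the same change control as the API token.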
Workshop Structure
This phase is divided into 6 focused sections:
1. Setup & Configuration (5 min)
   - Create new Worker project
   - Configure KV storage and secrets
   - Install Cloudflare TypeScript SDK
2. Graduated Response System (10 min)
   - Implement response level logic
   - Create threat score mapping
   - Add whitelist override handling
3. Cloudflare API Integration (15 min)
   - Build IP Lists management class
   - Handle batch updates and API limits
   - Implement error handling and retries
4. Inter-Service Communication (10 min)
   - Fetch threat data from Intelligence Collector
   - Handle HTTP communication and timeouts
   - Process JSON responses with validation
5. Testing & Verification (5 min)
   - Build simulation endpoints
   - Create enforcement metrics
   - Add manual testing capabilities
6. Deployment & Integration (5 min)
   - Deploy the complete system
   - Test end-to-end functionality
   - Verify enforcement effectiveness
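Section 4 (inter-service communication) in working form, as an added TypeScript example that is not the workshop's code: a fetch to the Intelligence Collector with a hard timeout, strict validation of every record in the JSON body, and a degraded result when the collector is down or returns garbage. The endpoint path `/api/threats`, the body shape `{threats: [{ip, score, sources}]}` and the bearer-token header are assumptions for illustration, not the Phase 1 Worker's real contract.

```typescript
// Added example: fetching threat data from the Intelligence Collector.
// Endpoint path, JSON shape and auth header are assumptions, not the Phase 1 contract.

export interface Threat { ip: string; score: number; sources: string[]; }

export interface CollectorResult {
  threats: Threat[];
  degraded: boolean;   // true when the collector was unreachable or its response was unusable
  error?: string;
}

type FetchLike = (input: string, init?: RequestInit) => Promise<Response>;

const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// Validate one untrusted record from the collector; null if it is not usable.
export function parseThreat(raw: unknown): Threat | null {
  if (typeof raw !== "object" || raw === null) return null;
  const r = raw as Record<string, unknown>;
  if (typeof r.ip !== "string" || !IPV4.test(r.ip)) return null;
  if (typeof r.score !== "number" || !Number.isInteger(r.score) || r.score < 0 || r.score > 5) return null;
  const sources = Array.isArray(r.sources)
    ? r.sources.filter((s): s is string => typeof s === "string")
    : [];
  return { ip: r.ip, score: r.score, sources };
}

// Parse the whole body, dropping malformed entries instead of rejecting the batch.
export function parseCollectorBody(body: unknown): Threat[] {
  if (typeof body !== "object" || body === null) return [];
  const list = (body as Record<string, unknown>).threats;
  if (!Array.isArray(list)) return [];
  const out: Threat[] = [];
  for (const item of list) {
    const t = parseThreat(item);
    if (t !== null) out.push(t);
  }
  return out;
}

// On any failure the result is `degraded` with an empty list. Callers must treat that as
// "no new intelligence" and keep the existing IP list, never as "no threats, clear the list".
export async function fetchThreats(
  collectorUrl: string,
  serviceToken: string,
  timeoutMs = 5000,
  fetchImpl: FetchLike = fetch,
): Promise<CollectorResult> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(`${collectorUrl}/api/threats`, {
      headers: { Authorization: `Bearer ${serviceToken}`, Accept: "application/json" },
      signal: controller.signal,
    });
    if (!res.ok) return { threats: [], degraded: true, error: `collector returned HTTP ${res.status}` };
    const body: unknown = await res.json(); // throws on invalid JSON, handled below
    return { threats: parseCollectorBody(body), degraded: false };
  } catch (err) {
    const msg = err instanceof Error ? err.message : String(err);
    return { threats: [], degraded: true, error: msg };
  } finally {
    clearTimeout(timer);
  }
}
```

The `fetchImpl` parameter is what makes this testable without a deployed collector: a simulation endpoint can pass a fake that returns canned bodies, a 503, or never resolves until the abort signal fires.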
Key Design Principles
1. Separation of Concerns
- Enforcement Engine is completely separate from Intelligence Collector
- Each service has its own data store and responsibilities
- Clean API boundaries between services
2. Security-First Approach
- Whitelist always overrides threat intelligence (safety first); this also means the whitelist itself must be as tightly controlled as the API token, since anyone who can add an entry can exempt an attacker
- Only Enforcement Engine needs sensitive API tokens
- Comprehensive audit trail for all actions
3. Production-Ready Patterns
- Graceful degradation when dependencies fail
- Proper error handling with actionable messages
- API rate limit awareness and backoff strategies
4. Testing-Friendly Design
- Built-in simulation endpoints for demonstrations
- Real-time status checking capabilities
- Metrics collection for effectiveness measurement
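Section 3 (Cloudflare API integration) together with the production-ready patterns above, as an added TypeScript example that is not the workshop's code: an IP Lists client that de-duplicates and batches items, retries only on 429 and 5xx responses, honours `Retry-After` and otherwise backs off exponentially, and gives up with an actionable error after a fixed number of attempts. The endpoint shape follows Cloudflare's Lists API (`POST /accounts/{account_id}/rules/lists/{list_id}/items` with a JSON array of `{ip, comment}` objects); the batch size, backoff constants and the injectable `fetch`/`sleep` functions are assumptions for illustration, not values the workshop prescribes.

```typescript
// Added example: batched, retrying writes to a Cloudflare IP List.
// Endpoint per Cloudflare's Lists API; batch size and backoff constants are assumptions.

export interface ListItem { ip: string; comment: string; }
export interface PushStats { batches: number; items: number; retries: number; }

type FetchLike = (input: string, init?: RequestInit) => Promise<Response>;
type SleepLike = (ms: number) => Promise<void>;

const defaultSleep: SleepLike = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

export function chunk<T>(items: T[], size: number): T[][] {
  const out: T[][] = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Delay before the next attempt: honour Retry-After (seconds) if present, else exponential.
export function backoffMs(attempt: number, retryAfter: string | null, baseMs = 500): number {
  const ra = retryAfter === null ? NaN : Number(retryAfter);
  if (Number.isFinite(ra) && ra >= 0) return ra * 1000;
  return baseMs * 2 ** attempt;
}

export class IpListClient {
  constructor(
    private readonly accountId: string,
    private readonly listId: string,
    private readonly apiToken: string,   // only this Worker holds it (see design principle 2)
    private readonly fetchImpl: FetchLike = fetch,
    private readonly sleep: SleepLike = defaultSleep,
  ) {}

  private get itemsUrl(): string {
    return `https://api.cloudflare.com/client/v4/accounts/${this.accountId}/rules/lists/${this.listId}/items`;
  }

  // One batch with retries. 429 and 5xx are transient; any other 4xx is a caller bug
  // (bad token, bad list id, malformed item) and retrying it only burns rate limit.
  private async postBatch(batch: ListItem[], maxAttempts: number): Promise<number> {
    let retries = 0;
    for (let attempt = 0; ; attempt++) {
      const res = await this.fetchImpl(this.itemsUrl, {
        method: "POST",
        headers: { Authorization: `Bearer ${this.apiToken}`, "Content-Type": "application/json" },
        body: JSON.stringify(batch),
      });
      if (res.ok) return retries;
      const retryable = res.status === 429 || res.status >= 500;
      if (!retryable || attempt + 1 >= maxAttempts) {
        throw new Error(`IP list ${this.listId}: HTTP ${res.status} after ${attempt + 1} attempt(s), batch of ${batch.length} not applied`);
      }
      retries++;
      await this.sleep(backoffMs(attempt, res.headers.get("retry-after")));
    }
  }

  async addItems(items: ListItem[], batchSize = 1000, maxAttempts = 4): Promise<PushStats> {
    // De-duplicate first: the same IP reported by two feeds must not become two list entries.
    const seen = new Set<string>();
    const unique: ListItem[] = [];
    for (const it of items) {
      if (!seen.has(it.ip)) { seen.add(it.ip); unique.push(it); }
    }
    const stats: PushStats = { batches: 0, items: 0, retries: 0 };
    for (const batch of chunk(unique, batchSize)) {
      stats.retries += await this.postBatch(batch, maxAttempts);
      stats.batches++;
      stats.items += batch.length;
    }
    return stats;
  }
}
```

The returned `PushStats` are the raw material for the enforcement metrics in section 5; a rising `retries` count is the early warning that the Worker is approaching the API's rate limit.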
Prerequisites
Before starting this phase, ensure you have completed:
- ✅ Phase 1: Intelligence Collector - Your Intelligence Collector Worker should be deployed and returning threat data
- ✅ Cloudflare API Token - With permissions for IP Lists management
- ✅ Account ID - Your Cloudflare account identifier
Time Allocation
- Total Duration: 45 minutes
- Hands-on Implementation: 35 minutes
- Testing & Verification: 10 minutes
Let's begin with setting up your Enforcement Engine project!