When configuring your DNS settings in Cloudflare, you’ll notice two small cloud icons next to each DNS record: an orange cloud and a grey cloud. At first glance, these may seem like minor visual indicators, but they carry significant meaning for how your traffic is routed, how your site is protected, and how performance optimizations are applied.
Understanding the difference between Cloudflare’s orange and grey clouds is essential for managing DNS effectively, optimizing site performance, enabling security features, and avoiding unintended service disruptions.
What Do the Orange and Grey Cloud Icons Mean?
In the Cloudflare DNS dashboard, each DNS record (typically A, CNAME, AAAA) has a toggle in the form of a cloud icon. This toggle controls whether or not Cloudflare acts as a reverse proxy for that record.
Orange Cloud (Proxied)
When the cloud icon is orange, it means the DNS record is proxied through Cloudflare. In this mode, Cloudflare acts as an intermediary between visitors and your origin server.
Key features enabled:
- Full use of Cloudflare’s CDN and caching
- DDoS protection and Web Application Firewall (WAF)
- SSL/TLS encryption termination (HTTPS handled by Cloudflare)
- IP masking (hides your origin server’s IP address)
- Performance features like Brotli compression, Rocket Loader, and image optimization
- Page rules, redirects, firewall rules, and security features
This is the most commonly used mode for public-facing websites because it adds both performance and protection layers.
Grey Cloud (DNS Only)
When the cloud icon is grey, the DNS record is not proxied by Cloudflare. Cloudflare simply serves DNS resolution, pointing clients directly to the origin IP address.
Key characteristics:
- No caching or acceleration by Cloudflare
- No DDoS or security protection
- Real IP address is exposed
- DNS management is still handled via Cloudflare
- Useful for services that don’t work with reverse proxies (e.g., mail servers, FTP, some APIs)
Grey-clouded records are appropriate for backend services or tools that require direct access and should not be masked or filtered.
When to Use Orange Cloud vs Grey Cloud
Choosing between orange and grey depends on the service behind the DNS record, the need for protection, and compatibility with Cloudflare’s proxy layer.
Use Orange Cloud for:
- Public websites (www, root domain)
- WordPress, Joomla, Shopify, or any CMS-based site
- E-commerce portals
- Membership or eLearning platforms
- Any page where you want caching, HTTPS, DDoS protection, or performance gains
Use Grey Cloud for:
- Email-related records (MX, mail.example.com)
- FTP, SSH, and SFTP connections
- Subdomains used for APIs or direct IP calls that might break with a proxy
- Services requiring real client IP detection without Cloudflare headers
- Custom ports not supported by Cloudflare’s proxy
Cloudflare does not proxy all ports, only certain ones (e.g., 80, 443, 8443). Services running on unsupported ports will break if proxied.
Practical Examples
Let’s say your DNS setup includes the following:
Subdomain | Purpose | Cloud Icon Recommendation |
www.example.com | Public-facing website | Orange cloud |
api.example.com | Backend REST API | Grey cloud (if incompatible) |
mail.example.com | Email server access | Grey cloud |
secure.example.com | Client login page | Orange cloud |
ftp.example.com | File transfer service | Grey cloud |
This kind of segmentation ensures that performance and protection are applied where needed while preserving functionality where proxying might cause issues.
How to Toggle Between Orange and Grey Clouds
- Log in to your Cloudflare dashboard
- Select your domain
- Navigate to the DNS tab
- Click the cloud icon next to the desired record:
  - Clicking grey → orange enables proxying
  - Clicking orange → grey disables proxying
- Changes propagate within minutes
Make sure you understand the downstream effects before enabling proxying, especially for email, APIs, or services that rely on specific headers or ports.
How This Impacts Security and Performance
With Orange Cloud:
- Visitors see Cloudflare’s IP addresses, not your origin
- Cloudflare filters malicious traffic, applies rate-limiting, and handles SSL/TLS
- Faster content delivery via global CDN
- Protection from common attacks like SQL injection, XSS, and DDoS
With Grey Cloud:
- Users connect directly to your server IP
- No caching, no WAF, no TLS offloading from Cloudflare
- Origin server is exposed to public internet
While grey-clouded records are not inherently unsafe, they lack the protections that make Cloudflare valuable. Only use them when absolutely necessary.
Misconfigurations to Avoid
- Orange-clouding the hostname used for email (SMTP, POP, IMAP): the proxy does not pass mail traffic, so this will break mail delivery.
- Grey-clouding your main site while expecting Cloudflare’s WAF or performance enhancements.
- Incorrect proxy settings for APIs that may or may not work behind a reverse proxy—always test.
Ensure your DNS and server configuration work harmoniously with Cloudflare’s proxy settings to avoid broken services or insecure exposure.
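The misconfigurations above can be checked mechanically against an export of the zone. The following is an added example, not code from this article or from Cloudflare: it assumes records shaped like Cloudflare's DNS record objects (`type`, `name`, `content`, `proxied`), uses constructed sample data, and flags a proxied mail host as well as any DNS-only record that reveals the origin behind a proxied one, which defeats IP masking.

```python
import ipaddress

# Constructed sample in the shape of Cloudflare DNS record objects
# (type, name, content, proxied); hostnames and IPs are documentation values.
SAMPLE_RECORDS = [
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "secure.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "ftp.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.25", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "A", "name": "api.example.com", "content": "203.0.113.40", "proxied": False},
]
PROXYABLE = {"A", "AAAA", "CNAME"}  # record types that carry the cloud toggle


def norm(value):
    """Canonical form of an IP or hostname so textual variants compare equal."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower().rstrip(".")


def audit(records):
    """Return sorted (hostname, issue, detail) findings for a list of records."""
    toggled = [r for r in records if r["type"] in PROXYABLE]
    mail_hosts = {norm(r["content"]) for r in records if r["type"] == "MX"}
    behind_proxy = {}  # origin address or CNAME target -> proxied hostnames
    for r in toggled:
        if r.get("proxied"):
            behind_proxy.setdefault(norm(r["content"]), set()).add(norm(r["name"]))
    findings = []
    for r in toggled:
        name, target = norm(r["name"]), norm(r["content"])
        if r.get("proxied") and name in mail_hosts:
            findings.append((name, "proxied-mail-host", "MX points here; mail will break"))
        # A grey record sharing an address with, or being the CNAME target of,
        # an orange record hands out the origin that the proxy is hiding.
        masked = behind_proxy.get(target, set()) | behind_proxy.get(name, set())
        if not r.get("proxied") and masked:
            findings.append((name, "origin-exposed", "reveals origin of " + ", ".join(sorted(masked))))
    return sorted(findings)
```

On the sample zone this reports `ftp.example.com` (same address as the proxied site) and `mail.example.com` (proxied MX target); `api.example.com` passes because it is DNS-only on its own address.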
Real-World Use Case for WordPress Sites
For WordPress sites that use Cloudflare for SSL, caching, and speed, orange-clouding the root domain and the www subdomain is best. If you use tools like Jetpack or external APIs that check real visitor IPs, be sure to configure your server to read the CF-Connecting-IP header correctly when Cloudflare is enabled.
For admin panels (wp-admin) and login pages, use Cloudflare’s firewall rules to limit access rather than disabling the proxy.
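Reading CF-Connecting-IP correctly means trusting it only when the connection really came from Cloudflare; on a direct connection (a grey-clouded record, or a client that reaches the origin by IP) the header is whatever the client sent. The following is an added example of that check, not WordPress or Cloudflare code: `client_ip` and `TRUSTED_PROXIES` are hypothetical names, and the ranges are documentation prefixes standing in for the list Cloudflare publishes at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Stand-in ranges (documentation prefixes) for illustration only; in
# production load the current list published at https://www.cloudflare.com/ips/.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def client_ip(peer_addr, headers):
    """Return the visitor IP for logging, rate limits and allow-lists.

    peer_addr is the address of the TCP peer as seen by the origin server;
    headers is a mapping of request header names to values.
    """
    peer = ipaddress.ip_address(peer_addr)
    # Membership is False when address and network versions differ, so
    # mixed IPv4/IPv6 lists are safe to scan.
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection: any CF-Connecting-IP present is client-supplied.
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cf-connecting-ip", "").strip()
    try:
        # Only accept a syntactically valid address from the trusted proxy.
        return str(ipaddress.ip_address(value))
    except ValueError:
        return str(peer)


# Constructed requests: one via the proxy, one hitting the origin directly
# with a forged header.
VIA_PROXY = client_ip("198.51.100.7", {"CF-Connecting-IP": "203.0.113.99"})
DIRECT_FORGED = client_ip("192.0.2.50", {"CF-Connecting-IP": "10.0.0.1"})
```

The same rule applies to firewall rules for wp-admin enforced at the origin: base them on the value this check returns, not on the raw header.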
Build Intelligent DNS Strategies with Expert Help
Managing your site’s traffic flow through Cloudflare is not just about toggling icons—it’s about understanding how proxying affects performance, security, and application behavior. Whether you’re running a basic WordPress blog, a complex membership system, or a custom SaaS platform, making the right decision between the orange cloud and grey cloud matters.
If you’re unsure which settings best suit your site or need help integrating Cloudflare with your WordPress platform, Wbcom Designs offers full DNS, performance, and security consulting. From initial setup to ongoing optimization, we ensure your Cloudflare configuration is tailored to your technical needs and business goals.