Comparing AWS S3 with Cloudflare R2: Price, Performance and User Experience

Original Article ↗ Hacker News Discussion ↗

Overall reception

  • Many readers found the comparison article high quality and useful.
  • Some noted bias against AWS and toward Cloudflare, especially given the author’s book promotion.

Features & S3-API compatibility

  • R2 lacks several S3 features: object versioning, replication, regions/AZs, advanced lifecycle policies, MFA delete, intelligent tiering, fine‑grained IAM, and full customer-managed encryption.
  • Versioning can be emulated via Workers; some have working scripts, but it pushes complexity to users.
  • Checksums (SHA‑1/256) appear to be supported now even though docs lag.
  • Lack of global replication and fixed regions is a blocker for some.

Performance: latency vs throughput

  • Several comments argue the article over-emphasizes latency; many S3 workloads are throughput‑oriented (data lakes, warehouses).
  • Ex‑S3 practitioners say S3 is optimized to deliver massive aggregate throughput from HDD-based backends.
  • Reports suggest R2 latency, especially for ListObjects, and throughput can be more variable than S3.
  • One user saw erratic upload speeds and another hit HTTP Range bugs (sometimes receiving full object instead of a range).

Location, regions & replication

  • R2 bucket placement is opaque; you can’t reliably choose a specific city/region, which is a dealbreaker for latency‑sensitive, non‑public workloads or compliance.
  • Cloudflare’s regional metadata/storage model differs conceptually from AWS regions/AZs, which drives some of these design choices.

Pricing, egress & billing risk

  • Free R2 egress is widely praised but distrusted at scale.
  • Multiple anecdotes say CDN/egress is “free until it’s not,” with upsell pressure or special pricing for high bandwidth, image/video traffic, or certain geos.
  • S3 egress is seen as expensive and a DoS/bill-shock risk; R2’s integrated DDoS protection is viewed as an advantage.
  • Offsetting alternative: use cheap CDNs (e.g., Bunny) in front of any object store.

Reliability & durability claims

  • Some question how R2 credibly offers “11 nines” durability on par with S3 without comparable visible investment in formal methods and reliability tooling.
  • Others note 11‑9s durability is mostly about redundancy/erasure coding, not necessarily the advanced tooling AWS advertises.

Security, IAM & access control

  • Lack of rich IAM in R2 is a major limitation for complex orgs (no path‑scoped roles, easy SSO integration, blast-radius control).
  • Suggested workaround is to funnel all access through Workers and implement custom authz, but that adds cost and duplicated effort.
  • Separate thread on CDN‑level access control: CloudFront’s signed cookies are praised; similar features exist in some other CDNs but aren’t as prominently integrated with R2.

Use cases & when S3 still wins

  • For small or cold archival datasets (especially Glacier / Deep Archive) AWS can be dramatically cheaper overall; R2 doesn’t compete in non‑instant‑access archival.
  • Migrating long‑lived S3 data often isn’t worth small savings due to engineering effort and risk of breaking old links.
  • Some indie developers and at least one open-source registry report excellent real‑world experience with R2 and near‑zero cost for typical web workloads.

Broader ecosystem & alternatives

  • Commenters note the article barely mentions other S3‑compatible providers (Backblaze B2, Wasabi, Akamai/Linode, etc.).
  • B2 is cheaper but reported as slow and region‑limited; Wasabi has minimum bucket lifetimes that can be problematic.

Cloudflare’s role, trust, and ethics

  • Debate over Cloudflare’s business model: seen both as a genuine disruptor (cheaper, nicer DX) and as a CDN retrofitted into a “cloud” in ways you wouldn’t design from scratch.
  • Concerns raised about Cloudflare’s selective ToS enforcement, perceived arbitrariness around “free” egress/CDN, and high‑profile controversies over serving hate or extremist sites.
  • Others strongly defend the stance that infrastructure providers shouldn’t act as arbiters of acceptable content absent clear legal orders.