In a world where mobile apps enable users to process transactions, source luxury goods, and instantly communicate with people around the world, both speed and security are key. That gave Quek Siu Rui, Lucas Ngoo, and Marcus Tan the idea for Carousell: a smartphone- and web-based marketplace that makes buying goods as easy as chatting and selling them as easy as snapping a photo.
Founded in 2012, Carousell is one of the largest C2C ecommerce marketplaces in Southeast Asia, with customers across Singapore, Indonesia, Hong Kong, Malaysia, Taiwan, Australia, and the Philippines. Users can purchase and sell items from a variety of categories — cars, property, fashion, household appliances, assistive devices, electronics, and more — and post job listings or offer services across an equally expansive range of industries.
Carousell chief architect Harshad Rotithor estimates that more than a quarter of Singapore’s entire population uses the platform, which boasts more than 250 million listings to date. Those figures are expanding as more users flock to the site, bringing a host of new performance challenges to overcome.
Carousell serves around 1 PB of images per month and utilizes artificial intelligence to create a frictionless user experience for anyone looking to buy or sell items on their platform. In order to meet intensive performance requirements for a rapidly expanding regional customer base, they need a cloud provider that can ensure uptime during high-traffic events and cache dynamic pages on an as-needed basis.
These issues come into sharp focus during Carousell’s periodic “flash sales” — a recurring limited-time event when they partner with sellers to provide deep discounts for buyers. Just one of these flash sales can attract over 3x the amount of traffic Carousell typically sees.
“Users come with certain expectations that the site will load quickly and that they will get to browse the various products on display and get to deals as quickly as possible,” Harshad explains. “If we fail to provide that, it gives our customers a very bad user experience. We want to ensure that our customers always get a very smooth experience on Carousell and can easily buy, sell, and communicate about the products they find.”
It isn’t an easy task, especially as the rapid influx of traffic during flash sales places a significant strain on the platform. Initially, Carousell turned to Amazon CloudFront to keep their site running smoothly, but soon found that they were not able to handle the site’s growing audience and performance needs.
In 2016, Carousell switched to Cloudflare.
“It started off as a solution for our DNS and SSL termination requirements,” says Harshad. “Then we started exploring the ability to cache our assets at Cloudflare and started partially moving our assets over from a different CDN. Now, we are 100% cached on Cloudflare.”
With data centers in 200 cities and 90+ countries worldwide, Cloudflare helps Carousell cache their assets on the network edge, bringing content as close to end users as possible. This ensures that the site never experiences outages during high-visibility sales or loses customers due to slow page loads.
Cloudflare also enables Carousell to cache dynamic pages for short durations, which allows them to easily handle a huge amount of traffic during flash sales and provide a seamless user experience.
“Cloudflare handles our requirements of a CDN, WAF, caching layer, SSL endpoint, and DNS,” Harshad adds. “These products help us meet our business metrics while giving us an excellent return on our investment.”
In addition to scaling and speeding up their platform, Carousell needs to stay ahead of volumetric security threats like DDoS attacks and malicious bot activity. Bots scrape content and drain internal resources by forcing Carousell to invest in additional infrastructure to serve bot-generated requests — even though Carousell doesn’t reap any benefit from the increase in traffic.
Staying ahead of these attacks requires Carousell to adopt a comprehensive security solution, one that safeguards customer data and offers premium protection without performance trade-offs.
“We explored the web application firewall offered by Cloudflare and it ticked all our boxes,” says Harshad. “It had the basic OWASP-related rules as well as various other specialized rules that Cloudflare themselves had added. We also had the ability to add custom rules. So all of the features essentially made it a perfect fit for our needs.”
The Cloudflare Web Application Firewall (WAF) leverages collective threat intelligence to identify and prevent malicious requests, empowering users to proactively defend against incoming attacks and ensure application availability. And it seamlessly integrates with bot mitigation and DDoS attack protection to shield sites from resource-draining bots, DDoS threats, cross-site scripting (XSS), and other attacks.
“Even after turning on almost all of the firewall features, we haven’t seen any measurable hit on the latency,” Harshad says. “That is one of the biggest benefits that we get out of Cloudflare. Since the security features don’t impact our overall site performance, the user experience doesn’t degrade with all of these checks that are put in place.”
Today, Carousell doesn’t have to worry about keeping up with their user base or trying to get ahead of potential attacks. Cloudflare’s integrated security and performance solutions allow them to do both, which means that users are guaranteed a smoother experience every time they come to shop or sell.
“Cloudflare is key for the experience that we offer to our users,” says Harshad, “and the focus that Cloudflare has taken — of helping make the Internet a better place — is key for us, because any product that Cloudflare develops would essentially benefit our end users and, in turn, improve the experience they have on Carousell. So it’s a win-win for us.”
«Cloudflare ensures that we have the tools to mitigate those attacks without any impact on our end users, even if adversaries choose to try out any attacks on us.»