Tetrate Agent Router vs. Cloudflare AI Gateway: Edge Convenience vs. Enterprise Control
Last updated: June 2026
TL;DR
Cloudflare AI Gateway is the lowest-friction option for teams already on Cloudflare — edge caching, logging, and basic routing with near-zero setup. Tetrate Agent Router is built for enterprises that need control over where AI traffic runs, who it belongs to, and what they can prove in a compliance audit.
What each product is for
Cloudflare AI Gateway sits at Cloudflare’s edge network in front of your LLM API calls. Its primary value is convenience: a one-URL change gives you request logging, caching to reduce duplicate API costs, basic rate limiting, and analytics — with no infrastructure to manage. It is most compelling for teams already invested in the Cloudflare ecosystem.
Tetrate Agent Router is a purpose-built AI gateway running on the Envoy AI Gateway data plane — co-created by Tetrate and Bloomberg. A Tetrate-managed control plane governs distributed data planes; you choose where each data plane runs (managed SaaS, dedicated cloud, on-premises, or per-region). It adds authenticated identity on every request, per-team cost attribution, MCP tool governance, runtime guardrails, and an immutable audit log — designed for enterprises operating agents across many teams in regulated environments. It is not a fully customer-hosted or self-operated product.
Head-to-head comparison
| | Cloudflare AI Gateway | Tetrate Agent Router |
|---|---|---|
| Deployment model | Managed edge (Cloudflare network only — no data residency controls) | Managed control plane + distributed data planes: on-prem, per-region, edge, multi-VPC — you choose where each data plane runs |
| Setup effort | Very low — one URL change | Low (managed SaaS) to moderate (Enterprise data-plane placement) |
| Data residency | No data residency controls on AI Gateway. AI Gateway is explicitly incompatible with Cloudflare Regional Services — your AI traffic routes through Cloudflare’s global network regardless of where you need it processed. | You choose where the data plane runs — cloud, on-prem, edge, or per-region. |
| Identity / attribution | Cloudflare Access for auth | Authenticated identity bound to every request; per-team / agent / project attribution |
| Cost attribution | Logs and analytics | Per-person / team / agent / project; showback + chargeback |
| MCP / tool governance | Yes — MCP Server Portals (Open Beta via Cloudflare One), SSO/MFA via Access, DLP policies, shadow MCP detection. Strong if you’re already in the Cloudflare ecosystem. | Native MCP gateway: curated tool catalog, MCP profiles, OAuth + API-key auth. Runs wherever your data plane runs, including on-prem. |
| Runtime guardrails | Basic | PII redaction, policy enforcement, behavior supervision |
| Audit / compliance | Platform-level | Immutable audit logs; EU AI Act-grade; data-residency options |
| Envoy AI Gateway lineage | No | Co-creator and maintainer |
One control plane, distributed data planes
Cloudflare AI Gateway runs on Cloudflare’s global edge network. You cannot choose where a given request is processed — and as confirmed above, there are no data residency controls on AI Gateway.
Tetrate Agent Router Enterprise is architecturally the opposite: one Tetrate-managed control plane governing distributed data planes deployed wherever your agents run — Tetrate-hosted, inside your own cloud VPC, on-premises, at the edge, or per-region with localized model catalogs and compliance controls. A retail company can deploy a data plane per geographic service area with region-specific model catalogs and guardrails. A financial services firm can enforce GDPR-grade controls on the EU data plane and separate policies on the US plane — all from one control point, without duplicating logic in each application.
This is the structural reason Cloudflare AI Gateway and Tetrate Agent Router serve different enterprise needs: one is a convenience layer at a fixed edge; the other is a distributed control plane for enterprises that must govern where their AI traffic runs.
On Cloudflare’s MCP support
Cloudflare has invested meaningfully in MCP. MCP Server Portals, launched in Open Beta in late 2025, provide centralized MCP server discovery, DLP policy enforcement, Cloudflare Access-based SSO/MFA, and shadow MCP detection via Cloudflare Gateway. If you are already in the Cloudflare ecosystem, this is a credible MCP offering — not a checkbox.
The key constraint is the same as the rest of Cloudflare AI Gateway: it runs on Cloudflare’s network. Your MCP tool traffic, like your LLM traffic, routes through Cloudflare’s infrastructure. If your compliance posture requires tool calls and model requests to stay within a specific jurisdiction or your own infrastructure, Cloudflare’s MCP architecture does not satisfy that requirement. Tetrate’s MCP gateway runs wherever your Agent Router data plane runs — including on-prem and per-region.
The data residency question
This is frequently the deciding factor for regulated enterprises. Cloudflare launched Custom Regions in March 2026 for TLS termination and Layer 7 processing across its network — but Cloudflare AI Gateway is explicitly excluded. As of June 2026, the Cloudflare Community confirms AI Gateway has no data residency or regional processing controls and is listed as incompatible with Cloudflare’s Regional Services.
Tetrate Agent Router Enterprise data planes run in your cloud VPC, on-premises, at a specific region, or at the edge — governed by a Tetrate-managed control plane. If your compliance posture requires AI traffic — model calls or tool calls — to stay within a jurisdiction or inside your own infrastructure, that requirement typically eliminates Cloudflare AI Gateway from the shortlist.
Choose Cloudflare AI Gateway when
- You are already on Cloudflare and want caching, logging, and basic observability with minimal engineering effort.
- Your AI workloads are not subject to strict data residency or compliance requirements.
- You want to reduce duplicate LLM API costs through response caching quickly.
Choose Tetrate Agent Router when
- You need control over where AI data planes run — on-premises, per-region, or dedicated cloud — under a Tetrate-managed control plane.
- Data residency, compliance audit, or regulated-industry requirements drive your architecture.
- You need MCP tool governance, per-team cost attribution, and runtime guardrails.
- You want a governed enterprise control plane, not an edge convenience layer.
Frequently asked questions
Can Cloudflare AI Gateway enforce per-team spend limits? Cloudflare offers logs, analytics, and unified billing introduced in 2026, but lacks granular per-team budget controls, RBAC, and hierarchical cost management. Tetrate Agent Router provides per-person, per-team, and per-agent attribution with showback and chargeback natively.
Does Cloudflare AI Gateway support MCP? Yes — Cloudflare has invested meaningfully in MCP via MCP Server Portals (Cloudflare One), including DLP policies, Cloudflare Access-based SSO/MFA, and shadow MCP detection. It is a credible option for teams in the Cloudflare ecosystem. The key constraint: all MCP traffic routes through Cloudflare’s network with no data residency controls. Tetrate’s MCP gateway runs wherever your Agent Router data plane runs, including on-prem.
Can I use both? Yes — some architectures put Cloudflare at the edge for caching on public-facing workloads and Tetrate Agent Router for governed internal agent traffic. They serve different layers and are not mutually exclusive.
What if my data can’t leave a specific region? Cloudflare AI Gateway is explicitly incompatible with Cloudflare’s own Regional Services — there are no data residency or regional processing controls on AI Gateway as of June 2026 (confirmed in the Cloudflare Community forum). Tetrate Agent Router Enterprise data planes run in the region and infrastructure you specify, governed by a Tetrate-managed control plane. This is typically the deciding factor for EU-based or financial-services enterprises.
MCP Catalog with verified first-party servers, profile-based configuration, and OpenInference observability are now generally available in Tetrate Agent Router Service. Start building production AI agents today.