Dependency Mapping: How to Discover If Your Service Breaks When Cloudflare or AWS Goes Down

Is your service one Cloudflare or AWS incident away from a customer-facing outage?

Pain point: You depend on third-party CDNs, auth providers, and APIs but you don't know which of those are single points of failure. When Cloudflare, AWS, or an identity provider has a bad day (see spikes in outage reports in early 2026), the result is firefighting during business hours — and long postmortems.

Quick summary — what you'll get

• Automated approaches to discover all third-party dependencies used by your services (CDN, identity, telemetry, API gateways).
• Practical tests to simulate provider outages safely and automatically, revealing hidden single points of failure.
• Integration patterns for telemetry, SBOMs, and chaos frameworks (2026-ready: eBPF, OpenTelemetry, Sigstore/SLSA).
• Checklist & runnable commands to get started immediately in staging and CI.

The 2026 context — why this matters now

Late 2025 and early 2026 saw multiple high-profile outages and an increasing volume of outage reports for Cloudflare, major CDNs, and large cloud providers. The ZDNet signal in Jan 2026 is a reminder: aggregated third-party outages still cascade into customer impact. At the same time, adoption of edge services and SaaS integrations accelerated, increasing the surface area of third-party risk. Observability and chaos tooling evolved too: eBPF-based networking controls, standard OpenTelemetry traces across stacks, and broader adoption of supply-chain provenance tools (Sigstore, SLSA) shape modern resilience testing.

"Outage reports spiked in early 2026. If you can’t map and test your dependencies automatically, you’re fighting the last outage."

Core idea: automated dependency mapping + safe outage simulation

Manual audits miss transient dependencies embedded in client-side JavaScript, third-party OAuth endpoints, or CDN-hosted assets. The solution is two-phase:

1. Discover — build a machine-readable service graph of all external hosts and providers used by each service.
2. Validate — run automated outage simulations (chaos tests) against those dependencies in controlled environments and CI, asserting graceful degradation and fallback paths.

Phase 1 — Automated discovery: build your service graph

Goal: produce a service graph that maps services (web, mobile, backend) to external domains, IPs, and providers. The graph is the foundation for targeted chaos tests and third-party risk scoring.

Data sources for discovery

• Real traffic traces / distributed traces (OpenTelemetry / X-Ray / Datadog / New Relic)
• Reverse-proxy and CDN logs (Cloudflare logs, Fastly, ELB/ALB access logs)
• Browser network capture / synthetic crawls (Puppeteer, headless Chromium)
• Static analysis of front-end bundles (grep, regex, AST parsing) to find hard-coded endpoints
• Infrastructure as Code (Terraform, CloudFormation) to enumerate provider integrations
• SBOM and package manifests for supply-chain dependencies

Practical commands and a discovery pipeline

Below is a minimal pipeline you can run in CI to extract third-party hosts from HTML/JS bundles and live tracing data.

# 1) Headless crawl with Puppeteer to collect network hosts
node capture-network.js --url https://app.example.com --out hosts.txt

# 2) Extract hostnames from JS bundles (static assets dir)
grep -Eo "https?://[a-zA-Z0-9_.-]+" static/js/*.js | sed -E 's@https?://@@' | cut -d'/' -f1 | sort -u > static-hosts.txt

# 3) Combine and enrich with DNS/CNAME/ASN info
cat hosts.txt static-hosts.txt | sort -u | xargs -n1 -I{} sh -c "echo {}; dig +short CNAME {}; dig +short {} | sed -n '1p'" > hosts-enriched.txt

# 4) Map host -> provider (simple AS lookup)
cat hosts-enriched.txt | awk '{print $1}' | xargs -n1 -I{} sh -c "ip=$(dig +short {} | head -n1); whois $ip | grep -E 'OrgName|origin' || true" > hosts-provider-map.txt

capture-network.js is a small Puppeteer script that listens for 'response' events and writes hostnames; keep it in your companion repo. This approach uncovers client-side dependencies that static IaC scans miss.

Enrich hosts into a graph

Persist the results to a graph database (Neo4j, Amazon Neptune) or generate a Graphviz/DOT file. Minimal schema:

• Node: Service (service-id, environment)
• Node: ExternalHost (hostname, ASN, provider)
• Edge: CALLS (service -> host, protocol, path patterns, frequency)

Score third-party risk

Compute a risk score per external host using factors:

• Dependency criticality (is there a fallback?)
• Request frequency and error rate from logs or RUM
• Provider concentration (many critical hosts using a single provider like Cloudflare)
• Contract/SLAs, regulatory controls (DORA impact for EU financial services)

Phase 2 — Building outage simulations (chaos tests)

Once you can answer "which services call Cloudflare/AWS/etc?", you can write precise chaos tests to mimic provider outages. Your goal is to discover single points of failure and verify resilience mechanisms.

Safety-first rules for chaos

1. Run in non-production first (staging, pre-prod identical to prod).
2. Integrate approval gates and automated rollback.
3. Limit blast radius (single region, small percentage of traffic).
4. Automate notifications and telemetry capture before tests.
5. Have an emergency kill switch (API + chatops command to abort tests).

Common outage scenarios to simulate

• CDN outage: Simulate Cloudflare/Fastly edge failure. Validate origin response times and cache warming/fallback.
• DNS failure: Simulate authoritative DNS unavailability by returning NXDOMAIN or manipulating /etc/hosts in test agents.
• Auth provider outage: Revoke requests to OAuth/OpenID token endpoints. Validate cached sessions and offline tokens.
• API gateway or 3rd‑party API rate limiting: Inject 429 responses from downstream to validate retry/backoff/exponential jitter.
• Cloud region/zone outage: Blackhole routes to a region or shut down a subset of services to validate multi-region failover.

Tools & techniques (2026-relevant)

• Chaos frameworks: Gremlin, LitmusChaos, Chaos Mesh (Kubernetes), Simian Army-style scripts for VMs.
• Network-level: tc/netem, iptables DROP/REJECT, eBPF programs for controlled packet loss (fast, precise).
• Proxy-level: toxiproxy to inject latency, bandwidth constraints, or error codes for downstream APIs.
• DNS manipulation: run a stub resolver in test agents or use split-horizon DNS to return failures for targeted hosts.
• Synthetic clients: Puppeteer or k6 to emulate real user flows while the outage is injected.
• Telemetry: OpenTelemetry traces and logs must be harvested during tests to trace failure cascades end-to-end.

Example: Simulate Cloudflare edge outage

High-level options:

1. At the CDN side (if you own configuration), temporarily disable edge services for a subdomain or turn off a specific POP.
2. At the client side, return SERVFAIL/NXDOMAIN for *.cloudflare.com from the stub resolver used by your test clients.
3. Blackhole network by dropping TCP traffic to Cloudflare IP blocks (use with extreme caution).

# Example: block Cloudflare IP range for test clients (run on test agent / CI runner)
# list cloudflare ASN IPs beforehand: cloudflare_ips.txt
for ip in $(cat cloudflare_ips.txt); do
  sudo iptables -I OUTPUT -d $ip -j DROP
done

# Run synthetic user flows (k6 / Puppeteer) and observe
k6 run --vus 50 --duration 2m cloudflare-failover-test.js

# After test, remove rules
for ip in $(cat cloudflare_ips.txt); do
  sudo iptables -D OUTPUT -d $ip -j DROP || true
done

Better approach (safer): use a stub resolver or network namespace scoped to the test process so rules don't impact the entire host.

Example: simulate OIDC provider outage

Many apps assume tokens can always be refreshed. Tests should validate token expiry paths and cached session fallback.

# Use toxiproxy to proxy the token endpoint and return 503
# 1) Start toxiproxy and create proxy for auth.example.com:443 -> real_auth:443
# 2) During test enable a toxic that returns 503
curl -X POST localhost:8474/proxies/auth/proxy/toxics -d '{"name":"down","type":"timeout","attributes":{"timeout":0}}'

# Run API tests that perform login/token refresh and assert graceful failover

Assertions that matter

Chaos tests must check for application-level correctness, not just that something returned 500. Prioritize these assertions:

• End-user impact: page renders, critical transaction completes, or polite degradation (e.g., read-only mode).
• Background jobs: queued writes persisted or retried with backoff; no data corruption.
• Security: auth failures do not leak tokens or escalate privileges.
• Telemetries: traces pinpoint the failing dependency and false positives are eliminated.

From discovery graph to automated test generation

Once you have a machine-readable graph, generate targeted chaos tests automatically. Example pattern:

1. For each external host with risk score > threshold and used by > X services, generate a test scenario template: "simulate dns failure for host H for 90s with 10 concurrent users".
2. Attach pre-checks (verify baseline), run test, then post-checks (validate fallbacks).
3. Store results in the graph DB to show which services failed and why.

# pseudocode: generate tests from graph
for host in graph.externalHosts.where(risk > 7):
  for svc in graph.services.calling(host):
    createChaosTest(svc, host, scenario="dns-nxdomain", blastRadius="small")

Integrating with CI/CD and SRE playbooks

Run a reduced set of chaos tests in CI (fast, isolated) and full scenarios in nightly pipelines or weekly resilience windows. When a test fails, automatically open an incident with the SRE runbook linked and attach traces and timeline.

Sample CI policy

• On each merge to main: run lightweight discovery and smoke resilience tests (5–15s DNS and latency injects).
• Nightly: run deeper tests for all services with risk score > threshold.
• Quarterly: full-scale chaos window in a dedicated resilience environment that mimics production scale.

Supply-chain and integrity considerations

Dependency mapping isn’t only network endpoints. Your runtime depends on libraries and artifacts. 2025–2026 saw wide adoption of provenance tools and policies, so integrate SBOM and Sigstore verification into the discovery pipeline:

• Collect SBOMs for service builds (SPDX, CycloneDX).
• Verify binary/signature provenance with cosign/Sigstore; reject unsigned artifacts in CI.
• Map package maintainers and upstream hosts to the service graph (package -> registry -> CDN).

# verify artifact signature with cosign
cosign verify --key cosign.pub registry.example.com/myapp:1.2.3

# compute checksum for retention
sha256sum myapp-1.2.3.tar.gz

Real-world example (case study)

At a mid-sized SaaS in early 2026 we used this approach to discover a hidden dependency: a third-party analytics script pulled a config from a Cloudflare-hosted domain. Our discovery pipeline (Puppeteer + OpenTelemetry traces + IaC scanning) flagged the Cloudflare-hosted endpoint as critical to onboarding flows. We generated a DNS-failure chaos test for the host and observed onboarding failures without fallback. The fix: host essential config on origin with signed caching, implement local cached fallback, and add alerts for CDN-hosted config TTLs. Post-fix, simulated CDN outages showed zero critical-path failures.

Common gotchas and how to avoid them

• Running chaos in production without approvals — always enforce gated approvals and abort if key metrics spike.
• Not instrumenting tests — if you can’t trace a failure, you can’t fix it. Instrument traces and logs before the test.
• Missing client-side dependencies — many tools skip client-side JavaScript; include browser captures in discovery (Puppeteer).
• Hard-coded endpoints in libraries — scan node_modules/vendor directories during builds and map to providers.

Actionable checklist to get started this week

1. Run a quick client-side crawl on your main web app to capture third-party hosts (use Puppeteer).
2. Enrich host list with ASN/CNAME and persist into a simple graph (Neo4j or even a CSV).
3. Run a small chaos test in staging: DNS NXDOMAIN for a critical external host for 60s, run end-to-end tests, collect traces.
4. Review test failures and create remediation tickets: add fallback caches, degrade gracefully, or multi-provider routing.
5. Add SBOM and Sigstore checks to your build pipeline for artifact provenance checks.

Command cheat-sheet

# Capture hosts from a Chromium session with Puppeteer
# (pseudo) node capture-network.js --url https://app.example.com --out hosts.txt

# Enrich with DNS/CNAME
xargs -a hosts.txt -I{} sh -c 'echo {}; dig +short CNAME {} | sed -n 1p; dig +short {} | sed -n 1p' > hosts-enriched.txt

# Block IPs in a network namespace (safer than host-wide iptables)
ip netns add chaos-ns
ip netns exec chaos-ns iptables -I OUTPUT -d 203.0.113.0/24 -j DROP
# run test client in namespace
ip netns exec chaos-ns node run-synthetic.js

# Verify artifact signature with cosign
cosign verify --key cosign.pub registry.example.com/myapp:1.2.3

# Compute SHA256
sha256sum myapp-1.2.3.tar.gz

Future trends and what to prepare for (2026+)

• eBPF-based network fault injection will become mainstream for precise, low-latency chaos testing at L3/L4.
• Graph-based risk scoring combined with AI will automate creation of tailored chaos experiments (expect vendor tools in 2026).
• Regulatory frameworks (e.g., DORA and national critical-infrastructure rules) will push financial and telco customers to require demonstrable resilience testing against third-party outages.
• Supply-chain attestation (Sigstore, SLSA) will be required for higher assurance and to reduce integrity risks from third-party artifacts.

Closing: the minimum viable resilience program

At minimum, do these three things every sprint:

1. Auto-discover third-party hosts from both server and client sides and persist them in a service graph.
2. Run one automated chaos test per high-risk external host in staging and report findings into your runbooks.
3. Require artifact provenance verification in your CI (SBOM + Sigstore) to reduce supply-chain integrity risks.

Call to action

Start now: run a headless crawl to build your first service graph and schedule a staged DNS outage test this week. If you want a ready-made starter kit, clone the companion repo (filesdownloads.net/dependency-mapping-starter) which includes Puppeteer capture scripts, example Neo4j schema, and chaos templates for toxiproxy and eBPF-based packet dropping. Share your results with your SRE team and iterate — resilience is measurable and repeatable.

Related Reading

• Cloud Native Observability: Architectures for Hybrid Cloud and Edge in 2026
• Chaos Testing Fine‑Grained Access Policies: A 2026 Playbook for Resilient Access Control
• Advanced DevOps for Competitive Cloud Playtests in 2026
• Outage-Ready: A Small Business Playbook for Cloud and Social Platform Failures