KB-002: Connecting Cloudflare to Vercel — The "DNS Only" Method
| Field | Detail |
|---|---|
| Document ID | KB-002 |
| Version | 1.0 |
| Date | March 2026 |
| Author | Jimmy (Gemini — Atlantis AI) |
| Reviewed By | Shane Hardin |
| Applies To | All Atlantis domains hosted on Vercel via Cloudflare DNS |
| Difficulty | Beginner |
| Est. Time | 10–15 minutes |
| Related Docs | KB-003 — CNAME Flattening, KB-004 — Error 1014, HT-003 — Vercel 502 Fix |
1. Overview
This article explains how to correctly connect a domain managed in Cloudflare to a frontend hosted on Vercel. The key rule for the entire Atlantis infrastructure is:
Vercel domains must always use DNS Only (Grey Cloud ☁️) in Cloudflare — never the Orange Cloud proxy.
Getting this wrong is the single most common cause of 502 errors, SSL handshake failures, and "Too many redirects" loops across Atlantis deployments.
2. When to Use This Guide
- Adding a new domain or subdomain to a Vercel project
- After a drive migration or infrastructure reset when DNS records were re-created
- When a Vercel-hosted site is returning 502, SSL errors, or redirect loops
- When setting up any new Atlantis app (IceBreakrz, Pop Off, Lexicon, Command Center, etc.)
3. How It Works
Vercel handles its own SSL certificates and global edge routing. When Cloudflare's Orange Cloud proxy is enabled, traffic routes through Cloudflare's proxy layer before reaching Vercel — which breaks Vercel's SSL handshake and causes conflicts between two CDN/proxy systems trying to manage the same request.
Setting DNS to DNS Only (Grey Cloud) means Cloudflare acts as a pure DNS resolver — it points the domain to Vercel's servers and gets out of the way.
Browser
↓
Cloudflare DNS (resolves domain → Vercel IP) ← DNS Only, no proxy
↓
Vercel Edge Network (handles SSL + routing)
↓
Your App
⚠️ NOTE: With DNS Only enabled, Cloudflare WAF and DDoS protection are not active for that record. For Atlantis, this is an acceptable tradeoff since Vercel provides its own edge protection. The n8n tunnel uses a separate Cloudflare Tunnel (not DNS proxy) for its own security layer.
4. Step-by-Step Procedure
Step 1 — Get DNS Records from Vercel
- Log in to vercel.com
- Open your project → click Settings → Domains
- Add your domain (e.g., atlantisits.co or ai.atlantisits.co)
- Vercel will display the required DNS records:
| Record Type | Used For | Example Value |
|---|---|---|
| A Record | Apex/root domain (@) | 76.76.21.21 |
| CNAME | Subdomains (www, ai, etc.) | cname.vercel-dns.com |
💡 TIP: Copy these values exactly — do not type them manually. Vercel sometimes provides unique CNAME targets per project.
Step 2 — Add Records in Cloudflare
- Log in to dash.cloudflare.com as Srhardin@gmail.com
- Select your domain (e.g., atlantisits.co)
- Click DNS → Records in the left sidebar
- Click Add Record and enter the values Vercel provided
- CRITICAL: Set Proxy Status to DNS Only (Grey Cloud ☁️)
| Field | Value |
|---|---|
| Type | CNAME (for subdomains) or A (for apex) |
| Name | Your subdomain (e.g., ai) or @ for apex |
| Target | Value provided by Vercel |
| Proxy Status | ☁️ DNS Only — never orange cloud |
| TTL | Auto |
- Click Save
⚠️ NOTE: If a record already exists for that name, edit it rather than adding a duplicate. Duplicate DNS records cause unpredictable routing behavior.
Step 3 — Verify in Vercel
- Return to your Vercel project → Settings → Domains
- Click Refresh next to the domain
- Wait for the status indicators to turn green checkmarks ✅
- DNS propagation typically takes 2–5 minutes for Cloudflare-managed domains
💡 TIP: If the checkmarks don't turn green after 10 minutes, confirm the Proxy Status is truly Grey Cloud in Cloudflare — the orange cloud is the most common cause of verification failure.
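To confirm Steps 2 and 3 across a whole zone instead of checking each record by eye, the following added example (not part of the original KB) audits a Cloudflare DNS record listing for Vercel-bound records that are still proxied and for duplicate names. The example.com records and the tunnel hostname are constructed sample data; `type`, `name`, `content` and `proxied` are fields of Cloudflare's DNS records API, and the Vercel values are the ones quoted in this article.

```python
import json
from collections import Counter

# Vercel targets as quoted in this article; a project may get its own CNAME target.
VERCEL_APEX_IP = "76.76.21.21"
VERCEL_CNAME_SUFFIX = "vercel-dns.com"

# Constructed sample, shaped like the body returned by Cloudflare's
# GET /client/v4/zones/{zone_id}/dns_records endpoint.
SAMPLE_RESPONSE = json.dumps({"success": True, "result": [
    {"type": "A", "name": "example.com", "content": "76.76.21.21", "proxied": False},
    {"type": "CNAME", "name": "ai.example.com", "content": "cname.vercel-dns.com", "proxied": True},
    {"type": "CNAME", "name": "n8n.example.com", "content": "tunnel-id.cfargotunnel.com", "proxied": True},
    {"type": "A", "name": "shop.example.com", "content": "76.76.21.21", "proxied": False},
    {"type": "A", "name": "shop.example.com", "content": "76.76.21.21", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 -all", "proxied": False},
]})


def points_to_vercel(record):
    """True when an A/CNAME record targets Vercel (values from this article)."""
    content = record["content"].rstrip(".").lower()
    if record["type"] == "A":
        return content == VERCEL_APEX_IP
    if record["type"] == "CNAME":
        return content == VERCEL_CNAME_SUFFIX or content.endswith("." + VERCEL_CNAME_SUFFIX)
    return False


def audit(response_text):
    """Return sorted (name, finding) pairs for records that break the KB rules."""
    body = json.loads(response_text)
    if not body.get("success"):
        raise ValueError("Cloudflare API call did not succeed")
    records = [r for r in body["result"] if r["type"] in ("A", "CNAME")]
    findings = []
    for r in records:
        # Orange cloud on a Vercel target is the misconfiguration this KB warns about.
        if points_to_vercel(r) and r.get("proxied"):
            findings.append((r["name"].lower(), "proxied-vercel-record"))
    # More than one A/CNAME for a name is the duplicate case from Step 2.
    counts = Counter(r["name"].lower() for r in records)
    findings += [(n, "duplicate-record") for n, c in counts.items() if c > 1]
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RESPONSE):
        print(f"{finding}: {name}")
```

Against a live zone, pass in the JSON body from that endpoint, fetched with an API token scoped to read-only DNS access for the zone. The proxied tunnel record is deliberately not flagged, matching the n8n exception in this KB.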
5. Atlantis Domain Reference
| Domain | Record Type | Proxy Status | Notes |
|---|---|---|---|
| atlantisits.co | A Record | ☁️ DNS Only | Primary site — Vercel |
| ai.atlantisits.co | CNAME | ☁️ DNS Only | Roofing Lead Engine — Vercel |
| portfolio.atlantisits.co | CNAME | ☁️ DNS Only | Portfolio site — Vercel |
| n8n.atlantisits.co | CNAME | 🟠 Proxied | n8n — Cloudflare Tunnel (different method) |
| atlantisits.ai | CNAME | ☁️ DNS Only | AI domain — see KB-003 for CNAME Flattening |
6. Troubleshooting
| Error / Symptom | Cause | Fix |
|---|---|---|
| 502 Bad Gateway on Vercel site | Orange Cloud proxy enabled | Set record to DNS Only (Grey Cloud) |
| "Too many redirects" loop | Cloudflare forcing HTTPS while Vercel also redirects | Set to DNS Only — Vercel handles SSL |
| SSL handshake error / ERR_SSL_PROTOCOL_ERROR | Proxy conflict between Cloudflare and Vercel SSL | Set to DNS Only |
| Vercel domain stuck on "Pending" | DNS record not propagated or wrong proxy setting | Confirm Grey Cloud + wait 5 min, then refresh Vercel |
| Domain works but www doesn't (or vice versa) | Only one record added | Add both apex A record and www CNAME in Cloudflare |
7. Quick Reference
| Item | Value |
|---|---|
| Cloudflare login | Srhardin@gmail.com → dash.cloudflare.com |
| Vercel login | vercel.com → atlantis-ai project |
| Correct proxy setting | ☁️ DNS Only (Grey Cloud) — always |
| Wrong proxy setting | 🟠 Proxied (Orange Cloud) — never for Vercel |
| Vercel apex A record IP | 76.76.21.21 |
| Vercel CNAME target | cname.vercel-dns.com |
| DNS propagation time | 2–5 minutes (Cloudflare-managed domains) |
| Related error | 502 Bad Gateway → see HT-003 |
| Related error | Error 1014 → see KB-004 |
Document prepared by Gemi (Gemini — Atlantis AI Automations)
atlantisits.info | KB-002 | v1.0 | March 2026