What:
A CDN (Content Delivery Network) is a globally distributed system of proxy servers and caches.
Primary purpose:
Serving static and semi-dynamic data with sub-millisecond latency by shifting storage closer to users.
Usually used for:
Static asset delivery (JS, CSS, images), video segment streaming, API acceleration, and DDoS protection.
How should I think about this inside system architectures?
🚀 Push Content Closer
Physically reduce the distance packets travel to minimize round-trip time (RTT).
💾 Trade Storage for Latency
Replicate storage capacity globally across hundreds of edge locations to bypass origin lookup times.
🛡️ Reduce Origin Pressure
Serve as a defensive shield that absorbs 99%+ of read traffic, preserving central API servers and databases.
Needed When:
Users are distributed globally, media files are large (video/images), or you face sudden traffic spikes.
Avoids:
Centralized network bottlenecks, expensive cross-region database lookups, and origin server CPU exhaustion.
Optimizes For:
Read latency (Time to First Byte - TTFB), bandwidth/egress costs, and central database availability.
CDNs rely on a multi-tier cache hierarchy to minimize origin calls:
The Request Flow
A client request always hits the Edge PoP first. If there is a miss, it propagates through Shield caches before ever querying your origin server:
- Edge PoPs: Highly distributed small data centers globally situated inside Internet Service Providers (ISPs).
- Anycast Routing: Routes users to the topologically nearest Edge PoP automatically using the same shared IP address.
- Origin Shields: A high-capacity centralized cache tier protecting the primary backend API from thundering herds.
- Optimized Cache Keys: Defining unique cache identifiers (e.g. omitting tracking tokens) to maximize hit ratios.
- TCP Edge Termination: Ends client connection handshakes close to the user, speeding up subsequent TLS connections.
| Benefit | Cost |
|---|---|
| Vastly Reduced Latency (TTFB goes from ~300ms to <20ms globally) | Stale Content Risks (cache invalidation lag means users may see outdated state) |
| Origin Cost Protection (offloads 99% of bandwidth and read compute from database/origin) | Additional Egress Fees (commercial CDNs charge per gigabyte of transferred data) |
| DDoS & Spikes Security (absorbs massive traffic floods at edge PoPs) | Cache Invalidation Complexity (purging millions of edge caches is expensive and tricky) |
Problem: Content is modified at the origin (e.g., user changes their avatar) but Edge PoPs continue serving the old version due to active Time-To-Live (TTL) policies.
Mitigation: Implement event-driven cache purges using unique tags (Cache-Tags), or use immutable content-addressable URLs (e.g., adding a hash to the file name, as in /avatar.abc123x.png) so new content naturally maps to a new key.
Problem: When a request misses the CDN cache, the user experiences a double-penalty: the time to travel to the edge plus the full transit time to the central origin server.
Mitigation: Pre-warm caches by programmatically hitting new or popular URLs before users request them, and use stale-while-revalidate to immediately serve slightly stale content while fetching fresh data in the background.
Problem: Clearing the global cache instantly (e.g., purging all product pages after a CMS deploy) forces 100% of global traffic directly to the origin, causing immediate database meltdown.
Mitigation: Enforce request collapsing (locking concurrent misses into a single origin request) and deploy an Origin Shield (Mid-Tier Cache) to aggregate edge requests.
| Use Case | CDN Usage |
|---|---|
| YouTube Video Playback | Permanent edge-caching of video segments (chunks) near users |
| Instagram Photo Loading | High-availability caching of versioned user photos globally |
| E-commerce Product Catalogs | Edge-caching of static product descriptions and images with short TTL |
| Web App Shells (React/Vue builds) | Caching static index.html, JS bundles, and CSS stylesheet assets |
| Global Dynamic APIs | Edge routing optimization and TCP termination to reduce round-trip times |
- Your users are distributed globally, causing poor performance in distant countries.
- You are building media-heavy platforms (Netflix, Instagram, TikTok, YouTube).
- Your reads outnumber your writes by a huge ratio (e.g. 100:1 or more).
- You require robust, edge-level security filters (Web Application Firewall, WAF) to block bad bots.
- You have highly structured, public metadata that remains static for minutes to days.
- Consistent Hashing (distributing cache targets across nodes)
- Reverse Proxy (origin-facing request forwarding and balancing)
- HTTP Caching Headers (controlling browser and proxy behavior with Cache-Control)
- Anycast Routing (topological DNS and IP routing algorithms)
- Cache Stampede Prevention (distributed locking and prefetching)
Cache Key Normalization & Vary Headers
The primary way to optimize CDN hit ratio is to normalize cache keys. If clients send varied query params (like tracking analytics tokens: ?utm_source=x), the CDN will treat each as a separate key, dropping your hit ratio to 0%.
Normalization: At the edge, the proxy rewrites incoming request keys, stripping tracking parameters and sorting the remaining arguments before checking the cache.
Vary Headers: When serving dynamic responses (like compression formats gzip vs brotli), the origin returns Vary: Accept-Encoding. This instructs the CDN to cache distinct variants for the exact same URL based on the client's capabilities.
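The normalization and Vary handling described above, as an added example that is not part of the original page or any CDN's own code. The tracking-parameter denylist and the `cache_key` / `encoding_variant` names are assumptions; the Accept-Encoding header is reduced to a small set of buckets so that Vary does not fragment the cache on every distinct header string.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed denylist. Only strip parameters the origin ignores: anything that
# changes the response body must stay in the key, or users get wrong content.
TRACKING_PARAMS = {"fbclid", "gclid"}
TRACKING_PREFIXES = ("utm_",)


def encoding_variant(accept_encoding):
    """Collapse a free-form Accept-Encoding header into br / gzip / identity."""
    offered = set()
    for part in accept_encoding.lower().split(","):
        name, _, params = part.strip().partition(";")
        params = params.replace(" ", "")
        if params.startswith("q="):
            try:
                if float(params[2:]) == 0:
                    continue  # q=0 means the client refuses this encoding
            except ValueError:
                continue  # malformed weight: treat as not offered
        offered.add(name.strip())
    for preferred in ("br", "gzip"):
        if preferred in offered:
            return preferred
    return "identity"


def cache_key(url, headers, vary=()):
    """Build the edge cache key; header names in `headers` are lower-case."""
    parts = urlsplit(url)
    kept = sorted(
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in TRACKING_PARAMS
        and not k.lower().startswith(TRACKING_PREFIXES)
    )
    key = f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"
    if kept:
        key += "?" + urlencode(kept)
    for name in sorted(h.lower() for h in vary):
        value = headers.get(name, "")
        if name == "accept-encoding":
            value = encoding_variant(value)  # bucket, never the raw header
        key += f"|{name}={value}"
    return key
```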
Anycast Routing Mechanics
Anycast is a network routing technique where multiple physical machines globally advertise the exact same IP address using the BGP (Border Gateway Protocol) routing mesh. When a user requests your site, internet routers naturally forward the packets to the topologically closest hop. This ensures instant hardware-level routing near users without geo-DNS delays.
Edge Compute & Serverless Functions
Modern CDNs (Cloudflare Workers, Fastly Compute, AWS Lambda@Edge) allow running lightweight JavaScript/Rust code directly inside Edge PoPs. Rather than just returning cached files, you can execute logic at the edge: (1) authenticating API tokens, (2) performing A/B testing splits, (3) dynamically resizing images, or (4) stitching personalized HTML templates (SSI) with sub-20ms latencies.
Signed URLs & HMAC Security
For paid or private content (e.g. Netflix movies or Dropbox files), you cannot expose public URLs. CDNs secure content with Signed URLs: the origin generates a temporary access URL containing an expiration timestamp and a cryptographic HMAC signature. The Edge PoP validates the signature locally without contacting the origin, immediately blocking hotlinking or unauthorized sharing.
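A sketch of the signing and edge-side validation described above, added here as an example and not taken from the original page or any specific CDN. The `expires` and `sig` parameter names, the message layout (path, newline, expiry) and the demo key are assumptions; real CDNs each define their own signed-URL format.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; in practice this is a secret shared by origin and edge.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _mac(path, expires_at, key):
    # The MAC covers both the path and the expiry, so neither can be changed
    # without invalidating the signature.
    message = f"{path}\n{expires_at}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_url(path, expires_at, key):
    """Origin side: issue a URL valid until `expires_at` (Unix seconds)."""
    return f"{path}?expires={expires_at}&sig={_mac(path, expires_at, key)}"


def verify_url(url, key, now):
    """Edge side: validate locally, with no call back to the origin."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    expires, sig = query.get("expires", []), query.get("sig", [])
    # Reject missing or duplicated parameters rather than guessing which
    # copy the signer meant.
    if len(expires) != 1 or len(sig) != 1:
        return False
    try:
        expires_at = int(expires[0])
    except ValueError:
        return False
    expected = _mac(parts.path, expires_at, key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig[0].encode()):
        return False
    # Check expiry only after the signature is known to be authentic.
    return now < expires_at
```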