
Content Delivery Network (CDN)

Plain English

A CDN is a chain of warehouses for the internet. Instead of every customer driving to a single factory (your origin server) to pick up their order, the CDN pre-stocks warehouses close to each customer. When someone in Tokyo visits your website hosted in New York, they get the content from a CDN server in Tokyo instead, cutting the delivery time from 150ms to 5ms. If that warehouse runs out of something, it quietly fetches it from the factory and restocks for the next customer.

Technical Definition

A Content Delivery Network (CDN) is a geographically distributed network of Points of Presence (PoPs), each containing edge servers that cache content and serve it to nearby users. CDNs reduce latency, offload origin servers, and improve availability.

How CDN routing works:

  1. Your DNS CNAME record points to the CDN provider’s DNS (e.g., d1234.cloudfront.net)
  2. The CDN’s anycast or GeoDNS returns the IP of the nearest PoP
  3. The edge server checks its cache for the requested object
  4. On a cache miss, the edge fetches from the origin (your server) and caches the response
  5. Subsequent requests are served from cache until TTL expires (cache hit)

Cache control headers that govern CDN behavior:

Header                                      | Used for                 | Effect
--------------------------------------------|--------------------------|-------------------------------------------------
Cache-Control: max-age=31536000, immutable  | Static assets            | Cached for 1 year, never revalidated
Cache-Control: s-maxage=300                 | API responses            | CDN caches for 5 min, ignores client max-age
Cache-Control: no-store                     | User dashboards          | CDN never caches
Surrogate-Control: max-age=600              | Fastly/Varnish-specific  | CDN-only TTL, stripped before the client sees it
Vary: Accept-Encoding                       | Compressed assets        | CDN stores separate copies per encoding

Origin pull vs. origin push:

  • Pull (most common): CDN fetches content on the first cache miss, caches it automatically
  • Push: you explicitly upload assets to the CDN storage (used for large files, video)

CDN layers of value:

  • Performance: edge caching, TCP connection reuse, HTTP/3 (QUIC), Brotli compression
  • Resilience: cached traffic is absorbed at the edge during origin failures; many CDNs offer origin failover
  • Security: DDoS absorption, TLS termination at the edge, WAF integration, bot management
  • Edge compute: run serverless functions at PoPs (Cloudflare Workers, Lambda@Edge)

Cache behavior inspection and cache-control configuration

# Inspect CDN cache status from response headers
$ curl -sI https://example.com/assets/logo.png
HTTP/2 200
x-cache: Hit from cloudfront
x-cache-hits: 42
age: 1823
cache-control: max-age=31536000, immutable
cf-cache-status: HIT          # Cloudflare variant
x-served-by: cache-sjc-ksjc7920-SJC  # PoP that served the response

# Force cache revalidation
$ curl -sI -H "Cache-Control: no-cache" https://example.com/assets/logo.png
x-cache: Miss from cloudfront

# Purge a URL from Cloudflare cache via API
$ curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CF_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"files":["https://example.com/assets/logo.png"]}'

# Nginx origin: set CDN-friendly cache headers
location /assets/ {
    # Cache static assets for 1 year at CDN and browser
    add_header Cache-Control "public, max-age=31536000, immutable";
    # Separate CDN copy per encoding
    add_header Vary "Accept-Encoding";
}

location /api/ {
    # CDN caches for 60s; browser does not cache
    add_header Cache-Control "public, s-maxage=60, max-age=0";
}

location /dashboard/ {
    # Never cache authenticated content
    add_header Cache-Control "private, no-store";
}

In the Wild

Cloudflare, AWS CloudFront, Fastly, and Akamai are the dominant CDN providers. Cloudflare’s free tier covers most small sites and adds DDoS protection. CloudFront is the default choice when your origin is on AWS. The most common CDN mistake is forgetting Vary: Accept-Encoding, which causes CDN servers to serve uncompressed content to clients that support Brotli or gzip. Another common error is caching API responses that contain user-specific data, leaking one user’s data to another. The pattern of using content-hashed filenames (logo.abc123.png) with immutable cache control is the standard for static assets: the hash changes when the file changes, so the CDN can cache safely forever. Edge compute is the frontier: Cloudflare Workers and Lambda@Edge let you run authentication, A/B testing, and personalization at PoPs without a round-trip to origin.
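The header table above and the two mistakes just described can be checked mechanically. The following is an added example, not code from the original page or any CDN vendor: it reads a response's cache headers with the precedence the table implies (an assumption, simplified from the table) and flags a user-specific response that a shared cache would store, or a compressed response cached without Vary: Accept-Encoding. The Authorization/Cookie/Set-Cookie heuristic for "user-specific" is this example's own.

```python
# Added example, not from the original page: read cache headers the way a CDN would,
# then flag the two mistakes named on this page. Precedence/heuristics are assumptions.

def parse_cache_control(value):
    """Turn 'public, s-maxage=60, max-age=0' into {'public': True, 's-maxage': '60', ...}."""
    directives = {}
    for part in value.split(","):
        name, _, val = part.strip().lower().partition("=")
        if name:
            directives[name] = val.strip().strip('"') if val else True
    return directives

def _seconds(val):
    return int(val) if isinstance(val, str) and val.isdigit() else 0

def cdn_ttl(response_headers):
    """Seconds a shared (CDN) cache may serve the response; 0 means do not cache.
    Assumed precedence, following the header table above: Surrogate-Control max-age
    (CDN-only, Fastly/Varnish) wins, then no-store/private forbid shared caching,
    then s-maxage overrides max-age."""
    res = {k.lower(): v for k, v in response_headers.items()}
    surrogate = parse_cache_control(res.get("surrogate-control", ""))
    cc = parse_cache_control(res.get("cache-control", ""))
    if "max-age" in surrogate:
        return _seconds(surrogate["max-age"])
    if "no-store" in cc or "private" in cc:
        return 0
    for key in ("s-maxage", "max-age"):
        if key in cc:
            return _seconds(cc[key])
    return 0

def audit(request_headers, response_headers):
    """Findings for the two mistakes named on the page: a user-specific response a CDN
    would cache (leaks one user's data to another) and a compressed response cached
    without Vary: Accept-Encoding. Authorization/Cookie on the request or Set-Cookie
    on the response is the (heuristic) signal that a response is user-specific."""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    ttl = cdn_ttl(res)
    findings = []
    if ttl > 0 and ("authorization" in req or "cookie" in req or "set-cookie" in res):
        findings.append("user-specific response is shared-cacheable for %ds" % ttl)
    vary = {v.strip().lower() for v in res.get("vary", "").split(",")}
    if ttl > 0 and "content-encoding" in res and not vary & {"accept-encoding", "*"}:
        findings.append("compressed response cached without Vary: Accept-Encoding")
    return findings

# Constructed sample: the /api/ location from the nginx config above, hit with a session cookie.
print(audit({"Cookie": "session=abc"}, {"Cache-Control": "public, s-maxage=60, max-age=0"}))
```

Run it against headers captured with `curl -sI` to see whether a given route's configuration matches the row of the table you intended.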