CDN
Content Delivery Networks - global caching, edge POPs, image optimization, DDoS protection, and pricing
A Content Delivery Network is a fleet of servers spread around the world that cache and serve your content from the location closest to each user. The basic value: a user in Tokyo doesn't have to wait for bytes to fly from your origin in Virginia.
What a CDN Does
| Feature | Why it matters |
|---|---|
| Geographic caching | Serve cached content from a nearby POP — 10-100× lower latency than origin |
| TLS termination at the edge | HTTPS handshake near the user; faster page loads |
| HTTP/2, HTTP/3, Brotli | Modern transport without you upgrading your origin |
| DDoS absorption | A huge attack hits the CDN, not your origin |
| Bot mitigation / WAF | Block scrapers and exploit attempts at the edge |
| Image / video optimization | Resize, recompress, transcode on the fly |
| Edge compute | Run logic at the POP (see Edge Functions) |
| Origin offload | Most traffic never reaches your servers |
The lift isn't just speed; it's cost. A well-tuned CDN serves 95%+ of bytes from cache, and your origin shrinks accordingly.
The Players
| CDN | Notes |
|---|---|
| Cloudflare | Huge POP network, generous free tier, integrated DNS/WAF/edge functions |
| Fastly | Developer-friendly, fast purge, VCL programmability, real-time logs |
| AWS CloudFront | Deeply integrated with AWS; pricing per region |
| Google Cloud CDN | Tied to GCP Load Balancer; HTTP/3-first |
| Azure CDN / Front Door | Front Door is the modern combined CDN + WAF + LB |
| Akamai | Enterprise heavyweight; broad feature set |
| Bunny.net | Cheap, fast, simple — popular for static sites |
| KeyCDN, CDN77 | Smaller commercial options |
| jsDelivr / unpkg | Public CDNs for open-source JavaScript packages |
For new projects: Cloudflare or Fastly for full-featured needs, Bunny.net when cost matters more than features.
How a Request Flows
```
User in Tokyo
       │
       ▼
┌─────────────┐
│  Tokyo POP  │  ← serves from cache if available
└──────┬──────┘
       │ on cache miss
       ▼
┌──────────────────────┐
│ Shielding tier (opt) │  ← reduces origin hits across all POPs
└──────┬───────────────┘
       │ on cache miss
       ▼
┌──────────────┐
│    Origin    │  ← your servers
└──────────────┘
```
The first user in Tokyo pays the full round trip to origin. The next 1000 users get the cached response from Tokyo at ~5 ms.
Learning Path
1. Getting Started: Put Cloudflare in front of a site, set basic cache rules, see edge caching work
2. Caching Strategies: Cache-Control headers, surrogate keys, purge, stale-while-revalidate, image optimization
3. Best Practices: Multi-CDN, security, observability, cost control, common pitfalls
What a CDN Doesn't Do
| Misconception | Reality |
|---|---|
| "CDN = faster for everything" | Dynamic per-user content doesn't cache; CDN adds a hop |
| "I can stop worrying about origin capacity" | First requests still hit it; bypass + purge floods can too |
| "CDN means I'm DDoS-protected" | Only if you enforce that traffic reaches the origin through the CDN; a misconfigured origin is still reachable directly |
| "Set Cache-Control once and forget" | Cache headers, purge strategy, vary-on-cookie all need tuning |
A CDN is a caching layer with security and edge features bolted on. Most of the value comes from caching done right — see Caching Strategies.
Static vs Dynamic vs Personalized
Three traffic patterns, three approaches:
| Traffic | Cacheable? | How to handle |
|---|---|---|
| Static assets (JS, CSS, images, fonts) | Fully | Long Cache-Control: public, max-age=31536000, immutable; hash in filename |
| Public dynamic (product pages, articles) | Mostly | Short TTL + purge on update, or stale-while-revalidate |
| Per-user (account dashboard, cart) | Almost never at the CDN | Mark Cache-Control: private; consider per-user at-edge KV |
| Per-cookie variations | Carefully | Vary by a small set of "buckets" not raw cookies |
The classic mistake is caching responses keyed by raw cookies — the cache fragments into millions of entries that mostly never get hit again.
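The table above as a header audit, plus a bucketed cache key in place of raw cookies. This is an added example, not code from the original page or from any CDN vendor; the route prefixes, hashed-filename pattern, and cookie bucket names are assumptions made for illustration.

```python
import re

# Assumed routes, filename pattern and cookie buckets (hypothetical); adapt to your site.
PER_USER_PREFIXES = ("/account", "/cart")
HASHED_ASSET = re.compile(r"\.[0-9a-f]{8,}\.(js|css|png|jpg|svg|woff2)$")
BUCKETS = {"ab": {"a", "b"}, "lang": {"en", "ja"}}

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or ''}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives

def audit(path, headers):
    """Return findings for one response, following the traffic table above."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    max_age = int(cc["max-age"]) if cc.get("max-age", "").isdigit() else 0
    shared = not {"private", "no-store"} & cc.keys() and (
        "public" in cc or "s-maxage" in cc or max_age > 0)
    findings = []
    if shared and path.startswith(PER_USER_PREFIXES):
        findings.append("per-user response is CDN-cacheable; send Cache-Control: private")
    if shared and "cookie" in vary:
        findings.append("Vary: Cookie keys the cache on raw cookies; use buckets")
    if HASHED_ASSET.search(path) and (max_age < 31536000 or "immutable" not in cc):
        findings.append("hashed asset lacks max-age=31536000, immutable")
    return findings

def bucket_key(path, cookies):
    """Build a cache key from a few cookie buckets instead of raw cookies."""
    parts = [f"{n}={cookies[n] if cookies.get(n) in BUCKETS[n] else 'default'}"
             for n in sorted(BUCKETS)]
    return f"{path}|{'&'.join(parts)}"

# Constructed sample responses (path, headers); not taken from a real site.
SAMPLES = [
    ("/account/orders", {"Cache-Control": "public, max-age=300"}),
    ("/products/42", {"Cache-Control": "public, max-age=60", "Vary": "Cookie"}),
    ("/static/app.3f9a1c2b7d.js", {"Cache-Control": "public, max-age=31536000, immutable"}),
]

if __name__ == "__main__":
    for path, headers in SAMPLES:
        print(path, audit(path, headers) or "ok")
```

Session cookies never enter `bucket_key`, so two users in the same language and experiment bucket share one cache entry.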
A CDN is upstream of your API Gateway. The CDN handles geography, caching, and DDoS at the edge; the gateway handles routing, auth, and rate limits per app. They compose.