Content Delivery Networks: Moving Bytes Closer to Users

TL;DR: A CDN is a globally distributed cache and security front door. It terminates TLS near the user, serves cacheable content from the edge, and forwards only misses to your origin. Cloudflare operates in 330+ cities with 500 Tbps of capacity ^[1]. Netflix Open Connect pre-positions video content across 1,000+ ISP-embedded appliances ^[2]. A well-tuned CDN achieves 90 to 99% cache hit ratio ^[3], meaning your origin handles 1 to 10% of traffic. Push aggressively to edge; 95%+ hit rate is the bar for static assets.

Learning Objectives#

After this module, you will be able to:

• Explain how anycast routing and GSLB direct users to the nearest edge
• Design cache keys and TTLs for dynamic and static content
• Use stale-while-revalidate, stale-if-error, and soft purges to hide origin failures
• Reason about cache hit ratio, origin offload, and egress cost
• Decide what belongs at the edge vs the origin vs the client
• Evaluate edge compute platforms and their execution constraints

Intuition#

Imagine a bookstore chain with one massive warehouse in Kansas. Every customer order ships from that warehouse. Customers in New York wait two days; customers in Tokyo wait two weeks. The fix is obvious: open small stores in every major city, stock them with bestsellers, and ship only rare titles from the warehouse.

A CDN does exactly this for HTTP traffic. Instead of every request traveling to your origin server (the warehouse), each user connects to the nearest point of presence (the local store). The PoP stocks popular content in memory and on disk. Only cache misses travel back to origin. The result: a round trip that would take 200 ms from New York to Sydney drops to under 20 ms to the nearest metro PoP. That latency win requires zero code changes. It is the single largest performance improvement available to any web application.

The tension is the same as in retail: how do you keep the local stores stocked with the right inventory (freshness), without overstocking (memory cost), and without selling yesterday's newspaper (staleness)? That is the substance of this chapter.

Theory#

Why CDNs exist#

Three forces make CDNs non-optional for any public-facing application:

The speed of light. A round trip from New York to Sydney is about 200 ms on ideal fiber. TCP handshake plus TLS 1.3 already consumes two RTTs before the first byte of response. Shortening that path to the nearest metro, often under 20 ms, eliminates the dominant latency component. Cloudflare targets less than 50 ms to 95% of Internet users ^[4] by operating data centers in 330+ cities across 125+ countries ^[1:1][5].

Origin offload. A site with heavy static assets regularly achieves 90 to 99% cache hit ratio at the edge ^[3:1][6]. That means the origin handles 1 to 10% of incoming request volume. This multiplier is what lets small origin fleets survive viral events without autoscaling panic.

DDoS absorption. A CDN with 500 Tbps of capacity can absorb volumetric attacks that would saturate any single origin. In October 2024, Cloudflare autonomously mitigated a 5.6 Tbps UDP flood from a Mirai-variant botnet in 80 seconds, with no human intervention ^[7]. Across 2024, Cloudflare blocked 21.3 million DDoS attacks, averaging 4,870 per hour ^[7:1].

Architecture: anycast, PoPs, and origin shield#

A PoP (point of presence) is a physical cluster of cache servers colocated at or near an Internet exchange point. User traffic reaches the correct PoP via one of two mechanisms:

BGP anycast announces a single IP from every PoP. Routers on the path pick the topologically nearest announcement via BGP. Cloudflare and Fastly rely primarily on anycast ^[8]. If a PoP fails, BGP withdraws the route and traffic shifts in seconds, with zero DNS TTL dependence.

DNS-based GSLB (Global Server Load Balancing) returns a different A/AAAA record per geography based on resolver IP or EDNS Client Subnet. Akamai and CloudFront historically use this approach ^[9]. The downside: failover depends on DNS TTLs, which can stick users to a suboptimal PoP for minutes.

In 2026, anycast has mostly won for new deployments. It gives automatic failover, simpler configuration, and no DNS propagation delay. GSLB remains relevant for fine-grained geo-steering and compliance routing.

Both approaches feed into a tiered cache hierarchy:

User requests resolve via anycast to the nearest edge PoP; misses escalate through regional cache and origin shield before reaching origin.

Without Origin Shield, each regional cache independently fetches from origin. A viral asset can generate multiple parallel origin requests on CloudFront (one per regional edge cache) ^[9:1]. With Origin Shield enabled, all regional caches proxy through a single designated PoP, and the origin sees one request per object ^[10]. Request collapsing at the shield handles concurrent in-flight misses for the same key.

Cache keys and hit rates#

The cache key is the tuple of (scheme, host, path, query string, selected headers) that uniquely identifies a cached object. Anything not in the key is ignored; anything added to it fragments the cache and kills hit rate.

The golden pattern for static assets: long TTL (max-age=31536000, immutable) plus hash-busting URLs (/assets/app.a3f2b1.js) ^[11]. New deploys never collide with cached versions. Hit rate approaches 100%.

The Vary trap: Vary tells caches which request headers must match for a hit. Vary: Accept-Encoding is fine (2 to 3 variants). Vary: User-Agent shatters the cache into thousands of near-duplicate variants and drops hit rate from 95% to single digits ^[3:2]. Normalize at the edge: map User-Agent to "mobile"/"desktop"/"bot" before keying.

Revalidation: ETag plus If-None-Match returns 304 Not Modified on match, saving bandwidth even when freshness is short ^[12].

Target hit rates: 95%+ for static assets, 40 to 60% for dynamic API responses with short TTLs, below 10% means something is broken (usually Vary or cookies in the key).

Purge and invalidation#

Invalidation tells the CDN that a cached object is no longer fresh. Three granularities exist:

URL purge invalidates one object. Simple but does not scale when a CMS edit affects hundreds of pages.

Tag-based purge (surrogate keys) is the industry's answer. The origin attaches space-delimited keys via the Surrogate-Key header: Surrogate-Key: user-542 user-pics template-pic-show. A single API call invalidates every object tagged with that key, globally, in a mean of 150 ms on Fastly ^[13][14]. Discord, Webflow, and Anthropic use this pattern to keep rapidly-mutating content cacheable with long TTLs ^[13:1].

Soft purge marks objects stale rather than deleting them, so stale-while-revalidate can still serve them while origin catches up ^[15]. This turns an invalidation into a revalidation rather than a cold fetch, avoiding origin stampedes.

Wildcard/prefix purge invalidates all objects matching a path pattern. CloudFront charges per path after the first 1,000 per month ^[16].

Tag-based purge propagates through a globally replicated invalidation bus; Fastly reports 150 ms mean end-to-end propagation ^[14:1].

Edge compute#

Edge compute runs user code in the CDN PoP, in the request/response path, so personalization, auth, A/B routing, and image transforms happen without a round trip to origin.

Cloudflare Workers runs multi-tenant V8 isolates. Cold start is under 5 ms. Limits: 10 ms CPU (free), up to 5 minutes CPU per HTTP request (paid, default 30 seconds), 128 MB memory per isolate, and up to 6 simultaneous open connections including TCP sockets via the connect() API ^[17][18].

Fastly Compute compiles to WebAssembly on Wasmtime. Cold starts are under 50 microseconds for lightweight modules ^[19]. True polyglot: Rust, Go (TinyGo), JavaScript (Javy).

AWS Lambda@Edge runs full Node.js/Python at CloudFront's regional edge caches. Cold starts of 50 to 200 ms, deploys that take minutes to propagate, but longer execution limits (up to 30 seconds) ^[20][21].

A Worker intercepts the request, checks the edge cache, and decides whether to serve cached content, fetch from origin, or respond directly.

Be blunt: edge compute is a request-shaping layer for most workloads, not a drop-in general-purpose runtime. Free-tier CPU budgets (10 ms on Workers) rule out heavy per-request work; even with Workers Paid allowing up to 5 minutes of CPU per request, cold-path latency, memory caps (128 MB per isolate), and the lack of local disk make the edge the wrong home for stateful backends. Use it for header manipulation, auth token validation, A/B splits, and personalization stamps on cached templates. Do not try to run your application server at the edge.

Streaming at the edge#

Video streaming is the CDN's heaviest workload. HLS (HTTP Live Streaming) and DASH (Dynamic Adaptive Streaming over HTTP) segment video into 2 to 10 second chunks (6 seconds is the HLS default) ^[22]. Each segment is a cacheable HTTP object. The manifest file lists available bitrates and segment URLs; the player fetches segments sequentially.

Low-Latency HLS (LL-HLS) targets 2 to 3 seconds glass-to-glass latency by using partial segments and blocking playlist reloads ^[22:1]. This pushes CDN requirements toward sub-second TTLs on manifest files while keeping segment TTLs long.

Netflix Open Connect is the extreme case: a private CDN with custom appliances deployed to 1,000+ ISP partners ^[2:1][23]. OCAs are push-filled during off-peak windows (2 am to 2 pm local time) so peak-hour bandwidth is 100% outbound, never inbound ^[24]. Netflix serves 325 million paid subscribers (Q4 2025) and logged 96 billion hours of viewing in H2 2025 alone ^[25].

Security at the edge#

Because all traffic transits the CDN, the edge is the right place to inspect, rate-limit, and drop hostile requests before they consume origin resources.

WAF rules match request signatures (OWASP Top 10 patterns, custom regex) and block at the edge. Ship with a staging mode first; false positives have repeatedly taken legitimate traffic down.

DDoS mitigation runs in eBPF/XDP on the network card. Cloudflare's l4drop program drops packets matching attack fingerprints before they reach user space. dosd broadcasts fingerprints colo-wide in seconds so every server in a PoP converges on the same drop list ^[1:2].

Bot management combines TLS fingerprinting (JA3/JA4), header ordering, behavioral analysis, and challenge responses (Cloudflare Turnstile) to separate legitimate browsers from headless crawlers ^[1:3].

Dropping attack traffic at 500 Tbps of absorbed capacity is the only economical answer to volumetric DDoS ^[5:1][7:2]. Rate-limiting at the edge protects origin login and checkout endpoints from credential stuffing without adding origin latency.

Real-World Example#

Netflix Open Connect: the world's largest private CDN#

Netflix delivers 100% of its video traffic through Open Connect, a purpose-built CDN serving tens of terabits per second of simultaneous peak traffic ^[2:2]. The system serves 301 million paid subscribers who watched 94 billion hours in H2 2024 ^[25:1].

Architecture. Netflix designs and ships custom appliances (OCAs) to ISPs that qualify on traffic volume. OCAs are also deployed at Netflix-operated IXP colocation sites across 60+ data centers ^[23:1]. Content is pre-positioned, not pulled on demand. A nightly fill window copies that day's predicted-popular encodes to every appliance before peak hours begin ^[24:1].

Why private? No public CDN would have been cost-effective at Netflix's scale. Open Connect appliances are given to ISPs free because both sides save transit cost ^[2:3][23:2]. The ISP avoids paying for upstream bandwidth; Netflix avoids paying CDN egress fees on petabytes of daily traffic.

Routing. Clients resolve a Netflix domain that returns an OCA selected by the Open Connect control plane based on ISP, appliance health, and geography. If an ISP's embedded OCA is down, the control plane routes to a second embedded OCA, then to a nearby IX OCA, then to a regional data center OCA ^[23:3].

The push-fill pattern. OCAs do not pull through on demand. They pre-load during the ISP's off-peak window (typically 2 am to 2 pm local time). This shifts 100% of peak-hour OCA traffic to egress with zero peak-hour ingress ^[24:2]. The result: predictable bandwidth usage, no cache-miss storms during prime time.

Failure mode. The November 2024 Jake Paul vs Mike Tyson live event exhibited widespread buffering and app crashes. Analysis attributed degradation to origin/egress congestion rather than Open Connect's steady-state CDN ^[26]. Live streaming is qualitatively different from VOD, even for a CDN of this scale.

On hit, the client gets sub-20ms response. With stale-while-revalidate, even expired content is served instantly while the edge refreshes in the background.

Trade-offs#

Common Pitfalls#

Exercise#

Design Challenge: You are building the CDN strategy for a video-on-demand platform with 100M MAU, 1080p default resolution, and a 4 PB content library. Design the caching, invalidation, and delivery architecture. Consider: where does content live at the edge? How do you handle new releases vs long-tail catalog? What is your purge strategy when a title is removed for licensing?

Key Takeaways#

• A CDN is a cache first, a compute platform second. Cache hit ratio is the metric that matters. Target 95%+ for static assets.
• The speed-of-light argument is not rhetorical: 200 ms NYC-to-Sydney RTT drops to under 20 ms to the nearest PoP. This is the largest latency win available without code changes.
• Long TTLs plus hash-busting URLs (app.a3f2b1.js with max-age=31536000, immutable) are the highest-leverage CDN pattern ever invented ^[11:1].
• Stale-while-revalidate hides origin failures and latency. It is nearly free to enable and should be on every cacheable response ^[12:1].
• Tag-based purge (surrogate keys) lets you cache aggressively with long TTLs and still invalidate in 150 ms globally ^[13:2][14:3].
• Edge compute is a request-shaping layer, not a general runtime. Workers caps CPU at 10 ms (free) or up to 5 minutes (paid, default 30 seconds) and memory at 128 MB per isolate. Use it for auth, A/B splits, and personalization stamps.
• Your CDN is a single point of failure. The 2021 Fastly outage took down half the internet for an hour ^[29:1]. Multi-CDN is a resilience pattern for any tier-1 product.

Further Reading#

• Cloudflare: 500 Tbps of capacity, 16 years of scaling - Concrete 2026 network numbers, architecture of l4drop/Unimog/Quicksilver; read to understand how a modern CDN absorbs 5+ Tbps attacks.
• Netflix Open Connect program overview - The canonical source for the private-CDN model; explains why Netflix builds its own hardware and gives it to ISPs for free.
• Fastly: Surrogate Keys Part 1 - The founding blog post for tag-based purge; explains the Surrogate-Key header and why URL-based purge does not scale for CMS workloads.
• RFC 5861: Cache-Control Extensions for Stale Content - The spec behind stale-while-revalidate and stale-if-error; short, readable, and immediately actionable.
• AWS CloudFront: Increase origin offload - Cache hit ratio math, Origin Shield architecture, and practical tuning for CloudFront deployments.
• High Performance Browser Networking by Ilya Grigorik - The definitive free reference on HTTP caching, TLS latency, and network performance; read Chapter 11 before designing any CDN strategy.
• Fastly 2021 outage retrospective (Reuters) - The case study for single-CDN risk; one valid config change triggered a latent bug that took down 85% of the network.
• Cloudflare DDoS Threat Report 2024 Q4 - 5.6 Tbps mitigation details and full-year attack statistics; essential context for security-at-the-edge arguments.

Flashcards#

References#