CDN & Edge Networks

intermediate cdn edge anycast caching performance networking

A CDN (Content Delivery Network) is a global network of servers that caches our content close to users. Instead of every request hitting our origin server in us-east-1, a user in Mumbai gets served from a Mumbai cache.

In simple language: many copies of our static stuff, spread around the world, so the bytes don’t have to travel halfway around the planet.

This note focuses on the network mechanics — how the routing, caching, and origin protection work. (For the “what is a CDN” view in system design, that’s covered in HLD.)

Edge PoPs

A Point of Presence (PoP) is a CDN’s data center in a particular city. Cloudflare has 300+ PoPs. Akamai has 4000+. AWS CloudFront has 600+.

Each PoP holds:

  • A cache (fast SSD) for popular content.
  • Compute for edge functions (Cloudflare Workers, Lambda@Edge).
  • TLS termination — TLS handshake completes at the edge, not at origin.

The PoP closest to the user (by latency, not just by km) handles the request.

Anycast — How Routing Knows the Closest PoP

This is the magic. The CDN announces the same IP address from every PoP. When a user resolves cdn.example.com in DNS and gets, say, 172.67.1.1, every PoP in the world is announcing that IP via BGP.

The internet’s routing protocols naturally pick the shortest path to that IP. A user in Mumbai gets routed to the Mumbai PoP. A user in Tokyo gets routed to the Tokyo PoP. Same IP, different physical machines.

# See how routing differs by location with traceroute
traceroute 172.67.1.1
# From Mumbai - hits Mumbai PoP
# From Tokyo - hits Tokyo PoP

Compare this to unicast (each server has a unique IP), where DNS-based geo-routing is needed and is much sloppier.

Cache Hit vs Miss

When a request reaches a PoP, it checks its cache:

  • Cache hit — content is in the local SSD. Served in under 10 ms. The origin never sees this request.
  • Cache miss — content is not cached (first request, or cache expired). The PoP fetches from origin, serves to the user, and stores a copy.

# Cloudflare returns this header so we can see hit rate
CF-Cache-Status: HIT
CF-Cache-Status: MISS
CF-Cache-Status: EXPIRED
CF-Cache-Status: REVALIDATED

Cache hit ratio is the single most important CDN metric. 95%+ is the goal for static assets. Below 80% means cache rules need work.

Cache Control

The origin tells the CDN how long to cache via Cache-Control headers.

Cache-Control: public, max-age=31536000, immutable

  • max-age — seconds the response can be cached.
  • immutable — content will never change (great for hashed asset filenames like app.a8f3.js).
  • s-maxage — overrides max-age just for shared caches (CDNs).

Origin Shielding

Without shielding, every PoP that gets a cache miss hits the origin directly. With 300 PoPs, that’s 300 origin requests for one popular item right after a deployment.

Origin shield designates one regional PoP to be the parent. All other PoPs miss to the shield first. Only the shield can hit the origin. This collapses 300 origin requests into one.

User -> Mumbai PoP (miss)
       -> Singapore Shield (miss)
       -> Origin in us-east-1 (one request)

User -> Tokyo PoP (miss)
       -> Singapore Shield (HIT this time)
       -> No origin request
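The Cache-Control rules and the shield topology above, as an added simulation (not code from this note or from any CDN vendor): it parses Cache-Control the way a shared cache would, models PoPs as TTL stores that miss to a parent, and counts origin requests with and without a shield. The asset URL, TTLs and the 300-PoP count are constructed inputs.

```python
def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    out = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            out[name.lower()] = arg or None
    return out

def shared_ttl(value):
    """TTL in seconds for a shared cache (CDN PoP); 0 = do not cache. s-maxage beats max-age."""
    d = parse_cache_control(value)
    if "no-store" in d or "private" in d:
        return 0
    for name in ("s-maxage", "max-age"):
        if d.get(name) is not None:
            return int(d[name])
    return 0

class Origin:
    def __init__(self, cache_control):
        self.cache_control = cache_control  # constructed: origin sends this on every response
        self.requests = 0                   # how many fetches actually reached the origin
    def fetch(self, url, now):
        self.requests += 1
        return ("body-of-" + url, self.cache_control), "ORIGIN"

class Pop:
    """An edge (or shield) cache; `parent` is the shield PoP or the Origin itself."""
    def __init__(self, parent):
        self.parent = parent
        self.store = {}  # url -> (response, expires_at)
    def fetch(self, url, now):
        entry = self.store.get(url)
        if entry and now < entry[1]:
            return entry[0], "HIT"
        response, _ = self.parent.fetch(url, now)  # a miss goes to the parent, not straight to origin
        ttl = shared_ttl(response[1])
        if ttl > 0:
            self.store[url] = (response, now + ttl)
        return response, ("EXPIRED" if entry else "MISS")

def origin_requests(n_pops, cache_control, shielded, now=0):
    """Each of n_pops PoPs takes one cold miss for the same URL; return the origin request count."""
    origin = Origin(cache_control)
    parent = Pop(origin) if shielded else origin
    for _ in range(n_pops):
        Pop(parent).fetch("/app.a8f3.js", now)
    return origin.requests
```

With a cacheable response, 300 unshielded PoPs produce 300 origin requests and the shielded topology produces one; with no-store the shield cannot help, which is why uncacheable responses defeat shielding entirely.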

Push vs Pull CDN

  • Pull CDN (the standard) — we just put content on our origin. The CDN pulls it on first cache miss. Auto-managed. CloudFront, Cloudflare, Fastly all default to pull.
  • Push CDN — we explicitly upload content to the CDN ahead of time. Used for huge static archives, software downloads, video catalogs where pull-on-miss latency is unacceptable.

For most apps, pull is the right answer. Less ops work.

Signed URLs

For private content (premium video, paid downloads), we don’t want a public URL. Signed URLs include a cryptographic signature and expiry time.

https://cdn.example.com/video.mp4?Expires=1715000000&Signature=abc123...

The CDN validates the signature at the edge. Tampered or expired URLs are rejected without ever touching the origin. Used heavily by AWS S3 + CloudFront, Google Cloud CDN, and video platforms.
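An added example of the signed-URL check as the edge would run it (not this note's code and not any vendor's scheme; CloudFront, for instance, signs with its own key pairs). It uses an HMAC over path plus expiry with a constructed demo secret; the Expires and Signature parameter names follow the URL shown above.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret; in practice it is held only by the signing service and the edge.
SECRET = b"demo-edge-signing-secret"

def _message(path, expires):
    # The signature covers the path and the expiry, so changing either one breaks it.
    return f"{path}\n{expires}".encode()

def sign_url(url, expires, secret=SECRET):
    """Issue a signed URL: appends Expires and Signature query parameters."""
    parts = urlsplit(url)
    sig = hmac.new(secret, _message(parts.path, expires), hashlib.sha256).hexdigest()
    query = urlencode({"Expires": expires, "Signature": sig})
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{query}"

def verify_url(url, now, secret=SECRET):
    """Edge-side check. Returns (allowed, reason); a rejected request never reaches origin."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["Expires"][0])
        sig = qs["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing-params"
    expected = hmac.new(secret, _message(parts.path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so the edge does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"
```

Because the expiry is inside the signed message, extending Expires in the URL fails the signature check rather than buying more time.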

Cache Invalidation (Purge)

When we deploy new content, we want to evict old versions. Two strategies:

  • Versioned URLs (best) — app.v123.js -> app.v124.js. New URL means new cache key. Old version naturally fades.
  • Purge API — call the CDN: “drop this URL from all PoPs.” Slower (seconds to minutes to propagate), and rate-limited.

The “name things with a hash” pattern is dramatically better than purging.

What CDNs Do Beyond Caching

Modern CDNs are full-stack edge platforms:

  • DDoS scrubbing — absorb volumetric attacks at the edge.
  • WAF — filter malicious requests before they reach origin.
  • Edge compute — run JS/Wasm at the edge (Cloudflare Workers, Lambda@Edge).
  • TLS termination — the cert lives at the edge; the origin can be HTTP-only inside a VPC.
  • Image optimization — resize/compress on the fly.

Interview Tip

When asked “how does a user in India get served from an India server?” — the answer is anycast routing (everyone advertises the same IP, BGP picks the shortest path). This single insight separates surface-level CDN knowledge from real understanding.