A CDN turns “load assets from a single server in Virginia” into “load from the PoP closest to you, in 20ms.” Every user-facing service uses one. This post is the design.

The hierarchy

User
  ↓ DNS resolves to anycast IP
Edge PoP (closest)            ← cache hit? serve. else fetch
  ↓ on miss
Regional cache                ← cache hit? serve. else fetch
  ↓ on miss
Origin shield                 ← cache hit? serve. else fetch from origin
  ↓ on miss
Origin (your server)

Three tiers absorb load. Origin sees only what’s not cached anywhere. For popular content, origin sees 0.1% of total traffic.

Anycast

A CDN announces its IPs from many PoPs via BGP. Internet routing sends each user’s traffic to the nearest one. No DNS tricks; the network does it.

This is what makes “CDN.example.com → IP 1.2.3.4” usable globally. The IP is announced from 200+ locations.

Cache key

cache_key = host + path + query_string + accept_encoding

Modern CDNs let you customize: ignore certain query params (analytics tracking shouldn’t bust cache), include cookies for personalized routes.

Cache headers

Origin tells the CDN what to cache:

Cache-Control: public, max-age=3600, s-maxage=86400
  • max-age: how long the client (browser) cache may treat the response as fresh.
  • s-maxage: the same for shared caches (the CDN); it overrides max-age there and is often longer.
  • stale-while-revalidate=60: serve stale up to 60s while fetching fresh.
  • stale-if-error=86400: serve stale up to 24h if origin is down.

The last two, SWR and SIE, are what keep a site up when the origin is down; modern CDNs support both.
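The two sections above (cache key and cache headers) as one added example, not code from the post: a shared-cache key builder that strips analytics parameters and keys on allowlisted cookies only (so one user's personalized response is never served to another), plus the freshness decision a CDN makes from the directives listed above. The ignored-parameter list and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query params that never change the response; dropped so they don't bust the cache.
# Constructed allowlist for this example, not any CDN's default.
IGNORED_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "fbclid", "gclid"}


def cache_key(url, accept_encoding="", cookies=None, vary_cookies=()):
    """host + path + normalized query + encoding (+ allowlisted cookies only)."""
    u = urlsplit(url)
    params = sorted((k, v) for k, v in parse_qsl(u.query, keep_blank_values=True)
                    if k not in IGNORED_PARAMS)
    # Collapse "gzip, deflate, br" style lists to one token so clients with
    # differently ordered Accept-Encoding headers share a cache entry.
    enc = "br" if "br" in accept_encoding else "gzip" if "gzip" in accept_encoding else "identity"
    key = f"{u.hostname.lower()}{u.path or '/'}?{urlencode(params)}|{enc}"
    # Personalized routes: key on named cookies, never the whole Cookie header
    # (whole-header keying fragments the cache; no cookie keying leaks responses).
    for name in vary_cookies:
        key += f"|{name}={(cookies or {}).get(name, '')}"
    return key


def parse_cache_control(header):
    """'public, max-age=3600' -> {'public': True, 'max-age': 3600}."""
    directives = {}
    for part in header.split(","):
        k, _, v = part.strip().partition("=")
        if k:
            directives[k.lower()] = int(v) if v.isdigit() else True
    return directives


def decide(cc, age, origin_healthy):
    """What a shared cache does with an entry of the given age (seconds).

    Returns 'fresh', 'stale-revalidate', 'stale-error' or 'fetch'.
    """
    if "no-store" in cc or "no-cache" in cc or "private" in cc:
        return "fetch"  # a shared cache must not serve these from cache
    ttl = cc.get("s-maxage", cc.get("max-age", 0))  # s-maxage wins for the CDN
    if age <= ttl:
        return "fresh"
    over = age - ttl
    if over <= cc.get("stale-while-revalidate", 0):
        return "stale-revalidate"  # serve stale now, refresh in the background
    if not origin_healthy and over <= cc.get("stale-if-error", 0):
        return "stale-error"  # origin down: serve stale rather than fail
    return "fetch"
```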

Cache hierarchy

Edge PoPs are small (memory, fast SSD). Regional caches are bigger. Origin shield is biggest.

A hot asset is in every edge. A medium-popularity asset is in the regional. Long-tail goes to shield → origin.

The hierarchy means: even when an edge cache misses, the request usually hits the regional or shield, not origin. Origin load stays low.

Purges and invalidation

Three flavors:

  • Tag-based: every cached response has tags; purge by tag (cf-tag: blog-post-42). Cloudflare and Fastly support this.
  • URL-based: purge specific URL.
  • Surrogate keys: similar to tags.

Purges propagate in seconds across the global network.

Streaming / origin pulls

For assets that update (HLS chunks, live streams), short TTLs + origin pulls per chunk. CDN serves what it has; misses fetch from origin.

For video streaming, the CDN does most of the work.

Edge compute

Modern CDNs run code at the edge. Use cases: A/B routing, auth, image transforms, geo-rules, header rewrites.

Capacity arithmetic

For a service with 1B requests/day at 99% cache hit:

  • Origin sees: 10M requests/day = ~120 req/sec average.
  • CDN serves: 990M requests/day from cache.
  • A small Postgres + Hono service handles origin trivially.

The CDN does 99% of the work for ~$0.01/GB. Without it, you’d run a fleet.

Cost

Egress from CDNs:

  • Cloudflare: free tier; paid tiers cheap.
  • Fastly: pay per GB.
  • AWS CloudFront: pay per GB; expensive at scale.
  • Bunny: very cheap ($0.005–0.01 / GB).

Pick by volume. For startups, Cloudflare’s free tier is generous.

Common considerations

  • HTTPS everywhere: CDN terminates TLS at the edge.
  • HTTP/2 + HTTP/3: standard at modern CDNs; massive perf wins.
  • DDoS protection: built-in at major CDNs.
  • Image optimization: Cloudflare Polish, Fastly IO, etc. Auto-WebP / AVIF.

Read this next

If you want a Cloudflare + signed URL + image pipeline reference, it’s at rajpoot.dev.

Building something AI-, backend-, or data-heavy and want a second pair of eyes? I do consulting and freelance work — see my projects and ways to reach me at rajpoot.dev.