Content Delivery Networks (CDN)

In 2013, Cloudflare’s network was hit with the largest DDoS attack in internet history — 300Gbps targeting Spamhaus. Instead of crashing, Cloudflare’s PoP network absorbed it by distributing traffic across hundreds of edge nodes. No origin server saw more than normal traffic. That same year, BBC’s iPlayer went down for 2 hours during the Queen’s Diamond Jubilee because their CDN configuration was wrong — dynamic API responses had been accidentally cached, and every Briton who tried to watch the live stream got a stale response. CDNs can save you or break you depending on exactly what you cache.

[!IMPORTANT] In this lesson, you will master:

  1. Light-Speed Constraints: Why physical distance is the ultimate bottleneck in global system design.
  2. Anycast DNS: How the Border Gateway Protocol (BGP) routes users to the nearest hardware PoP.
  3. Edge Compute: Moving logic from heavy origin servers to lightweight V8 Isolates at the edge.

[!TIP] Interview Insight: If asked “How do you scale a news website?”, the answer is almost always CDN. It offloads 95%+ of traffic from your servers.

CDN (Content Delivery Network) does this for data.

[!NOTE] Hardware-First Intuition: The “Speed of Light” Penalty. No matter how fast your CPU is, you cannot beat physics. Light travels through fiber-optic cables at roughly 200,000 km/s. This means a round trip from New York to London (5,500km) takes at least 55ms just for the photons to travel, even if your server response time is 0ms. CDNs use BGP Anycast to ensure users hit a server in their own city, bypassing the trans-oceanic light-speed bottleneck entirely.

2. Under the Hood: How it Works

A. Points of Presence (PoPs)

A CDN isn’t one server; it’s thousands of servers scattered across the globe. These locations are called PoPs (Points of Presence).

  • Origin Server: The “Source of Truth” (Your S3 Bucket or EC2 instance).
  • Edge Server: The CDN server physically closest to the user.

B. Anycast DNS (The Magic)

How does the user find the nearest PoP?

  • The Unicast Baseline: As established in our Network fundamentals, normal Unicast routing means one IP address equals one specific physical server.
  • The Anycast Solution: One IP address (e.g., 1.1.1.1) maps to multiple physical servers globally. See Load Balancing (Anycast).
  • When you ping 1.1.1.1, the BGP (Border Gateway Protocol) automatically overrides standard routing rules to dynamically route you to the physically closest edge server.

[!TIP] Try it yourself: Click a User Location (e.g., Tokyo) to see how BGP routes you to the closest server (AP-NORTHEAST).

Anycast DNS Simulator

Click a User Location to see how BGP routes to the nearest IP: 1.1.1.1
🖥️
US-EAST
1.1.1.1
🖥️
EU-WEST
1.1.1.1
🖥️
AP-NORTHEAST
1.1.1.1
Waiting for ping...

3. The Security Shield: DDoS Protection

CDNs act as a massive distributed shield. When a DDoS Attack (Distributed Denial of Service) happens, millions of bad requests flood the target IP.

  • Without CDN: Your single origin server gets 1M req/sec. It dies instantly.
  • With CDN: The 1M requests are scattered across 200+ PoPs globally.
  • PoP A takes 5000 requests.
  • PoP B takes 5000 requests.
  • The attack is diluted by the sheer size of the CDN network.

[!TIP] Try it yourself: Launch a DDoS Attack and watch the Shield (CDN) absorb the hits, protecting the Origin.

🤖
🤖
🤖
Origin
Safe

4. Controlling the Cache (Headers)

How does the CDN know what to cache and for how long?

A. Cache-Control

The most important HTTP header.

  • public: Can be cached by anyone (CDN, ISP, Browser).
  • private: Can only be cached by the User’s Browser (e.g., “My Profile” page).
  • no-store: Never cache anything (Banking data).
  • max-age=3600: Cache for 1 hour (3600 seconds).
  • s-maxage=3600: Shared Max Age. Overrides max-age for CDNs only. Useful if you want browsers to cache for 1 minute (max-age=60) but CDNs for 1 hour.

B. Invalidation (Purging)

What if you update your website? The CDN still has the old version!

  1. TTL Expiry: Wait for max-age to expire (Passive).
  2. Purge: Manually tell the CDN “Delete /index.html”. This propagates globally in seconds (Active).
  3. Versioning: Change the filename (style-v2.css). This forces a cache miss.

5. The Future: Edge Computing (Workers)

Modern CDNs (Cloudflare, AWS CloudFront) are no longer just “dumb caches”. They run code.

Edge Workers allow you to execute JavaScript/WASM functions at the PoP, milliseconds away from the user.

Why do we need this?

Normally, any logic (Authentication, Database Logic) requires a trip to the Origin Server (Slow). Edge Workers let you run small pieces of logic at the Edge (Fast).

Common Use Cases

  1. Authentication: Verify a JWT token at the edge. If invalid, reject the request immediately (latency: 10ms). Don’t even bother the Origin.
  2. A/B Testing: Assign a user to “Experiment Group A” or “B” at the edge and serve different HTML.
  3. Custom Headers: Add security headers (HSTS, X-Frame-Options) on the fly.
  4. Geo-Routing: Detect user country and redirect to uk.site.com or us.site.com instantly.

Edge Auth Flow

👤
User
Request
Edge Worker
if (valid_token) { pass() } else { block() }
🖥️
Origin Server
🖥️
403 Forbidden

Example: Cloudflare Worker

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  // 1. Check Auth at the Edge (No trip to Origin!)
  const token = request.headers.get('Authorization')
  if (!isValid(token)) {
  return new Response('Forbidden', { status: 403 })
  }

  // 2. Personalize
  return new Response('Hello from the Edge!', { status: 200 })
}

Staff Engineer Tip: The V8 Isolate Advantage. Unlike Lambda functions that run in heavy Docker containers (causing “Cold Starts” of 500ms+), Edge Workers often use V8 Isolates. This allows Cloudflare/Fastly to spin up a worker in under 5ms. Isolates don’t have their own memory heap in the same way; they share the process but stay securely sandboxed. This is why Edge Computing is the only way to perform logic without breaking your 100ms latency budget.

6. Interactive Demo: Global Latency Map & Purge

Visualize the speed of light.

  • Origin: San Francisco (USA).
  • User: London (UK).
  • Action: Fetch via CDN. The first time is slow (Miss). The second time is fast (Hit).
  • Purge: Clear the cache and force a new Miss.
  • Edge Worker: Simulate logic running at the edge (no trip to Origin).

[!TIP] Try it yourself: Click “Fetch via CDN”. The first time is slow (Miss). Click again—it’s instant (Hit). Then try “Edge Worker Mode”.

USA
EU
🖥️
User (London)
Edge (London)
🖥️
Origin (SF)
Requests: 0 | Hit Ratio: 0%

7. Summary

  • Security: CDNs also provide DDoS protection (they act as a giant shield).

Staff Engineer Tip: For non-cacheable (dynamic) data, CDNs offer Dynamic Acceleration. Instead of the user routing over the “Public Internet” (many hops, unpredictable latency), the CDN routes the request over their private Tier 1 Backbone. They also keep “Warm” TCP/TLS connections open between the Edge and the Origin, saving the expensive 3-way handshake time for every user.

Mnemonic — “Edge = Speed, Origin = Truth”: CDN Edge = fast cache close to user (may be stale). Origin = slow but always fresh. Maximize Edge serving with high max-age for static assets. For emergencies: active Purge clears edge instantly. For safe deploys: Versioning (style-v2.css) gives a clean cache miss without affecting live users.