Content Delivery Network (CDN) is a geographically distributed network of servers that caches and delivers content to users from the nearest point of presence (PoP - Point of Presence). CDN is critical for modern web applications, reducing latency and load on origin servers.
Source
Acing the System Design Interview
Chapter about CDN with a detailed analysis of architecture and trade-offs.
Why do you need a CDN?
- Reduced latency: content is delivered from the nearest edge server
- Unloading origin: most requests are processed on edge
- Scalability: horizontal scaling by geography
- Fault tolerance: if one PoP is unavailable, traffic goes to another
- DDoS protection: distributed infrastructure absorbs attacks
Functional Requirements
Core functions
- Caching static content
- Geographic routing
- Cache invalidation
- Origin failover
Advanced Features
- Dynamic content acceleration
- Edge computing
- SSL/TLS termination
- Request/response transformation
Non-functional requirements
| Requirement | Target value | Rationale |
|---|---|---|
| Latency | < 50ms (p99) | The user does not have to wait for loading |
| Cache Hit Ratio | > 95% | Minimizing the load on origin |
| Availability | 99.99% | CDN - Critical Infrastructure |
| Throughput | Tbps+ | Serving global traffic |
CDN architecture
System components
1. DNS-based Routing
GeoDNS or Anycast DNS determines the closest PoP to the user. The DNS server returns the IP address of the edge server with minimal latency.
2. Edge Servers (PoP)
Caching servers at points of presence. Process user requests, return content from the cache or proxy to origin.
3. Origin Shield
Intermediate caching layer between edge and origin. Aggregates cache misses from multiple PoPs, protecting origin from load.
4. Origin Server
Source server with content. The CDN only accesses it when there is a cache miss.
CDN Request Flow
Ready to run
Press a button to demo the flow
Push vs Pull CDN
Push CDN
Content is loaded onto edge servers in advance, before the user’s first request.
Advantages:
- No cold start - content is already on edge
- Predictable Performance
- Full control over distribution
Flaws:
- Requires manual control
- Excessive storage of rare content
- Synchronization difficulty
Pull CDN
Content is cached on edge at the first user request (lazy caching).
Advantages:
- Automatic caching
- Efficient use of storage
- Easy to set up
Flaws:
- Cold start for the first user
- Load on origin with cache miss
- Less predictable latency
Cache Invalidation
One of the most difficult problems in CDN is invalidation of outdated content. There are several strategies:
Cache Invalidation Strategies
TTL-based Expiration
Content expires automatically after a configured Time-To-Live (TTL)
Advantages
- •Simple setup via HTTP headers
- •No CDN API integration required
- •Predictable cache behavior
Drawbacks
- •Update delay until TTL expires
- •Hard to pick an optimal TTL
- •No instant invalidation
Caching Strategies
What to cache?
| Content type | Cacheability | Recommended TTL |
|---|---|---|
| Static files (JS, CSS) | High | 1 year (with versioning) |
| Images | High | 1 month - 1 year |
| HTML pages | Average | 5 min - 1 hour |
| API responses (public) | Average | 1 min - 1 hour |
| Personalized Content | Low | Don't cache |
Cache Key Design
Cache key determines the uniqueness of a cache entry. Wrong design leads to cache pollution or low hit ratio.
# Simple key (URL only):
cache_key = hash(url)
# Extended key:
cache_key = hash(url + headers["Accept-Encoding"] +
headers["Accept-Language"] +
query_params["version"])
# Vary header tells the CDN which headers to include in the key:
Vary: Accept-Encoding, Accept-LanguageSecurity Considerations
DDoS Protection
- Rate limiting on edge
- Anycast for load balancing
- Scrubbing centers
- Bot detection
SSL/TLS
- TLS termination at edge
- Shared vs Dedicated certificates
- Origin connection encryption
- HSTS, OCSP stapling
Access Control
- Signed URLs / Signed Cookies
- Token authentication
- IP whitelisting
- Geo-blocking
Origin Protection
- Origin Shield layer
- Request coalescing
- Secret origin hostname
- Firewall rules (CDN IP only)
Metrics and monitoring
Percentage of requests served from cache
Time to First Byte - response latency
Amount of data transferred
Key alerts:
- Cache Hit Ratio < 90% → check TTL and cache keys
- Origin 5xx > 1% → problems with the origin server
- TTFB p99 > 100ms → check routing and origin latency
- Bandwidth spike → possible attack or viral content
Interview questions
How to ensure consistency with cache invalidation?
Use versioned URLs for immutable content, purge API for urgent updates, and stale-while-revalidate for a balance between freshness and performance.
How to protect origin from thundering herd with cache miss?
Request coalescing (one request to origin, the rest are waiting), Origin Shield, circuit breaker, and pre-warming cache for popular content.
Push or Pull CDN - when to use what?
Push for a small amount of critical content (software releases, main page assets). Pull for a large volume of user-generated content with long-tail distribution.
How to cache dynamic content?
Edge Side Includes (ESI), fragment caching, short TTL with stale-while-revalidate, or edge computing to generate personalized content on the edge.
Key Findings
- 1.CDN is critical for global scaling - reduces latency and load on origin
- 2.Cache invalidation is the main difficulty; use a combination of TTL, versioning and purge API
- 3.Origin Shield protects origin from cache miss storms and reduces load
- 4.Push vs Pull - the choice depends on the nature of the content and freshness requirements
- 5.Cache Hit Ratio > 95% is a key metric for CDN effectiveness