What a CDN Does
A Content Delivery Network caches content at edge Points of Presence (PoPs) geographically close to users, reducing latency and origin server load. A user in Tokyo hitting a CDN-cached asset fetches from a Tokyo PoP instead of a US-East origin — 5ms vs 200ms.
Architecture
Client → GeoDNS/Anycast → Edge Server → (cache hit: return)
→ (cache miss: L2 PoP cache)
→ (L2 miss: origin pull)
- GeoDNS: maps client IP to nearest PoP. Returns PoP’s IP in DNS response.
- Anycast: same IP advertised from multiple PoPs; BGP routes to nearest.
- Origin shield: designate one PoP as the sole origin gateway — all other PoPs pull through it, collapsing N PoP requests into 1 origin request.
Cache Hierarchy
- L1: edge server in-memory cache, TTL 5 minutes, ~10GB per server
- L2: shared SSD cache across servers in the PoP, TTL 1 hour, ~10TB per PoP
- L3: origin pull (with request coalescing to prevent thundering herd)
Cache Key and TTL
Cache key = scheme + host + path + normalized_query_string. Strip tracking params (utm_source, fbclid) before hashing. Support Vary: Accept-Encoding for gzip/br variants.
TTL from origin: Cache-Control: max-age=3600 sets both browser and CDN TTL. s-maxage=86400 overrides CDN TTL only (browser still gets 1h). Cache-Control: private prevents CDN caching entirely (for user-specific responses).
Request Coalescing
On a cache miss, if 100 concurrent requests arrive for the same URL, the edge server makes exactly one origin request and queues the other 99. When the origin responds, all 100 requests are served from the single fetched copy. Without coalescing, a cold edge server would fire 100 origin requests simultaneously (thundering herd).
Cache Invalidation
- URL purge: DELETE /cache?url=https://example.com/image.jpg — propagated to all PoPs via control plane message bus within seconds.
- Tag-based purge: tag assets with logical keys (e.g.,
product:42). When product 42 updates, purge all assets with that tag across all PoPs with one API call. Store tag→URL mapping in a distributed key-value store. - Prefix purge: purge all URLs matching /api/v1/products/* in bulk.
- Surrogate-Key header: origin sends
Surrogate-Key: product-42 category-5; CDN indexes assets by these tags.
Security at the Edge
- TLS termination at edge (not origin) — reduces handshake latency, centralizes cert management
- DDoS absorption: PoPs absorb volumetric attacks; origin never sees flood traffic
- WAF rules evaluated at edge: block SQLi, XSS, bad bots before requests reach origin
- Rate limiting per IP at edge layer
Dynamic Content Acceleration
For non-cacheable dynamic content: route through CDN for network optimization (TCP connection reuse, TLS pre-warming to origin, faster routing than public internet). Edge Side Includes (ESI) cache page fragments — cache the static header/footer, fetch only the personalized body from origin.
Data Model
CacheEntry: url_hash, etag, content_type, body_bytes, expires_at, tags[] PurgeJob: purge_id, type (URL|TAG|PREFIX), key, status, created_at, propagated_at PoP: pop_id, region, anycast_ip, capacity_tb, status
Key Design Decisions
- Cache at the edge, not in a central datacenter — the whole point is geographic proximity
- Coalesce origin requests to prevent thundering herd on cold cache or after purge
- Tag-based invalidation scales better than URL-by-URL purge for content-heavy sites
- Origin shield reduces origin load from O(PoPs) to O(1) per unique URL
{“@context”:”https://schema.org”,”@type”:”FAQPage”,”mainEntity”:[{“@type”:”Question”,”name”:”How does a CDN route requests to the nearest edge server?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”Two mechanisms: GeoDNS and Anycast. GeoDNS: the CDN's authoritative DNS server receives a DNS query, looks up the client's IP geolocation, and returns the IP of the nearest PoP. Different clients in different cities get different DNS responses. Anycast: the same IP address is advertised from multiple PoPs via BGP. Network routers automatically deliver packets to the topologically nearest PoP that advertises that IP. Anycast is faster (routing happens at the network level, not DNS) but GeoDNS offers more fine-grained control (can route by latency rather than just BGP topology). Most large CDNs use both: Anycast for the DNS servers themselves, GeoDNS for content routing.”}},{“@type”:”Question”,”name”:”What is request coalescing in a CDN and why does it matter?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”Request coalescing (also called request collapsing or thundering herd prevention) ensures that when a cache miss occurs, only one origin request is made even if hundreds of clients request the same URL simultaneously. The edge server marks the URL as "fetching" and queues all subsequent requests for it. When the origin response arrives, the edge serves all queued clients from the single fetched copy and populates the cache. Without coalescing: if 1000 users simultaneously request an uncached popular image, the edge fires 1000 concurrent origin requests, potentially overwhelming the origin server. After purge or cache expiry, coalescing is critical for high-traffic assets. Implementation: a per-URL mutex/lock on the edge server with a wait queue.”}},{“@type”:”Question”,”name”:”How does cache invalidation work at CDN scale?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”Three mechanisms: (1) URL purge: send a DELETE request to the CDN API with a specific URL. The CDN propagates the purge to all edge PoPs within seconds via a control plane message bus. (2) Tag-based purge (Surrogate Keys / Cache Tags): origin sends a Surrogate-Key header with logical tags (e.g., product:42). When product 42 is updated, a single API call purges all URLs tagged product:42 from all PoPs. This is far more efficient than tracking and purging individual URLs. (3) Prefix purge: purge all URLs matching a path prefix (e.g., /images/product-42/*). CDNs like Fastly, Cloudflare, and Varnish support tag-based purging. Most CDNs propagate purges globally within 1-5 seconds.”}},{“@type”:”Question”,”name”:”What is origin shield in a CDN and when should you use it?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”Origin shield designates one specific PoP as the sole gateway to the origin. All other edge PoPs, on a cache miss, fetch from the shield PoP rather than directly from origin. Benefits: (1) Reduces origin load from O(number of PoPs) to O(1) per unique URL — only the shield PoP ever hits origin. (2) Concentrates caching: if the shield PoP has a URL cached, no other PoP can miss to origin. (3) Consolidates origin connections: the shield maintains a warm connection pool to origin, reducing TCP and TLS overhead. Use origin shield when: origin has limited capacity, origin is expensive (e.g., database-backed), or content has uneven popularity (long-tail URLs that only cache-miss occasionally still benefit from a single origin path).”}},{“@type”:”Question”,”name”:”How does a CDN handle dynamic, personalized, or authenticated content?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”CDNs traditionally cache public static content. For dynamic content, three approaches: (1) Pass-through with acceleration: route requests through CDN for network optimization (TCP connection reuse, anycast routing, TLS pre-warming to origin) without caching. Reduces latency 20-40% even without caching. (2) Edge Side Includes (ESI): split the page into cacheable fragments (header, nav, product listing) and non-cacheable fragments (personalized recommendations, cart count). CDN assembles fragments at the edge. (3) Vary header: cache separate copies per header value (e.g., Vary: Accept-Language caches one copy per language). Use sparingly — each Vary dimension multiplies cache storage. For authenticated content: use short-TTL tokens or signed URLs; never cache responses with Set-Cookie unless Vary: Cookie is intentional.”}}]}
Amazon system design interviews cover CDN and content delivery at scale. See common questions for Amazon interview: CDN and content delivery system design.
Netflix system design covers CDN and adaptive video delivery. Review design patterns for Netflix interview: CDN and video delivery system design.
Snap system design covers media delivery and CDN architecture. See patterns for Snap interview: media delivery and CDN system design.