Low Level Design: CDN Internals

A Content Delivery Network (CDN) reduces latency and origin load by caching content at geographically distributed Points of Presence (PoPs) close to end users. Understanding CDN internals is essential for designing globally distributed systems with low-latency asset delivery, DDoS mitigation, and cache invalidation strategies.

Points of Presence and Anycast

CDNs operate PoPs in dozens or hundreds of cities. Anycast routing uses a single IP address advertised from multiple PoPs; BGP routes user traffic to the nearest PoP based on network topology. When a user in Tokyo requests cdn.example.com, BGP delivers them to the Tokyo PoP rather than the US origin. Anycast also provides DDoS absorption: attack traffic is spread across all PoPs rather than hitting a single origin.

Cache Hierarchy

CDNs use a two-tier cache hierarchy: edge nodes (PoPs close to users) and shield nodes (mid-tier aggregation layer between edge and origin). On an edge cache miss, the request goes to the shield node before hitting the origin. The shield node collapses multiple edge misses into one origin request (request coalescing). This dramatically reduces origin load: if 1,000 edge nodes miss simultaneously, only one request reaches the origin via the shield.

Cache Key and Vary Header

The cache key determines whether two requests are served from the same cached object. The default cache key is the URL including the query string. The Vary header extends the cache key with request headers: Vary: Accept-Encoding means gzip and brotli responses are cached separately, and Vary: Accept-Language creates per-language cache entries. Over-varying fragments the cache and reduces the hit rate, so minimize Vary headers. Strip irrelevant query parameters (such as UTM tracking params) from the cache key.
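
A sketch of the cache key construction described above, added here as an illustration and not taken from any CDN's code. The function names, the "|" separator, the tracking-prefix list and the Accept-Encoding bucketing are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: parameters with these prefixes are tracking-only and never change the response.
TRACKING_PREFIXES = ("utm_",)


def normalize_encoding(value):
    """Collapse Accept-Encoding into one bucket so that 'gzip, br' and
    'br;q=1.0, gzip' share a cache entry. Simplification: q-values are ignored."""
    offered = {part.split(";")[0].strip().lower() for part in value.split(",")}
    for enc in ("br", "gzip"):
        if enc in offered:
            return enc
    return "identity"


def cache_key(url, request_headers, vary=""):
    """Build a cache key from the URL plus the request headers named in Vary."""
    parts = urlsplit(url)
    # Drop tracking parameters and sort the rest so parameter order does not matter.
    query = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if not k.lower().startswith(TRACKING_PREFIXES)
    )
    key = [parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", urlencode(query)]
    headers = {k.lower(): v for k, v in request_headers.items()}
    # Only headers listed in Vary extend the key; anything else is unkeyed.
    for name in sorted(h.strip().lower() for h in vary.split(",") if h.strip()):
        value = headers.get(name, "")
        if name == "accept-encoding":
            value = normalize_encoding(value)
        key.append(f"{name}={value}")
    return "|".join(key)


if __name__ == "__main__":
    # Constructed sample requests.
    print(cache_key("https://CDN.example.com/p?id=7&utm_source=mail&color=red",
                    {"Accept-Encoding": "gzip, br"}, "Accept-Encoding"))
    print(cache_key("https://cdn.example.com/p?color=red&id=7",
                    {"Accept-Language": "ja"}, "Accept-Language"))
```

Any request header that changes the response body has to appear in Vary, because a header left out of the key means one client's variant is served to every other client requesting that URL.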

Cache TTL and Cache-Control

Cache-Control: max-age=3600 tells the CDN to cache for 1 hour. s-maxage overrides max-age for shared caches (CDNs) while max-age applies to browsers: Cache-Control: max-age=60, s-maxage=86400 caches in the CDN for 1 day and in the browser for 1 minute. With stale-while-revalidate, the CDN serves the stale cached response while asynchronously fetching a fresh copy in the background, eliminating latency spikes on cache expiry.

Cache Invalidation

There are two strategies: purge (immediately remove a specific URL from all PoPs) and surrogate keys (tag cached objects with logical keys, then purge all objects with a given tag). Surrogate keys (Cache-Tag header in Cloudflare, Surrogate-Key in Fastly) allow purging all cached variants of a product page with one API call rather than enumerating every URL. Purge propagation takes 1-5 seconds to reach all PoPs globally.

Origin Shield and Request Coalescing

When a cache entry expires, multiple concurrent requests for the same URL will all miss and send parallel requests to the origin (thundering herd). Request coalescing (collapsed forwarding) holds all concurrent requests for the same cache key and forwards only one to the origin. When the origin responds, all waiting requests are served from the single response. This is critical for high-traffic assets where cache expiry would otherwise spike origin QPS.

Edge Computing

CDN edge computing (Cloudflare Workers, Fastly Compute@Edge, Lambda@Edge) runs code at PoPs with sub-millisecond cold start. Use cases: A/B testing at the edge (split traffic before origin is hit), request/response transformation, authentication token validation, dynamic personalization of cached pages, geo-based redirects. Edge functions reduce origin calls for logic that can be executed at the CDN layer.

CDN for APIs vs Static Assets

Static assets (JS, CSS, images) are ideal CDN candidates: long TTL, globally consistent, no user-specific content. APIs are harder: responses are often user-specific (authenticated, personalized) and cannot be shared across users. For public API responses (search results, product listings), add Cache-Control: public, s-maxage=60 and strip the Authorization header from the cache key. Use surrogate keys to invalidate cached API responses when underlying data changes.
