Content Delivery Network — How CDNs Work, Benefits, and Configuration Explained
A Content Delivery Network (CDN) is a geographically distributed network of proxy servers that caches static and dynamic content closer to end users, reducing latency and offloading traffic from the origin server.
Why CDNs Matter
The speed of light is fast but not fast enough. A request from Japan to a server in Virginia takes at least 200ms round-trip just due to physics. A CDN places edge servers in 50+ global locations, so the user’s request travels only a few dozen miles. Akamai, one of the oldest CDNs, handles 15-30% of all web traffic. Without CDNs, streaming 4K video, global e-commerce, and real-time collaboration tools would be unusable outside the origin region.
Plain-Language Explanation
Imagine a small town has one grocery warehouse ten miles away. Every time someone wants milk, they drive ten miles. Now imagine the warehouse opens pickup locations in every neighborhood — same milk, same price, but now it’s a one-mile walk. That’s a CDN.
The warehouse is your origin server (where your website lives). The neighborhood pickup locations are edge servers (CDN nodes). The milk is your cached content — images, videos, CSS, JavaScript files. When you request a website served by a CDN, the nearest edge server answers instead of the origin.
```mermaid
graph TD
    UserTokyo[User in Tokyo] --> EdgeTokyo[CDN Edge Tokyo]
    UserLondon[User in London] --> EdgeLondon[CDN Edge London]
    UserNY[User in New York] --> EdgeNY[CDN Edge New York]
    EdgeTokyo -->|Cache Miss| Origin[Origin Server Virginia]
    EdgeLondon --> Origin
    EdgeNY --> Origin
    UserTokyo2[User in Tokyo] --> EdgeTokyo
    EdgeTokyo -->|Cache Hit| UserTokyo2
    style EdgeTokyo fill:#8e44ad,color:#fff
    style EdgeLondon fill:#8e44ad,color:#fff
    style EdgeNY fill:#8e44ad,color:#fff
    style Origin fill:#c0392b,color:#fff
```
Origin Pull vs Origin Push
Origin pull (passive): The CDN fetches content from your origin on demand. When a user requests something that isn’t in the edge cache, the edge server pulls it from your origin, caches it, and serves it. This is the most common approach — simple to set up, no manual uploads.
Origin push (active): You proactively upload content to the CDN’s edge servers before users request it. Useful for large files, time-sensitive content, or when you want full control over what gets cached.
Most CDNs (CloudFront, Cloudflare) default to pull. Push is used with setups like AWS S3 + CloudFront where you upload assets to S3 and the CDN fetches them from there.
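To make the origin-pull flow concrete, here is an added simulation of a single edge node (example code, not from the original page or any CDN vendor): it pulls on a miss, serves from memory while the object's TTL is fresh, refuses to store TTL-0 responses, supports a purge, and reports the hit ratio. The `EdgeCache` class, the fake clock and the paths are constructed for the demo.

```python
class EdgeCache:
    """One CDN edge node using origin pull: fetch on miss, serve from memory while fresh."""
    def __init__(self, origin, clock):
        self.origin = origin   # callable: path -> (body, ttl_seconds); ttl 0 = never store
        self.clock = clock     # callable returning seconds, injected so the demo can fake time
        self.store = {}        # path -> (body, expires_at)
        self.hits = 0
        self.misses = 0

    def get(self, path):
        now = self.clock()
        entry = self.store.get(path)
        if entry is not None and entry[1] > now:
            self.hits += 1
            return entry[0], "HIT"
        # Miss or expired: pull from origin and refresh the edge copy if cacheable
        self.misses += 1
        body, ttl = self.origin(path)
        if ttl > 0:
            self.store[path] = (body, now + ttl)
        return body, "MISS"

    def purge(self, path):
        # Cache invalidation: drop the edge copy so the next request re-pulls
        return self.store.pop(path, None) is not None

    def hit_ratio(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def simulate():
    """Constructed traffic: a static asset (TTL 60 s) and an API path (TTL 0)."""
    clock = [0.0]
    origin_calls = []
    def origin(path):
        origin_calls.append(path)
        return f"<body of {path}>", (0 if path.startswith("/api/") else 60)

    edge = EdgeCache(origin, clock=lambda: clock[0])
    log = [edge.get("/assets/logo.png")[1],      # MISS: first pull from origin
           edge.get("/assets/logo.png")[1],      # HIT: served from the edge
           edge.get("/api/cart")[1],             # MISS: TTL 0, never stored
           edge.get("/api/cart")[1]]             # MISS again: origin hit every time
    clock[0] += 61                               # asset TTL expires
    log.append(edge.get("/assets/logo.png")[1])  # MISS: re-pulled and refreshed
    log.append(edge.get("/assets/logo.png")[1])  # HIT
    edge.purge("/assets/logo.png")               # invalidation after a deploy
    log.append(edge.get("/assets/logo.png")[1])  # MISS
    return log, edge.hit_ratio(), len(origin_calls)
```

The API path never benefits from the edge, which is exactly the "CDN is just proxying" situation a low hit ratio reveals.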
Benefits Beyond Speed
DDoS protection: CDNs absorb massive traffic spikes. Since edge servers handle requests, your origin never sees the attack directly. Cloudflare and Akamai have absorbed attacks exceeding 2 Tbps.
TLS termination: Edge servers handle SSL/TLS handshakes, reducing load on your origin. Many CDNs provide free SSL certificates.
Global reach: A single TLS handshake can take 100ms. With a CDN, the handshake happens at the edge near the user, and the connection to your origin stays warm over a faster backbone network.
Reduced bandwidth costs: Your origin serves fewer total bytes because edge servers cache and serve content locally.
AWS CloudFront Configuration
Here’s how to set up a CloudFront distribution for static assets:
```python
import time
import boto3

client = boto3.client('cloudfront')

# Create a CloudFront distribution pointing to an S3 origin
response = client.create_distribution(
    DistributionConfig={
        # Required by the API; must be unique per create request
        'CallerReference': str(time.time()),
        'Comment': 'Static assets CDN',
        'Enabled': True,
        'DefaultRootObject': 'index.html',
        'Origins': {
            'Quantity': 1,
            'Items': [{
                'Id': 'my-s3-origin',
                'DomainName': 'my-bucket.s3.amazonaws.com',
                # Empty OAI means the bucket objects must be publicly readable;
                # set an origin access identity to keep the bucket private
                'S3OriginConfig': {'OriginAccessIdentity': ''},
            }]
        },
        'DefaultCacheBehavior': {
            'TargetOriginId': 'my-s3-origin',
            'ViewerProtocolPolicy': 'redirect-to-https',  # force HTTPS at the edge
            'MinTTL': 86400,      # 1 day minimum cache
            'DefaultTTL': 86400,  # 1 day default
            'MaxTTL': 604800,     # 7 days maximum
            'ForwardedValues': {
                'QueryString': False,
                'Cookies': {'Forward': 'none'},
            }
        },
        'PriceClass': 'PriceClass_100',  # US, Canada, Europe only (cheaper)
    }
)

distribution_id = response['Distribution']['Id']
domain = response['Distribution']['DomainName']
print(f"Distribution ID: {distribution_id}")
print(f"CDN Domain: {domain}")
print(f"Assets available at: https://{domain}/images/logo.png")
```
How CDNs Route Traffic
CDNs use anycast routing — the same IP address is advertised from multiple locations. When you request a CDN-hosted resource, BGP (Border Gateway Protocol) routes you to the nearest edge server automatically.
Some CDNs offer DNS-based routing — the CDN’s DNS resolver returns the IP of the nearest edge server based on the requester’s geographic location or latency measurements.
Caching Rules via Headers
Your origin controls CDN caching behavior through HTTP headers:
```nginx
# NGINX configuration to set cache headers
location /assets/ {
    expires 30d;
    add_header Cache-Control "public, immutable, max-age=2592000";
}

location /api/ {
    # Don't cache API responses
    add_header Cache-Control "no-cache, no-store, must-revalidate";
}
```
The CDN respects these headers. A max-age of 2592000 seconds (30 days) tells the CDN to cache for 30 days. immutable tells browsers the content will never change, which is useful for versioned assets like styles.a1b2c3.css.
Common Mistakes
Caching dynamic content at the edge: Personalized pages (user dashboards, cart contents) shouldn’t be cached at the CDN. Use Cache-Control: private to restrict caching to the browser only.
No cache invalidation plan: When you update a CSS file, old cached versions break your site. Use versioned filenames (styles.v2.css) or purge the CDN cache.
Ignoring cache hit ratio: A low cache hit ratio means the CDN is just proxying traffic, not accelerating it. Check your CDN provider’s analytics.
Single origin for everything: If your CDN origin is also your application server, a traffic spike can still overwhelm it. Use a separate origin (S3 or dedicated server) for static assets.
Not configuring TLS: Unencrypted CDN traffic is vulnerable to ISP injection and hijacking. Always enable HTTPS at the edge.
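The following added example (not code from the original page) shows how an edge, as a shared cache, interprets the Cache-Control values from the NGINX section above and the private/no-store cases from the mistakes list: it parses the directives and returns whether the edge may store the response and for how long. The function names and sample headers are constructed for this illustration.

```python
def parse_cache_control(header):
    """Parse a Cache-Control value into {directive: value or None}; names are case-insensitive."""
    directives = {}
    for part in header.split(","):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def shared_cache_policy(cache_control):
    """How a CDN edge (a shared cache) must treat a response with this Cache-Control.

    Returns (storable_at_edge, ttl_seconds, reason). ttl None means the CDN's
    own default TTL applies. Rules follow RFC 9111: no-store forbids storing
    anywhere; private limits storage to the browser; no-cache allows storing but
    forces revalidation (modelled as TTL 0); s-maxage overrides max-age for
    shared caches; immutable affects browser revalidation, not edge storability.
    """
    d = parse_cache_control(cache_control)
    if "no-store" in d:
        return False, 0, "no-store: neither edge nor browser may store it"
    if "private" in d:
        return False, 0, "private: browser-only, edge must not cache"
    if "no-cache" in d:
        return True, 0, "no-cache: stored but revalidated with origin on every request"
    for key in ("s-maxage", "max-age"):
        value = d.get(key)
        if value is not None and value.isdigit():
            return True, int(value), f"fresh for {key}={value}"
    return True, None, "no explicit freshness: CDN default TTL applies"


# Constructed samples: the two headers from the NGINX config plus two common cases
SAMPLE_HEADERS = [
    "public, immutable, max-age=2592000",   # /assets/: cached at the edge for 30 days
    "no-cache, no-store, must-revalidate",  # /api/: never stored anywhere
    "private, max-age=600",                 # personalized page: browser only
    "max-age=60, s-maxage=3600",            # browsers 1 minute, edge 1 hour
]


def classify(headers=SAMPLE_HEADERS):
    """Map each header to (storable_at_edge, ttl) for a quick review of a site's policies."""
    return {h: shared_cache_policy(h)[:2] for h in headers}
```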
Practice Questions
How does a CDN know which user is closest to which edge server? Through anycast routing (same IP advertised globally, BGP routes to nearest) or DNS-based routing (DNS returns IP of closest edge based on requester’s resolver location).
What is the difference between origin pull and origin push? Pull: CDN requests content from origin on demand (cache miss). Push: content is proactively uploaded to edge servers. Pull is simpler; push gives more control over timing.
How do you update content that’s already cached at the edge? Use cache invalidation (purge specific paths) with the CDN provider’s API, or use versioned filenames so new content has different URLs.
Can a CDN serve dynamic content? Yes, but it requires more configuration. Some CDNs support dynamic content acceleration by optimizing the connection from edge to origin (TCP optimization, keep-alive, route optimization).
How does a CDN help with DDoS protection? CDN edge servers absorb and filter malicious traffic before it reaches the origin. The origin is never directly exposed to the public internet.
Mini Project
Measure the performance difference between direct origin access and CDN delivery. Use Python to fetch a resource from both and compare; the loop runs several times because the first CDN request may be a cache miss that pulls from the origin:
```python
import time
import urllib.request

direct_url = "https://your-origin.com/assets/logo.png"
cdn_url = "https://your-cdn.com/assets/logo.png"

for url, label in [(direct_url, "Direct"), (cdn_url, "CDN")]:
    times = []
    for _ in range(5):
        start = time.perf_counter()  # monotonic high-resolution timer
        with urllib.request.urlopen(url, timeout=10) as resp:
            data = resp.read()
        elapsed = time.perf_counter() - start
        times.append(elapsed)
        print(f"{label}: {len(data)} bytes in {elapsed:.3f}s")
    avg = sum(times) / len(times)
    print(f"{label} average: {avg:.3f}s\n")
```
Expected output (varies by location):
```text
Direct: 12345 bytes in 0.342s
Direct: 12345 bytes in 0.351s
CDN: 12345 bytes in 0.045s
CDN: 12345 bytes in 0.038s
```
Cross-References
- System Design Overview
- Caching
- Load Balancing
- Event-Driven Architecture
- IoT Overview