What is a CDN and how does it work?
A Content Delivery Network (CDN) is a geographically distributed network of servers (edge nodes or PoPs—Points of Presence) that cache and serve content closer to end users than a single origin server can.
The request flow works as follows: a user's browser performs a DNS lookup for `assets.example.com`. The CDN's authoritative DNS responds with the IP of the nearest edge node, determined by anycast routing or GeoDNS. The browser connects to that edge node. If the edge has the asset cached (cache hit), it serves it directly—often in single-digit milliseconds. On a cache miss, the edge fetches from the origin (or a mid-tier cache), stores the response according to cache-control headers, and returns it to the user.
CDNs reduce latency by eliminating round trips to a distant origin. They also reduce origin load dramatically—a popular asset served with a high cache-hit ratio means the origin receives a tiny fraction of actual user requests. This provides implicit DDoS mitigation, since the CDN absorbs volumetric traffic.
Cache behavior is controlled by HTTP headers: `Cache-Control: max-age`, `s-maxage` (CDN-specific TTL), `Surrogate-Control`, and `Vary`. `Vary: Accept-Encoding` tells the CDN to cache separate copies for gzip vs. brotli. `Vary: Cookie` essentially disables caching for authenticated content—a common pitfall.
Cache invalidation is the hard problem. Options include: TTL expiry (lazy, no active invalidation), URL versioning/fingerprinting (`app.a3f7c.js`—permanent cache, invalidation by deploy), and API-based purge (Cloudflare, Fastly, Akamai all expose purge APIs for instant invalidation by URL or tag).
Modern CDNs also support edge compute (Cloudflare Workers, Fastly Compute@Edge), allowing request manipulation, A/B testing, and auth at the edge without hitting the origin. They handle TLS termination at the edge, reducing handshake latency for users far from the origin.
Key metrics: cache-hit ratio (higher is better), TTFB (Time to First Byte), and origin offload percentage. A well-configured CDN typically achieves 90%+ cache-hit ratio for static assets.
Explains edge node concept, describes cache-hit vs. cache-miss flow with origin fetch, mentions cache-control headers and TTL-based expiry.
Covers DNS/anycast routing to nearest PoP, explains cache hierarchy (edge → mid-tier → origin), discusses Vary header pitfalls, names multiple invalidation strategies (TTL, fingerprinting, purge API), and mentions DDoS mitigation and edge compute as modern CDN capabilities.
Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.
Get Graded — Free Assessment