Global CDN & Edge Caching
Problem statement
Serve static and dynamic assets with low latency worldwide, TLS, DDoS protection, cache invalidation, and A/B at the edge.
How it works
- Origin (S3, ALB, custom) is shielded; PoPs cache by Cache-Control headers.
- Cache keys include a query-string allowlist; vary on `Accept-Language` when needed.
- Purge via API, or (preferred) use versioned asset URLs (`app.js?v=hash`).
Analogy: Franchise warehouses (edge PoPs) stock popular items (cached pages) so customers don’t fly to the factory (origin) every time.
High-level design
Components explained — this design
| Component | What it is | Why we use it here |
|---|---|---|
| CloudFront / CDN | Edge caching + TLS termination. | Moves bytes closer to users; reduces origin load and improves TTFB. |
| Origin (ALB/S3) | Authoritative content or dynamic app. | CDN misses fall back here; must set correct Cache-Control headers. |
| Lambda@Edge / Workers | Run JS/Rust at edge on each request. | A/B routing, geo headers, auth at edge — but keep logic small (CPU/time limits). |
| AWS WAF | Firewall in front of CDN/origin. | Stops credential stuffing, scanner bots, application DDoS patterns. |
Shared definitions: 00-glossary-common-services.md
Low-level design
Static assets
- Immutable caching: `Cache-Control: public, max-age=31536000, immutable` for fingerprinted filenames such as `main.abc123.js`.
- HTML entry: short TTL (`max-age=60`) so new deploys propagate.
Dynamic APIs at edge
- Cache GET responses only when semantically safe; respect `Authorization` — usually no caching at all unless access goes through private signed URLs.
Invalidation
- CloudFront `CreateInvalidation` has a limited QPS — prefer versioned keys over purging.
- Stale-while-revalidate improves UX during revalidation.
Security
- AWS WAF Managed rule groups; geo blocking; AWS Shield Advanced for L3/L4.
- TLS 1.3 only; OCSP stapling; HSTS headers from origin.
E2E: cache hit path
Tricky parts
| Problem | Solution |
|---|---|
| Cache poisoning via query params | Normalize cache key allowlist |
| Authenticated images | Signed CloudFront URLs or cookies with signed cookie keys |
| Vary header explosion | Minimize Vary dimensions |
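The query-string allowlist from the low-level design and the cache-poisoning row above, written out as an added example (not code from the original page) in the shape of a Lambda@Edge viewer-request handler; `QUERY_ALLOWLIST`, the `FINGERPRINTED` pattern and the TTL values are constructed for this demo.

```javascript
// Constructed allowlist: only these params may become part of the cache key.
const QUERY_ALLOWLIST = new Set(['variant', 'lang']);
// Fingerprinted asset names such as main.abc123.js (constructed pattern).
const FINGERPRINTED = /\.[0-9a-f]{6,}\.(js|css|woff2?)$/i;

// Keep only allow-listed params, sorted, so unkeyed junk such as ?utm=...
// or ?x=<anything> can neither fragment the cache nor poison a shared entry.
function normalizeQuery(querystring) {
  const params = new URLSearchParams(querystring || '');
  const kept = [...params.entries()]
    .filter(([k]) => QUERY_ALLOWLIST.has(k))
    .sort(([a], [b]) => a.localeCompare(b));
  return new URLSearchParams(kept).toString();
}

// The key the edge should cache under: path plus normalized query only.
function cacheKey(uri, querystring) {
  const qs = normalizeQuery(querystring);
  return qs ? `${uri}?${qs}` : uri;
}

// Cache-Control the origin should emit for a path. A request carrying
// Authorization is per-user and must never be stored in the shared cache.
function cacheControlFor(uri, hasAuthorization) {
  if (hasAuthorization) return 'private, no-store';
  if (FINGERPRINTED.test(uri)) return 'public, max-age=31536000, immutable';
  if (uri === '/' || uri.endsWith('.html')) {
    return 'public, max-age=60, stale-while-revalidate=30';
  }
  return 'public, max-age=300';
}

// Lambda@Edge viewer-request event shape: event.Records[0].cf.request.
// Rewriting request.querystring here makes the origin and the cache see
// the normalized form, so the allowlist is enforced before lookup.
function handler(event) {
  const request = event.Records[0].cf.request;
  request.querystring = normalizeQuery(request.querystring);
  return request;
}
```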
Caveats
- Personalized HTML rarely CDN-cacheable — edge includes are complex; often SSR at origin + CDN only for static chunks.
- Compliance: data residency — choose regional edge + origin in-region.
Azure
- Azure Front Door (anycast) + Rules Engine; Private Link to origin.