CDNs and anycast routing

A CDN (Content Delivery Network) puts cached copies of your content in datacenters near users globally. Anycast routing means one IP address is advertised from many locations; BGP routes each user to the closest one. The user's TCP connection lands at the nearest PoP, not your origin.

Why CDNs win

• RTT: 20 ms to a local PoP vs 200 ms to an origin on another continent. 10x latency cut.
• Throughput: PoPs have massive bandwidth, far more than typical origin.
• Reliability: 200 PoPs survive better than 1 origin region.
• DDoS absorption: PoPs absorb floods before they reach you.

What anycast actually is

The CDN announces the same IP prefix from every PoP via BGP. Each PoP's upstream provider sees a route to that prefix. Internet routing naturally picks the shortest AS path, which is usually geographically closest.

The user has no idea they hit a CDN. They typed example.com, DNS gave them 1.1.1.1, they connected. They got served from Tokyo when they were in Tokyo, from London when they were in London.

What a modern CDN does

• Static cache: images, JS, CSS cached at every PoP.
• HTML cache: with smart invalidation.
• API cache: cache GETs that opt in.
• TLS termination: every PoP holds your cert, terminates the TLS handshake near the user.
• Edge compute: Cloudflare Workers, Fastly Compute@Edge run your JS or Wasm at the PoP.
• Image optimization: resize, reformat (AVIF, WebP), strip metadata.
• Bot mitigation, WAF, DDoS protection.

How a request flows

1. DNS resolves example.com to the CDN's anycast IP.
2. User's packet hits the nearest PoP.
3. PoP terminates TLS using your cached cert.
4. PoP checks cache. If hit, serve from local SSD.
5. If miss, PoP fetches from origin (or tier-1 cache PoP), caches it, serves it.
6. Origin is shielded from most traffic.

Cache control

You control caching with HTTP headers:

• Cache-Control: public, max-age=86400: cache for 1 day.
• Cache-Control: private: do not cache in shared caches.
• Cache-Control: s-maxage=3600: CDN-specific TTL.
• Vary: Accept-Encoding: cache per-encoding (gzip vs brotli vs identity).
• ETag and If-None-Match: revalidation.

Anycast vs DNS-based routing

• Anycast: routing decision at IP level via BGP. Reroutes within seconds on PoP failure.
• DNS-based geo-routing: authoritative DNS returns different IPs per region. Cheaper but takes TTL to reroute.

Cloudflare and Fastly are anycast-heavy. AWS CloudFront uses DNS routing more. Both work; anycast usually fails over faster.

Numbers to memorize

• Local PoP RTT: 5-30 ms.
• Cross-continent without CDN: 100-300 ms.
• Typical CDN cache hit rate: 90%+ for static, 60-80% for HTML, 20-50% for APIs.
• Cloudflare PoP count: 300+ cities.
• BGP convergence on failure: seconds to minutes.