Why architecture matters here

CDN architecture matters because it is the primary way most websites achieve global performance. A well-cached asset delivers in 10-50 ms from the nearest PoP; a cache miss delivers in 200-500 ms from origin. Getting cache rates high is the difference between crisp and slow.

Cost matters. CDN traffic is roughly 10x cheaper than origin traffic at scale. Bandwidth from origin to CDN edge is small; CDN edge to user is large but paid at CDN rates.

Reliability comes from geographic redundancy. Modern CDNs have hundreds of PoPs; one PoP outage silently reroutes. Origin outages become invisible to users if cached content covers the SLO window.

Advertisement

The architecture: every layer explained

Walk the diagram top to bottom.

Client. Browser or mobile app. DNS resolves your hostname to a CDN anycast address; client hits nearest PoP.

Edge PoP. A CDN point of presence with edge servers. On cache hit, serves directly. On miss, requests from origin (or shield).

Origin Shield. Middle-tier cache between edges and origin. Coalesces cache misses from multiple PoPs into a single origin fetch. Massive origin traffic reduction.

Origin. Your actual servers. Should ideally see 1-5% of traffic — the rest served from CDN cache.

Cache Rules. TTL per path, Cache-Control headers, Vary headers (cache by cookie, header), surrogate keys (tag-based purge).

Purge / Invalidate. When origin content changes, purge affected paths or tags. Purge propagates to all PoPs in seconds.

Compression + Optimization. Brotli/gzip at edge, image resizing/reformatting, HTML minification. Delivers smaller payloads to clients.

TLS + HTTP/3. TLS 1.3 termination at edge. HTTP/3 (QUIC) for faster connection setup and better mobile.

Edge Compute. Cloudflare Workers, Fastly Compute@Edge, Vercel Functions. Run code at the edge for personalization, A/B, rewriting.

Analytics + WAF. Real user monitoring; edge-level web application firewall for bot/DDoS/OWASP protection.

Clientbrowser / mobileEdge PoPgeo-nearestOrigin Shieldmiddle tier cacheOriginyour serversCache RulesTTL + Vary + surrogate keysPurge / Invalidatetag or pathCompression + OptimizationBrotli, image, minifyTLS + HTTP/3modern transportEdge Computeworkers / functionsAnalytics + WAFlogs + securityVendors: Cloudflare, Fastly, Akamai, CloudFront, Bunny, Vercel
CDN architecture: client → edge PoP → origin shield → origin; cache rules + purge + compression + TLS + edge compute + analytics + WAF.
Advertisement

End-to-end request flow

Trace a request. User in Munich requests /styles.css.

DNS resolves your hostname to a Cloudflare anycast IP. Munich edge PoP receives. Cache lookup: HIT for /styles.css with fresh TTL. Serve from cache in 15ms.

User requests /article/42. Edge cache MISS. Edge asks origin shield in Frankfurt. Shield cache MISS. Shield asks origin in AWS us-east-1. Origin responds with HTML.

Shield caches with TTL from Cache-Control. Edge caches. Client receives. Total: 250 ms for this cache-cold path.

Ten seconds later, another Munich user requests /article/42. Cache HIT at edge. 15 ms.

Origin publishes updated article. CDN API called with surrogate key "article-42". All PoPs and shield invalidate. Next request refetches; caches new version.

DDoS attempt: 100k QPS to /login from botnet. WAF at edge detects, rate-limits per IP, challenges with CAPTCHA. Origin sees zero attack traffic.

Edge Worker: on request for /product/xyz, edge compute reads user's country from headers, personalizes pricing, serves. No origin roundtrip; all at edge.