
How CDNs work: the invisible layer that makes the web fast

Most popular sites are served by a Content Delivery Network — a global cache layer between you and the origin server. Here's what CDNs actually do, why they speed up the internet, and how the major ones differ.

May 6, 2026 · 6 min read

Most pages you load today aren't served by the company that owns the domain. They're served by a CDN — a global Content Delivery Network sitting between you and the origin server. CDNs are the reason a website hosted in Virginia loads in 30ms from Tokyo, the reason a YouTube ad starts playing instantly, and the reason a New Year's Day traffic spike doesn't melt anything.

For users, CDNs are invisible. For the internet to work at modern scale, they're indispensable. Here's the practical guide.

The two-line summary

A CDN replicates a website's static content (and increasingly, dynamic content) across hundreds of data centers worldwide. When you visit the site, you're served from the nearest edge — not the origin server thousands of miles away.

That's it. Everything else is detail.

The problem CDNs solve

Imagine you run a website hosted on a single server in Virginia. Your traffic looks like this:

  • Users in New York: 30ms latency, fast.
  • Users in London: 80ms each round-trip × ~20 round trips per page = 1.6 seconds extra latency.
  • Users in Tokyo: 200ms each round-trip × 20 = 4 seconds extra latency.
  • Users in Sydney: 250ms each round-trip × 20 = 5 seconds extra latency.

That's why a Virginia-hosted site feels snappy from New York and dreadful from Australia. Distance creates latency, and modern web pages need lots of round-trips.

A CDN replicates your static assets (images, CSS, JavaScript, sometimes HTML) to data centers around the world. When a Sydney user visits, they hit Sydney's CDN edge instead of Virginia. Latency drops from 250ms to 20ms, and the page goes from miserable to instant.

How a CDN actually works

Three pieces.

1. Anycast IPs at the edge

The CDN announces the same IP from every data center using anycast routing. When you connect, BGP automatically routes you to the nearest edge — no DNS magic, no manual region picking, just network-layer routing.

This means the site's IP is the same from anywhere in the world, but the physical server you reach is local.

2. A cache at every edge

Each edge data center has a cache of recently-served content. When you request https://example.com/logo.png:

  • Edge checks its cache. Cache hit → serve from disk in 5ms. Done.
  • Cache miss → edge fetches from origin (or from a tier-2 regional cache), stores it, then serves to you.
  • Subsequent users of the same edge get the cached copy.

Cache duration depends on HTTP cache headers the origin sets (Cache-Control: max-age=31536000 means cache for a year). For static assets — CSS, JS, images, video chunks — caches can be very aggressive.

3. Smart origin shielding

When the cache misses, the edge doesn't always go straight to the origin. Instead, it usually goes to a regional shield — a higher-tier cache that consolidates misses from many edges. The shield then asks the origin once and serves all edges. This protects the origin from traffic spikes and reduces total origin bandwidth dramatically.
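The edge cache and the origin shield described above can be modelled together. The following is an added example, not code from any CDN: `shared_ttl`, `Origin`, `CacheTier`, `origin_hits` and the two sample responses are hypothetical names and constructed data. It shows how `Cache-Control` decides what a shared cache may store (per-user responses marked `private` must never be stored, or one user's page is served to the next) and how a shield cuts the number of requests the origin sees.

```python
def shared_ttl(cache_control: str) -> int:
    """Seconds a shared cache (edge or shield) may reuse a response; 0 = do not store."""
    directives = {}
    for part in cache_control.lower().split(","):
        name, _, value = part.strip().partition("=")
        directives[name] = value.strip('"')
    # Simplification: no-cache (store but revalidate) is treated like no-store here.
    if directives.keys() & {"no-store", "private", "no-cache"}:
        return 0
    for name in ("s-maxage", "max-age"):  # s-maxage takes priority in shared caches
        if directives.get(name, "").isdecimal():
            return int(directives[name])
    return 0  # no explicit freshness; this sketch skips heuristic caching

RESPONSES = {  # constructed sample responses: path -> (Cache-Control, body)
    "/logo.png": ("public, max-age=31536000", b"<png bytes>"),
    "/account": ("private, max-age=60", b"alice's dashboard"),
}

class Origin:
    """Constructed stand-in for the origin; counts the requests that reach it."""
    hits = 0
    def fetch(self, path, now):
        self.hits += 1
        return RESPONSES[path]

class CacheTier:
    """An edge or a shield: serve from the store while fresh, else ask upstream."""
    def __init__(self, upstream):
        self.upstream, self.store = upstream, {}
    def fetch(self, path, now):
        expires, response = self.store.get(path, (0, None))
        if now < expires:
            return response  # cache hit
        response = self.upstream.fetch(path, now)  # miss: ask shield or origin
        ttl = shared_ttl(response[0])
        if ttl > 0:
            self.store[path] = (now + ttl, response)
        return response

def origin_hits(n_edges, path, use_shield, times=(0, 10)):
    """Each edge requests `path` at every time in `times`; returns origin request count."""
    origin = Origin()
    upstream = CacheTier(origin) if use_shield else origin
    edges = [CacheTier(upstream) for _ in range(n_edges)]
    for now in times:
        for edge in edges:
            edge.fetch(path, now)
    return origin.hits
```

With five edges, the cacheable asset costs the origin five requests without a shield and one with it, while the `private` response reaches the origin on every request in both layouts.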

What CDNs cache

Originally: just static assets — images, scripts, stylesheets, video chunks.

Today: increasingly everything, including:

  • Static HTML — for sites like blogs and marketing pages, the entire HTML can be cached.
  • API responses — short-TTL caching of JSON for read-heavy APIs.
  • Edge-rendered pages — modern frameworks (Next.js, TanStack Start, Remix) render pages at the CDN edge, often using user-specific data, with caching at the segment level.
  • Streaming — video and audio chunks are exactly what CDNs are best at; this is most of the global CDN traffic.

What CDNs can't trivially cache:

  • Per-user dynamic content (personalized pages, account dashboards).
  • Real-time data (stock prices, live event tickers — though even these are often cached for 1-second windows).
  • Anything that must be fresh per request.

What else CDNs do besides caching

Modern CDNs are no longer just caches.

DDoS absorption

Anycast at the edge means an attack flood is automatically distributed across hundreds of locations. A 1 Tbps attack splits into ~5 Gbps per edge, often within normal capacity. Cloudflare in particular has built a business around being the world's biggest DDoS sink.

TLS termination

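The edge handles HTTPS for you. SSL certs (from Let's Encrypt or the CDN's own CA) are managed centrally, and the encrypted handshake terminates at the edge — closer to the user, faster than terminating at origin. Origin can run plain HTTP behind the CDN, but the edge-to-origin hop is then unencrypted, so re-encrypting that leg is the safer setup whenever it crosses the public internet.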

WAF (Web Application Firewall)

CDNs filter malicious requests at the edge before they reach origin: SQL injection patterns, known-bad IPs, scraper bots, exploit attempts. A request never reaches origin if the CDN decides it's an attack.

Image optimization

Many CDNs automatically resize, recompress, and re-encode images per device — serving WebP or AVIF instead of JPEG, picking the right size for the screen. Saves bandwidth and improves performance with no work on the origin's part.

Edge compute

A more recent shift: running code at the edge for personalization or authentication. Cloudflare Workers, Fastly Compute@Edge, AWS Lambda@Edge — small functions that run in milliseconds, near the user, often making CDN-cacheable responses based on user context.

The major players

In 2026, the CDN market is dominated by:

| Provider | Edge locations | Strengths |
|---|---|---|
| Cloudflare | 330+ cities | Strong free tier, integrated WAF, Workers |
| Akamai | 4000+ PoPs | Largest legacy CDN, enterprise focus |
| Fastly | 80+ PoPs | Real-time control, popular with publishers |
| AWS CloudFront | 600+ PoPs | Tight integration with AWS |
| Bunny.net | 100+ PoPs | Cheap, developer-friendly |
| Google Cloud CDN | 200+ PoPs | Integrated with GCP |
| Microsoft Azure Front Door | 130+ PoPs | Integrated with Azure |

The numbers are roughly comparable for most workloads — what differs is pricing, control, and integration.

How a CDN affects what users see

A few user-visible effects worth knowing:

  • Sites have many IPs. A site behind a CDN doesn't have one IP — it has the CDN's anycast IP. Same IP for thousands of unrelated sites. That's why a WHOIS lookup on cnn.com's IP shows Cloudflare, not CNN.
  • Geolocation can be misleading. The IP geolocates to wherever the CDN's nearest edge is, which may be a different city than where the user's home is. CDNs anchor at the edge, not the user.
  • Outages affect lots of sites at once. When Cloudflare or Fastly has a 30-minute incident, half the internet seems broken simultaneously. The blast radius is the CDN's customer base, which is enormous.
  • HTTPS gets faster. Edge TLS termination + HTTP/2 multiplexing + HTTP/3 over QUIC together knock 100–500ms off page load times compared to direct origin connections.

When you don't need a CDN

For a small site with mostly local traffic, a CDN may be overkill. Hosting close to your users, with a decent host and HTTPS, often performs comparably for a single region.

The CDN value scales with:

  • Geographic reach (the more international, the better)
  • Static content volume (the more cacheable, the better)
  • Traffic spikiness (the more variable, the more origin shielding helps)
  • Threat exposure (the bigger your DDoS risk, the more critical CDN is)

For a personal blog seen by 100 visitors a day in one country: probably fine without a CDN. For anything growing internationally: free Cloudflare in front of your origin is a no-brainer.

Quick FAQ

Is using a CDN a privacy concern? Mildly — the CDN sees all your traffic in plaintext after TLS termination. For most sites this is acceptable; for highly sensitive applications (banking, healthcare), TLS-passthrough configurations exist where the CDN forwards encrypted traffic without terminating it.

Why do I keep seeing Cloudflare CAPTCHAs? Cloudflare uses CAPTCHAs as part of its WAF and bot detection. If you're on a known-bad IP range, a residential proxy, or using Tor, Cloudflare often makes you prove you're human. Annoying but understandable.

Do CDNs work with dynamic sites? Yes — through edge-rendering and short-TTL caching. Most large dynamic sites (Wikipedia, Twitter, Discord) are CDN-fronted with sophisticated cache strategies.

What's the difference between a CDN and a reverse proxy? A CDN is a globally-distributed reverse proxy. The terms blur in 2026 — "Cloudflare" is both, depending on the angle.

TL;DR

  • CDNs replicate a website's content to global edge data centers.
  • Users hit the nearest edge via anycast routing — fewer round-trips, lower latency, faster pages.
  • Modern CDNs do more than caching: DDoS absorption, TLS, WAF, image optimization, edge compute.
  • Most popular sites are CDN-fronted; you've been benefiting for years without noticing.

If your site has any international audience, a CDN — even just free Cloudflare — is one of the highest-leverage performance moves you can make.