DevOps
CDN and Edge Computing
In 2022, Cloudflare mitigated the largest DDoS attack in history: 26 million HTTPS RPS (each request requiring a TLS handshake). The attack lasted 15 seconds. Cloudflare absorbed it entirely - the origin never saw a single packet. This is the value of an edge network.
- **Discord** uses Cloudflare Workers for geo-routing users to the nearest voice server - voice chat latency directly depends on distance to the PoP.
- **Shopify** processes peak Black Friday traffic through Cloudflare CDN and Workers for discount A/B testing - origin servers see only 10-15% of actual traffic.
- **Vercel** built its Edge Runtime on Cloudflare Workers - Next.js pages render at 300+ PoPs simultaneously, TTFB < 50ms for users worldwide.
Cloudflare
Cloudflare is the largest CDN and edge network: 300+ PoPs (Points of Presence) in 100+ countries, 100+ Tbps network capacity. When a DNS record is proxied through Cloudflare (orange cloud), all HTTP/HTTPS traffic passes through Cloudflare before reaching the origin server.
Cloudflare acts as a shield: the origin server's IP is hidden, DDoS traffic is absorbed at the edge before reaching the origin, and valid traffic arrives pre-filtered and SSL-terminated.
What does enabling Cloudflare Proxy (orange cloud) for a DNS record mean?
Edge Functions
Edge Functions are JavaScript/WebAssembly code running on CDN edge nodes close to users. Cloudflare Workers use V8 isolates (not containers), achieving 0ms cold start. Use cases: geo-routing, A/B testing, JWT validation, request transformation, bot detection.
Workers are limited to 128MB memory and 30-second CPU time per request. For heavy computation, Workers Durable Objects provide stateful coordination. For storage, Workers KV provides global key-value with eventual consistency.
Why do Cloudflare Workers not have a cold start problem unlike Lambda?
Caching Strategies
Cache-Control headers control cache behavior at every level: browser, CDN, and origin. Key directives: max-age (browser TTL), s-maxage (CDN/shared-cache TTL, which overrides max-age for the CDN), stale-while-revalidate (serve stale while refreshing in the background), no-store (never cache).
stale-while-revalidate eliminates the latency spike on cache miss: users always get a response immediately (stale or fresh), while CDN refreshes in the background. This converts cache TTL expiry from a user-visible latency spike into an invisible background operation.
What does `Cache-Control: public, s-maxage=3600, stale-while-revalidate=86400` mean?
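As an added example (not Cloudflare's code, and not from the original page), the function below models how a shared CDN cache would act on the directives above for a response of a given age, and how the browser's TTL differs from the CDN's. It also refuses to share-cache responses marked private/no-store or carrying Set-Cookie, which is the safeguard against serving one user's personalized data to another; the Set-Cookie rule and the age values are assumptions constructed for this example, not a statement of any particular CDN's defaults.

```javascript
// Parse "public, s-maxage=3600, stale-while-revalidate=86400" into an object:
// { public: true, "s-maxage": 3600, "stale-while-revalidate": 86400 }
function parseCacheControl(header) {
  const directives = {};
  for (const part of (header || "").split(",")) {
    const [name, value] = part.trim().toLowerCase().split("=");
    if (!name) continue;
    directives[name] = value === undefined ? true : Number(value);
  }
  return directives;
}

// What a shared (CDN) cache does with a stored response that is ageSeconds old.
// Returns "fresh" (serve from cache), "stale-revalidate" (serve stale now,
// refresh from origin in the background) or "miss" (go to origin, do not serve).
// responseHeaders is the cached response's lower-cased header map.
function cdnDecision(header, ageSeconds, responseHeaders = {}) {
  const cc = parseCacheControl(header);
  // Personalized responses must never be shared: honor private/no-store, and
  // (assumption in this example) treat Set-Cookie as per-user unless marked public.
  if (cc["no-store"] || cc["private"]) return "miss";
  if (responseHeaders["set-cookie"] && !cc["public"]) return "miss";
  // The CDN uses s-maxage if present, otherwise falls back to max-age.
  const ttl = cc["s-maxage"] ?? cc["max-age"];
  if (ttl === undefined) return "miss";
  if (ageSeconds <= ttl) return "fresh";
  // Past TTL but within the stale-while-revalidate window: serve stale,
  // so the user never waits on the origin refresh.
  const swr = cc["stale-while-revalidate"] ?? 0;
  if (ageSeconds <= ttl + swr) return "stale-revalidate";
  return "miss";
}

// Browser TTL: browsers ignore s-maxage, so only max-age counts.
// 0 means the browser should not reuse the response without revalidating.
function browserTtlSeconds(header) {
  const cc = parseCacheControl(header);
  if (cc["no-store"]) return 0;
  return cc["max-age"] ?? 0;
}

// Walk the header from the text through three constructed ages.
const sample = "public, s-maxage=3600, stale-while-revalidate=86400";
for (const age of [1800, 5000, 100000]) {
  console.log(`age=${age}s -> CDN: ${cdnDecision(sample, age)}`);
}
console.log(`browser TTL: ${browserTtlSeconds(sample)}s`);
```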
Geo-Routing and Global Load Balancing
Geo-routing directs users to the nearest or most appropriate origin based on geolocation. Use cases: latency reduction (user closer to server), GDPR compliance (EU data must stay in EU), and regional failover (automatically avoid degraded regions).
Cloudflare's anycast network handles DNS-level routing automatically: users resolve api.mycompany.com and reach the nearest Cloudflare PoP, which then routes to the configured origin pool. No DNS TTL propagation delay on failover - Cloudflare controls the anycast routing internally.
CDN is only needed for static files (JS, CSS, images)
Modern CDN caches API responses via Cache-Control headers, runs edge logic (Workers), provides DDoS protection, and geo-routes traffic - all for dynamic applications.
Shopify serves Black Friday API traffic primarily from Cloudflare cache and Workers. Origin servers see only 10-15% of actual traffic. The CDN is the application layer, not just a static asset cache.
What is the purpose of the region_pools with EEA in the Cloudflare Load Balancer configuration?
Summary
- **Cloudflare** - 300+ PoPs, DDoS protection, WAF, SSL termination; Proxy mode hides origin IP and filters malicious traffic before reaching the origin.
- **Edge Functions** - Cloudflare Workers with 0ms cold start (V8 isolates): geo-routing, A/B testing, JWT validation, response transformation without added latency.
- **Caching + Geo-routing** - Cache-Tag for granular invalidation; stale-while-revalidate eliminates latency spikes on cache miss; region_pools for GDPR compliance.
Related Topics
CDN and edge computing connect serverless and reliability patterns:
- Serverless: Lambda and Cloud Functions — Cloudflare Workers are an alternative to Lambda@Edge with 0ms cold start for edge compute closer to users.
- Reliability Engineering at Scale — CDN is the first line of DDoS defense; geo-routing provides resilience during regional outages.
Questions for Reflection
- An API returns a personalized product list for each user - how do you use CDN caching for acceleration without showing another user's data?
- During a us-east-1 regional outage - how does Cloudflare Load Balancing help maintain service availability?
- When is a Cloudflare Worker better than handling the same logic on the origin server?