Skip to main content
  1. System Design Components/

CDN (Content Delivery Network) Analysis Note

CDN (Content Delivery Network) Analysis Note #

This note captures the full step-by-step analysis for a CDN: origin truth, edge cache state, invalidation, routing policy, and bounded-stale edge delivery.

Step 1 — Normalize #

Assume the baseline prompt is:

  • design a CDN
  • users request content from nearby edge nodes
  • origin content is authoritative
  • edge nodes cache content and metadata
  • content can be invalidated or refreshed
  • system scales globally across many edge locations
RequirementActorOperationState touchedPriority
Client requests contentClientread projectionS1
read projection target
EdgeCacheEntry
C1
Origin publishes or updates content metadataClientoverwrite stateS1
update target
OriginObject
C1
System fetches missing/stale content from originSystemasync processS1
hidden write target
EdgeCacheEntry
C1
System invalidates edge cache entrySystemstate transitionS1
update target
EdgeCacheEntry
C1
System updates routing/policy for edge selectionAdminoverwrite stateS1
update target
RoutingPolicy
C1
System propagates invalidation/config snapshot to edgesSystemasync processS1
hidden write target
EdgeSnapshot
C1
Client reads CDN status/analyticsClientread projectionS1
read projection target
CDNStatusView
R2

Notes on normalization:

  • client content request is read projection
    • edge cache is a derived projection of origin truth
  • origin update is overwrite state
  • origin fetch is async process
  • invalidation is a lifecycle transition on edge cache state
  • routing/policy is control-plane overwrite
  • snapshot propagation is async dissemination

This is a composition of:

  • Origin Projection + Edge Delivery Plane
  • Control Plane + Data Plane

Step 2 — Critical Path Selection #

RequirementPriority classWhy
Serve content from edgeC1wrong or excessively stale content breaks delivery correctness
Publish/update origin content metadataC1changes authoritative content truth
Fetch missing/stale content from originC1edge correctness depends on valid refresh path
Invalidate edge cache entryC1invalidation is the main safety path for freshness
Update routing/policyC1changes where/how requests are served
Propagate invalidation/config snapshotC1stale edge nodes can serve wrong content/policy
Read CDN status/analyticsR2operational only

Critical paths:

  • P1 serve content
  • P2 update origin object metadata
  • P3 fetch/refresh edge cache entry
  • P4 invalidate edge cache entry
  • P5 update routing/policy
  • P6 propagate invalidation/config snapshot

Step 3 — Primary State Extraction #

Candidate object labelCandidate sourceCandidate needed for C1/R1?Candidate decomposition actionClassPrimary?OwnerEvolutionScope kindScope value
OriginObjectdirect nounYeskeep as candidateentityYesserviceoverwriteinstanceobject_key
EdgeCacheEntryhidden write targetYeskeep as candidateprojectionYesserviceoverwriterelationedge_id + object_key
InvalidationStatelifecycle objectYeskeep as candidateprocessYesservicestate machineinstanceobject_key or invalidation_id
RoutingPolicydirect nounYeskeep as candidateentityYesserviceoverwriteinstancehostname or distribution_id
EdgeSnapshothidden write targetYeskeep as candidateprojectionYesserviceoverwriteinstanceedge_id
CDNStatusViewderived read modelNoreject as UI artifactprojectionNoderivedoverwritecollectiondistribution_id

Minimal primary set:

  • OriginObject
  • EdgeCacheEntry
  • InvalidationState
  • RoutingPolicy
  • EdgeSnapshot

Important modeling choices:

OriginObject #

Primary because:

  • origin is authoritative truth for content version/metadata

EdgeCacheEntry #

Primary enough to model explicitly because:

  • edge delivery depends on current cached version, expiry, validation state

InvalidationState #

Worth keeping explicit because:

  • invalidation is an important lifecycle/control-plane process
  • propagation and completion tracking matter

EdgeSnapshot #

Important because:

  • edge nodes serve from local config/policy/invalidation view
  • propagation lag matters

Step 4 — Hard Invariants #

PathTierTypeInvariant statement
P1 serve contentHARDeligibilityserve_content is valid only if selected edge cache entry is eligible under current cache state, routing policy, and freshness/invalidation rules for that request scope.
P2 update origin object metadataHARDorderingOrigin-object revisions are ordered by monotonic version within object_key.
P3 fetch/refresh edge cache entryHARDaccountingEdgeCacheEntry(edge_id, object_key) equals function of authoritative origin object state modulo bounded refresh/invalidation lag.
P4 invalidate edge cache entryHARDeligibilityinvalidate_entry is valid only if current invalidation lifecycle and cache state allow transition for that object scope.
P5 update routing/policyHARDorderingRouting-policy revisions are ordered by monotonic config version within distribution scope.
P6 propagate snapshotHARDfreshnessEdgeSnapshot(edge_id) reflects authoritative invalidation/routing state within configured propagation bound.

What matters most:

  • edges must not serve invalidated or too-stale content beyond the stated bound
  • edge cache state must track authoritative origin version semantics
  • invalidation propagation must be versioned and bounded
  • edge routing/policy must move monotonically forward

Step 5 — Execution Context #

FieldValueWhy
Topologysingle service distributedone logical CDN with origin-facing control plane and many edge nodes
Write coordination scopeper object scopecorrectness is per object key, invalidation scope, and edge snapshot scope
Read consistency targetbounded stale allowededge delivery is projection-based, not strong-read-on-every-request
Holder modelnoneno lease-like per-request ownership in the hot path
Compensation acceptable?Nowrong content delivery/invalidation cannot be treated as compensable workflow

Derived:

  • bounded_staleness_allowed = true
  • exclusive_claim_required = false
  • guarded_by_current_state = true

This implies:

  • origin truth plus edge projection
  • versioned invalidation/config propagation
  • local edge serving on hot path

Step 6 — Deterministic Mechanism Selection #

PathWrite shapeBase mechanismRequired companions
P2 update origin object metadataoverwrite current valueCAS on versionobject version
P3 fetch/refresh edge cache entryoverwrite current valuesingle writer edge refresh or CAS on versioncontent version/ETag
P4 invalidate edge cache entryguarded state transitionCAS on (state, version)invalidation version
P5 update routing/policyoverwrite current valueCAS on versionrouting version
P6 propagate snapshotoverwrite current valuesingle writer snapshot publicationsnapshot version

Hot path P1 is a read path.

Why these fit:

  • origin metadata and routing policy are versioned current-state config
  • edge cache refresh is current-state overwrite from origin truth
  • invalidation is a lifecycle transition
  • edge snapshots are versioned overwrite dissemination

Step 7 — Read Model / Source of Truth #

ConceptTruthRead pathRebuild path
C1 origin content metadataOriginObjectread source directlyauthoritative origin store
C2 edge cache entryEdgeCacheEntryread projectionrefresh from origin object state
C3 invalidation lifecycleInvalidationStateread source directlyauthoritative invalidation state
C4 routing policyRoutingPolicyread source directlyauthoritative policy store
C5 edge local snapshotEdgeSnapshotmaterialized viewrebuild from latest invalidation + routing state
C6 CDN status/analyticsderivedmaterialized viewrecompute from primary state

Important point:

For the hot path:

  • edge node reads local cache entry plus local snapshot
  • not origin or control plane on every request

This is the defining CDN split:

  • origin is authoritative
  • edge serves a bounded-stale projection

Step 8 — Failure Handling #

PathRetryCompeting writersCrash after commitPublish failureStale holder
origin updateretry with object versionstale update loses CAScommitted origin state survives crash if persistedinvalidation/refresh propagation may lagn/a
edge refreshretry with version/ETag validationlatest valid refresh winsrefreshed cache survives edge restart if cache persisted, otherwise repopulatesorigin fetch retry/backoffn/a
invalidationretry with invalidation versionstale invalidation transition loses CAScommitted invalidation survives control-plane crash if persistedsnapshot propagation may lagn/a
routing updateretry with routing versionstale update loses CAScommitted policy survives crash if persistedsnapshot propagation may lagn/a
snapshot propagationretry with versioned snapshotolder snapshot loses to newer versionedge keeps last good snapshot until refreshfailed push retried or pulledn/a
content serverequest retries are application-levelmany edge nodes can serve concurrently from local stateedge crash only affects local request handlingn/astale snapshot/cache bounded by TTL/invalidation/version refresh

What matters most:

  • invalidation and snapshot versions must move monotonically
  • edge cache must validate freshness against origin version semantics
  • stale edge state is allowed only within bounded configured limits

Step 9 — Scale Adjustments #

HotspotTypeFirst response
massive read volume at edgeread hotspotadd more edge capacity and keep hot path fully local
invalidation stormsfan-out hotspotbatch invalidations and use versioned incremental edge updates
hot large objects / popular assetsread hotspottiered caching and object segmentation
origin refresh bursts on cache misscontention hotspotrequest coalescing and negative caching / stale-while-revalidate
routing/config churnfan-out hotspotincremental snapshot propagation and pull-on-version-miss
analytics/status readsread hotspotderived views only

What scales well:

  • edge reads scale horizontally
  • origin truth stays centralized/narrow
  • edge nodes serve locally from cache and snapshot

What fails first:

  • invalidation fanout storms
  • origin thundering herd on misses
  • giant hot-object fetch bursts

Canonical design conclusion:

  • archetype composition:
    • Origin Projection + Edge Delivery Plane
    • Control Plane + Data Plane
  • primary truth:
    • OriginObject
    • EdgeCacheEntry
    • InvalidationState
    • RoutingPolicy
    • EdgeSnapshot
  • hot path:
    • local edge cache read + local routing/invalidation snapshot
  • control plane:
    • authoritative origin metadata + invalidation + routing + snapshot publication

Concrete Substrate #

  • origin metadata/content store as authoritative source
  • control plane in Go/Java
  • invalidation/routing state in strongly consistent control-plane store
  • edge fleet with local cache and versioned config snapshots
  • config/invalidation propagation via watch streams / push channels / pull-on-version-miss
  • content fetch from origin with ETag/version validation

Operation Layer #

  1. ServeContent(hostname, object_key, request_context)
  • entry point: edge node
  • authoritative decider: local EdgeCacheEntry + EdgeSnapshot
  • transition: none on source truth
  • response: cached object, refresh trigger, or fetch-forwarded response
  1. PutOriginObject(object_key, metadata, expected_version?)
  • entry point: control-plane/origin API
  • authoritative decider: origin metadata store owner
  • transition: overwrite OriginObject
  1. Invalidate(object_key or prefix, expected_version?)
  • entry point: invalidation API
  • authoritative decider: invalidation-state owner
  • transition: guarded update to InvalidationState
  1. PutRoutingPolicy(distribution_id, config, expected_version?)
  • entry point: control-plane API
  • authoritative decider: routing-policy owner
  • transition: overwrite RoutingPolicy
  1. internal edge refresh
  • validate cached object version/ETag against origin
  • overwrite EdgeCacheEntry
  1. snapshot propagation
  • publish latest EdgeSnapshot(version) to edge nodes

Entry Point vs Decider vs Responder #

PathEntry pointAuthoritative deciderPhysical responderLogical responder
serve contentedge nodelocal cache entry + local snapshotedge nodeCDN
origin updatecontrol-plane/origin APIorigin metadata ownercontrol-plane nodeCDN
invalidationinvalidation APIinvalidation-state ownercontrol-plane nodeCDN
routing updatecontrol-plane APIrouting-policy ownercontrol-plane nodeCDN
edge refreshedge nodelocal edge refresh worker + origin validationedge nodeCDN
snapshot propagationedge / control planesnapshot publishercontrol/data-planeCDN

Concrete HLD #

Main components:

  • origin metadata/content store
  • control-plane API
  • invalidation/routing state store
  • snapshot distribution layer
  • edge fleet with local cache
  • edge refresh/validation logic
  • derived CDN analytics/status views

Short interview version #

“I’d design the CDN as an origin-truth plus edge-projection system. Origin content metadata is authoritative, while edge nodes serve bounded-stale cached projections using local invalidation and routing snapshots. Invalidations and routing changes are versioned control-plane updates propagated to edges, and edges refresh content from origin using version or ETag validation instead of consulting origin on every request. The main correctness boundary is bounded stale delivery under explicit invalidation and refresh rules.”