What Is It?
CDN (Content Delivery Network) is a globally distributed system of edge servers that caches and delivers web content closer to end users. By serving requests from the nearest edge location, CDN reduces latency, improves load times, and handles traffic spikes automatically while providing built-in security features including DDoS Layer 7 protection, Web Application Firewall, and SSL/TLS encryption.
Quick Facts
| Aspect | Details |
|---|---|
| Type | Global edge caching and content delivery network |
| Distributions | Up to 20 per contract (increase via support) |
| Routing Rules | 1 to 25 per distribution |
| Geographic Coverage | Locations in key European markets, including Germany (Berlin, Frankfurt), Spain, the United Kingdom, and the United States |
| Protocols | IPv4 and IPv6 (dual-stack) |
| Security | DDoS Layer 7 protection, optional WAF, SSL/TLS encryption |
| Cache Behavior | HTTP 200 cached 24h, 301/302/404 cached 10 min (default) |
Rate Limiting Classes
| Class | Requests per Second (per client IP) |
|---|---|
| R1 | 1 req/s |
| R5 | 5 req/s |
| R10 | 10 req/s |
| R25 | 25 req/s |
| R50 | 50 req/s |
| R100 | 100 req/s (default) |
| R250 | 250 req/s |
| R500 | 500 req/s |
SSL/TLS Certificate Requirements
Supported Certificate Authorities: GeoTrust, Let's Encrypt intermediate certificates (R5, R6, R10, R11, R12, R13, R14), GlobalSign, and other reputable public CAs. Custom certificates can be uploaded or auto-renewed via ACME.
Not Supported: Self-signed certificates are rejected.
What You Can Do
Edge Caching
Cache static and dynamic content at edge servers closest to users. Caching reduces origin load, lowers latency, and enables faster page loads. You can enable or disable caching per routing rule based on cache-control headers.
Note: Custom cache policies are not supported. You can only enable or disable caching per routing rule.
Flexible Routing Rules
Define up to 25 routing rules per distribution to control how requests are handled. Each rule specifies scheme (HTTP/HTTPS), hostname, path prefix, upstream host, caching behavior, WAF status, rate limiting class, geo-restrictions, and SNI mode. Rules are evaluated in order with the first match taking precedence.
Note: Do not set "/" as the first rule, as it will override all subsequent rules.
SSL/TLS Encryption
Secure data in transit with end-to-end encryption between edge servers and users. Upload custom certificates from the Certificate Manager or use auto-renewed certificates via ACME (such as Let's Encrypt).
Web Application Firewall
Enable optional per-routing-rule WAF protection based on the OWASP Core Rule Set. WAF analyzes request bodies up to approximately 15 MB and protects against common web application attacks.
Note: Enabling WAF incurs additional costs.
DDoS Layer 7 Protection
Built-in protection against application-layer DDoS attacks. The edge network absorbs malicious traffic before it reaches your origin servers.
Geo-Based Routing and Restrictions
Route traffic to the nearest edge location based on user geography. Optionally allow or block traffic from specific countries using allow-lists or block-lists.
Rate Limiting
Limit request rates per client IP address using predefined classes (R1 to R500). Rate limiting applies to both cached and uncached requests and helps protect against abusive traffic patterns.
High Availability
Redundant edge servers with automatic failover ensure service continuity. If a node fails, traffic is automatically rerouted. Cached "stale" content can still be served even when the origin server is unavailable.
Bandwidth Offload
Reduce origin server load by serving content from edge caches. This lowers bandwidth consumption at the origin and improves overall infrastructure efficiency.
Best For
| Scenario | Why It Fits |
|---|---|
| Global website delivery | Serves static assets (HTML, CSS, JS, images, video) from edge servers nearest to users, reducing latency and improving page load times |
| Dynamic content delivery | Caches API-driven or personalized content based on cache-control headers, delivering dynamic responses faster than origin-only architectures |
| Software distribution | Handles large-scale delivery of updates, patches, or installers with high throughput and low latency during demand spikes |
| API request optimization | Caches repeated API calls (configuration data, catalog lookups) at the edge, reducing round-trip time to backend services |
| Traffic spike handling | Automatically scales to serve more concurrent users during traffic surges without degrading performance |
| Security hardening | Reduces direct traffic to origin servers while providing DDoS protection, WAF, and SSL/TLS encryption |
Key Considerations
Billing & Costs
- Main billing: Monthly per-distribution fee
- Additional costs: WAF protection incurs extra charges per routing rule
Limitations
- Geographic coverage currently focused on Europe with US coverage
- Maximum 20 distributions per contract (increase requires support request)
- Maximum 25 routing rules per distribution
- Caching can only be enabled or disabled per routing rule
- Self-signed SSL/TLS certificates are not accepted (only public CA-issued certificates)
- WAF request body analysis limited to approximately 15 MB
- Only two SNI modes available (distribution or origin)
Management Options
- Data Center Designer (DCD) for UI-based management
- Full CDN REST API with Bearer JWT authentication
- Go SDK for programmatic integration
- Terraform provider for infrastructure-as-code deployments