Content Delivery Network
Service ownership
Owner: network-platform (network-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11
A domestic-first CDN with on-shore edge POPs in Dhaka, Chattogram, and Sylhet. Cache once, serve from BDIX-adjacent edges with sub-10 ms first-byte to most BD users.
What it is
A CDN service you put in front of your origin (Cloud Digit, on-prem, or a third party). Configure a distribution, point your DNS at it, and we cache, compress, and route. Edge POPs are inside Bangladesh — content does not have to come back from Singapore or Mumbai for BD users.
Why an on-shore CDN
International CDNs (Cloudflare, Fastly, Akamai) typically serve BD users from Singapore, Mumbai, or Chennai. Latency is reasonable when the cache is hot, but every cache miss takes a full international round-trip. Cloud Digit CDN keeps the path inside BD, anchored at BDIX, which makes:
- Cache misses fast (origin is on-shore too)
- Sovereignty stories clean (data and logs stay onshore)
- Egress cheap (BDIX-direct → no international transit)
Features
- Origin protection — only Cloud Digit edge IPs can reach origin (recommend pinning)
- TLS — managed certs (auto-renewing) or BYO
- HTTP/2 + HTTP/3 (QUIC) — both at the edge
- Cache rules — by path, header, query string
- Purge — by URL or by tag (header-driven cache tags)
- Compression — Brotli + gzip, content-type aware
- Image transformation — resize, format conversion (avif, webp), quality
- Real-user metrics — push to SIEM or Object Storage
- Origin shielding — designate an edge POP as the canonical cache layer to reduce origin load
Use cases
| Use case | Pattern |
|---|---|
| Marketing site / SaaS dashboard | CDN in front of LB, default cache rules |
| Media library (videos, images) | CDN with image transformation |
| Software distribution | Long TTL, signed URLs, byte-range supported |
| API edge cache | Cache GETs by query string + custom keys |
| Sovereign-only delivery | BDIX-only mode (no international answer plane) |
Pricing
- Per-GB delivered (lower in-BD than international CDNs because no FX)
- Per-million-requests (small)
- Image transformations billed per-1000 transforms
- Free between CDN and Cloud Digit origin
See Pricing.
Related
- Object Storage (S3) — common CDN origin
- Load Balancer — alternative CDN origin
- DNS — apex CNAME via alias records
- WAF — pair with CDN at the edge
Operate this service
CDN with POPs across BD (Dhaka, Chattogram, Sylhet) and select international locations.
When to use the CDN
- Static asset delivery (JS/CSS/images)
- Video streaming (HLS/DASH)
- API responses with cache-friendly headers
- Software downloads
- Any audience >50% in Bangladesh — BD POPs are much closer than the international CDN they'd otherwise hit
IAM
| Role | Can do |
|---|---|
| `cdn.viewer` | Read distributions, view metrics |
| `cdn.builder` | Create / modify distributions |
| `cdn.cache-admin` | Purge cache, change cache policies |
| `cdn.admin` | Above + delete distributions, edge-rule management |
cache-admin is a separate role because over-eager purges are expensive.
Distribution layout
Recommended:
- One distribution per public hostname
- Use path-based behaviors within a distribution for different cache rules (`/assets/*` → 1y; `/api/*` → 60s)
Origin protection
CDN-only origin access:
- Origins behind a private VPC, never publicly reachable
- Origin's security group allows only CDN edge IPs
- Origin verifies a CDN-signed header on every request

```bash
cd cdn distribution origin set \
  --distribution acme-www \
  --origin lb-internal.acme-prod-vpc \
  --auth-header "X-CDN-Auth: $(openbao://acme/cdn-secret)"
```
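One way the origin side of this check can look, as an added example rather than Cloud Digit's own code: a WSGI middleware that rejects any request whose `X-CDN-Auth` value does not match the shared secret. It assumes the header carries the secret value itself, as in the command above; the two-secret rotation list, the secret strings and the helper names are assumptions made for the example.

```python
import hmac

class CDNAuthMiddleware:
    """Reject requests that do not carry a valid X-CDN-Auth value."""

    def __init__(self, app, secrets):
        # secrets: current secret first, then the previous one while a
        # rotation is still propagating to the edge (assumed rotation scheme).
        self.app = app
        self.secrets = [s.encode() for s in secrets if s]
        if not self.secrets:
            raise ValueError("at least one non-empty secret is required")

    def _valid(self, presented):
        candidate = presented.encode("latin-1", "replace")
        ok = False
        for secret in self.secrets:
            # Constant-time comparison; every secret is checked, no early exit.
            ok |= hmac.compare_digest(candidate, secret)
        return ok

    def __call__(self, environ, start_response):
        presented = environ.get("HTTP_X_CDN_AUTH", "")
        if not presented or not self._valid(presented):
            body = b"forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def origin_app(environ, start_response):
    """Stand-in for the real origin application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"origin content\n"]

def status_for(app, header_value=None):
    """Call a WSGI app once and return its status line (local check helper)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if header_value is not None:
        environ["HTTP_X_CDN_AUTH"] = header_value
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]

# Constructed secrets for the demo; load real ones from your secret store.
protected = CDNAuthMiddleware(origin_app, ["new-secret-constructed",
                                           "old-secret-constructed"])
```

The header check complements the security-group restriction to CDN edge IPs and does not replace it.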
TLS
- TLS 1.3 default, 1.2 minimum
- Certificates via ACM (auto-renew) or BYO PEM
- HSTS recommended (with preload after verification)
Cache policy templates
| Template | TTL | Use case |
|---|---|---|
| `static-immutable` | 1 year + immutable | Versioned JS/CSS |
| `static-mutable` | 1 hour | Images, fonts |
| `api-short` | 60 seconds | Cacheable API responses |
| `no-cache` | 0 (pass-through) | Authenticated content |
Apply per path; don't blanket the whole distribution.
Metrics
| Metric | Healthy | Alert |
|---|---|---|
| `cdn.requests_per_sec` | varies | |
| `cdn.cache_hit_ratio` | > 90% (static) | < 80% (cache misconfigured) |
| `cdn.origin_5xx_rate` | < 0.1% | > 1% |
| `cdn.bandwidth_to_origin` | low (mostly cached) | spike (cache cold) |
| `cdn.bandwidth_to_clients` | matches traffic | sudden 10× spike (popular content or attack) |
| `cdn.tls_handshake_failures` | 0 | > 0 |
Cache hit ratio tuning
Sub-90% hit ratio on a static distribution is wasted CDN spend. Common causes:
- Cache headers from origin override CDN config — set `cdn.cache-policy override-origin true`
- Querystring variations (random `?v=...` busts cache) — strip querystring at the edge or normalize
- Many small files — consider sprite sheets / bundling
- Geographic mismatch — content rarely re-accessed in same POP; pre-warm via `cdn cache preload`
Cache purge
```bash
# Purge by path
cd cdn purge --distribution acme-www --path "/assets/main.css"

# Purge by tag (preferred — set via response header)
cd cdn purge --distribution acme-www --tag "user-avatars"

# Full purge (rare — emergency only)
cd cdn purge --distribution acme-www --all
```
Full purges are expensive and trigger origin pressure. Use versioned asset URLs (main.abc123.css) instead — no purge needed.
Origin shielding
Enable for high-traffic distributions:
```bash
cd cdn shield enable --distribution acme-www --shield-pop bd-dha-1
```
All edge POPs route misses through the shield POP, which fans out to origin. Cuts origin requests by ~70% for content that's hot in multiple POPs.
Real-time logs
Stream to your log pipeline:
```bash
cd cdn logs stream --distribution acme-www --to s3://acme-cdn-logs/
```
5-minute batched delivery. For real-time (sub-second), use the WebSocket API:
```bash
cd cdn logs ws --distribution acme-www | jq '.client_ip, .status, .uri'
```
Pre-warming
Before a known traffic spike (campaign launch, product release):
```bash
cd cdn preload --distribution acme-www --urls @release-urls.txt
```
Loads URLs into all POPs ahead of time.
Cache hit ratio dropped
| Symptom | Likely cause |
|---|---|
| Drop after a code deploy | New asset URLs busted entire cache |
| Steady-state low | Origin sends Cache-Control: no-cache headers |
| Spiky low | Querystring variation; client sending random ?_=N |
| Geographic — only one POP | POP capacity issue; check status page |
Inspect origin headers:
```bash
curl -I https://origin.acme.com/assets/main.css
```
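To confirm the "querystring variation" cause from logs, the following added example (not part of the Cloud Digit tooling) groups log records by path and flags paths where nearly every request carries a distinct query string. It assumes one JSON record per line with the `uri` field used in the `jq` filter on this page; the thresholds, function names and sample records are constructed for the example.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

def _rec(uri, ip="203.0.113.10"):
    return json.dumps({"client_ip": ip, "status": 200, "uri": uri})

# Constructed sample records (not real traffic).
SAMPLE_LOG = (
    [_rec(f"/assets/main.css?_={1718000000 + i}") for i in range(5)]  # random buster
    + [_rec("/assets/app.js?v=abc123")] * 4                            # stable version
    + [_rec("/img/logo.png?w=200&fmt=webp"),
       _rec("/img/logo.png?fmt=webp&w=200")] * 2                       # reordered params
    + ["not json"]                                                     # malformed line
)

def cache_buster_report(lines, min_requests=4, max_ratio=0.5):
    """Map path -> stats for paths whose distinct-query ratio exceeds max_ratio."""
    requests = defaultdict(int)
    variants = defaultdict(set)
    values = defaultdict(lambda: defaultdict(set))
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the run
        uri = rec.get("uri") if isinstance(rec, dict) else None
        if not isinstance(uri, str):
            continue
        parts = urlsplit(uri)
        # Sort parameters so ?a=1&b=2 and ?b=2&a=1 count as one cache key.
        pairs = sorted(parse_qsl(parts.query, keep_blank_values=True))
        requests[parts.path] += 1
        variants[parts.path].add(tuple(pairs))
        for key, value in pairs:
            values[parts.path][key].add(value)
    report = {}
    for path, n in requests.items():
        if n >= min_requests and len(variants[path]) / n > max_ratio:
            # A parameter with an almost-unique value per request is the likely buster.
            suspects = sorted(k for k, v in values[path].items() if len(v) / n > max_ratio)
            report[path] = {"requests": n, "variants": len(variants[path]),
                            "suspect_params": suspects}
    return report
```

Parameters listed under `suspect_params` are the candidates for stripping or normalizing at the edge.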
Origin overloaded after cache invalidation
A bulk purge or deploy invalidated cache; origin gets hammered by cold-cache misses ("thundering herd"):
- Use origin shielding to deduplicate origin requests
- Pre-warm cache after deploy: `cd cdn preload`
- For unavoidable purges: stagger via path
TLS handshake failures spike
WARN: cdn.tls_handshake_failures > 0
- Cert expiring / expired (ACM should auto-renew; BYO won't)
- Client base includes legacy TLS clients (TLS 1.0/1.1 disabled)
- SNI mismatch — clients sending wrong hostname
`cd cdn logs query --filter "tls.handshake.failure"` shows client details.
403 from CDN, 200 from origin
Path is being blocked at edge:
- Geo-restriction policy excluding the client's country
- WAF rule blocking (often false positive — see WAF troubleshooting)
- Origin-protection header mismatch (if cross-region edge cache evicted, re-check `X-CDN-Auth`)
Stale content despite purge
Purge propagation: < 60s for most POPs, up to 5 min for outliers. If sustained:
- Purge by tag instead of path (avoids path-normalization issues)
- Verify the purge succeeded: `cd cdn purge status --request-id <id>`
- Some browsers cache aggressively — set short max-age on HTML
Bill spike
| Source | Reason | Fix |
|---|---|---|
| Bandwidth to clients | Real traffic, or DDoS | Verify with logs; engage DDoS |
| Bandwidth to origin | Cache miss surge (deploy purge?) | Origin shielding |
| Number of requests | API distribution; lots of small responses | Bundle or move out of CDN |
| Purge requests | Over-aggressive invalidation | Switch to versioned URLs |