Azure CDN
When a user in India visits a website hosted in the United States, every image, video, and script must travel across the globe before it appears on screen. This causes noticeable delays. A Content Delivery Network (CDN) solves this by storing copies of content at locations around the world — so users always load content from the nearest point instead of from the origin server far away.
What is a CDN?
A CDN is a distributed network of servers — called Points of Presence (PoPs) or edge servers — placed strategically around the world. When a user requests a file (image, video, CSS, JavaScript), the CDN delivers it from the nearest edge server instead of from the original server. This dramatically reduces latency and improves page load speed.
Without CDN vs With CDN
```
WITHOUT CDN:
  User in Mumbai ──────────────────────────► Origin Server in New York
                                             High latency (~200ms)

WITH CDN:
  User in Mumbai ──► CDN Edge Node in Mumbai ──(cached)──► Fast response (~10ms)
                     (Content is cached here from the first request)
  User in London ──► CDN Edge Node in London ──(cached)──► Fast response (~8ms)
```
How Azure CDN Works
- A CDN profile and endpoint are created pointing to the origin (e.g., an Azure Blob Storage account, App Service, or any web server).
- The first user to request a file hits the nearest CDN edge node. The edge node does not have the file yet, so it fetches it from the origin server — this is called a cache miss.
- The edge node caches (stores) the file and returns it to the user.
- All subsequent users requesting the same file from the same geographic region receive it directly from the edge cache — a cache hit. The origin server is not contacted again until the cache expires.
Azure CDN Providers
Azure CDN is available through multiple underlying CDN providers, each with different capabilities:
| Provider | Tier | Best For |
|---|---|---|
| Azure CDN Standard from Microsoft | Standard | General use, tightly integrated with Azure services |
| Azure CDN Standard from Akamai | Standard | Large media files, wide global PoP coverage |
| Azure CDN Standard from Verizon | Standard | Standard web content delivery |
| Azure CDN Premium from Verizon | Premium | Advanced real-time analytics, custom rules engine |
Note: Microsoft is consolidating CDN services into Azure Front Door, which combines CDN, global load balancing, and WAF in a single service. New deployments should consider Azure Front Door Standard/Premium for a modern alternative.
CDN Profile and Endpoint
- CDN Profile: The top-level container that holds one or more endpoints. The profile also specifies the CDN provider.
- CDN Endpoint: The specific configuration for caching and delivering content from one origin. Each endpoint has a unique URL like myendpoint.azureedge.net.
Diagram – CDN Endpoint and Origin
```
CDN Profile: myapp-cdn-profile
│
└── CDN Endpoint: myapp.azureedge.net
    │
    ├── Origin: myapp.blob.core.windows.net (Azure Blob Storage)
    │
    ├── Cache Rules: Cache all .jpg, .png, .css, .js for 7 days
    │
    └── Custom Domain: cdn.mycompany.com → myapp.azureedge.net
```
Caching Rules and TTL
Time to Live (TTL) controls how long content stays cached at edge nodes before the CDN re-fetches it from the origin.
| Content Type | Recommended TTL | Reason |
|---|---|---|
| Images, videos, fonts | 7 days to 1 year | Rarely change — long cache reduces origin load |
| CSS and JavaScript files | 1 day to 7 days | Change occasionally with new deployments |
| HTML pages | Minutes to hours | Change frequently — short TTL ensures freshness |
| API responses | Not cached (or very short) | Dynamic data must always come from the origin |
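The table can be turned into a check on what the origin actually sends. The following added example (not part of the original page) parses `Cache-Control` on constructed sample responses, works out the lifetime a shared cache such as a CDN edge would use, and compares it with the table. The content-type mapping, the reading of "minutes to hours" as 60 s to 24 h, and the sample paths are assumptions, and it assumes the endpoint honours the origin's cache headers.

```python
DAY = 86400
# Allowed edge TTL in seconds per content class, taken from the table above.
POLICY = {
    "media": (7 * DAY, 365 * DAY),   # images, videos, fonts
    "css_js": (1 * DAY, 7 * DAY),
    "html": (60, DAY),               # "minutes to hours" read as 60 s..24 h (assumption)
    "api": (0, 0),                   # must not be cached at the edge
}

def classify(content_type):          # mapping to table rows is an assumption
    ct = content_type.split(";")[0].strip().lower()
    if ct.startswith(("image/", "video/", "font/")):
        return "media"
    if ct in ("text/css", "text/javascript", "application/javascript"):
        return "css_js"
    if ct == "text/html":
        return "html"
    return "api" if ct == "application/json" else None

def edge_ttl(cache_control):
    """Seconds a shared cache may keep the response; None if unspecified."""
    d = dict(p.strip().partition("=")[::2] for p in cache_control.lower().split(","))
    if d.keys() & {"no-store", "private", "no-cache"}:
        return 0
    for name in ("s-maxage", "max-age"):   # s-maxage wins for shared caches
        if d.get(name, "").isdigit():
            return int(d[name])
    return None

def audit(headers):
    kind = classify(headers.get("Content-Type", ""))
    ttl = edge_ttl(headers.get("Cache-Control", ""))
    if kind is None:
        return "unclassified"
    if ttl is None:
        return "no-ttl"                    # the CDN's default caching applies
    lo, hi = POLICY[kind]
    return "too-short" if ttl < lo else "too-long" if ttl > hi else "ok"

# Constructed sample origin responses: path -> response headers.
SAMPLES = {
    "/images/logo.png": {"Content-Type": "image/png", "Cache-Control": "public, max-age=31536000"},
    "/css/style.css": {"Content-Type": "text/css", "Cache-Control": "max-age=2592000"},
    "/index.html": {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "max-age=600, s-maxage=300"},
    "/api/profile": {"Content-Type": "application/json", "Cache-Control": "public, max-age=3600"},
    "/api/orders": {"Content-Type": "application/json", "Cache-Control": "private, no-store"},
}

def report():
    return {path: audit(headers) for path, headers in SAMPLES.items()}
```

The `/api/profile` finding is the one to act on first: a per-user API response marked `public` with a lifetime can be stored at the edge and returned to other users.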
Cache Purging
When content changes on the origin (a new product image, updated CSS), the old version may still be cached at edge nodes until the TTL expires. Cache purging removes specific files, or all files, from the CDN cache immediately so users receive the latest version right away.
```bash
# Purge specific files from the CDN cache
az cdn endpoint purge \
  --resource-group myRG \
  --profile-name myapp-cdn-profile \
  --name myapp \
  --content-paths "/images/logo.png" "/css/style.css"

# Purge all cached content
az cdn endpoint purge \
  --resource-group myRG \
  --profile-name myapp-cdn-profile \
  --name myapp \
  --content-paths "/*"
```
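A minimal model of one edge node makes the miss, hit, expiry and purge behaviour concrete. It is an added illustration, not code from the original page or from Azure CDN. The `EdgeNode` class, its prefix-style handling of `/*`, and the timestamps are assumptions. Note the third request, which still returns the old file after the origin has changed.

```python
class EdgeNode:
    """Hypothetical single edge node with one TTL for all content."""

    def __init__(self, origin, ttl):
        self.origin = origin        # dict path -> content, stands in for the origin server
        self.ttl = ttl              # seconds an entry stays fresh
        self.cache = {}             # path -> (content, expires_at)
        self.origin_fetches = 0

    def get(self, path, now):
        entry = self.cache.get(path)
        if entry and now < entry[1]:
            return "HIT", entry[0]              # served from the edge, origin not contacted
        self.origin_fetches += 1                # cache miss or expired entry
        content = self.origin[path]
        self.cache[path] = (content, now + self.ttl)
        return "MISS", content

    def purge(self, content_paths):
        for pattern in content_paths:
            if pattern.endswith("/*"):          # simplified wildcard: prefix match
                prefix = pattern[:-1]
                for path in [p for p in self.cache if p.startswith(prefix)]:
                    del self.cache[path]
            else:
                self.cache.pop(pattern, None)

def demo():
    week = 7 * 86400
    origin = {"/css/style.css": "v1"}
    edge = EdgeNode(origin, ttl=week)
    log = [edge.get("/css/style.css", now=0)]              # first request: miss
    log.append(edge.get("/css/style.css", now=3600))       # same region later: hit
    origin["/css/style.css"] = "v2"                        # new deployment on the origin
    log.append(edge.get("/css/style.css", now=7200))       # still a hit, stale v1
    edge.purge(["/*"])
    log.append(edge.get("/css/style.css", now=7300))       # purge forces a re-fetch: v2
    log.append(edge.get("/css/style.css", now=7300 + week))  # TTL expired: miss again
    return log, edge.origin_fetches
```

The stale hit is why a fix deployed to the origin, such as a corrected script, should be followed by a purge of the affected paths rather than left to the TTL.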
HTTPS and Custom Domains
Every Azure CDN endpoint gets a default HTTPS-enabled URL (e.g., myapp.azureedge.net). A custom domain (cdn.mycompany.com) can be added by creating a CNAME record pointing to the CDN endpoint. Azure CDN can automatically provision and manage a free SSL certificate for the custom domain.
Azure Front Door – The Modern CDN
Azure Front Door combines CDN, global HTTP load balancing, SSL offload, and Web Application Firewall (WAF) into a single globally distributed service. It routes user traffic to the fastest available backend, caches content at edge nodes, and protects against web attacks — all from one service.
- Anycast routing: Users connect to the nearest Front Door PoP automatically.
- Origin groups: Define multiple backend origins with health probes and failover.
- Rules engine: Redirect URLs, modify headers, and route requests based on conditions.
- WAF policies: Block SQL injection, XSS, and other OWASP Top 10 threats at the edge.
Key Takeaways
- Azure CDN caches content at global edge nodes so users receive files from the closest location, reducing latency.
- A CDN profile groups endpoints; each endpoint points to one origin (Blob Storage, App Service, web server).
- TTL controls how long content stays cached; purging removes stale content from the cache immediately.
- Azure CDN supports custom domains with automatic free SSL certificate management.
- Azure Front Door is the modern successor combining CDN, global load balancing, and WAF in one service.
