Recently, many peers have asked me why, with the same high-defense CDN, their site latency is still high and security incidents keep happening. My blunt answer: your traditional CDN is long obsolete, and if you don't combine it with edge computing you are just running in armor, heavy and slow.
These days DDoS attacks start at the terabit level and CC attacks swarm around like flies. Relying on the central node alone to absorb the traffic? The cost is unbearable, and the latency drives users away. I have tested a traditional setup: when the attack came, the central node was instantly shredded while the edge nodes sat there leisurely drinking tea, taking no part in the protection at all.
The most pitiful part is that some vendors boast of "global nodes" when many of those edge nodes have no compute capability at all; they are pure traffic relay stations. Attack traffic has to travel halfway around the world to be scrubbed, and by the time the response gets back to the user it is far too late. Don't trust CDN providers that only sell bandwidth; they can't even tell the difference between edge computing and content distribution.
The core of the problem is this: a traditional CDN piles both security and processing load onto the central node while the edge nodes sit idle. It is like making the security guard at company headquarters screen every visitor to every branch office. How could that be efficient?
Last year our e-commerce site paid the price. During a promotion we were suddenly hit by a CC attack. The central node held up, but every request had to go back to origin for verification, so order latency for legitimate users shot past 3 seconds and we lost millions of orders outright. When I later pulled the traffic logs and analyzed them, I found that 80% of the requests could have been verified at the edge nodes.
The reliable fix today is to push security protection down to the edge nodes. Give each edge node some compute and a set of security policies so that it completes the security checks while handling the request close to the user. It is the equivalent of posting a security guard at every branch office: fast and safe at the same time.
I compared three providers: CDN5 focuses on edge WAF capability, CDN07 emphasizes edge function compute, and 08Host strikes a compromise between cost and performance. Testing showed that CDN07's edge functions performed best on complex logic, but the price is equally "impressive".
For the actual rollout I recommend a layered defense strategy:
The first layer does basic checks at the outermost edge nodes, such as human verification and IP reputation checks. These lightweight operations can be done entirely at the node closest to the user, and requests that pass are released to the next tier.
Here is a practical configuration example used at edge nodes for the initial filtering of malicious IPs:
The second tier performs in-depth detection at regional nodes, such as WAF rule matching and behavioral analysis. Nodes at this level have more compute and can run more complex security algorithms.
The most important is the third layer: only requests that cannot be decided at the edge nodes go back to the central node. This filters out at least 90% of malicious requests, and the pressure on the origin drops immediately.
I tested this architecture on 08Host and latency dropped straight from 200ms to under 80ms. The difference is especially noticeable in Southeast Asia, because the local edge nodes have compute capability, and users feel it.
The security improvement is even more striking: before, hundreds of thousands of attack attempts had to be handled every day; now 80% of them are intercepted at the edge nodes. Best of all, origin server bandwidth cost dropped by 60%, and my boss has finally stopped chasing me about the bandwidth bill every day.
At the code level, mainstream CDNs now support edge functions. For example, on CDN07's edge computing platform, dynamic protection can be implemented like this:
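The page's own configuration and edge-function snippets did not survive, so here is an added example of my own, not CDN07's or any vendor's code, that puts the three layers described above into one Workers-style edge function: IP reputation and rate limiting at the outermost node, WAF rule matching at the regional tier, and a back-to-origin decision only for what is left. The reputation list, the thresholds, the WAF rules, the `req` shape and the traffic sample are all constructed assumptions; the in-memory counter stands in for the shared store a real deployment would use.

```javascript
// Added example: a layered edge-function filter. Not CDN07's or any vendor's
// code; the request shape, reputation list, thresholds and rules are assumptions.

// Layer 1 data: a constructed IP reputation list (TEST-NET addresses). In
// production this would come from a shared store or a vendor feed.
const IP_REPUTATION = new Map([
  ['203.0.113.7', 'known-scanner'],
  ['198.51.100.42', 'botnet-member'],
]);

// Layer 1 rate limit for CC (HTTP flood) protection: requests per IP per window.
const RATE_LIMIT = { windowMs: 10_000, maxRequests: 50 };

// Layer 2 WAF rules: pattern checks run at regional nodes. Deliberately tiny;
// a real rule set is far larger and is maintained outside the function.
const WAF_RULES = [
  { id: 'path-traversal', re: /(\.\.\/|%2e%2e%2f)/i, field: 'path' },
  { id: 'sqli-keyword', re: /\b(union\s+select|or\s+1\s*=\s*1)\b/i, field: 'query' },
];

// Paths the edge can answer with no origin round trip at all.
const EDGE_SERVED = [/^\/static\//, /^\/health$/];

// In-memory fixed-window counter. Edge nodes are stateless, so a per-isolate
// Map only sees one node's traffic; a shared Redis cluster would replace it.
function createRateStore() {
  const buckets = new Map();
  return {
    hit(ip, nowMs) {
      const b = buckets.get(ip) ?? { start: nowMs, count: 0 };
      if (nowMs - b.start >= RATE_LIMIT.windowMs) { b.start = nowMs; b.count = 0; }
      b.count += 1;
      buckets.set(ip, b);
      return b.count;
    },
  };
}

// Layer 1: outermost node, only cheap checks.
function layerEdge(req, store, nowMs) {
  const rep = IP_REPUTATION.get(req.ip);
  if (rep) return { action: 'block', layer: 1, reason: `ip-reputation:${rep}` };
  const n = store.hit(req.ip, nowMs);
  if (n > RATE_LIMIT.maxRequests) return { action: 'challenge', layer: 1, reason: 'rate-limit' };
  if (EDGE_SERVED.some((re) => re.test(req.path))) {
    return { action: 'serve-edge', layer: 1, reason: 'edge-cacheable' };
  }
  return null; // undecided: hand to the next tier
}

// Layer 2: regional node with more compute runs the WAF rules.
function layerRegional(req) {
  for (const rule of WAF_RULES) {
    if (rule.re.test(req[rule.field] ?? '')) {
      return { action: 'block', layer: 2, reason: `waf:${rule.id}` };
    }
  }
  return null;
}

// Layer 3: whatever survives is the slice that genuinely needs the origin.
function classifyRequest(req, store, nowMs = Date.now()) {
  return layerEdge(req, store, nowMs)
    ?? layerRegional(req)
    ?? { action: 'origin', layer: 3, reason: 'needs-origin' };
}

// Run the classifier over a traffic sample and report how much each layer absorbed.
function summarize(requests, nowMs = 0) {
  const store = createRateStore();
  const decisions = requests.map((r) => classifyRequest(r, store, nowMs));
  const byLayer = { 1: 0, 2: 0, 3: 0 };
  for (const d of decisions) byLayer[d.layer] += 1;
  return { decisions, byLayer, edgeStoppedRatio: (byLayer[1] + byLayer[2]) / decisions.length };
}

// Constructed sample: one listed IP, one static asset, one WAF hit, one clean
// API call, and a 200-request burst from a single source (a CC-style flood).
const SAMPLE = [
  { ip: '203.0.113.7', path: '/api/order', query: '' },
  { ip: '192.0.2.10', path: '/static/app.js', query: '' },
  { ip: '192.0.2.11', path: '/api/search', query: 'q=1 union select 1,2' },
  { ip: '192.0.2.12', path: '/api/order', query: 'id=5' },
  ...Array.from({ length: 200 }, () => ({ ip: '198.51.100.9', path: '/login', query: '' })),
];

const report = summarize(SAMPLE);
console.log(report.byLayer, `stopped before origin: ${(report.edgeStoppedRatio * 100).toFixed(1)}%`);
```

On the constructed sample the first two layers absorb 153 of 204 requests; the first 50 requests of the flood still reach the origin because a fixed-window counter only reacts once the threshold is crossed, which is exactly why the edge counter needs to be shared across nodes rather than kept per isolate.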
Never underestimate these edge functions: edge nodes today have better compute performance than some cloud hosts. I have run WAF detection, image compression, and A/B testing simultaneously on a single edge node, and it stayed rock solid.
Of course there are pitfalls in the migration. The biggest is state management: edge nodes are stateless and must share data through distributed storage. I recommend a Redis cluster for state synchronization; it adds a little latency but is far better than going all the way back to origin.
Another pain point is debugging. With so many edge nodes, pinpointing a problem is hard. My approach is to plant monitoring points in every edge function and trace the whole request chain with a unique requestId. Then no matter which nodes the request passes through, you can locate the problem quickly.
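To make the requestId approach concrete, here is an added example (mine, not any vendor's tracing SDK) of propagating a request id through an edge, regional and origin hop, with a monitoring point at each hop emitting a structured log line. The header name, hop names, simulated per-hop costs, the in-memory log sink and the fake clock are constructed assumptions; the origin hop deliberately drops the id to show the correlation check that keeps the chain stitched together.

```javascript
// Added example: requestId propagation and per-hop monitoring points.
// Illustrative only; header name, hops, costs and the log sink are assumptions.

const REQUEST_ID_HEADER = 'x-request-id';

// Only the first hop mints an id; later hops reuse the incoming one, or the
// logs cannot be stitched back together. A malformed incoming value is replaced
// rather than echoed into every log line downstream.
function ensureRequestId(headers, generate = defaultId) {
  const incoming = headers[REQUEST_ID_HEADER];
  return typeof incoming === 'string' && /^[A-Za-z0-9-]{8,64}$/.test(incoming)
    ? incoming
    : generate();
}

// Stand-in id generator; a real deployment would use crypto.randomUUID().
function defaultId() {
  return Array.from({ length: 4 }, () =>
    Math.floor(Math.random() * 0x10000).toString(16).padStart(4, '0')).join('-');
}

// Monitoring point: wraps one stage on one node and pushes a structured log
// line into `sink` (stands in for the central log pipeline). `clock` is
// injectable so the example is deterministic; production code would use performance.now().
function monitored(ctx, node, stage, fn) {
  const start = ctx.clock();
  let outcome = 'ok';
  try {
    return fn();
  } catch (err) {
    outcome = `error:${err.message}`;
    throw err;
  } finally {
    ctx.sink.push({ requestId: ctx.requestId, node, stage, durationMs: ctx.clock() - start, outcome });
  }
}

// Walk a request through the hops. Each hop receives the previous hop's
// outgoing headers, so the id propagates naturally; a hop that drops it is
// logged and the id is restored so the rest of the chain stays correlated.
function traceRequest(incomingHeaders, hops, sink, clock) {
  const requestId = ensureRequestId(incomingHeaders);
  const ctx = { requestId, sink, clock };
  let headers = { ...incomingHeaders, [REQUEST_ID_HEADER]: requestId };
  for (const hop of hops) {
    headers = monitored(ctx, hop.node, hop.stage, () => hop.handle(headers));
    if (headers[REQUEST_ID_HEADER] !== requestId) {
      sink.push({ requestId, node: hop.node, stage: hop.stage, durationMs: 0, outcome: 'id-dropped' });
      headers = { ...headers, [REQUEST_ID_HEADER]: requestId };
    }
  }
  return { requestId, headers };
}

// Locating a problem: filter the mixed log stream by id, then find the costliest
// stage. With many nodes this is the query you actually end up running.
function slowestStage(sink, requestId) {
  return sink
    .filter((l) => l.requestId === requestId && l.outcome !== 'id-dropped')
    .reduce((worst, l) => (worst === null || l.durationMs > worst.durationMs ? l : worst), null);
}

// Constructed chain with a fake clock; `cost` is the simulated time each hop burns.
function buildSampleChain() {
  let now = 0;
  const clock = () => now;
  const hop = (node, stage, cost, mutate = (h) => h) => ({
    node, stage,
    handle: (h) => { now += cost; return mutate({ ...h }); },
  });
  return {
    clock,
    hops: [
      hop('edge-sg1', 'ip-reputation', 2),
      hop('regional-sg', 'waf-rules', 15),
      // Rebuilds the headers from scratch and loses the id: the bug the
      // correlation check in traceRequest exists to catch.
      hop('origin', 'origin-fetch', 120, () => ({ 'content-type': 'application/json' })),
    ],
  };
}

function runSample() {
  const sink = [];
  const { clock, hops } = buildSampleChain();
  const result = traceRequest({ 'x-request-id': 'req-20240101-0001' }, hops, sink, clock);
  return { sink, result, slowest: slowestStage(sink, result.requestId) };
}

const sample = runSample();
for (const line of sample.sink) console.log(JSON.stringify(line));
console.log('slowest:', sample.slowest.node, sample.slowest.stage, `${sample.slowest.durationMs}ms`);
```

The log lines carry the id, node, stage and duration, which is all you need to group a request's journey out of a stream from hundreds of nodes; the `id-dropped` line is the signal that a hop is rebuilding headers instead of forwarding them.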
Don't worry about cost either. The unit price of edge computing is slightly higher, but the overall cost actually goes down. With less back-to-origin traffic and less pressure on the central node, the all-in calculation saves about 30%. For traffic-heavy services such as video and gaming the savings are even more obvious.
I recently helped a gaming company migrate: their median global latency dropped from 142ms to 67ms and player churn fell by 18%. The security gain is even more dramatic; the cost of a DDoS attack went up by a factor of ten, because attackers now have to hit hundreds of edge nodes at the same time for it to have any effect.
This architecture will only become more prevalent. 5G and the explosive growth of IoT devices will see all computing needs migrate to the edge. If you don't get on board now, you may be obsolete later.
Honestly, technology selection matters a great deal. If your business is mainly in Asia-Pacific, CDN5's coverage advantage is obvious; if you need strong compute, CDN07's edge function ecosystem is the most complete; if you are chasing cost-effectiveness, 08Host's packages are genuinely fair. Best to run a small-scale PoC first rather than blindly following the crowd.
Finally, a true story: last year a company was hit by a 300Gbps DDoS, and because it relied on traditional centralized protection its entire service was down for 12 hours. After migrating to the edge protection architecture, an attack of the same scale could not be felt at all; the traffic was diluted and absorbed across the edge nodes. The boss sent me a red envelope to say thanks, adding that he would have used this approach much earlier if he had known.
My architecture design principle is now very clear: if it can be processed at the edge, never go back to origin; if it can be protected at the edge, never centralize it. That gives low latency and high security at the same time, plus a significant cost reduction. Why not?
Honestly, watching request response times drop from triple digits to double digits and security incidents fall from dozens a day to almost zero gives more of a sense of accomplishment than anything else. Isn't seeing your architecture actually produce value the best part of being a techie?
Next time someone tells you that CDNs are just for acceleration, send them this article. It's 2024; surely nobody still thinks a high-defense CDN can do without edge computing, right?