CDN Deep Dive: From Protocol Internals to Global Networks - Cloudflare vs EdgeOne
Summary (TL;DR)
This article takes a deep look at how CDNs work, covering the core technologies of DNS/GSLB intelligent scheduling, BGP Anycast routing, and QUIC/HTTP/3 protocol optimization. Comparing Cloudflare with Tencent EdgeOne: Cloudflare uses a pure Anycast architecture with excellent global coverage, but in mainland China, lacking direct connections with the carriers, traffic detours via the United States with 200ms+ latency; EdgeOne uses Anycast overseas and GSLB + Tencent private lines domestically for low latency, but ICP filing must be completed before domestic nodes can be used. Key optimizations: enable BBR congestion control on the origin, force HTTP/3 (QUIC), use Full (Strict) SSL mode, and configure HSTS. Core conclusion: choose Cloudflare for global business; choose EdgeOne when users are mainly in mainland China and ICP filing is in place; combining the two gives the best performance.
Preface: Witnessing the Magical Journey of Data Packets
When you type a URL into your browser and hit Enter, what actually happens? We're usually given a simplified answer: DNS lookup, TCP connection, HTTP request. However, this process is far more complex and fascinating than textbooks portray.
The performance, security, and stability of the modern internet largely depend on an invisible "operating system"—the CDN (Content Delivery Network). Why does the same website sometimes load lightning-fast and other times crawl like a snail? Why do Cloudflare's IP addresses seem to be everywhere? Why did the HTTP/3 protocol choose to embrace UDP?
This article will unveil the technical black box of CDN giants like Cloudflare and Tencent EdgeOne, taking you inside data packets and diving from the application layer down to network routing, revealing the true nature of data flow in this deep ocean we call the internet.
I. The Essence of CDN — A "Highway" Built on Top of the Internet
The core philosophy of CDN can be traced back to resolving a fundamental and ancient contradiction: the conflict between the laws of physics and ever-increasing network bandwidth.
1.1 The Core Conflict: The Speed of Light Limit and "Long Fat Pipes"
The total latency of internet communication consists of four components:
- Propagation Delay: Determined by distance / speed of light, this is an insurmountable physical law. The theoretical minimum round-trip time (RTT) from Beijing to Los Angeles via direct fiber is about 140ms, while actual routing often exceeds 200ms.
- Long Fat Pipe: This is a classic network model. When the product of bandwidth and RTT is large, it's like a very long and thick water pipe. Traditional TCP congestion control algorithms perform poorly on such links, with their congestion window growing slowly, making it difficult to fully utilize available bandwidth.
1.2 Architectural Solution: An "Overlay Network" Trading Space for Time
The essence of CDN is building an intelligent application-layer overlay network on top of the physical IP network (network layer).
Think of it as building a private highway system with intelligent dispatch centers (CDN network) on top of ordinary city roads (public internet).
- Origin: Your server, deployed on AWS or Alibaba Cloud, holding the authoritative version of all content.
- Edge Node (Edge / PoP): Server clusters deployed by CDN providers in ISP data centers globally, serving as highway entrances and exits.
- Cache: Following HTTP RFC 7234 standards, "pre-downloading" static resources (images, JS, CSS) to edge nodes closest to users, allowing users to fetch content locally.
Architecture Diagram
II. DNS and GSLB — The Intelligent Traffic Baton
The first step in configuring a CDN typically involves modifying your domain's NS (Nameserver) records. This seemingly simple step actually transfers the "supreme command" of your website's traffic to the CDN.
2.1 Authoritative DNS Takeover
When you point the NS records of example.com to bob.ns.cloudflare.com, all DNS queries for example.com ultimately reach Cloudflare's DNS servers. This is fundamentally different from traditional DNS static mapping (one domain -> one fixed IP).
A CDN's DNS system is essentially a GSLB (Global Server Load Balancing) engine. It's a dynamic computational system that calculates the optimal server IP address for the current user in real-time based on a series of factors.
2.2 Intelligent Scheduling Algorithm: GeoIP and EDNS
How does a CDN know to route "Beijing users" to "Beijing nodes"?
GeoIP Database: The GSLB system queries the geographic location and operator (ASN) of the query source's IP address (i.e., the user's local DNS server IP) in commercial databases like MaxMind.
EDNS Client Subnet (ECS):
- Problem: If a user uses public DNS (like 8.8.8.8), the CDN sees the query source as Google's server in the US, causing GSLB to incorrectly route Beijing users to US nodes.
- Solution: RFC 7871 defines the ECS extension. ECS-supporting local DNS servers attach the user IP's prefix (e.g., 202.106.0.0/24) when querying authoritative DNS, enabling GSLB to make more precise geolocation judgments.
Note
It's worth noting that Cloudflare, for privacy protection and improved DNS cache hit rates, does not fully support ECS by default in its free tier. This sometimes results in lower scheduling precision in mainland China compared to deeply localized services like Tencent EdgeOne. This represents a typical trade-off between privacy, cost, and performance.
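To make the ECS mechanism concrete, here is an added example (not code from the original article, nor from Cloudflare or Tencent) that encodes and decodes the RFC 7871 option on the wire and feeds it to a toy GSLB. The GeoIP table, edge node addresses and the resolver IP are constructed sample data.

```python
import ipaddress
import struct
from typing import Optional

ECS_OPTION_CODE = 8  # EDNS option code assigned to Client Subnet (RFC 7871)

# Constructed GeoIP table and edge catalogue for a toy GSLB (not real data).
GEOIP_TABLE = {
    "202.106.0.0/16": "Beijing",   # sample entry: a Beijing access range
    "8.8.8.0/24": "US-West",       # sample entry: a public DNS resolver range
}
EDGE_NODES = {"Beijing": "203.0.113.10", "US-West": "198.51.100.10"}


def encode_ecs(prefix: str) -> bytes:
    """Build an EDNS option carrying an RFC 7871 ECS body:
    FAMILY (1=IPv4, 2=IPv6), SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH
    (0 in queries), then the address truncated to ceil(prefixlen/8) octets."""
    net = ipaddress.ip_network(prefix, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    # Wrap as OPTION-CODE, OPTION-LENGTH, OPTION-DATA
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option: bytes):
    """Inverse of encode_ecs: returns (client subnet, scope prefix length)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    family, src_len, scope_len = struct.unpack("!HBB", option[4:8])
    addr_bytes = option[8:4 + length]
    full = 4 if family == 1 else 16
    addr = ipaddress.ip_address(addr_bytes.ljust(full, b"\x00"))  # re-pad
    return ipaddress.ip_network(f"{addr}/{src_len}", strict=False), scope_len


def gslb_pick(resolver_ip: str, ecs_option: Optional[bytes] = None):
    """Toy GSLB decision. With ECS the lookup key is the client's subnet;
    without it the only key available is the resolver's own IP, which is
    exactly the failure mode that sends public-DNS users in Beijing to a US node."""
    if ecs_option is not None:
        subnet, _ = decode_ecs(ecs_option)
        key = subnet.network_address
    else:
        key = ipaddress.ip_address(resolver_ip)
    for prefix, region in GEOIP_TABLE.items():
        if key in ipaddress.ip_network(prefix):
            return region, EDGE_NODES[region]
    return "US-West", EDGE_NODES["US-West"]  # default when nothing matches
```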
Full GSLB Scheduling Flow Diagram:
III. Cloudflare's Nuclear Weapon — Anycast and BGP Routing Magic
One of Cloudflare's core technologies that made it a disruptor in the global CDN market is its large-scale application of Anycast. This requires us to dive into the network layer and understand the internet's routing protocol—BGP.
3.1 Unicast vs. Anycast
- Unicast: The mode we're most familiar with. One IP address globally corresponds to one unique network interface. The data packet's destination is unique.
- Anycast: One IP address can be assigned to different servers at multiple locations worldwide. When a packet is sent to this IP, the internet's routing protocols will "automatically" deliver it to the topologically nearest server.
Cloudflare's magic lies in simultaneously advertising the same IP range (e.g., 104.16.0.0/12) from routers in over 300 data centers worldwide.
3.2 Leveraging BGP Path Selection Principles
BGP (Border Gateway Protocol) is the internet's foundation—a decentralized routing protocol responsible for exchanging routing information between autonomous systems (AS, like an operator's network). When routers worldwide receive multiple origin advertisements for the same IP, they follow a complex set of path selection principles to determine the best path, with the most critical being:
- Shortest AS-PATH preferred: Routers choose the path traversing the fewest autonomous systems (AS).
This is the core of how Anycast works. For a Beijing user, when their request for 104.16.x.x reaches the operator's router, the router discovers that the AS-PATH to Cloudflare's Hong Kong node is shorter than to the Los Angeles node, so the packet naturally flows toward Hong Kong.
3.3 Why Cloudflare Sometimes Becomes a "Decelerator" in Mainland China
This is a classic issue of network geopolitics and economics, involving Peering and Transit.
- Tier-1 ISP Barriers: China Telecom (AS4134), China Unicom (AS4837), and China Mobile (AS9808) are Tier-1 operators. They possess massive global networks and typically only engage in free peering with other Tier-1 operators, while charging steep transit fees to smaller networks.
- Cloudflare's Cost Considerations: Cloudflare's free and low-tier plans don't have sufficient budget to purchase expensive direct connections with China's three major operators.
- "Routing Detour" Disaster:
- When a China Telecom user accesses a Cloudflare-hosted website, due to the lack of direct peering relationships, Telecom's BGP policy selects the lowest-cost path for traffic exchange.
- This path typically routes through congested international exits, detouring via public internet exchange points (IXP) on the US West Coast (like Los Angeles).
- Path: User's computer → Telecom metro network → Telecom backbone → Guangzhou/Shanghai exit → Trans-Pacific cable → Los Angeles IXP → Cloudflare node.
- Consequence: Latency skyrockets from an ideal 30ms to 250ms+, accompanied by packet loss rates up to 20%.
IV. Tencent EdgeOne's Breakthrough — Hybrid Architecture and Compliance Threshold
Since Cloudflare's pure Anycast model struggles in China's special network environment, how do localized CDNs like Tencent EdgeOne (TEO) solve this problem? The answer lies in hybrid architecture and strict adaptation to domestic compliance requirements.
4.1 Architectural Differences: EdgeOne's Hybrid Model and Access Rules
EdgeOne employs a more flexible hybrid architecture, which can be viewed as a combination of CDN + SD-WAN (Software-Defined Wide Area Network). However, unlike Cloudflare, EdgeOne has strict threshold restrictions for accessing domestic nodes.
- Anycast (Overseas): Overseas, EdgeOne also uses Anycast technology to absorb global traffic, especially for DDoS mitigation, with capabilities comparable to Cloudflare.
- Unicast + Intelligent Scheduling (Domestic): In China's complex operator environment, EdgeOne relies on GSLB to precisely guide users to the nearest node of their corresponding operator.
⚠️ Critical Prerequisites: ICP Filing and Acceleration Region
EdgeOne's "domestic acceleration capability" is not enabled by default. Mainland China users will only access domestic edge nodes if both conditions are met:
- The domain must hold a valid mainland China ICP filing.
- Acceleration region must be configured as "Global (including mainland China)" or "Mainland China".
If your domain lacks ICP filing, or you only selected "Global (excluding mainland China)" acceleration, even if your user is in Beijing, EdgeOne will route them to the nearest overseas node (typically Hong Kong, Japan, or Korea). In this case, user traffic still needs to traverse cross-border public exits, unable to benefit from domestic nodes' low latency.
4.2 Middle Mile Optimization: The Magic of Private Backbone
Setting aside the compliance restrictions on access points, EdgeOne's true "black technology" lies in Middle Mile Optimization:
From edge nodes (whether domestic or overseas access points) back to origin servers, EdgeOne doesn't traverse the uncertainty-filled public internet but utilizes Tencent Cloud's massive internal backbone private network built globally.
4.3 Comparison Diagram: A Cross-Border Origin Fetch Journey
Assume your origin server is on AWS Singapore, and your user is in Beijing.
Scenario 1: Cloudflare (Free/Pro) or EdgeOne (No ICP Filing)
Note: Without ICP filing, EdgeOne typically performs better than Cloudflare, as it routes to Hong Kong/nearby nodes rather than the US, but still requires cross-border transit.
Scenario 2: Tencent EdgeOne (With ICP Filing + Domestic Acceleration Enabled)
This is EdgeOne's complete form, achieving true cross-border acceleration.
In Scenario 2, EdgeOne's advantage is that it splits one long, unstable "public network link" into three segments, cleverly solving the cross-border congestion problem:
- Short and fast "last mile": Users directly connect to the Beijing node (without going through congested international exits).
- Long but stable "middle mile": Traffic enters Tencent's internal network at the Beijing node, transmitted via private backbone directly to the Singapore node (avoiding public cross-border packet loss and jitter).
- Short and fast "first mile": The Singapore edge node fetches from origin.
Summary: For businesses with overseas origins and domestic users, EdgeOne can only unleash its overwhelming network advantage over Cloudflare after resolving ICP filing; otherwise, the difference mainly manifests in edge node geographic distance (e.g., Hong Kong vs. US).
V. Transport Layer Revolution — HTTP/3, QUIC, and BBR
The modern CDN performance battle has long since moved from application-layer caching down to transport-layer protocol innovation. The core of that battlefield is replacing TCP with UDP.
5.1 TCP's Achilles' Heel: Head-of-Line Blocking (HoL Blocking)
TCP provides reliable, in-order byte stream transmission. This means if packet N is lost, even if N+1, N+2 have arrived at the receiver's buffer, the OS kernel must wait for N to be retransmitted and successfully received before delivering all data to the application layer.
This problem became particularly acute in the HTTP/2 era. HTTP/2 introduced multiplexing, allowing concurrent transmission of multiple independent resource streams on a single TCP connection. But this brought a catastrophic consequence: if the underlying TCP loses one packet, all concurrent streams get blocked, waiting together for retransmission. This is TCP-level head-of-line blocking.
5.2 QUIC: Rebirth on Top of UDP
QUIC (Quick UDP Internet Connections) is the transport layer foundation of HTTP/3, cleverly solving the above problem.
- Moving to User Space: QUIC runs on top of UDP, transferring reliable transmission, congestion control, flow control, and other logic originally handled by the OS kernel to the application layer (user space).
- True Multiplexing: Because the logic lives in the application layer, QUIC can define its own rules. It stipulates that each stream is independent: packet loss in Stream A only blocks Stream A, without affecting Stream B's delivery at all.
- 0-RTT Connection Establishment:
- TCP + TLS 1.2: Requires at least 3-RTT to complete handshake and send application data.
- QUIC + TLS 1.3: Initial connection requires only 1-RTT, subsequent connections can achieve 0-RTT, meaning encrypted application data is carried in the very first packet.
- Connection Migration: When your phone switches from Wi-Fi to 5G, the IP address changes and TCP connections break. QUIC connections are identified by a unique "connection ID", unaffected by IP address changes, enabling seamless connection migration.
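The head-of-line blocking contrast from 5.1 and 5.2, as an added simulation (not code from the original article or from any QUIC implementation): two streams are interleaved on one connection, one packet is lost, and the two delivery functions show what each stream's application layer can read before the retransmission arrives. The packet sequence is constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int       # TCP sequence number / QUIC packet number (connection-wide)
    stream: str    # the HTTP/2 or HTTP/3 stream this packet's frame belongs to
    payload: str   # stand-in for the bytes carried


# Constructed sample: two multiplexed streams interleaved on one connection.
PACKETS = [
    Packet(1, "A", "a0"), Packet(2, "B", "b0"), Packet(3, "A", "a1"),
    Packet(4, "B", "b1"), Packet(5, "A", "a2"), Packet(6, "B", "b2"),
]


def deliver_tcp(packets, lost):
    """TCP releases bytes to the application only in sequence order, so the
    first hole blocks every later packet regardless of which stream it is for."""
    delivered = {}
    expected = 1
    for p in sorted(packets, key=lambda p: p.seq):
        if p.seq in lost or p.seq != expected:
            break                      # hole: everything after waits
        delivered.setdefault(p.stream, []).append(p.payload)
        expected += 1
    return delivered


def deliver_quic(packets, lost):
    """QUIC tracks offsets per stream, so a hole only blocks later frames of
    the same stream; the other streams keep flowing."""
    delivered, blocked = {}, set()
    for p in sorted(packets, key=lambda p: p.seq):
        if p.seq in lost:
            blocked.add(p.stream)      # only this stream waits for retransmission
        elif p.stream not in blocked:
            delivered.setdefault(p.stream, []).append(p.payload)
    return delivered


def stalled_streams(packets, lost, deliver):
    """Streams that received less than they would have with no loss."""
    full = deliver(packets, set())
    got = deliver(packets, lost)
    return sorted(s for s in full if len(got.get(s, [])) < len(full[s]))
```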
5.3 BBR: A Generational Leap in Congestion Control
Traditional congestion control algorithms (like Reno, Cubic) are loss-based. Their logic: once packet loss occurs, assume network congestion and immediately halve the sending rate.
However, in modern networks (especially lossy wireless networks or long-distance fiber), packet loss doesn't always equal congestion. Random physical noise can also cause packet loss. Cubic makes incorrect judgments in such cases, causing bandwidth utilization to plummet.
Google's BBR (Bottleneck Bandwidth and Round-trip propagation time) algorithm brings a new approach:
- Model-Based Control: BBR no longer focuses on packet loss but continuously models two core network parameters through active probing:
- BtlBw (Bottleneck Bandwidth): The link's bottleneck bandwidth.
- RTprop (Round-trip propagation time): The link's physical minimum latency.
- Pacing: BBR smoothly sends packets based on measured bottleneck bandwidth, rather than violently "filling" the pipe until overflow (packet loss) like traditional algorithms.
Experiments prove that even in 20% high packet loss environments, BBR can still saturate bandwidth because it "knows" packet loss isn't caused by congestion.
Important Note
Enabling BBR on your origin server is a crucial step to maximize CDN performance. For Linux (Kernel 4.9+), enable it with:

```bash
# Write to sysctl config
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
# Apply config
sysctl -p
# Verify that the kernel actually switched to bbr
sysctl net.ipv4.tcp_congestion_control
```

VI. Rock-Solid Security Layer — HTTPS, HSTS, and WAF
An excellent system must not only be fast but also secure. CDNs play a crucial role as the first line of defense in security.
6.1 SSL/TLS Handshake and Configuration Modes
In Cloudflare or EdgeOne consoles, SSL/TLS mode selection directly determines your security posture.
Flexible Mode
Client --(HTTPS)--> CDN --(HTTP)--> Origin
- Extremely dangerous, strongly discouraged. While the user's browser address bar shows a green lock, the "second half" from CDN to your origin is plaintext transmission, vulnerable to eavesdropping. This creates a false sense of security.
Full (Strict) Mode
Client --(HTTPS)--> CDN --(HTTPS+cert validation)--> Origin
- The only recommended mode. It implements end-to-end encryption throughout, and the CDN strictly validates whether your origin's SSL certificate is valid, preventing man-in-the-middle attacks.
6.2 HSTS: Eliminating Downgrade Attacks with "Forced HTTPS"
HSTS (HTTP Strict Transport Security) aims to resolve the "SSL stripping attack" risk during users' first visit or access via insecure links.
Attackers can downgrade users' requests for https://example.com to http://example.com on insecure networks (like public Wi-Fi), thereby stealing information.
By adding an HSTS header in server responses, this possibility can be completely eliminated:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- max-age: Tells the browser that for the next two years (63072000 seconds), any access to this domain must forcibly use HTTPS.
- includeSubDomains: This policy also applies to all subdomains.
- preload: Requests browser vendors to hard-code your domain into their "HSTS preload list", so even first-time visitors are forced to use HTTPS.
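A small validator for the header above, added here as an example (not code from the original article): it parses the directives per RFC 6797 and reports what a defender would want to know before submitting to the preload list. The one-year minimum is the preload list's published requirement; the finding wording is the example's own.

```python
import re

PRELOAD_MIN_AGE = 31_536_000   # one year: the minimum max-age the preload list accepts


def parse_hsts(value: str) -> dict:
    """Parse the value of a Strict-Transport-Security header (RFC 6797).
    Directive names are case-insensitive and may not repeat; a repeated
    directive invalidates the whole header, so it raises here."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if val else True
    return directives


def check_hsts(value: str) -> list:
    """Return findings for a header value; an empty list means the policy is
    valid, covers subdomains, and meets the preload-list requirements."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", str(max_age)):
        findings.append("max-age missing or non-numeric: browsers ignore the header")
    else:
        age = int(max_age)
        if age == 0:
            findings.append("max-age=0 tells browsers to forget the policy")
        elif age < PRELOAD_MIN_AGE:
            findings.append(f"max-age {age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains remain downgradable")
    if "preload" not in d:
        findings.append("preload token missing: first visits are still unprotected")
    return findings
```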
6.3 WAF (Web Application Firewall)
WAF operates at the application layer to defend against SQL injection, XSS cross-site scripting, and other application-layer attacks.
- Cloudflare WAF: Its greatest advantage is the global network effect. If an attacking IP targets a bank in New York, that IP is instantly added to the global blacklist. Seconds later, your personal blog in Beijing is automatically immune to attacks from this IP.
- EdgeOne WAF: More focused on deep analysis and optimization of China-specific network attack traffic (like CC attacks in gaming or malicious crawlers in e-commerce), with more localized rule sets.
VII. Summary and Architectural Decisions
After understanding the underlying principles, how should we choose the right CDN solution for our projects?
7.1 Selection Matrix
| Feature | Cloudflare | Tencent EdgeOne |
|---|---|---|
| Underlying Routing | Pure BGP Anycast | Anycast (overseas) + Smart scheduling (domestic) |
| Origin Fetch Link | Public Internet | Tencent private backbone |
| China Access | Slow (limited by peering policies) | Extremely fast (local access + private backbone) |
| Protocol Support | Full HTTP/3, QUIC, 0-RTT support | Full HTTP/3, QUIC support |
| Configuration Complexity | Very low, mature ecosystem, quick start | Medium, powerful rule engine, more flexible |
| Use Cases | Global business, personal projects, mega DDoS | China-focused, going global, gaming, e-commerce |
7.2 Final Recommendations
- For global audiences or extremely cost-sensitive personal projects: Cloudflare remains an unparalleled choice, with its free tier providing world-class security and basic acceleration.
- For businesses with users primarily in mainland China or extremely strict latency requirements: Tencent EdgeOne and similar CDNs that deeply integrate local operators and private backbones are undoubtedly the right answer for the current landscape.
- Origin optimization is fundamental: Regardless of CDN choice, be sure to enable BBR congestion control on your origin server.
- Embrace new protocols: Force-enable HTTP/3 (QUIC) in CDN consoles for significant experience improvements, especially for mobile users.
- Security is the baseline: Always enable Full (Strict) SSL mode and configure HSTS.
Epilogue
True "technical depth" isn't about memorizing scattered knowledge points, but being able to clearly construct the complex and precise system behind a familiar scenario in your mind.
The next time you hit Enter in your browser, I hope you can "see" that packet crossing mountains and seas: empowered by DNS GSLB, relay-transmitted by BGP routing protocols across global networks, racing at near light-speed through undersea cables, flexibly changing lanes in the congested "TCP lane" with QUIC protocol's help, finally presenting safely and completely before the user.
This is the charm of CDN, and the romance of network technology as a discipline.