
System Design Deep Dive - 17 How Cloudflare Handles Edge Requests

Post by ailswan, May 26, 2026


🎯 How Cloudflare Handles Edge Requests


1️⃣ Core Edge Framework (Staff-Level)

When discussing a Cloudflare-like edge request system, I frame it as:

  1. Anycast routing to nearest edge
  2. TLS termination
  3. WAF, bot, and rate-limit checks
  4. Cache lookup
  5. Edge compute or rules
  6. Origin fallback
  7. Observability and policy propagation
  8. Trade-offs: latency vs consistency vs security vs origin protection

2️⃣ Core Problem

The edge must improve performance and protect origins.

It needs to handle:

  - user-facing latency: terminate connections and serve repeated content near the user
  - origin load: absorb cache hits and duplicate misses so the origin sees only what it must
  - malicious traffic: stop it before it reaches the backend

👉 Interview Answer

A Cloudflare-like system moves traffic handling closer to users. The edge terminates connections, applies security policies, serves cached content when possible, and only forwards requests to origin when necessary.


3️⃣ High-Level Request Flow

User Request
   ↓
Anycast Routes to Nearby PoP
   ↓
TLS Termination
   ↓
WAF / Bot / Rate Limit
   ↓
Cache Lookup
   ↓
Edge Rules / Workers
   ↓
Origin Fetch on Miss
   ↓
Response Cached or Returned

4️⃣ Anycast and PoPs

Anycast advertises the same IP prefix from every PoP over BGP, so a client's packets are routed to the topologically nearest PoP without any DNS-based steering.

Benefits:

  - Lower latency: the connection terminates at a nearby PoP instead of at the origin.
  - Origin protection: no single site absorbs all traffic, a volumetric attack is spread across PoPs, and clients never reach the origin's address directly.

Caveat: a BGP route change can move a client's packets to a different PoP mid-flow, so per-connection state must not assume a flow stays pinned to one PoP.


5️⃣ Security Checks

Edge security can include:

  - WAF rules (request inspection for injection, traversal, and similar patterns)
  - bot detection
  - IP reputation
  - rate limiting
  - customer-defined firewall rules


👉 Interview Answer

Security should happen before the cache lookup and the origin fetch. Blocking bad traffic at the edge protects origin capacity and reduces the attack blast radius; checks are ordered cheapest first so a blocklisted IP never costs a WAF evaluation or a rate-limit token.
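An added example, not Cloudflare code, of the security stage described above: IP reputation, a minimal WAF signature match, and a per-client token-bucket rate limit, evaluated in that order and each producing a verdict before any cache or origin work happens. The signatures, the blocklist, the limits, and the traffic sample are all constructed for the example; a real WAF normalises far more than this (double encoding, body, headers) and scores rather than substring-matches.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# Added example, not Cloudflare code: the security stage that runs before any
# cache lookup or origin fetch. Checks are ordered cheapest first; the clock is
# passed in explicitly so the scenario is deterministic.

@dataclass(frozen=True)
class Request:
    client_ip: str
    path: str
    query: str = ""

@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    status: int

class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/s up to `burst`."""
    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.updated = now

    def take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class EdgeSecurity:
    # Hypothetical minimal WAF signatures, matched against the URL-decoded,
    # lower-cased path+query. Illustrative only.
    WAF_PATTERNS = ("../", "<script", "' or 1=1", "union select")

    def __init__(self, ip_blocklist, rate: float, burst: int):
        self.ip_blocklist = frozenset(ip_blocklist)
        self.rate, self.burst = rate, burst
        self.buckets: dict[str, TokenBucket] = {}
        self.counters = {"ip_reputation": 0, "waf": 0, "rate_limit": 0, "allowed": 0}

    def check(self, req: Request, now: float) -> Verdict:
        # 1. IP reputation: a set lookup, so it runs first.
        if req.client_ip in self.ip_blocklist:
            self.counters["ip_reputation"] += 1
            return Verdict(False, "ip_reputation", 403)
        # 2. WAF: decode once, then match signatures.
        target = unquote(f"{req.path}?{req.query}").lower()
        for sig in self.WAF_PATTERNS:
            if sig in target:
                self.counters["waf"] += 1
                return Verdict(False, f"waf:{sig}", 403)
        # 3. Rate limit per client IP: last, so budget is consumed only by
        #    traffic that already passed the cheaper checks.
        if req.client_ip not in self.buckets:
            self.buckets[req.client_ip] = TokenBucket(self.rate, self.burst, now)
        if not self.buckets[req.client_ip].take(now):
            self.counters["rate_limit"] += 1
            return Verdict(False, "rate_limit", 429)
        self.counters["allowed"] += 1
        return Verdict(True, "ok", 200)

def run_sample() -> tuple:
    """Constructed traffic at one PoP: one blocklisted IP, one injection
    attempt, one client bursting past its limit, one normal client."""
    edge = EdgeSecurity(ip_blocklist={"203.0.113.9"}, rate=1.0, burst=5)
    traffic = [
        (0.0, Request("203.0.113.9", "/", "")),
        (0.0, Request("198.51.100.7", "/search", "q=%27%20or%201%3D1")),
        *[(0.0, Request("198.51.100.7", "/api/items", "page=1")) for _ in range(6)],
        (0.0, Request("198.51.100.8", "/images/logo.png", "")),
        (2.0, Request("198.51.100.7", "/api/items", "page=2")),  # 2 s later: 2 tokens refilled
    ]
    reasons = [edge.check(req, now).reason for now, req in traffic]
    return reasons, edge.counters

if __name__ == "__main__":
    print(run_sample())
```

The counters are the point: the blocked requests are accounted for at the edge and never appear as cache misses or origin requests, which is what "protects origin capacity" means operationally.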


6️⃣ Cache Decision

Cache key may include:

Cache outcomes:

  - Hit: a fresh copy exists and is returned from the PoP without touching origin.
  - Miss: no usable copy; fetch from origin and, if the response is cacheable, store it.
  - Stale: the copy has expired but is served anyway, typically because the origin is unhealthy and a slightly old response beats an error.


7️⃣ Origin Fallback

On cache miss:

  - fetch the response from origin
  - decide, per the customer's cache rules and the response headers, whether it is cacheable; store it if so, return it either way

Important:

The edge should protect the origin from retry storms and thundering herds: concurrent misses for the same cache key are coalesced into a single origin fetch whose result is shared, retries are bounded, and when the origin is unhealthy a stale copy is served rather than every miss being forwarded.


8️⃣ Policy Propagation

Customer rules must propagate globally:

Trade-off:

Fast propagation improves responsiveness, but while a rollout has reached some PoPs and not others, the same request is treated differently by region until every PoP converges on the new version.
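An added example, not Cloudflare's control plane, of the rollout trade-off just described: each customer ruleset carries a per-zone version that only increases, PoPs install a ruleset only if it is newer than the one they run (so late, duplicated or reordered deliveries never roll a PoP backwards), and a lag report shows which PoPs are still on the old version. PoP names, the zone, the paths, and the "unreachable during push" condition are constructed for the example.

```python
from dataclasses import dataclass

# Added example, not Cloudflare's control plane: versioned ruleset propagation
# to PoPs with monotonic apply and a lag report.

@dataclass(frozen=True)
class Ruleset:
    zone: str
    version: int
    blocked_paths: frozenset

class PoP:
    def __init__(self, name: str):
        self.name = name
        self.active: dict[str, Ruleset] = {}  # zone -> ruleset being enforced

    def apply(self, rs: Ruleset) -> bool:
        """Install rs; return False if it is not newer than what is running."""
        current = self.active.get(rs.zone)
        if current is not None and rs.version <= current.version:
            return False
        self.active[rs.zone] = rs
        return True

    def decide(self, zone: str, path: str) -> str:
        rs = self.active.get(zone)
        if rs is None:
            return "allow"  # assumed zone default before any ruleset has arrived
        return "block" if path in rs.blocked_paths else "allow"

class ControlPlane:
    def __init__(self, pops):
        self.pops = {p.name: p for p in pops}
        self.latest: dict[str, Ruleset] = {}

    def publish(self, zone: str, blocked_paths) -> Ruleset:
        prev = self.latest.get(zone)
        rs = Ruleset(zone, (prev.version if prev else 0) + 1, frozenset(blocked_paths))
        self.latest[zone] = rs
        return rs

    def push(self, rs: Ruleset, reachable) -> dict:
        """Deliver to the PoPs reachable right now; the rest catch up later."""
        return {name: self.pops[name].apply(rs) for name in reachable}

    def lag(self, zone: str) -> dict:
        """How many versions behind the published ruleset each PoP is."""
        latest = self.latest[zone].version
        return {name: latest - (p.active[zone].version if zone in p.active else 0)
                for name, p in self.pops.items()}

def run_rollout() -> dict:
    pops = [PoP("ams"), PoP("sin"), PoP("sjc")]
    cp = ControlPlane(pops)
    zone = "example.com"
    v1 = cp.publish(zone, {"/admin"})
    cp.push(v1, reachable=["ams", "sin", "sjc"])
    v2 = cp.publish(zone, {"/admin", "/debug"})
    cp.push(v2, reachable=["ams", "sjc"])  # sin is unreachable during this push
    during = {p.name: p.decide(zone, "/debug") for p in pops}
    lag_during = cp.lag(zone)
    late_v2 = cp.pops["sin"].apply(v2)      # delayed delivery finally arrives
    replayed_v1 = cp.pops["sin"].apply(v1)  # stale duplicate must be ignored
    after = {p.name: p.decide(zone, "/debug") for p in pops}
    return {"during": during, "lag_during": lag_during, "late_v2_applied": late_v2,
            "replayed_v1_applied": replayed_v1, "after": after, "lag_after": cp.lag(zone)}

if __name__ == "__main__":
    print(run_rollout())
```

The `during` map is the "temporary regional difference": `/debug` is blocked in ams and sjc but still allowed in sin until the delayed push lands, and the lag report is what an operator watches to know when the rollout has converged.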


9️⃣ Staff-Level Trade-offs

Decision           Benefit                        Cost
Cache at edge      Low latency and origin relief  Invalidation complexity
Strict WAF         Better protection              False positive risk
Serve stale        Better availability            May show old content
Edge compute       Flexible behavior              Sandbox and resource limits
Fast rule rollout  Operational agility            Consistency challenges

Chinese Section (translated)

Quick Notes

One-liner

The core of the Cloudflare edge is moving performance and security forward to the PoP nearest the user: filter first, then check the cache, and go back to origin only when necessary.


Key Points to Memorize


Interview Answer (Chinese version)

I would design the Cloudflare edge request flow as anycast ingress, TLS termination, security checks, cache lookup, edge rules, and origin fallback. A user request reaches the nearest PoP via anycast; the edge terminates TLS first, then runs the WAF, bot detection, IP reputation, rate limiting, and customer-defined firewall rules.

If the request is cacheable, the edge does a lookup by cache key. A cache hit is returned directly; only a cache miss goes to origin, and the rules decide whether the response is cached. When the origin is unhealthy, stale content can be served where it is safe to do so, so users are not left with nothing at all.

The staff-level point is that the edge is both a performance layer and a security layer. It lowers user latency, reduces origin load, and stops malicious traffic before it reaches the backend. The main trade-offs are cache consistency, rule propagation, false positives, and origin protection.


✅ Final Interview Answer

A Cloudflare-like edge system receives user traffic through anycast routing to a nearby point of presence. The edge terminates TLS, applies WAF, bot, and rate-limit checks, evaluates cache rules, and serves cached content when possible. On cache misses or dynamic requests, it forwards to origin with protection against retries and overload.

At staff level, the edge is both a performance layer and a security layer. The core trade-off is latency and origin protection versus cache consistency, policy correctness, and false positives. A good design keeps bad traffic away from origin, serves repeated content near users, and degrades gracefully when origin is unhealthy.

Implement