CDNs & Edge#
Reference of content delivery networks, edge compute platforms, and DDoS / WAF / bot-management providers. Useful for traffic-engineering, attack mitigation, OSINT fingerprinting (CDN-fronted services), and cost / latency optimization.
For DNS providers (often bundled), see DNS Providers. For cloud regions / IaaS, see Cloud Regions.
Major CDNs#
Provider |
Notes |
|---|---|
Cloudflare |
~330 cities; ~14 Tbps; pay-per-tier (Free / Pro / Business / Ent); Workers (V8 isolates); R2 (S3-API egress-free); Pages; Zaraz / Turnstile / Stream; the ubiquitous tier 1. |
Akamai |
The original; ~4100 PoPs; very wide; expensive; legacy enterprise + media. |
Fastly |
~80+ PoPs; Compute@Edge (WASM); VCL-flexible; popular with publishers; Glitch / GitHub. |
Amazon CloudFront |
410+ PoPs; Lambda@Edge + CloudFront Functions. |
Google Cloud CDN |
Backed by Google’s edge; tied to LB. |
Azure Front Door |
MS edge; routing + WAF + caching. |
Microsoft AFD Standard / Premium |
Standard for caching; Premium adds full WAF / bot rules. |
Imperva |
WAF + DDoS focus. |
StackPath / Edgio |
Edgecast successor; merged with Limelight; bankruptcy 2024 pending. |
Bunny.net |
Lower-cost; rapid growth. |
KeyCDN |
Switzerland-based budget. |
CDN77 |
Czech-based budget. |
Gcore |
Global; Russian-origin company; relocated to Luxembourg. |
EdgeNext |
CN/global; Asia-focused. |
ChinaNetCenter / Wang Su |
CN; Wangsu; large in CN/JP/KR. |
Tencent CDN |
CN; tied to Tencent Cloud. |
Alibaba Cloud CDN |
CN; tied to Alibaba Cloud. |
HUAWEI Cloud CDN |
CN; tied to Huawei Cloud. |
JD Cloud CDN |
CN; JD.com. |
Yandex CDN |
RU. |
Edge compute (serverless)#
Platform |
Provider |
Notes |
|---|---|---|
Cloudflare Workers |
Cloudflare |
V8 isolates; instant cold start; KV / R2 / D1 / Durable Objects. |
Cloudflare Pages |
Cloudflare |
Jamstack hosting; tied to Workers. |
AWS Lambda@Edge |
AWS |
Node / Python at CloudFront edges. |
CloudFront Functions |
AWS |
Lighter; per-request JS. |
Vercel Edge Functions |
Vercel |
Cloudflare Workers under the hood. |
Vercel Functions |
Vercel |
AWS Lambda; Next.js-tied. |
Netlify Edge Function |
s Netlify |
Deno-based. |
Fastly Compute@Edge |
Fastly |
Wasm; multi-language. |
Deno Deploy |
Deno |
V8 isolates. |
Bun Workers / Edge |
Bun / Oven |
Newer. |
Akamai EdgeWorkers |
Akamai |
JS at edge. |
Render |
Render |
Container hosting + edge static. |
Fly.io |
Fly.io |
Containers near user; not strict CDN. |
DDoS protection#
Provider |
Notes |
|---|---|
Cloudflare Magic Tran |
sit + Spectrum Anycast L3/4; ~71+ Tbps capacity. |
Akamai Prolexic |
Scrubbing centers; the original commercial DDoS scrub. |
AWS Shield |
Standard (free) + Advanced (paid). |
Azure DDoS Protection |
Standard / IP-tier. |
Google Cloud Armor |
L7 + L3/4 protection. |
Radware |
On-prem + cloud. |
NETSCOUT Arbor |
Carrier-grade; Sightline / TMS. |
Imperva DDoS |
CDN+WAF. |
Fastly Next-Gen |
Originally Signal Sciences. |
F5 Silverline |
Cloud scrubbing. |
Stormwall |
Russian / global; ~10 Tbps. |
DDoS-Guard |
RU; controversial customers. |
Voxility |
EU; budget L3/4. |
Path.net |
Anti-DDoS for game / chat. |
Cosmic Defenders |
Niche specialized. |
Group-IB DDoS-stop |
RU/global; legitimate but cross-jurisdictional. |
WAF + bot management#
Provider |
Notes |
|---|---|
Cloudflare WAF |
Managed rule sets; OWASP CRS + Cloudflare-curated; bot mgmt. |
AWS WAF |
Per-rule / per-rule-group; managed rules; Bot Control. |
Azure WAF |
Managed CRS + custom; Front Door / App Gateway. |
Google Cloud Armor |
Adaptive Protection; reCAPTCHA Enterprise. |
Akamai Kona / WAAP |
Site Defender / WAAP. |
Imperva WAF / Cloud |
Originally Incapsula. |
F5 Advanced WAF |
NGINX App Protect; F5 BIG-IP ASM. |
Fastly Next-Gen WAF |
Signal Sciences-derived. |
Citrix Web App Firew all |
NetScaler. |
ModSecurity |
OSS WAF rules; Trustwave Spiderlabs CRS. |
Coraza |
OSS Go-based ModSecurity-compatible. |
Wallarm |
API-focused. |
Salt Security |
API security. |
Noname Security |
API security; bought by Akamai 2024. |
Datadome |
Bot management. |
HUMAN (PerimeterX) |
Bot management. |
Kasada |
Bot management. |
Akamai Bot Manager |
Bot management. |
Cloudflare Turnstile |
CAPTCHA-alternative. |
hCaptcha |
CAPTCHA / privacy-focused. |
reCAPTCHA Enterprise |
Google. |
Traffic features#
Feature |
Notes |
|---|---|
HTTP/3 + QUIC |
Most CDNs support; rollout still ramping. |
0-RTT TLS 1.3 |
Replay-vulnerable; provider-controlled. |
ECH (Encrypted Client Hello) |
Cloudflare GA 2023; hides SNI; not yet universal. |
HSTS preload |
CDN sets headers. |
Brotli / Zstd |
Compression at edge. |
Image polish |
Smart compression / resize at edge. |
TLS 1.3 + post-quantu m |
Cloudflare + Google + AWS rolling out hybrid X25519MLKEM768. |
mTLS |
Mutual TLS at the edge for B2B / API. |
Edge cache |
Tiered (city / region / origin) for cache-fill. |
Operator notes#
CDN bypass is a thing, attackers find origin IP via cert-transparency, DNS history (SecurityTrails), email headers, error pages. Hide origin with allow-list + Cloudflare Argo Tunnel / AWS PrivateLink-style egress.
Anycast latency can hurt some workloads (sticky sessions, stateful long-lived connections); test latency from real client locations.
Logs to OSINT, many free CDN tiers include sampled logs; passive OSINT tools (e.g. Censys / Shodan) often identify CDN-fronted services.
WAF false positives, managed rule sets break legit apps; tune in monitor mode first.
TLS termination at edge means your provider sees cleartext; consider mTLS to origin or end-to-end E2EE.
CSP + SRI + COEP / COOP are origin-side defenses; the CDN can serve them but can’t enforce them.
Cache-poisoning is a real attack class; vary on right headers and don’t cache responses with cookies.
Geo / sanctions, some providers comply with US OFAC; Russian / Iranian / Cuban traffic may be blocked unilaterally.