CDNs & Edge#

Reference of content delivery networks, edge compute platforms, and DDoS / WAF / bot-management providers. Useful for traffic-engineering, attack mitigation, OSINT fingerprinting (CDN-fronted services), and cost / latency optimization.

For DNS providers (often bundled), see DNS Providers. For cloud regions / IaaS, see Cloud Regions.

Major CDNs#

Provider

Notes

Cloudflare

~330 cities; ~14 Tbps; pay-per-tier (Free / Pro / Business / Ent); Workers (V8 isolates); R2 (S3-API egress-free); Pages; Zaraz / Turnstile / Stream; the ubiquitous tier 1.

Akamai

The original; ~4100 PoPs; very wide; expensive; legacy enterprise + media.

Fastly

~80+ PoPs; Compute@Edge (WASM); VCL-flexible; popular with publishers; Glitch / GitHub.

Amazon CloudFront

410+ PoPs; Lambda@Edge + CloudFront Functions.

Google Cloud CDN

Backed by Google’s edge; tied to LB.

Azure Front Door

MS edge; routing + WAF + caching.

Microsoft AFD Standard / Premium

Standard for caching; Premium adds full WAF / bot rules.

Imperva

WAF + DDoS focus.

StackPath / Edgio

Edgecast successor; merged with Limelight; bankruptcy 2024 pending.

Bunny.net

Lower-cost; rapid growth.

KeyCDN

Switzerland-based budget.

CDN77

Czech-based budget.

Gcore

Global; Russian-origin company; relocated to Luxembourg.

EdgeNext

CN/global; Asia-focused.

ChinaNetCenter / Wang Su

CN; Wangsu; large in CN/JP/KR.

Tencent CDN

CN; tied to Tencent Cloud.

Alibaba Cloud CDN

CN; tied to Alibaba Cloud.

HUAWEI Cloud CDN

CN; tied to Huawei Cloud.

JD Cloud CDN

CN; JD.com.

Yandex CDN

RU.

Edge compute (serverless)#

Platform

Provider

Notes

Cloudflare Workers

Cloudflare

V8 isolates; instant cold start; KV / R2 / D1 / Durable Objects.

Cloudflare Pages

Cloudflare

Jamstack hosting; tied to Workers.

AWS Lambda@Edge

AWS

Node / Python at CloudFront edges.

CloudFront Functions

AWS

Lighter; per-request JS.

Vercel Edge Functions

Vercel

Cloudflare Workers under the hood.

Vercel Functions

Vercel

AWS Lambda; Next.js-tied.

Netlify Edge Function

s Netlify

Deno-based.

Fastly Compute@Edge

Fastly

Wasm; multi-language.

Deno Deploy

Deno

V8 isolates.

Bun Workers / Edge

Bun / Oven

Newer.

Akamai EdgeWorkers

Akamai

JS at edge.

Render

Render

Container hosting + edge static.

Fly.io

Fly.io

Containers near user; not strict CDN.

DDoS protection#

Provider

Notes

Cloudflare Magic Tran

sit + Spectrum Anycast L3/4; ~71+ Tbps capacity.

Akamai Prolexic

Scrubbing centers; the original commercial DDoS scrub.

AWS Shield

Standard (free) + Advanced (paid).

Azure DDoS Protection

Standard / IP-tier.

Google Cloud Armor

L7 + L3/4 protection.

Radware

On-prem + cloud.

NETSCOUT Arbor

Carrier-grade; Sightline / TMS.

Imperva DDoS

CDN+WAF.

Fastly Next-Gen

Originally Signal Sciences.

F5 Silverline

Cloud scrubbing.

Stormwall

Russian / global; ~10 Tbps.

DDoS-Guard

RU; controversial customers.

Voxility

EU; budget L3/4.

Path.net

Anti-DDoS for game / chat.

Cosmic Defenders

Niche specialized.

Group-IB DDoS-stop

RU/global; legitimate but cross-jurisdictional.

WAF + bot management#

Provider

Notes

Cloudflare WAF

Managed rule sets; OWASP CRS + Cloudflare-curated; bot mgmt.

AWS WAF

Per-rule / per-rule-group; managed rules; Bot Control.

Azure WAF

Managed CRS + custom; Front Door / App Gateway.

Google Cloud Armor

Adaptive Protection; reCAPTCHA Enterprise.

Akamai Kona / WAAP

Site Defender / WAAP.

Imperva WAF / Cloud

Originally Incapsula.

F5 Advanced WAF

NGINX App Protect; F5 BIG-IP ASM.

Fastly Next-Gen WAF

Signal Sciences-derived.

Citrix Web App Firew all

NetScaler.

ModSecurity

OSS WAF rules; Trustwave Spiderlabs CRS.

Coraza

OSS Go-based ModSecurity-compatible.

Wallarm

API-focused.

Salt Security

API security.

Noname Security

API security; bought by Akamai 2024.

Datadome

Bot management.

HUMAN (PerimeterX)

Bot management.

Kasada

Bot management.

Akamai Bot Manager

Bot management.

Cloudflare Turnstile

CAPTCHA-alternative.

hCaptcha

CAPTCHA / privacy-focused.

reCAPTCHA Enterprise

Google.

Traffic features#

Feature

Notes

HTTP/3 + QUIC

Most CDNs support; rollout still ramping.

0-RTT TLS 1.3

Replay-vulnerable; provider-controlled.

ECH (Encrypted Client Hello)

Cloudflare GA 2023; hides SNI; not yet universal.

HSTS preload

CDN sets headers.

Brotli / Zstd

Compression at edge.

Image polish

Smart compression / resize at edge.

TLS 1.3 + post-quantu m

Cloudflare + Google + AWS rolling out hybrid X25519MLKEM768.

mTLS

Mutual TLS at the edge for B2B / API.

Edge cache

Tiered (city / region / origin) for cache-fill.

Operator notes#

  • CDN bypass is a thing, attackers find origin IP via cert-transparency, DNS history (SecurityTrails), email headers, error pages. Hide origin with allow-list + Cloudflare Argo Tunnel / AWS PrivateLink-style egress.

  • Anycast latency can hurt some workloads (sticky sessions, stateful long-lived connections); test latency from real client locations.

  • Logs to OSINT, many free CDN tiers include sampled logs; passive OSINT tools (e.g. Censys / Shodan) often identify CDN-fronted services.

  • WAF false positives, managed rule sets break legit apps; tune in monitor mode first.

  • TLS termination at edge means your provider sees cleartext; consider mTLS to origin or end-to-end E2EE.

  • CSP + SRI + COEP / COOP are origin-side defenses; the CDN can serve them but can’t enforce them.

  • Cache-poisoning is a real attack class; vary on right headers and don’t cache responses with cookies.

  • Geo / sanctions, some providers comply with US OFAC; Russian / Iranian / Cuban traffic may be blocked unilaterally.

References#