FinOps guide
CDN Cost Optimization: Egress, Cache Hits and Origin Shielding
A higher cache-hit ratio is not automatically a lower bill. Attribute delivery, origin, shield, compute, and log meters to the request paths that produce them.
On this page
CDN cost optimisation is a measurement problem, not a universal TTL recommendation. A cache hit may avoid an origin fetch, but its financial impact depends on object size, contracted rates, origin work, shielding topology, edge products, and observability retention.
Overview
Outcome
Build a cost-to-serve model and safe experiment loop that can distinguish a real cost change from a local metric improvement or a shifted bill.
Model the complete delivery path
total = delivery bytes + CDN requests + shield or inter-POP traffic
+ edge products + origin egress + origin requests and compute
+ logging, storage, queries + allocated fixed commitmentsUse effective, region-specific contract rates rather than public-list-price examples. Separate avoided usage from financial savings: fewer origin requests do not reduce a fixed reserved-capacity bill until a capacity decision changes.
Viewer delivery, edge policy, shield, origin transfer, application work, and telemetry can each be metered independently.
Measure bytes and origin work, not one cache ratio
Request cache-hit ratio gives a cached thumbnail and a cached video segment equal weight. Byte offload shows how much delivered body volume was served by cache. Origin-request avoidance is often closer to API and compute impact. Define the cacheable population and report PASS, private, write, error, and revalidation traffic separately.
| Metric | Calculation | Decision use |
|---|---|---|
| Request hit ratio | hits / eligible requests | Diagnose cache behaviour |
| Byte offload | cache-served bytes / eligible delivered bytes | Estimate transfer avoided |
| Origin avoidance | 1 - origin fetches / eligible requests | Model API and compute pressure |
| Cost per unit | attributed cost / GB, request, stream, order, or tenant | Connect technical use to business value |
Fix fragmentation before extending freshness
Query order, tracking parameters, cookies, headers, image transformations, locale, experiments, and signed URLs can divide a reusable representation into many keys. Remove or normalise a dimension only after proving it does not change the representation or weaken authorisation. Never raise a hit ratio by exposing private data.
Treat shielding as a break-even experiment
Origin shielding can consolidate duplicate misses, especially for globally requested cacheable objects and constrained origins. It can also add inter-POP requests, bandwidth, and double edge execution. Measure pre/post origin cost, added shield cost, latency, errors, freshness, and fallback behaviour before retaining it.
Troubleshooting
Cost optimisation guardrails
- Do not add local hit ratios across CDNs; use end-user and shared-origin denominators.
- Do not extend a public cache policy to authenticated, personalised, or transaction state.
- Do not retain raw logs indefinitely just to preserve a future optimisation option.
- Do not declare a saving until billing and capacity evidence support it.
Related guides
Authoritative references
- FinOps Foundation: Unit Economics
- AWS: Improve CloudFront cache-hit ratio
- AWS: CloudFront Origin Shield
- Cloudflare: How charges accrue
- Fastly: Shielding
Measure delivery economics before changing cache policy
Optimi can help join edge, origin, and usage evidence into a cost model that preserves correctness and reliability.
Assess CDN cost drivers