Performance guide
Multi-CDN Explained: When One CDN Is Not Enough
A practical guide to choosing, routing, testing, and operating more than one content delivery network.
Use a Multi-CDN architecture when the availability, geographic performance, regulatory exposure, or traffic volume of your website makes dependence on one delivery provider an unacceptable risk. Do not add a second CDN simply to collect another dashboard. Multi-CDN is worthwhile when you can define a routing decision, keep behavior consistent across providers, protect the origin, and prove that failover works.
The architecture normally has four layers: authoritative DNS or an edge traffic director, two or more CDN providers, a shared origin and security policy, and an observability layer that compares the providers. The director chooses a healthy provider for each region or request class. The CDNs cache and protect content. The origin remains the source of truth, not the failover mechanism.
Redundancy is not automatic resilience
A second CDN only improves resilience if traffic can move to it, the cache and security policies are compatible, and the team knows who makes the change during an incident.
When Multi-CDN makes sense
Start with the failure you are trying to reduce.
- Provider outage: A critical site cannot accept a single provider as its only delivery path.
- Regional performance variance: One network has strong peering in one market while another performs better elsewhere.
- Traffic or product concentration: A launch, sale, media event, or API workload needs independent capacity and a tested escape route.
- Contract or sovereignty constraints: Different regions or properties require different providers, points of presence, or operational controls.
- Negotiation and migration risk: You need to change providers without a risky all-at-once cutover.
Stay with one CDN when traffic is modest, the provider already meets your availability and latency objectives, and your team cannot operate the extra control plane. Multi-CDN adds DNS, configuration, purge, certificate, log, billing, and incident-response complexity. A managed CDN may be the better first step.
Choose the routing model
There is no universally best steering policy. Select one that matches the business objective and the quality of the signals available.
Failover-first sends traffic to a primary pool and moves it to a secondary pool when health checks fail. It is the simplest model and the easiest to explain during an incident. It may leave performance gains unused while the primary is technically healthy.
Geographic steering assigns regions or countries to providers. It works well when providers have known local strengths or when data handling differs by market. Keep an ordered fallback for every region, including the default path.
Performance steering compares measured latency or error signals and selects the best healthy provider. It can improve user experience, but it needs enough probes, a stable measurement window, and dampening. Otherwise, traffic can oscillate between providers because of normal network noise.
Weighted steering is useful for a canary, migration, or capacity split. Start with a small percentage, compare error rate and origin load, then increase gradually. A weight is not a health policy: a provider with a high weight still needs an independent health gate.
Cloudflare equivalents include Load Balancing pools, health monitors, and failover, geo, or dynamic steering policies. Cloudflare's dynamic steering uses monitor measurements to compare pool round-trip time. Fastly equivalents include healthy backends, health checks, directors, weights, retries, and shielding. The product names differ, but the operating principle is the same: steer only among healthy destinations and define what happens when the preferred set is empty.
Build the architecture safely
-
Inventory request classes. Separate immutable assets, HTML, authenticated pages, APIs, uploads, streaming, webhooks, and administration. They do not share the same cache or failover policy. Never route a stateful write to a provider chosen only for static asset speed.
-
Standardize the edge contract. Use the same hostnames, TLS coverage, supported protocols, compression rules, redirects, cache keys, origin headers, WAF policy, rate limits, and error responses. Record provider-specific differences rather than assuming configuration parity.
-
Create application-aware health checks. Probe a lightweight endpoint that verifies the intended host, TLS, expected status, and a safe response body. A TCP connection to a live load balancer does not prove that checkout, search, or the API is usable. Use separate checks for separate critical paths when one endpoint cannot represent the whole application.
-
Protect the origin. Allow traffic from the delivery providers, use authenticated origin connections where available, and keep the origin hostname and addresses out of public records where possible. Otherwise an attacker can bypass both CDNs and turn a failover design into an origin outage.
-
Make cache and purge portable. Use versioned asset filenames for long-lived objects. Define a provider-neutral purge procedure for HTML and mutable objects. Test that a publish or rollback updates every provider, not only the currently active one. If providers use different cache keys, explicitly reconcile query parameters, headers, cookies, and content negotiation.
-
Keep DNS assumptions realistic. DNS steering is subject to resolver and client caching. A low TTL does not guarantee that every user changes provider immediately. Set an operational recovery objective that reflects this delay, and use connection-level or application-level steering when the workload requires faster control.
Test and observe it
Baseline each provider independently before sending production traffic. Measure availability, time to first byte, Core Web Vitals, TLS errors, cache status, origin requests, 4xx and 5xx rates, and cost by region and request class. Compare like with like: the same cache state, object version, headers, and test geography.
Test these scenarios on a schedule:
- A provider returns errors from one region while remaining healthy elsewhere.
- Health checks fail, recover, and fail again during a dampened rollout.
- DNS answers remain cached beyond the intended TTL.
- A purge is issued during a deploy and each provider serves the expected version.
- The primary CDN is unavailable while the origin is healthy, then the origin is degraded too.
- A WAF, bot, or rate-limit rule behaves consistently after the switch.
Alert on user-visible symptoms, not only provider status pages: regional success rate, p95 latency, cache-hit ratio, origin saturation, DNS answer distribution, and traffic share by provider. Keep request IDs and a provider indicator in logs so the same transaction can be followed across the edge and origin. A managed Multi-CDN service is valuable only when this comparison and response work is operationally owned.
Mistakes to avoid
- Treating two CDNs with different cache keys as redundant copies of one system.
- Using a health check that always returns HTTP 200 even when the application is broken.
- Setting aggressive weights without a ramp, rollback, or capacity test.
- Forgetting certificates, redirects, CORS, security headers, or purge behavior on the standby.
- Assuming DNS TTL equals failover time.
- Allowing the origin to accept the public internet after adding an edge layer.
- Measuring only average latency and missing regional errors or a rising origin request rate.
For the standards behind cacheability and revalidation, see the IETF HTTP Caching standard. For provider implementation details, compare Cloudflare traffic steering with Fastly load balancing. For help assessing whether your site needs this level of orchestration, see Optimi's contact page.
There are only two hard things in Computer Science: cache invalidation and naming things.
Design a Multi-CDN strategy you can operate
Talk to our team about routing, failover, cache consistency, and observability for your critical properties.
Talk to an expert