Google Cloud CDN
- Google Cloud CDN (Content Delivery Network) uses Google’s global edge network to serve content closer to users, which accelerates websites and applications.
- Cloud CDN works with the global external Application Load Balancer or the classic Application Load Balancer to deliver content to users.
- Cloud CDN content can be sourced from various types of backends (also referred to as origin servers):
- Instance groups
- Zonal network endpoint groups (NEGs)
- Serverless NEGs: One or more App Engine, Cloud Run, or Cloud Functions services
- Internet NEGs, for endpoints that are outside of Google Cloud (also known as custom origins)
- Buckets in Cloud Storage
- GKE Ingress and GKE Gateway backends
- Cloud CDN with Google Cloud Armor enforces security policies only for requests for dynamic content, cache misses, or other requests that are destined for the origin server. Cache hits are served even if the downstream Google Cloud Armor security policy would prevent that request from reaching the origin server.
- Google Cloud Armor supports edge security policies (applied before CDN lookup for all traffic) and backend security policies (enforced only for cache misses/dynamic content).
Cloud CDN vs Media CDN
- Cloud CDN is Google Cloud’s web acceleration solution optimized for web content delivery (websites, APIs, and small/medium assets).
- Media CDN (GA since 2022) is Google Cloud’s media delivery CDN optimized for high-throughput egress workloads such as streaming video (VoD and live) and large file downloads. It uses YouTube’s serving infrastructure.
- Media CDN complements Cloud CDN — they are separate products for different use cases.
- Choose Cloud CDN for: websites, APIs, dynamic content caching, small/medium assets.
- Choose Media CDN for: video streaming, large file downloads, high-throughput media delivery.
Cloud CDN Flow

- When a user requests content from an external Application Load Balancer, the request arrives at a Google Front End (GFE), which is at the edge of Google’s network as close as possible to the user.
- GFE uses Cloud CDN if the load balancer’s URL map routes traffic to a backend service or backend bucket that has Cloud CDN configured.
- Cloud CDN doesn’t perform any URL redirection. The Cloud CDN cache is located at the GFE.
- Caching happens automatically for all cacheable content, once Cloud CDN is enabled.
- Cache Hits and Cache Misses
- A cache is a group of servers that stores and manages content so that future requests for that content can be served faster.
- Cached content is a copy of cacheable content that is stored on origin servers.
- Cache Hit – GFE sends the cached response, if the GFE looks in the Cloud CDN cache and finds a cached response to the user’s request.
- Partial Hit – A request is served partially from cache and partially from a backend. This can happen if only part of the requested content is stored in cache (relevant to byte range requests).
- Cache Miss – GFE determines that it can’t fulfill the request from the cache, if the content is requested for the first time or has expired or been evicted.
- Cache Hit Ratio
- Cache Hit Ratio is the percentage of times that a requested object is served from the cache.
- Cache hit ratio can be monitored from the Cloud CDN page in Google Cloud Console.
- Cache Egress and Cache Fill
- Cache Egress – Data transfer from a cache to the client.
- Cache Fill – Data transfer to a cache.
- Cache Eviction
- Cloud CDN removes or evicts content to insert new content once the cache reaches its capacity.
- Content evicted is usually the one that hasn’t recently been accessed, regardless of the content’s expiration time.
- Multiple Google Cloud projects share a common pool of cache space since they are served from the same set of GFEs.
- Cache Expiration
- Content in HTTP(S) caches can have a configurable expiration time or Time To Live (TTL).
- Cloud CDN supports TTL settings and overrides: client TTL, default TTL, and max TTL.
- Cache Invalidation
- Cache Invalidation allows one to force an object or set of objects to be ignored by the cache.
- Invalidations don’t affect cached copies in web browser caches or caches operated by third-party internet service providers.
- Each invalidation request takes effect in about 10 seconds.
- Invalidation supports URL path patterns (e.g., /images/* instead of each individual file).
- Cache Tag Invalidation (GA May 2025) allows grouping objects by arbitrary metadata tags and invalidating them at scale with faster performance and higher rate limits.
- Cache Preloading
- Caching is reactive in that an object is stored in a particular cache only if a request goes through that cache and if the response is cacheable.
- Caches cannot be preloaded except by causing the individual caches to respond to requests.
- An object stored in one cache does not automatically replicate into other caches; cache fill happens only in response to a client-initiated request.
Cloud CDN Cache Modes
- Cloud CDN supports three cache modes that define how responses are cached:
- CACHE_ALL_STATIC (default) – Automatically caches static content (images, CSS, JS, video, audio, web fonts) that does not have no-store, private, or no-cache directives. Responses without caching directives use the configured default TTL.
- USE_ORIGIN_HEADERS – Requires the origin to set valid caching directives (Cache-Control and Expires headers). Responses without these headers or with no-store/private directives are not cached.
- FORCE_CACHE_ALL – Unconditionally caches responses, overriding any cache directives set by the origin. Should NOT be used if serving private, per-user content (e.g., dynamic HTML or API responses).
- Cache modes can be configured per backend service or backend bucket.
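The Cloud Armor note near the top of the page and the FORCE_CACHE_ALL caveat above can both be checked from a backend service export. This audit is an added example, not Google's tooling; the sample records are constructed in the shape of `gcloud compute backend-services list --format=json`, and the project, service and policy names are placeholders.

```python
import json

# Constructed sample; only the fields the audit reads are included.
SAMPLE = json.loads("""
[
  {"name": "web-static", "enableCDN": true,
   "cdnPolicy": {"cacheMode": "CACHE_ALL_STATIC"},
   "securityPolicy": "projects/example-project/global/securityPolicies/waf",
   "edgeSecurityPolicy": "projects/example-project/global/securityPolicies/edge"},
  {"name": "api-frontend", "enableCDN": true,
   "cdnPolicy": {"cacheMode": "FORCE_CACHE_ALL"},
   "securityPolicy": "projects/example-project/global/securityPolicies/waf"},
  {"name": "internal-admin", "enableCDN": false,
   "securityPolicy": "projects/example-project/global/securityPolicies/waf"}
]
""")


def audit(services):
    """Return (service name, finding code) pairs for CDN-enabled backends."""
    findings = []
    for svc in services:
        if not svc.get("enableCDN"):
            continue  # no Cloud CDN cache in front of this backend
        name = svc["name"]
        mode = svc.get("cdnPolicy", {}).get("cacheMode")
        if mode == "FORCE_CACHE_ALL":
            # Origin Cache-Control is overridden, so private or per-user
            # responses would be cached and served to other clients.
            findings.append((name, "FORCE_CACHE_ALL"))
        if svc.get("securityPolicy") and not svc.get("edgeSecurityPolicy"):
            # A backend policy is evaluated only on cache misses and dynamic
            # content; cache hits are served without it.
            findings.append((name, "BACKEND_POLICY_ONLY"))
    return findings


if __name__ == "__main__":
    for name, code in audit(SAMPLE):
        print(f"{name}: {code}")
```
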
Cloud CDN Content Targeting
- Content Targeting (GA May 2025) helps cache and deliver assets customized for end-user contexts.
- Supports:
- Device characterization – serve different content based on device type (mobile, tablet, desktop).
- Geo-targeting – serve content customized by user’s geographic location.
- Useful for implementing responsive websites, language customization, and currency settings.
- Content targeting works with cache keys to serve appropriate cached content per user context.
Cloud CDN Signed URLs and Signed Cookies
- Cloud CDN signed URLs and signed cookies help serve responses from Google Cloud’s globally distributed caches, even for authorized requests.
- Signed URLs
- A Signed URL provides user read access to a private resource for a limited time without needing a Google Account.
- Anyone who knows the URL can access the resource until the expiration time is reached or the key is rotated.
- Cryptographic keys are created on a backend service or bucket, or both.
- The signed URL contains authorization within the request URL with selected elements hashed and cryptographically signed using a strongly generated random key.
- Best for controlling access to individual URLs.
- Signed Cookies
- Signed cookies provide access to a URL prefix — all requests under that prefix are automatically authenticated.
- Signed cookies are better suited when you need to authorize access to multiple restricted files.
- Avoid re-signing URLs for every request or embedding custom logic in applications.
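How the signed URL properties listed above (time limit, tamper detection, revocation by key rotation) follow from the signature, as an added example that is not code from this page or from Google. It uses the documented Cloud CDN layout of `Expires`, `KeyName` and `Signature` with HMAC-SHA1 over a base64url key; `verify_url`, the key name, the host and the fixed demo key are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed 128-bit demo key, fixed so the run is repeatable; real keys must be random.
DEMO_KEY = base64.urlsafe_b64encode(bytes(range(16))).decode()
KEYS = {"demo-key": DEMO_KEY}  # key name -> base64url key (names are assumptions)


def _mac(b64_key, text):
    return hmac.new(base64.urlsafe_b64decode(b64_key), text.encode(), hashlib.sha1).digest()


def sign_url(url, key_name, b64_key, expires_epoch):
    """Append Expires and KeyName, then sign everything up to that point."""
    sep = "&" if urlsplit(url).query else "?"
    to_sign = f"{url}{sep}Expires={expires_epoch}&KeyName={key_name}"
    sig = base64.urlsafe_b64encode(_mac(b64_key, to_sign)).decode()
    return f"{to_sign}&Signature={sig}"


def verify_url(signed_url, keys, now=None):
    """Hypothetical local verifier: known key, intact MAC, not yet expired."""
    now = int(time.time()) if now is None else now
    to_sign, found, sig = signed_url.rpartition("&Signature=")
    if not found:
        return (False, "missing signature")
    query = parse_qs(urlsplit(to_sign).query)
    key_name = query.get("KeyName", [""])[-1]
    expires = query.get("Expires", [""])[-1]
    if key_name not in keys:
        return (False, "unknown or rotated key")
    try:
        given = base64.urlsafe_b64decode(sig)
    except ValueError:
        return (False, "bad signature")
    if not hmac.compare_digest(_mac(keys[key_name], to_sign), given):
        return (False, "bad signature")
    if not expires.isdigit() or int(expires) <= now:
        return (False, "expired")
    return (True, "ok")


SIGNED = sign_url("https://media.example.com/videos/a.mp4", "demo-key", DEMO_KEY, 2000000000)
```

Because the signature covers the path and the expiry, neither can be changed by the holder of the URL, but the URL itself is a bearer credential until it expires or its key is removed.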
Cloud CDN Private Origin Authentication
- Private Origin Authentication (GA September 2023) gives Cloud CDN long-term resource access to private Amazon S3 buckets or other compatible object stores.
- Limits connections to your private origins and prevents users from directly accessing them.
- Uses AWS Signature Version 4 to sign requests to S3-compatible backends.
- The backend verifies that requests genuinely come from your Cloud CDN setup, allowing the bucket to remain private.
- Configurable through both gcloud CLI and Google Cloud Console.
Cloud CDN Service Extensions (Edge Compute)
- Service Extensions for Cloud CDN (GA November 2025) lets you add custom code to the request processing path of global external Application Load Balancers.
- Two types of extensions:
- Edge Extensions (pre-cache) – run before Cloud CDN evaluates the cache, allowing you to manipulate request headers to influence caching and routing decisions.
- Traffic Extensions (post-cache) – run after content is served from cache, allowing manipulation of cached content on the response path.
- Use cases include: custom header manipulation, A/B testing, authentication at the edge, exception handling, and custom logging.
Cloud CDN with GKE Gateway
- GKE Gateway integration (GA April 2026) allows configuring Cloud CDN using the Gateway API for workloads running on GKE.
- Cloud CDN caching behavior is defined using GCPHTTPFilter resources attached to HTTPRoute resources.
- Gateway API lets you configure, manage, and fine-tune caching configurations for different segments of traffic.
- Filters support configuration of cache policies including cache modes and TTL settings.
Cloud CDN Additional Features
- Cache Policies in URL Maps (GA May 2026) – Configure CDN cache policies at various levels of a URL map with granular control based on hostnames, URL paths, HTTP headers, and query parameters.
- TLS 1.3 Early Data / 0-RTT (February 2025) – External Application Load Balancer and Cloud CDN support early data for TLS 1.3, allowing clients to include HTTP request data with a TLS handshake, improving performance for resumed connections.
- Negative Caching – Allows configuring Cloud CDN to cache certain error responses (e.g., 404, 410) to reduce origin load for requests that consistently result in errors.
- Stale Content Serving – Cloud CDN can serve stale (expired) content while asynchronously revalidating with the origin, reducing latency for users.
- Dynamic Compression – Cloud CDN can dynamically compress responses using gzip or Brotli when serving content to clients that support it.
- Predefined Dashboards (GA October 2025) – Default dashboards for monitoring traffic distribution and cache effectiveness without manual configuration.
- Custom Cache Keys – Cache keys can include or omit any combination of protocol, host, query string, and HTTP headers to improve cache hit ratio.
- Byte Range Requests – Cloud CDN can initiate multiple cache fill requests in reaction to a single client request when the origin supports byte ranges.
Cloud CDN Best Practices
- Cache static content using CACHE_ALL_STATIC mode for automatic caching of common static content types.
- Use proper expiration time or TTL for time-sensitive data.
- Use custom cache keys to improve cache hit ratio.
- Cloud CDN, by default, uses the entire request URL to build the cache key.
- Cache keys can be customized to include or omit any combination of protocol, host, query string, and HTTP headers.
- Use versioning to update content instead of cache invalidation.
- Versioning content serves a different version of the same content, effectively replacing old content before the cache entry expires.
- Invalidation is eventually consistent and should be used as a last resort.
- Use cache tags for surgical invalidation instead of broad pattern-based invalidation when you need to purge specific groups of objects.
- Enable negative caching for error responses to reduce origin load.
- Use stale content serving (stale-while-revalidate) to improve latency for users while content is refreshed.
- Enable dynamic compression for text-based content to reduce bandwidth usage.
- Use Google Cloud Armor edge security policies for DDoS protection applied before CDN lookup.
GCP Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- GCP services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- GCP exam questions are not updated to keep pace with GCP updates, so even if the underlying feature has changed the question might not be updated.
- Open to further feedback, discussion and correction.
- A company wants to serve static website content globally with minimum latency. The content is hosted on Compute Engine instances. Which Google Cloud service should they use?
- Cloud DNS
- Cloud CDN with global external Application Load Balancer
- Cloud Interconnect
- Media CDN
Answer: b – Cloud CDN with external Application Load Balancer caches static content at Google’s edge locations for low-latency delivery.
- Your organization hosts video-on-demand (VoD) content and needs a CDN solution optimized for high-throughput media streaming. Which Google Cloud product is best suited?
- Cloud CDN
- Media CDN
- Cloud Storage with multi-region buckets
- Cloud Interconnect
Answer: b – Media CDN is optimized for high-throughput egress workloads like streaming video and large file downloads, using YouTube’s serving infrastructure.
- A company needs to cache content from a private Amazon S3 bucket using Google Cloud CDN without making the bucket public. What feature should they enable?
- Signed URLs
- Signed Cookies
- Private Origin Authentication
- Cloud Storage Transfer Service
Answer: c – Private Origin Authentication allows Cloud CDN to sign requests to S3-compatible backends using AWS Signature V4, keeping the bucket private.
- Which Cloud CDN cache mode should you use if you want to unconditionally cache all responses, including dynamic content, regardless of origin cache directives?
- USE_ORIGIN_HEADERS
- CACHE_ALL_STATIC
- FORCE_CACHE_ALL
- CACHE_DYNAMIC
Answer: c – FORCE_CACHE_ALL unconditionally caches responses, overriding origin cache directives. Should not be used with private, per-user content.
- You need to invalidate a large number of cached objects in Cloud CDN that belong to the same content group. What is the most efficient approach?
- Invalidate each URL individually
- Use URL path patterns with wildcards
- Use cache tag-based invalidation
- Wait for TTL expiration
Answer: c – Cache tag invalidation (GA May 2025) allows grouping objects by arbitrary metadata tags and invalidating them at scale with better performance and higher rate limits.
- Your application needs to serve different cached content based on user device type (mobile vs desktop). Which Cloud CDN feature supports this?
- Custom cache keys
- Content Targeting
- Signed URLs
- Cache Modes
Answer: b – Content Targeting (GA May 2025) supports device characterization and geo-targeting for serving customized cached content.
- You want to add custom authentication logic at the edge before Cloud CDN serves cached content. What feature should you use?
- Cloud Armor security policies
- Signed URLs
- Service Extensions edge extensions (pre-cache)
- Backend service IAM policies
Answer: c – Service Extensions edge extensions (GA November 2025) run before Cloud CDN evaluates the cache, allowing custom code to manipulate requests and influence caching/routing.
- Which of the following are valid Cloud CDN backend (origin) types? (Choose THREE)
- Managed instance groups
- Cloud SQL instances
- Cloud Storage buckets
- Internet NEGs (custom origins)
- Cloud Memorystore
Answer: a, c, d – Cloud CDN supports instance groups, Cloud Storage buckets, internet NEGs, zonal NEGs, serverless NEGs, and GKE backends.