This chapter covers Azure Content Delivery Network (CDN), a global caching and acceleration service that delivers static and dynamic content from edge nodes close to users. For the AZ-204 exam, CDN appears in approximately 5-10% of questions, often integrated with Azure Storage, Web Apps, and media delivery scenarios. You must understand CDN profiles, endpoints, caching rules, compression, geo-filtering, and how to purge or pre-load content. This chapter provides the depth needed to confidently answer any AZ-204 CDN question.
Imagine a popular online bookstore with a single central warehouse in New York. Customers worldwide order books, but those in Tokyo wait days for delivery because every order must travel across the ocean. To solve this, the bookstore opens small local warehouses—called Point of Presence (POP) locations—in Tokyo, London, São Paulo, and Sydney. Each local warehouse stocks the most frequently ordered books (cached content). When a customer in Tokyo orders a popular novel, the request is automatically routed to the Tokyo warehouse instead of the New York warehouse. The Tokyo warehouse serves the book immediately if it has it (cache hit); if not, it fetches a copy from New York, keeps one for future requests, and delivers to the customer (cache miss). This reduces delivery time from days to hours. The local warehouses periodically check with New York to see if book editions have updated (cache validation using ETags or Last-Modified headers). If a book is revised, the old copy is replaced. The warehouse manager can also pre-stock certain books ahead of a known release (pre-loading). This system works seamlessly for the customer—they always order from the same website, but the book arrives from the nearest warehouse. Just like Azure CDN, the intelligence is in the routing and caching logic, not in the customer's browser.
What is Azure CDN and Why It Exists
Azure Content Delivery Network (CDN) is a distributed network of servers that caches content at strategically placed edge locations (Points of Presence, or POPs) to reduce latency and improve load times for users worldwide. The fundamental problem it solves is the physical limitation of the speed of light and network congestion: a user in Australia requesting a 5 MB image from a server in the US East region will experience significant latency (100-200 ms RTT) and potential packet loss. A CDN reduces this to near-zero by serving the content from a POP in Sydney, often within 10-20 ms RTT.
For the AZ-204 exam, you need to know that Azure offers two primary CDN products: Azure CDN Standard from Microsoft (built on the Microsoft global network, with over 190 POPs) and Azure CDN from Verizon (also over 190 POPs, with both Standard and Premium tiers). There is also Azure CDN from Akamai, but it's less commonly tested. The exam focuses on the Microsoft and Verizon offerings, their feature sets, and when to choose each.
How Azure CDN Works Internally
When a user requests a resource (e.g., https://<endpoint>.azureedge.net/images/logo.png), the following sequence occurs:
1. DNS Resolution: The client's DNS resolver queries the CDN endpoint's CNAME (e.g., myendpoint.azureedge.net). The CDN's DNS system returns the IP address of the nearest POP based on the client's geographic location and network conditions. This is typically done using anycast routing or DNS-based geographic load balancing.
2. Request Arrives at POP: The user's HTTP request hits the edge server at the POP. The edge server checks its local cache for the requested URL.
3. Cache Hit: If the resource is cached and not expired, the edge server returns it directly to the user with HTTP 200 (or 304 if conditional headers are used). This is the fastest path.
4. Cache Miss: If the resource is not cached or is expired, the edge server performs an origin fetch – it requests the resource from the origin server (e.g., an Azure Storage account, Web App, or any public HTTP endpoint). The origin responds, and the edge server caches the response according to the configured caching rules (e.g., Cache-Control headers, default TTL). It then serves the response to the user.
5. Cache Validation: For resources that have a TTL but the origin might have updated content, the edge server can use conditional requests (If-None-Match with ETag or If-Modified-Since with Last-Modified) to check if the cached copy is still valid. If the origin returns 304 Not Modified, the cached copy is served; if 200, the new content replaces the old.
Key Components, Defaults, and Timers
CDN Profile: A collection of CDN endpoints that share pricing tier and settings. You can have multiple profiles per subscription. Each profile is associated with a specific pricing tier (Microsoft Standard, Verizon Standard, Verizon Premium, Akamai Standard).
CDN Endpoint: A specific hostname (e.g., myendpoint.azureedge.net) that points to an origin. Each endpoint has:
- Origin type: Storage, Web App, Cloud Service, Custom origin (any public HTTP server).
- Origin hostname: The actual server address.
- Origin path: Optional path prefix.
- Caching rules: Global and custom rules that override Cache-Control headers. Default TTL is 7 days for general web delivery, but actual behavior depends on origin headers.
Caching Behavior:
- Default TTL: If the origin does not send Cache-Control or Expires headers, the CDN applies a default TTL of 7 days for both Microsoft CDN and Verizon CDN (though Verizon may vary). For dynamic content (e.g., ASP.NET sessions), the CDN typically does not cache unless explicitly configured.
- Cache-Control directives: The CDN honors max-age, s-maxage, private, public, no-cache, no-store. no-cache means the CDN will cache but must revalidate with the origin on every request (using conditional headers). no-store means the CDN will not cache at all.
- Query string caching: By default, the CDN treats different query strings as different URLs (cached separately). You can configure the endpoint to ignore query strings, cache based on a specific query string, or cache all unique query strings.
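A small model of the decision rules listed under Caching Behavior, added here as an illustration and not taken from Azure CDN's own code: it shows which origin responses a shared edge cache stores, for how long, and how each query-string mode builds the cache key. The function names, the mode labels `unique`, `ignore` and `include`, and the sample URLs are assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlencode, urlsplit

DEFAULT_TTL = 7 * 24 * 3600  # 7 days, the default this chapter gives


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def edge_decision(headers, now=None):
    """Return (store, ttl_seconds, revalidate_each_request) for a response."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc or "private" in cc:
        return (False, 0, False)      # never held in a shared cache
    if "no-cache" in cc:
        return (True, 0, True)        # stored, but checked with the origin first
    for name in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if name in cc:
            try:
                ttl = max(0, int(cc[name]))
            except (TypeError, ValueError):
                return (False, 0, False)  # malformed lifetime: do not store
            return (True, ttl, ttl == 0)
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return (True, 0, True)    # unparseable date counts as expired
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        ttl = max(0, int((expires - now).total_seconds()))
        return (True, ttl, ttl == 0)
    return (True, DEFAULT_TTL, False)  # no caching headers at all


def cache_key(url, mode="unique", keep=()):
    """Build the cache key for one of three hypothetical query-string modes."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if mode == "ignore":
        pairs = []                    # every query string shares one entry
    elif mode == "include":
        pairs = sorted(p for p in pairs if p[0] in keep)
    query = urlencode(pairs)
    return parts.netloc.lower() + parts.path + ("?" + query if query else "")


if __name__ == "__main__":
    # Constructed origin responses and URLs, not captured traffic.
    for sample in ({"Cache-Control": "private, max-age=600"},
                   {"Cache-Control": "public, max-age=60, s-maxage=3600"},
                   {"Cache-Control": "no-cache"}, {}):
        print(sample, "->", edge_decision(sample))
    a = "https://myendpoint.azureedge.net/account?user=alice"
    b = "https://myendpoint.azureedge.net/account?user=bob"
    # In "ignore" mode both URLs collapse to one entry, so a per-user
    # response must be marked private or no-store at the origin.
    print(cache_key(a, "ignore") == cache_key(b, "ignore"))
```
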
Compression: Azure CDN can compress files on the fly. By default, it compresses files of MIME types like text/plain, text/html, text/css, text/javascript, application/json, etc. Minimum file size for compression is 128 bytes (Microsoft CDN) or 1 KB (Verizon).
Geo-filtering: You can allow or block access to content based on country/region codes. This is configured per endpoint path. For example, block requests from China (CN) for sensitive content.
Purge and Pre-load:
- Purge: Remove cached content from all POPs. You can purge by file path, wildcard, or root (/*). Purge propagation takes 5-10 minutes for Microsoft CDN, 10-30 minutes for Verizon.
- Pre-load: Pre-populate cache for specific files before a high-traffic event (e.g., product launch). Pre-load is only available on Verizon Premium tier. It can take 10-20 minutes to propagate.
Configuration and Verification Commands
Using Azure CLI:
```bash
# Create a CDN profile
az cdn profile create --name myProfile --resource-group myRG --sku Standard_Microsoft
# Create a CDN endpoint pointing to a storage account
az cdn endpoint create --name myEndpoint --profile-name myProfile --resource-group myRG --origin storageaccount.blob.core.windows.net --origin-host-header storageaccount.blob.core.windows.net
# Purge a file
az cdn endpoint purge --content-paths /images/logo.png --profile-name myProfile --name myEndpoint --resource-group myRG
# Pre-load files (Verizon Premium only)
az cdn endpoint load --content-paths /images/logo.png --profile-name myProfile --name myEndpoint --resource-group myRG
```
Using Azure PowerShell:
```powershell
New-AzCdnProfile -Name myProfile -ResourceGroupName myRG -Sku Standard_Microsoft
New-AzCdnEndpoint -Name myEndpoint -ProfileName myProfile -ResourceGroupName myRG -OriginName storageOrigin -OriginHostName storageaccount.blob.core.windows.net
Clear-AzCdnEndpointContent -EndpointName myEndpoint -ProfileName myProfile -ResourceGroupName myRG -ContentPath @("/images/logo.png")
```
Interaction with Related Technologies
Azure Storage: CDN is commonly used to serve static assets (images, videos, documents) from Azure Blob Storage. When configuring, set the origin type to Storage and ensure the storage account allows anonymous access (or use SAS tokens). The CDN can cache SAS URLs, but beware of SAS expiration – if the SAS expires, cached content becomes inaccessible.
Azure Web Apps: For dynamic sites, CDN can cache static files (CSS, JS, images) while dynamic pages bypass cache. You can configure caching rules to set different TTLs for different paths.
Azure Front Door: Front Door is a global load balancer and application accelerator that also provides caching. It is often confused with CDN. Key differences: Front Door supports HTTP to HTTPS redirect, URL rewrite, session affinity, and WAF policies. CDN is simpler and cheaper for pure content delivery. For the exam, know that Front Door is better for dynamic sites needing advanced routing, while CDN is for static content delivery.
Custom Domain and HTTPS: You can add a custom domain (e.g., cdn.contoso.com) to a CDN endpoint and enable HTTPS with a certificate. Azure CDN provides managed certificates (free) or you can bring your own. For Microsoft CDN, HTTPS is enabled by default for azureedge.net domains; for custom domains, you must enable it and the certificate provisioning takes a few minutes.
Create a CDN Profile
The first step is to create a CDN profile, which acts as a container for endpoints. Choose the pricing tier: Standard_Microsoft, Standard_Verizon, Premium_Verizon, or Standard_Akamai. The tier determines features and pricing. For example, only Verizon Premium supports pre-loading and advanced rules engine. Use Azure CLI: `az cdn profile create --name myProfile --resource-group myRG --sku Standard_Microsoft`. The profile can have multiple endpoints, but all endpoints share the same tier. Once created, you cannot change the tier; you must create a new profile.
Create a CDN Endpoint
An endpoint defines the origin server and the hostname (e.g., `myendpoint.azureedge.net`). Specify origin type (Storage, Web App, Custom) and origin hostname. Optionally, set an origin path (e.g., `/static`) to scope content. The endpoint URL is `<endpointname>.azureedge.net`. You can also add custom domains later. Use CLI: `az cdn endpoint create --name myEndpoint --profile-name myProfile --resource-group myRG --origin storageaccount.blob.core.windows.net --origin-host-header storageaccount.blob.core.windows.net`. The endpoint will be provisioned and ready in a few minutes.
Configure Caching Rules
Caching rules control how long content is cached and whether query strings affect caching. You can set global rules (apply to all files) and custom rules (apply to specific paths or extensions). For example, set a custom rule for `/images/*` with TTL of 30 days. Rules can override origin Cache-Control headers. Use the Azure portal or CLI: `az cdn endpoint update --name myEndpoint --profile-name myProfile --resource-group myRG --set deliveryPolicy.rules[0].actions[0].cacheBehavior=Override cacheDuration=30.00:00:00`. Note that Microsoft CDN supports only cache expiration settings; Verizon Premium has a full rules engine for URL rewrite, header modification, etc.
Enable Compression and Geo-filtering
Compression reduces file sizes for faster delivery. Enable it globally or for specific MIME types. By default, it's enabled for common text types. Geo-filtering allows or blocks countries. For example, block requests from Russia (RU) for licensing reasons. Configure geo-filtering per path. Use portal or CLI: `az cdn endpoint update --name myEndpoint --profile-name myProfile --resource-group myRG --set geoFilters[0].relativePath=/videos geoFilters[0].action=Block geoFilters[0].countryCodes=RU`. Note that geo-filtering is based on the client IP address, not the user's actual location, so VPNs can bypass it.
Purge or Pre-load Content
When content changes, purge the old cache to force fetch from origin. Use `az cdn endpoint purge` with specific paths or wildcard. Purge propagation takes 5-10 minutes for Microsoft CDN. For high-traffic events, pre-load content (Verizon Premium only) using `az cdn endpoint load`. Pre-load sends a request to all POPs to fetch and cache the file. Both operations are asynchronous. Monitor purge status via Azure Monitor logs. Note that purging the root (`/*`) clears all cached content for that endpoint, which can cause a temporary load spike on the origin.
Enterprise Scenario 1: Global Media Streaming Platform
A video-on-demand company serves 4K videos to users worldwide. They use Azure CDN from Verizon Premium to cache video segments (MP4, HLS) at 190+ POPs. The origin is Azure Blob Storage with hot tier. They configure caching rules with a TTL of 1 year for static video assets, but use cache key query strings to differentiate bitrates. Geo-filtering blocks content in countries without licensing rights. They pre-load new movie releases 24 hours in advance to ensure edge caches are warm. Performance: 95% cache hit ratio, average latency under 30 ms. Misconfiguration: If they accidentally set TTL too low (e.g., 1 hour), origin load spikes and users experience buffering. They monitor cache hit ratio via Azure Monitor and set alerts for drops below 90%.
Enterprise Scenario 2: E-commerce Website with Dynamic Content
An online retailer uses Azure CDN from Microsoft to accelerate static assets (CSS, JS, product images) while dynamic pages (cart, checkout) bypass CDN. They configure caching rules: global TTL of 7 days for images, 1 day for CSS/JS. They use query string caching based on a version parameter (e.g., ?v=2) to force cache busting on updates. They also enable compression for JSON API responses. The origin is an Azure Web App behind a WAF. They purge specific files after a product image update. Misconfiguration: If they accidentally set Cache-Control: no-store on dynamic pages, the CDN might still cache them if a caching rule overrides the header. They learned to use Cache-Control: private to prevent CDN caching. They also use a custom domain with an HTTPS managed certificate.
Enterprise Scenario 3: Software Distribution with Large Files
A software company distributes ISO files (up to 10 GB) to customers globally. They use Azure CDN from Verizon Premium with pre-loading for new releases. The origin is Azure Blob Storage with SAS tokens. They configure caching rules with a TTL of 30 days. To handle large files, they enable chunked transfer encoding and ensure the CDN supports range requests (both Microsoft and Verizon do). They also use geo-filtering to restrict downloads to authorized countries. Misconfiguration: If they use a SAS token that expires in 1 hour, the CDN caches the URL with the SAS token. When the SAS expires, subsequent requests fail. They learned to use a long-lived SAS or a managed identity with Storage. They also monitor bandwidth usage to manage costs.
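A pre-deployment check for the SAS misconfiguration in this scenario, added as an example (not code from the original page): it reads the expiry (`se`) and permissions (`sp`) from a SAS URL and reports whether the token lapses inside the CDN caching window or grants more than read access. The permission check goes beyond the scenario's text; the function names and the sample URL, including its `sig` value, are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Timestamp layouts accepted for the SAS "se" (signed expiry) field, all UTC.
SE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

# Constructed sample: placeholder signature, one-hour lifetime, read+write.
SAMPLE_URL = (
    "https://storageaccount.blob.core.windows.net/releases/product.iso"
    "?sv=2022-11-02&sr=b&sp=rw&se=2024-05-01T13%3A00%3A00Z&sig=CONSTRUCTED"
)


def parse_expiry(se):
    """Parse the SAS expiry value into an aware UTC datetime."""
    for fmt in SE_FORMATS:
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS expiry: {se!r}")


def audit_sas_origin_url(url, cdn_ttl, now):
    """Compare a SAS token's lifetime and permissions with the CDN TTL."""
    query = parse_qs(urlsplit(url).query)  # parse_qs also URL-decodes values
    if "sig" not in query or "se" not in query:
        raise ValueError("URL carries no SAS token (sig/se missing)")
    expiry = parse_expiry(query["se"][0])
    permissions = query.get("sp", [""])[0]
    remaining = expiry - now
    return {
        "expiry": expiry,
        "already_expired": remaining <= timedelta(0),
        # Token lapses while the URL is still inside its caching window,
        # so later origin fetches for the same URL will be rejected.
        "expires_within_ttl": remaining < cdn_ttl,
        # A download URL only needs "r"; list anything beyond that.
        "non_read_permissions": "".join(sorted(set(permissions) - {"r"})),
    }


if __name__ == "__main__":
    report = audit_sas_origin_url(
        SAMPLE_URL,
        cdn_ttl=timedelta(days=30),  # the 30-day TTL from this scenario
        now=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
    )
    for field, value in report.items():
        print(f"{field}: {value}")
```
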
Exactly What AZ-204 Tests on Azure CDN
The AZ-204 exam covers CDN under objective Monitor and optimize solutions (15-20%), specifically 4.2: Develop for content delivery. The exam expects you to:
- Choose the appropriate CDN tier (Microsoft, Verizon, Akamai) based on features (e.g., rules engine, pre-loading).
- Configure caching rules, compression, geo-filtering, and custom domains.
- Understand purge and pre-load operations and their propagation times.
- Integrate CDN with Azure Storage, Web Apps, and custom origins.
- Differentiate between CDN and Azure Front Door.
Most Common Wrong Answers and Why
"CDN caches dynamic content by default" – Wrong. CDN caches only static content unless explicitly configured with caching rules that override Cache-Control headers. Dynamic content (e.g., ASP.NET sessions) typically has no-cache or private directives.
"Purge is instantaneous" – Wrong. Purge takes 5-10 minutes for Microsoft CDN and 10-30 minutes for Verizon. Candidates often assume it's immediate because other Azure operations are fast.
"Pre-loading is available in all CDN tiers" – Wrong. Pre-loading is only available in Verizon Premium tier. Microsoft and Akamai tiers do not support it.
"Geo-filtering uses user's logged-in location" – Wrong. Geo-filtering is based on the client IP address, which can be spoofed or masked by VPNs.
Specific Numbers and Terms on the Exam
Default TTL: 7 days for both Microsoft and Verizon (when no Cache-Control is set).
Minimum file size for compression: 128 bytes (Microsoft) or 1 KB (Verizon).
Purge propagation: 5-10 minutes (Microsoft), 10-30 minutes (Verizon).
Pre-load propagation: 10-20 minutes (Verizon Premium).
CDN endpoint hostname: *.azureedge.net (Microsoft and Verizon).
Supported origin types: Storage, Web App, Cloud Service, Custom.
Edge Cases and Exceptions
If the origin returns Cache-Control: no-cache, the CDN will cache the response but must revalidate with the origin on every request (using If-None-Match). This is different from no-store, which prevents caching entirely.
When using a custom domain with HTTPS, the certificate must be provisioned. For Microsoft CDN, you can use a managed certificate, but it takes about 20 minutes to provision.
If you purge a file while a user is downloading it, the download may complete from the old cache, but subsequent requests will fetch fresh content.
How to Eliminate Wrong Answers
If the question mentions "pre-loading content before a launch," the answer must include Verizon Premium tier; any other tier is incorrect.
If the question asks about "fastest purge time," the answer is Microsoft CDN (5-10 min) over Verizon (10-30 min).
If the question involves "rules engine for URL rewrite," only Verizon Premium supports that; Microsoft Standard does not.
If the question is about "cache behavior for dynamic pages," look for answers that mention Cache-Control headers – the CDN respects them.
Azure CDN caches static content at edge POPs to reduce latency; default TTL is 7 days when no Cache-Control headers are present.
Purge propagation: 5-10 minutes for Microsoft CDN, 10-30 minutes for Verizon. Pre-loading is only available on Verizon Premium.
Geo-filtering is based on client IP address (country code), not user authentication.
Compression is enabled by default for common text MIME types; minimum file size: 128 bytes (Microsoft) or 1 KB (Verizon).
CDN respects Cache-Control headers: `no-store` prevents caching, `no-cache` allows caching with revalidation, `private` prevents caching by shared caches.
Custom domains can be added with free managed HTTPS certificates (Microsoft and Verizon).
Azure Front Door is not a CDN; it is a global load balancer with caching, URL rewrite, WAF, and session affinity.
CDN endpoints have a hostname of `*.azureedge.net` (Microsoft and Verizon).
You can create multiple endpoints in one CDN profile, but all share the same pricing tier.
For dynamic content that should not be cached, set `Cache-Control: private` or `no-store` on the origin.
These come up on the exam all the time. Here's how to tell them apart.
Azure CDN Standard from Microsoft
Built on Microsoft global network with over 190 POPs
Purging takes 5-10 minutes
No rules engine (only cache expiration rules)
HTTPS for custom domains with managed certificate (free)
Minimum file size for compression: 128 bytes
Azure CDN Standard from Verizon
Built on Verizon global network with over 190 POPs
Purging takes 10-30 minutes
Rules engine available only on Premium tier
HTTPS for custom domains with managed certificate (free) or bring your own
Minimum file size for compression: 1 KB
Mistake
Azure CDN caches all content regardless of Cache-Control headers.
Correct
Azure CDN respects Cache-Control headers from the origin. If the origin sends `Cache-Control: private` or `no-store`, the CDN will not cache the response. For `no-cache`, it caches but revalidates on every request. Only if no caching headers are present does the CDN apply a default TTL of 7 days.
Mistake
Purge removes content immediately from all POPs.
Correct
Purge is asynchronous and takes 5-10 minutes for Microsoft CDN and 10-30 minutes for Verizon. During this propagation window, some POPs may still serve stale content.
Mistake
Pre-loading is available on all Azure CDN tiers.
Correct
Pre-loading (loading content in advance) is only available on Azure CDN from Verizon Premium. Microsoft and Akamai tiers do not support this feature.
Mistake
Geo-filtering blocks users based on their Azure AD location.
Correct
Geo-filtering uses the client's IP address to determine geographic location (country code). It does not use Azure AD or any authenticated user profile. Users behind VPNs or proxies may have different IP locations.
Mistake
CDN and Azure Front Door are the same service.
Correct
Azure CDN is focused on caching static content at edge nodes for performance. Azure Front Door is a global load balancer that also provides caching, but adds features like URL rewrite, session affinity, WAF, and HTTP-to-HTTPS redirect. Front Door is better for dynamic applications requiring advanced routing; CDN is simpler and cheaper for static content delivery.
Azure CDN is a content delivery network focused on caching static content (images, videos, CSS) at edge locations to reduce latency. Azure Front Door is a global load balancer that also provides caching, but adds advanced features like URL rewrite, session affinity, Web Application Firewall (WAF), HTTP-to-HTTPS redirect, and path-based routing. For the exam, choose CDN for simple static content delivery; choose Front Door for dynamic applications needing intelligent traffic management and security.
For Azure CDN Standard from Microsoft, purge propagation takes 5-10 minutes. For Azure CDN from Verizon (Standard or Premium), it takes 10-30 minutes. The purge is asynchronous; you cannot rely on it being immediate. Always plan for propagation delay when updating content.
Yes. You can add a custom domain (e.g., cdn.contoso.com) to your CDN endpoint and enable HTTPS. Azure CDN provides a free managed certificate (Microsoft and Verizon) or you can bring your own certificate. The provisioning process takes a few minutes. For Microsoft CDN, HTTPS is enabled by default for the azureedge.net domain.
By default, Azure CDN does not cache dynamic content because most dynamic pages send Cache-Control headers like `private` or `no-cache`. However, you can override this behavior with caching rules to force caching of specific URLs or paths. Be cautious: caching dynamic pages can serve stale data to users.
Pre-loading (or content pre-loading) is the ability to proactively populate the CDN cache with specific files before they are requested by users. This is useful for high-traffic events. Pre-loading is only available on Azure CDN from Verizon Premium tier. Microsoft and Akamai tiers do not support it.
Geo-filtering lets you allow or block access to content based on the country/region of the client's IP address. You configure rules per endpoint path (e.g., block /videos for China). The CDN uses IP geolocation databases to map IPs to countries. Note that VPNs and proxies can bypass geo-filtering.
If the origin does not send Cache-Control or Expires headers, Azure CDN applies a default TTL of 7 days. This applies to both Microsoft and Verizon CDN. You can override this with caching rules.