An origin shield is a protective measure that shields your origin server(s) from overload, ensuring high availability, performance and uptime. While no one size fits all in terms of how a company should structure their origin shield strategy, an origin shield is always a good idea to reduce the load on your origin server and maintain high-performance content delivery.




What is an origin shield? 

At its most basic, an origin shield is an extra caching layer between your origin server(s) and your CDN edge servers. Most organizations have implemented caching to maximize their server resources and take advantage of the performance gains caching offers. Caching also introduces a layer of protection. A total server outage with no redundancy is one of the biggest nightmare scenarios for digital business. This should never happen, given the sophisticated architecture and availability setups most businesses rely on. Yet, time and again, in high-traffic events with unpredictable peaks, these kinds of crashes continue to happen. 

Origin shields deliver the extra caching layer needed to make sure these catastrophes don’t happen. This is true both for basic setups and more complex, multi-CDN architectures. In both cases, origin-protect technology ensures optimal performance and uptime.


What benefits does origin shielding offer? 

  • Protection for the origin against traffic overloads, maintaining high availability and redundancy in your setup
  • Reduced risk from, and protection against, intentional DDoS attacks and unintentional DDoS-like traffic
  • An extra layer of security at no additional cost or effort
  • Faster, more reliable content delivery thanks to better cache efficiency
  • Resilience for secure, high-performance delivery in both single and multi-CDN setups

How does an origin shield work?

Fundamentally, an origin shield reduces the number of calls to your origin server by designating a proxy/cache point of presence (PoP) as the “collection point” for incoming uncached requests. The origin shield PoP is the first line of defense, shielding your origin server(s) from (potentially) thousands (or millions) of incoming individual requests. The origin server is almost untouchable from the outside: it receives requests only from your designated shield PoP, which then caches and serves the content itself. This increases your cache-hit efficiency, lets you serve content faster and more efficiently, and keeps your site running smoothly (no downtime at origin).

The same principle is at work in the multi-CDN case. One of the caching PoPs you’ve set up will be the primary CDN within the multi-CDN configuration and will continue to send a single request to the origin for content not in cache. This PoP then shares that content with the other CDNs in the configuration. 
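The behaviour described in the two paragraphs above, many uncached requests arriving at the shield PoP while the origin sees a single fetch, can be sketched as a small simulation. This is an added example, not Varnish code or anything from the original page; `Origin`, `ShieldPoP`, `origin_fetches` and the sample path are hypothetical names, and "request coalescing" is the term assumed here for the single-request behaviour.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class Origin:
    """Constructed stand-in for an origin server; records every fetch."""
    def __init__(self):
        self.fetched = []                 # list.append is thread-safe in CPython
    def fetch(self, path):
        self.fetched.append(path)
        time.sleep(0.05)                  # simulate slow origin work
        return f"body-of-{path}"

class ShieldPoP:
    """Hypothetical shield: caches objects and coalesces concurrent misses."""
    def __init__(self, origin, ttl=60.0):
        self.origin, self.ttl = origin, ttl
        self._cache = {}                  # path -> (expires_at, body)
        self._inflight = {}               # path -> Event for the fetch in progress
        self._lock = threading.Lock()

    def get(self, path):
        while True:
            with self._lock:
                entry = self._cache.get(path)
                if entry and entry[0] > time.monotonic():
                    return entry[1]       # cache hit: origin never sees it
                waiter = self._inflight.get(path)
                if waiter is None:        # first miss becomes the single fetcher
                    done = self._inflight[path] = threading.Event()
                    break
            waiter.wait()                 # later misses wait, then re-check cache
        try:
            body = self.origin.fetch(path)
            with self._lock:
                self._cache[path] = (time.monotonic() + self.ttl, body)
            return body
        finally:
            with self._lock:
                del self._inflight[path]
            done.set()                    # release waiters even if the fetch failed

def origin_fetches(n, shielded, path="/video/seg1.ts"):
    """Send n concurrent edge misses for one path; count fetches at origin."""
    origin = Origin()
    target = ShieldPoP(origin).get if shielded else origin.fetch
    with ThreadPoolExecutor(max_workers=n) as pool:
        list(pool.map(target, [path] * n))
    return len(origin.fetched)
```

If the single in-flight fetch fails, the waiting requests wake, find the cache still empty, and one of them retries, so a failed origin response does not leave requests blocked at the shield.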


When should an origin shield be used?

Origin shielding is never a bad idea because you never want to leave the user experience to chance. Looking out for user experience becomes all the more essential in high-performance use cases in which users are expecting (or are guaranteed) a certain level of service. There, origin shielding goes from “nice to have” to “critical”. The multi-CDN configuration is becoming the norm in performance-critical use cases, such as live video and VoD, and in other demanding cases, like gaming (large update files). Every now and then, a CDN has a bad day. In these cases, performance readiness means that the other CDNs within the multi-CDN setup need to be ready to do the heavy lifting for the underperforming CDNs. For more detail on why to use Varnish as an origin shield, check out our blog below.