Skip to content

CDN Guide » Origin Shield

Last updated: July 10, 2020

Introduction to Origin Shield

Origin Shield is an extra caching layer between the CDN edge servers and your origin. The shield helps offload your origin and speed up cache miss responses. Another benefit of Origin Shield is: if you want to whitelist IPs of the CDN in the firewall on your origin, you only need to whitelist a few IPs instead of many.

One (or multiple) of the POPs of the CDN will act as the shield. When a CDN edge server gets a request from a user and can't satisfy the request from cache, the edge server will fetch the object from the shield POP rather than pulling from the customer origin directly.

Origin Shield is not the same thing on all CDNs that have this feature. For example, Edgecast provides its customers the option to assign a single POP as the shield or assign shield POP per region (US, EU, Asia, ...), while other CDNs like StackPath allow the customer to have a single POP and this can be only a POP in US.
Read on to learn more about the differences between CDNs.

Does the CDN provide Origin Shield? Is it free or a paid add-on?

POP selection
Can any of the CDN POPs act as a shield or can you select from a limited number of POPs?

Can you have multiple POPs act as a shield or just one?

CDNs and Origin Shield

  • Yes = Yes
  • Sortof/partially = Sort of/partially
  • No = No
  • Extra costs = Extra costs
  • Unknown = Unknown
AdvancedHosting More info Yes No No
Akamai More info Extra costs Unknown Unknown
BaishanCloud Extra costs Unknown Unknown
BelugaCDN Extra costs Unknown No
BunnyCDN More info Unknown Unknown Unknown
CacheFly More info Sortof/partially Sortof/partially Yes
CDN77 More info Yes Sortof/partially Yes
CDNetworks More info Extra costs Yes Yes
ChinaCache More info Yes Yes Unknown
Cloudflare More info Extra costs No Yes
CloudFront More info Extra costs Sortof/partially No
Edgecast More info Extra costs Yes Yes
Fastly More info Sortof/partially Yes Sortof/partially
G-Core Labs More info Yes Yes Unknown
Imperva Extra costs Unknown Unknown
Kingsoft Cloud Yes Unknown Unknown
Limelight Yes Yes Yes
Lumen Extra costs Unknown No
StackPath More info Yes Yes Yes
Tata Communications More info No
Tencent Cloud More info Unknown Unknown No
CDNs missing in this table? That is because we don't have the relevant info

More info per CDN


A select number of POPs can act as the shield. The POP closest to the origin acts as the shield. VideoCDN customers can't enable Origin Shield, but by default several POPs act as a shield for video delivery.


The name of the Akamai origin shield product is Site Shield.


Origin Shield is in private beta testing since Q1 2019.


Customer can select from a limited number of POPs. Read the (2014) blog post on CacheFly website Maximize Your Security with Origin Shielding.


CDN77 customers requiring Origin Shield are assigned 2 IP addresses of servers - one in US and one in Europe. The customer cannot choose the locations of these two shield POPs by default, but if the customer has a strong preference to use a location closer to the origin, CDN77 is willing to change the shield(s).


On customer request, the CDNetworks support team will set up one or multiple POPs to act as a shield. The customer lists the origin server location(s) as well as the geography of end users and CDNetworks uses this info to determine which POPs can best act as a shield.


Onr request, the ChinaCache support team enables and configures the Origin Shield.


Cloudflare has Argo, a paid add-on to offload the origin, speed up cache misses and tighten security on traffic between CDN and origin. Part of Argo is the Tiered Cache and this is Cloudflare's take on Origin Shield: if a POP can't serve the response from cache, it will ask the 'nearest Tier 1 datacenter'. If that POP also does not have it in cache then it will get it from origin and serve to the requesting POP. Argo is included in Enterprise plans and available to all other customers at a minimum $5 per month and $0.10 per GB for all traffic over 1 GB/m. Read the Argo introduction blog post or Billing for Argo.


CloudFront launched Origin Shield on October 20, 2020. Origin Shield works with origins in AWS and origins outside AWS. Customers can select one of the locations where CloudFront has a regional edge cache to act as the shield. Origin Shield is charged as a request fee for each request that goes to Origin Shield. These fees are currently (Oct 2020) the same as you would pay for client-to-edge HTTP requests. View the CloudFront pricing page for more info about costs or read all about Amazon CloudFront Origin Shield in the official developer guide.


More info: Origin Shield.


Fastly has an excellent guide about their Shielding feature. The online document explains how shielding works, how to enable it and what the caveats are (potential increase in costs). We particularly like that Fastly customers who use multiple origins can define a shield per origin. View the Fastly Guide: Shielding. Furthermore, Fastly offers the shield feature as a separate product for companies using multiple CDNs for live video delivery: Media Shield for Live

G-Core Labs

Currently in beta/test mode. Read about this feature in the Origin Shielding (pre-cache server) article.


“The StackPath shield POP maintains a long-lived connection with the customer origin and merges multiple requests for the same file into a single request to the origin. Learn more about StackPath Origin Shield

Tata Communications

Tata CDN does not have an origin shield feature. They have a tiered caching architecture and claim this gratly helps reduce the load on the customer origin.

Tencent Cloud

All Origin Shield implementations are custom and conducted by the Tencent DevOps team.

Share this page on Twitter

More CDN Guides