Akamai CDN - DNS and TLS Architecture Overview
About This Architecture
Akamai CDN architecture with DNS resolution, edge TLS termination, and origin re-encryption demonstrates a multi-layer security and performance model. End users query Akamai's authoritative DNS, which returns the nearest edge PoP IP via GeoDNS; clients establish TLS 1.3 sessions with Akamai Edge Nodes where WAF (Kona Site Defender) inspects decrypted traffic and cache evaluation occurs. Cache hits serve responses directly from the edge; cache misses trigger mTLS re-encryption to the origin over HTTPS, with inbound traffic restricted to Akamai IP ranges via firewall allowlist. This architecture separates client-facing certificates (Akamai-managed) from origin certificates (customer-managed CA), reducing certificate management overhead while maintaining end-to-end encryption. Fork and customize this diagram on Diagrams.so to model your CDN topology, certificate strategy, or WAF policies.
People also ask
How does Akamai CDN handle TLS encryption between clients, edge nodes, and origin servers?
Akamai CDN terminates client TLS 1.3 at edge PoPs using Akamai-managed certificates, inspects decrypted traffic via WAF, and re-encrypts to origin using mTLS or standard HTTPS. Origin certificates are customer-managed; inbound traffic is restricted to Akamai IP ranges via firewall allowlist.
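The origin-side controls described in the overview and the answer above (firewall allowlist of CDN edge IP ranges plus mTLS verification of the edge's client certificate) can be expressed as a single admission policy. The following is an added example, not code from Diagrams.so or Akamai; the CIDR ranges, the expected certificate subject, and the `PeerInfo` shape are constructed placeholders standing in for the vendor's published edge ranges and the identity on the customer-managed CA's edge certificate.

```python
"""Origin-side admission policy for a CDN-fronted origin.

Added example (not Diagrams.so's or Akamai's code). Models the two
controls the architecture places at the origin: a firewall allowlist
of CDN edge IP ranges, and mTLS verification of the edge's client
certificate. Ranges and subject are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Placeholder allowlist using documentation prefixes. A real deployment
# loads the CDN vendor's published edge ranges and refreshes them on a
# schedule, since those ranges change over time.
CDN_EDGE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),   # TEST-NET-2 (placeholder)
    ipaddress.ip_network("2001:db8:100::/48"), # doc prefix (placeholder)
]

# Identity expected on the edge's client certificate, issued by the
# customer-managed CA (placeholder value).
EXPECTED_EDGE_SUBJECT = "CN=edge.cdn.example"


@dataclass
class PeerInfo:
    """What the origin's TLS stack knows about an inbound connection."""
    ip: str
    tls_version: Optional[str]          # e.g. "TLSv1.3"
    client_cert_verified: bool          # chain verified against our CA?
    client_cert_subject: Optional[str]  # subject DN of presented cert


def ip_in_allowlist(ip: str, ranges: Iterable = CDN_EDGE_RANGES) -> bool:
    """True if ip falls inside any allowlisted CDN edge range.

    Raises ValueError for an unparseable address so the caller can
    reject it explicitly rather than silently treating it as allowed.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def admit(peer: PeerInfo) -> Tuple[bool, str]:
    """Return (admitted, reason). Cheapest check runs first.

    Order matters: the IP allowlist rejects most stray traffic before
    any certificate work, mirroring a firewall in front of the TLS
    listener. A verified chain alone is not enough; the subject must be
    the specific edge identity, so any other cert from the same CA
    (e.g. an internal service) cannot reach the origin this way.
    """
    try:
        if not ip_in_allowlist(peer.ip):
            return False, "source ip not in cdn allowlist"
    except ValueError:
        return False, "unparseable source ip"
    if peer.tls_version not in ("TLSv1.2", "TLSv1.3"):
        return False, "tls version not accepted"
    if not peer.client_cert_verified:
        return False, "client certificate missing or failed verification"
    if peer.client_cert_subject != EXPECTED_EDGE_SUBJECT:
        return False, "client certificate is not the expected edge identity"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample connections: one legitimate edge, one direct
    # client bypassing the CDN, one allowlisted IP without a client cert.
    samples = [
        PeerInfo("198.51.100.7", "TLSv1.3", True, EXPECTED_EDGE_SUBJECT),
        PeerInfo("203.0.113.9", "TLSv1.3", False, None),
        PeerInfo("198.51.100.8", "TLSv1.3", False, None),
    ]
    for p in samples:
        print(p.ip, admit(p))
```

Run the module directly to see the three constructed connections evaluated; only the first is admitted. In a real origin the `PeerInfo` fields come from the TLS listener (for example the verified-chain flag and subject exposed by the web server), and the allowlist is enforced at the network layer as well so that unallowlisted sources never reach the TLS handshake at all.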
- Domain: Cloud Multi
- Audience: CDN architects and security engineers implementing edge delivery with TLS termination
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.