CDN Resilience, Security & Observability Quiz

Q1. What does a CDN typically do as part of its auto fail-out/fail-in mechanism when a PoP (Point of Presence) is detected as unhealthy? Temporarily remove the PoP from service (fail-out) until it passes health checks again (fail-in).
Permanently shut down the PoP and require manual intervention to bring it back.
Redirect additional traffic to that PoP to test if it will recover.
Continue sending traffic to the PoP as normal, assuming it will recover on its own.

Q2. Which statement describes a trade-off between using an anycast network for DDoS mitigation and using a centralized scrubbing center? A centralized scrubbing center always has lower latency for all users compared to an anycast approach.
Anycast spreads attack traffic across multiple PoPs to absorb volume, whereas a centralized scrubbing center can deeply filter traffic in one location but may add latency and a potential bottleneck.
Anycast always provides better DDoS protection with no downsides compared to a scrubbing center.
Anycast networks are not used for DDoS defense, only centralized scrubbing can stop attacks.

Q3. Which AWS WAF rule would you use to block or allow users based on their country of origin? AWS Shield Advanced with automatic geographic blocking.
An AWS CloudFront signed URL policy with location constraint.
A rate-based rule in AWS WAF configured with request thresholds.
A geo-match rule in AWS WAF to filter requests by country.

Q4. What feature can automatically block clients who send too many requests in a short time to your AWS CloudFront distribution? An AWS WAF rate-based rule to throttle or block excessive requests.
AWS Shield Standard DDoS protection.
An AWS WAF geo-match rule restricting requests by country.
An Amazon CloudWatch alarm on high request rate.

Q5. Which of the following is NOT a recommended best practice for securing TLS connections in a CDN? Using OCSP stapling for the CDN's TLS certificates.
Enabling support for TLS 1.3 on CDN edge servers.
Disabling mutual TLS (mTLS) between the CDN and origin to simplify configuration.
Regularly rotating and renewing the CDN's TLS certificates and keys.

Q6. When would using a signed cookie be more appropriate than using signed URLs for CDN content access control? When the client's browser does not support cookies.
When you need to enforce a unique token for every individual request.
When a user should be granted access to multiple protected resources after a single authentication.
When each file needs a unique URL signature and expiration.

Q7. Which of the following describes a behavioral analysis technique for bot detection on a CDN? Fingerprinting the TLS handshake of clients (e.g., using JA3) to identify bots.
Presenting a CAPTCHA challenge that users must solve to proceed.
Blocking requests from IP addresses known to belong to bots or data centers.
Analyzing user interaction patterns (e.g., mouse movements, timing of actions) to detect non-human behavior.

Q8. Which metric is NOT typically considered one of the CDN "golden signal" performance indicators? HTTP error rate (segmented by 4xx and 5xx status codes).
The total number of PoPs (points of presence) deployed globally.
Cache hit ratio (percentage of requests served from cache).
Edge network round-trip time (latency from user to edge).

Q9. What is an error budget burn rate in the context of SLO (Service Level Objective) monitoring? The proportion of total requests that result in errors.
The percentage of CPU time spent on serving error responses.
The rate at which the servers are overheating under load.
The speed at which the service is exhausting its allowed error budget (i.e., how fast it's using up its tolerated errors).

Q10. Why would a multi-CDN strategy use Real User Monitoring (RUM) data for routing? To switch all traffic between CDNs on a fixed schedule regardless of performance.
To randomly assign users to different CDNs to spread traffic evenly.
To dynamically route each user to the CDN that is performing best for them based on real user performance metrics.
To send each user request to all CDNs simultaneously for redundancy.

Q11. What is the purpose of a surge queue in a CDN architecture? To hold new user requests until previous user sessions have finished.
To intentionally delay responses to throttle user traffic.
To temporarily buffer excess requests during sudden traffic spikes so that origin or backend servers are not overwhelmed.
To process all incoming requests strictly one at a time rather than in parallel.

Q12. What is an advantage of maintaining warm-spare PoPs (points of presence) in a CDN? They can quickly take over handling traffic if active PoPs fail or become overloaded, improving resilience.
They compress and cache content without ever serving users, saving bandwidth.
They ensure each user request is processed by two PoPs for redundancy.
They run with zero traffic to conserve energy, incurring no operational cost.

Q13. Which of these is a clear indicator that a CDN PoP is nearing capacity saturation? The cache hit ratio at the PoP has increased significantly.
The PoP is handling fewer requests per second over time.
End-user latency to that PoP is steadily decreasing.
The PoP's servers are running at consistently high CPU and bandwidth utilization.

Q14. What is one benefit of terminating client connections with TLS 1.3 on a CDN edge server instead of TLS 1.2? TLS 1.3 automatically trusts self-signed certificates, unlike TLS 1.2.
TLS 1.3 allows the CDN to serve content without needing TLS certificates.
TLS 1.3 can establish encrypted connections with fewer round trips (lower handshake latency) than TLS 1.2.
TLS 1.3 does not use encryption, making it faster than TLS 1.2.

Q15. Which is a feature of AWS Shield Advanced that is not available with AWS Shield Standard? Globally anycasted traffic distribution across AWS's network.
24/7 access to AWS's DDoS Response Team and financial protection against unexpected DDoS-related cost spikes.
Automatic mitigation of all web application vulnerabilities without configuration.
The ability to absorb any size DDoS attack without any limit.

system-design