Origin shield and offload testing
Origin offload — the percentage of total requests served from CDN cache instead of reaching your origin — is the headline efficiency metric for a CDN deployment. A 95 % offload rate means only 1 in 20 requests touches your origin; your infrastructure costs and MTTR under traffic spikes drop proportionally. This page shows how to measure that percentage with MaxoPerf and how to verify that your origin protection holds up when the cache is cold or under stress.
What origin shield is
Section titled “What origin shield is”Many CDNs offer a multi-tier architecture with a shield (also called a mid-tier or parent cache) sitting between edge nodes and the origin. Instead of every edge node going directly to origin on a cache miss, they consult the shield first. If the shield has the object, it serves it and only one origin request was ever needed. If the shield misses, it fetches from origin once and stores the response for all subsequent edge requests.
The result:
- Origin request rate is dramatically lower — especially during purge events or sudden traffic spikes.
- Edge-to-origin round trips are reduced — only the shield-to-origin leg needs to be fast.
- Origin connection count stays manageable — even with hundreds of edge nodes, origin never sees more simultaneous connections than the shield opens.
Providers call it different things: CloudFront calls it Origin Shield; Fastly calls it Shielding; Akamai has Tiered Distribution; Cloudflare has Argo Tiered Caching.
Before you start
Section titled “Before you start”- Confirm whether origin shield is enabled for your CDN configuration. In most providers this is an opt-in setting per distribution or service.
- You need a way to measure origin request rate independently of MaxoPerf — this usually means your origin’s access logs, a Prometheus/CloudWatch metric, or your CDN’s own analytics. MaxoPerf measures end-to-end response metrics from the load runner perspective; it cannot directly observe origin request count.
- Run a warm-cache baseline test before this test to know your expected hit ratio.
Measuring offload percentage
Section titled “Measuring offload percentage”Origin offload is calculated from two numbers:
- Total requests — all requests received by the CDN (from MaxoPerf or real users).
- Origin requests — requests that passed through to your origin (cache misses + uncacheable requests).
Offload % = (1 - origin_requests / total_requests) × 100MaxoPerf generates the total requests; your origin telemetry measures how many reach the origin. A properly instrumented test compares the MaxoPerf run total against your origin access log count for the same time window.
Quick smoke check with curl
Section titled “Quick smoke check with curl”Before a full load test, run a manual check:
# First request — expect MISS (origin fetch)curl -sI https://cdn.example.com/static/app.js | grep -i 'x-cache\|age\|cf-cache'# Expected: X-Cache: Miss from cloudfront
# Second request — expect HIT (served from cache)curl -sI https://cdn.example.com/static/app.js | grep -i 'x-cache\|age\|cf-cache'# Expected: X-Cache: Hit from cloudfront
# If origin shield is in the path:# First miss: edge → shield (miss) → origin# Second miss: edge → shield (hit) — origin NOT touchedLoad test pattern — origin under cache-miss pressure
Section titled “Load test pattern — origin under cache-miss pressure”This test deliberately generates cache misses to put the origin under pressure, simulating the worst case for offload:
execution: - concurrency: 200 ramp-up: 1m hold-for: 5m scenario: origin-pressure
scenarios: origin-pressure: default-address: https://cdn.example.com requests: # Append a unique query string to bust the cache on every request. # Use this only in controlled testing — never in production. - label: cache-busted-request url: /static/app.js?cb=${__time()} method: GET assert: - equals: subject: http-code value: '200'After this test, compare:
- Origin request rate (from your origin logs) — should approach 200 req/s if shield is absent.
- Origin request rate with shield enabled — should be dramatically lower (shield absorbs repeated misses for the same URL).
Load test pattern — warm cache, then measure origin residual
Section titled “Load test pattern — warm cache, then measure origin residual”This pattern verifies real-world offload for cacheable assets:
execution: # Phase 1: warm the cache with a small amount of traffic - concurrency: 5 hold-for: 2m scenario: warm-pass
# Phase 2: full load — measure how little reaches origin - concurrency: 500 ramp-up: 1m hold-for: 10m scenario: warm-load
scenarios: warm-pass: default-address: https://cdn.example.com requests: - url: /static/app.js label: warm-js - url: /static/styles.css label: warm-css
warm-load: default-address: https://cdn.example.com requests: - url: /static/app.js label: js-bundle assert: - contains: subject: headers value: 'X-Cache: Hit' - url: /static/styles.css label: css-bundle assert: - contains: subject: headers value: 'X-Cache: Hit'During Phase 2, origin traffic should be near zero for the static assets. Any origin requests you observe in your origin logs are cache misses — typically from edge nodes that had not yet cached the warm response.
How to read origin offload results
Section titled “How to read origin offload results”When analysing MaxoPerf results for origin offload tests:
| Signal | What it means |
|---|---|
Zero assertion failures on X-Cache: Hit | Cache is holding under load — offload is working. |
| Assertion failures rising under higher VU count | Cache is being bypassed; origin is receiving more misses than expected. |
| 5xx errors in Log tab | Origin is failing under the miss rate. Enable shield or add origin capacity. |
| TTFB bimodal distribution (fast + slow cluster) | Some requests are served from cache (fast), some from origin (slow) — normal during ramp-up, should resolve as cache warms. |
| Elevated TTFB persisting through entire run | High miss rate throughout — check Cache-Control headers, TTL configuration, and cache-key correctness. |
Shield tier testing
Section titled “Shield tier testing”To verify that origin shield is working correctly:
- Enable shield in your CDN configuration for the test distribution.
- Run the cache-busted origin pressure test above.
- Monitor origin request rate — with shield enabled it should be a fraction of what it was without shield (often 1/N where N is the number of edge nodes).
- Disable shield and repeat. The increase in origin request rate confirms the shield’s contribution.
Do / don’t
Section titled “Do / don’t”Do:
- Always compare origin request rate (from origin logs) with total request rate (from MaxoPerf) — this is the only way to measure actual offload percentage.
- Test with shield enabled and disabled to quantify the shield’s protection value.
- Run origin pressure tests against a staging environment first to establish the origin’s breaking point before running in production.
Don’t:
- Assume a high MaxoPerf hit rate (low TTFB) equals high origin offload. A CDN may return fast responses from a regional cache even while other regions are generating heavy origin traffic.
- Enable cache-busting parameters in production tests — this will intentionally bypass the cache and could destabilise your origin.
- Neglect to monitor origin error rate independently. MaxoPerf shows what the CDN returns to load runners; origin errors that the CDN shields from runners (e.g. serving stale content on origin error) will not appear in MaxoPerf results.
Where to go next
Section titled “Where to go next”- Cache invalidation and purge testing — origin protection under purge events.
- Multi-region edge performance — how shield tiers interact with geographic distribution.
- Cache hit/miss testing — verify the cache is warm before origin offload tests.
- TTFB and asset delivery — understand the latency breakdown between edge and origin legs.