Skip to content

Origin shield and offload testing

Origin offload — the percentage of total requests served from CDN cache instead of reaching your origin — is the headline efficiency metric for a CDN deployment. A 95 % offload rate means only 1 in 20 requests touches your origin; your infrastructure costs and MTTR under traffic spikes drop proportionally. This page shows how to measure that percentage with MaxoPerf and how to verify that your origin protection holds up when the cache is cold or under stress.

Many CDNs offer a multi-tier architecture with a shield (also called a mid-tier or parent cache) sitting between edge nodes and the origin. Instead of every edge node going directly to origin on a cache miss, they consult the shield first. If the shield has the object, it serves it and only one origin request was ever needed. If the shield misses, it fetches from origin once and stores the response for all subsequent edge requests.

The result:

  • Origin request rate is dramatically lower — especially during purge events or sudden traffic spikes.
  • Edge-to-origin round trips are reduced — only the shield-to-origin leg needs to be fast.
  • Origin connection count stays manageable — even with hundreds of edge nodes, origin never sees more simultaneous connections than the shield opens.

Providers call it different things: CloudFront calls it Origin Shield; Fastly calls it Shielding; Akamai has Tiered Distribution; Cloudflare has Argo Tiered Caching.

  • Confirm whether origin shield is enabled for your CDN configuration. In most providers this is an opt-in setting per distribution or service.
  • You need a way to measure origin request rate independently of MaxoPerf — this usually means your origin’s access logs, a Prometheus/CloudWatch metric, or your CDN’s own analytics. MaxoPerf measures end-to-end response metrics from the load runner perspective; it cannot directly observe origin request count.
  • Run a warm-cache baseline test before this test to know your expected hit ratio.

Origin offload is calculated from two numbers:

  • Total requests — all requests received by the CDN (from MaxoPerf or real users).
  • Origin requests — requests that passed through to your origin (cache misses + uncacheable requests).
Offload % = (1 - origin_requests / total_requests) × 100

MaxoPerf generates the total requests; your origin telemetry measures how many reach the origin. A properly instrumented test compares the MaxoPerf run total against your origin access log count for the same time window.

Before a full load test, run a manual check:

Terminal window
# First request — expect MISS (origin fetch)
curl -sI https://cdn.example.com/static/app.js | grep -i 'x-cache\|age\|cf-cache'
# Expected: X-Cache: Miss from cloudfront
# Second request — expect HIT (served from cache)
curl -sI https://cdn.example.com/static/app.js | grep -i 'x-cache\|age\|cf-cache'
# Expected: X-Cache: Hit from cloudfront
# If origin shield is in the path:
# First miss: edge → shield (miss) → origin
# Second miss: edge → shield (hit) — origin NOT touched

Load test pattern — origin under cache-miss pressure

Section titled “Load test pattern — origin under cache-miss pressure”

This test deliberately generates cache misses to put the origin under pressure, simulating the worst case for offload:

execution:
- concurrency: 200
ramp-up: 1m
hold-for: 5m
scenario: origin-pressure
scenarios:
origin-pressure:
default-address: https://cdn.example.com
requests:
# Append a unique query string to bust the cache on every request.
# Use this only in controlled testing — never in production.
- label: cache-busted-request
url: /static/app.js?cb=${__time()}
method: GET
assert:
- equals:
subject: http-code
value: '200'

After this test, compare:

  • Origin request rate (from your origin logs) — should approach 200 req/s if shield is absent.
  • Origin request rate with shield enabled — should be dramatically lower (shield absorbs repeated misses for the same URL).

Load test pattern — warm cache, then measure origin residual

Section titled “Load test pattern — warm cache, then measure origin residual”

This pattern verifies real-world offload for cacheable assets:

execution:
# Phase 1: warm the cache with a small amount of traffic
- concurrency: 5
hold-for: 2m
scenario: warm-pass
# Phase 2: full load — measure how little reaches origin
- concurrency: 500
ramp-up: 1m
hold-for: 10m
scenario: warm-load
scenarios:
warm-pass:
default-address: https://cdn.example.com
requests:
- url: /static/app.js
label: warm-js
- url: /static/styles.css
label: warm-css
warm-load:
default-address: https://cdn.example.com
requests:
- url: /static/app.js
label: js-bundle
assert:
- contains:
subject: headers
value: 'X-Cache: Hit'
- url: /static/styles.css
label: css-bundle
assert:
- contains:
subject: headers
value: 'X-Cache: Hit'

During Phase 2, origin traffic should be near zero for the static assets. Any origin requests you observe in your origin logs are cache misses — typically from edge nodes that had not yet cached the warm response.

When analysing MaxoPerf results for origin offload tests:

SignalWhat it means
Zero assertion failures on X-Cache: HitCache is holding under load — offload is working.
Assertion failures rising under higher VU countCache is being bypassed; origin is receiving more misses than expected.
5xx errors in Log tabOrigin is failing under the miss rate. Enable shield or add origin capacity.
TTFB bimodal distribution (fast + slow cluster)Some requests are served from cache (fast), some from origin (slow) — normal during ramp-up, should resolve as cache warms.
Elevated TTFB persisting through entire runHigh miss rate throughout — check Cache-Control headers, TTL configuration, and cache-key correctness.

To verify that origin shield is working correctly:

  1. Enable shield in your CDN configuration for the test distribution.
  2. Run the cache-busted origin pressure test above.
  3. Monitor origin request rate — with shield enabled it should be a fraction of what it was without shield (often 1/N where N is the number of edge nodes).
  4. Disable shield and repeat. The increase in origin request rate confirms the shield’s contribution.

Do:

  • Always compare origin request rate (from origin logs) with total request rate (from MaxoPerf) — this is the only way to measure actual offload percentage.
  • Test with shield enabled and disabled to quantify the shield’s protection value.
  • Run origin pressure tests against a staging environment first to establish the origin’s breaking point before running in production.

Don’t:

  • Assume a high MaxoPerf hit rate (low TTFB) equals high origin offload. A CDN may return fast responses from a regional cache even while other regions are generating heavy origin traffic.
  • Enable cache-busting parameters in production tests — this will intentionally bypass the cache and could destabilise your origin.
  • Neglect to monitor origin error rate independently. MaxoPerf shows what the CDN returns to load runners; origin errors that the CDN shields from runners (e.g. serving stale content on origin error) will not appear in MaxoPerf results.