After CDN is introduced, failure no longer belongs only to the origin server. A user-facing 502, 504, certificate error, or slow page may come from the edge, origin network, firewall, TLS configuration, cache rules, or the application process. Changing many settings at once destroys the evidence needed for diagnosis.

Failure diagnosis path across user, edge, origin link, and application
Origin failure should be isolated by segment: user to edge, edge to origin, origin to application.

Confirm the request actually reaches CDN

Check DNS, response headers, certificate coverage, and hostnames before logging into the server. Some regions may still resolve legacy records and some subdomains may bypass CDN. If entry points differ, later observations cannot be compared reliably.

Confirm the edge can reach the origin

Common causes include missing source IP allowlists, closed ports, HTTPS origin validation failure, strict Host requirements, and protocol mismatch. Origin protection is useful only when it matches the CDN's actual fetch behavior.

Cache rules can amplify small problems

If HTML never caches, every request pressures the origin. If error responses are cached, a brief incident can last longer. If random query strings bypass cache, peak origin traffic grows unexpectedly. Separate rules for pages, static assets, downloads, APIs, and error pages.

SignalCheck firstTypical action
502Origin port, process, protocolRestore process or fix Host/protocol
504Origin latency, database, dependenciesReduce origin pressure and slow requests
TLS errorCertificate scope, SNI, validationCorrect certificate or origin policy
Traffic spikeCache key, random parameters, hot assetsNormalize cache and purge flow

Records are more valuable than a lucky repair

Each incident should leave a timeline: first signal, affected regions, error type, recent change, actions, and recovery evidence. Over time, those records reveal whether the recurring issue is configuration, capacity, release process, or provider boundary.