Behind the screens: 2021 in review
The internet has evolved significantly from its humble ARPANET beginnings more than 50 years ago, and thanks to “rough consensus and running code” it’s been able to meet countless challenges over the years. We can’t understate the importance of the evolution of key protocols in this longevity, with major and minor version updates improving the scalability, performance, and security of earlier foundational versions. And while the development and design of these protocols is no easy feat, the true challenge — and where their value becomes clear — is in their deployment at scale.
We’re an active participant in the internet standards development process, and understand the importance of deploying these new and updated protocols across our constantly expanding global network for the benefit of our customers and the internet community at large. But of course, none of this would be useful without last-mile connectivity — even though, as we saw this year, that can be disrupted through government action, power outages, or infrastructure damage.
Let’s take a look back at the past year through the eyes of our edge cloud network to explore what we saw across new protocol adoption, security initiatives, network growth, and more. Unless otherwise specified, the traffic percentages referenced below are medians for the given time period.
Meeting the demands of the future
In 2021, it is questionable whether IPv6 can still be called a “new” protocol, as it has its roots in the late 1990s realization that the rapid growth of the internet meant that a plan was needed to deal with the eventual exhaustion of available IPv4 address space. Regardless, the deployment of and support for IPv6 across cloud and hosting providers, backbones, and last-mile networks still has a long way to go.
We announced support for IPv6 in July 2016, and since then, we have seen gradual customer adoption. In January 2021, 10% of traffic running on our network was delivered over IPv6, and that grew to just over 11% in November. While this growth is encouraging, significant work remains to be done to drive deeper adoption across our customer base.
Transport Layer Security (TLS) is the successor to the now-deprecated Secure Sockets Layer (SSL), a foundational protocol developed in the early days of the web to enable secure communications between clients and servers. The first version of TLS (1.0) was defined in 1999, while the latest (1.3) was defined in 2018. TLS 1.3 offers several performance and security improvements over the earlier versions, including a faster TLS handshake and simpler, more secure cipher suites, as well as Zero Round-Trip Time (0-RTT) key exchanges that further streamline the TLS handshake. In 2021 the IETF formally deprecated TLS 1.0 and 1.1, with major vendors including Apple and Microsoft following suit.
Encrypted traffic comprises the overwhelming majority of the traffic we deliver across our platform. In 2021, the volume of traffic delivered over TLS grew from 88% in January to just over 91% in November, a 3% increase. Although we have not yet fully deprecated TLS 1.0 and 1.1 due to customer requirements, nearly all of the encrypted traffic we deliver uses TLS 1.2 or 1.3. The volume of secure traffic on our platform using TLS 1.2 dropped from just under 77% in January to almost 52% in November, a 32% decrease as customers shifted to TLS 1.3, which grew from 24% in January to almost 46% in November, an 89% increase. We expect that TLS 1.2 and 1.3 usage will cross in early 2022, leading to the majority of secure traffic on our network using TLS 1.3.
HTTP/3 and QUIC
From its simple beginnings 30 years ago, HTTP has evolved as the performance, scalability, and security of web content have become increasingly critical. The latest version, HTTP/3, is being built on top of QUIC, a new UDP-based transport protocol. QUIC was published as a proposed standard in May 2021, with some of our team members, including Jana Iyengar and Mark Nottingham, leading the development and standardization process.
Although we announced a customer beta program for QUIC nearly two years ago in early 2020, QUIC traffic didn’t really grow to meaningful levels until earlier this year. Comparing QUIC traffic volumes between May (when QUIC formally reached RFC status) and November, we observed over 680% growth. We expect QUIC traffic volumes to continue to grow aggressively in 2022 as more customers understand the value of supporting QUIC in their web sites and applications and enable support for it, and as HTTP/3 progresses towards RFC status.
Moving up the stack from the protocol level, Compute@Edge enables users to build high scale, globally distributed applications and execute code at the edge, without having to manage the underlying infrastructure. This allows customers to move application logic close to the users’ devices, providing fast and secure experiences for many different use cases while minimizing the reliance on centralized origin systems.
Daily request traffic for Compute@Edge experienced explosive growth in 2021, skyrocketing over 31,000% from January’s daily traffic. Customer usage is on pace to reach 2 trillion total requests across 2021, with a target to reach 50 trillion requests by the end of 2022.
Two years ago, we published a blog post highlighting our “Rack and Roll” POP delivery program, a scalable, repeatable process that enables us to efficiently bring new POPs online in locations around the world. That strategy has served us well throughout 2020 and into 2021.
This past year, we expanded the size of our network footprint by 25%, adding 18 new POP locations across five new countries (Ghana, South Korea, Malaysia, Peru, and the Philippines) in addition to upgrading a number of other POP locations. Through these new and upgraded POPs, our provisioned capacity in November reached nearly 179 Tbps, 45% higher than at the start of the year. Peak traffic also grew in 2021, as we delivered just over 49 Tbps in late November, 50% higher than 2020’s Christmas Day peak.
These new deployments, as expected, also help us improve the local end user experience. For example, in Peru, third-party measurements showed an improvement of over 60% in the median Time To First Byte (TTFB) metric. In the Philippines, the median TTFB dropped by approximately 60% as well, and in South Korea the median TTFB was reduced by nearly 80%.
Cache hit ratio
Cache hit ratio (CHR) is a metric that measures the proportion of requests to our edge network that are served from cache and do not require an origin request. The median edge cache hit ratio on our network has remained around 92% — in other words, only 8% of requests to our edge servers need to go back to an origin to retrieve content. As we continue to deploy new larger regions and upgrade existing regions, we should be able to drive incremental (or “slight”) improvements in CHR. It’s worth noting that even small improvements can result in significant origin infrastructure savings — growing CHR from 92% to 94% means a 25% reduction in origin-bound requests (from 8% to 6%). Additionally, per-customer optimizations can result in higher ratios, as they are able to tune their configurations based on their content profile.
Securing the internet
When a new vulnerability is discovered and announced, response time is of the essence. For a variety of reasons, enterprises can’t always apply immediate patches and rely on security service providers as a first line of defense to block threats and attempted exploits. During 2021, our Security Research Team quickly developed and deployed rules to our Next-Gen WAF to help protect customers against:
A path traversal and file disclosure vulnerability in the Apache HTTP server,
A Server-Side Request Forgery vulnerability in the Apache HTTP server, and
Of course, the Log4Shell Remote Code Execution vulnerability in the Apache Log4j library.
Giving back to open source
We believe that good things should thrive online, and one way we work toward that vision is by providing free services for nonprofit organizations and open source projects. Our open source customer base includes operating system distributions, programming languages, applications, tools, and supporting organizations. Between January and November 2021, daily aggregate request traffic for these customers grew by over 14%, while aggregate daily gigabytes (GB) delivered increased by nearly 74%.
Our network sits in a very privileged position; we are able to help drive the adoption of new and enhanced protocols and improve the performance, reliability, and security of customer web sites and applications all while giving back to the community. Our network also affords us a perspective on the impact of shutdowns, outages, and other disruptions to internet connectivity, as the resulting changes to regular traffic patterns are often visible in our traffic data. In the second and third quarters of 2021, we published aggregated overviews of internet disruptions observed during the quarter.
In Q2, Syria, Algeria, and Sudan all implemented near-complete multi-hour nationwide internet shutdowns across a span of several days or weeks in an effort to prevent cheating on national exams. (The effectiveness of such efforts is unclear.) In Myanmar, a two-and-a-half-month “internet curfew,” where a near-complete internet shutdown took place each night, came to an end in the second quarter. Other disruptions that were not government directed included those caused by electrical problems in Jordan and Puerto Rico, severe weather in India, and fiber damage in St. Croix, Virgin Islands, and Tumbler Ridge, British Columbia.
In Q3, Syria once again implemented a series of shutdowns intended to prevent exam cheating, as did several cities in India. In Cuba, the government shut down internet connectivity in response to what were reportedly the biggest anti-government protests on the island nation in decades. A disruption to connectivity coincident with anti-government protests was observed in South Sudan, while several Nigerian states shut down internet services in an effort to stem “bandit” attacks. Puerto Rico once again experienced internet issues due to power issues, while power outages due to a system failure impacted internet connectivity in Zambia. Infrastructure (power and cable/fiber) damage due to Hurricane Ida took much of New Orleans offline. Damage to fiber-optic cables caused multi-hour disruptions in Venezuela and Nigeria, and a likely submarine cable cut impacted connectivity to Namibia, Cameroon, and the Republic of the Congo.
In 2021, we saw pockets of everyday life return to some semblance of pre-pandemic “in person” normality, but the critical role that the internet plays in enabling online work, education, shopping, and socializing has become the “new normal.” Given this paradigm shift, it’s important that key applications, sites, and tools remain highly performant, available, reliable, and secure.
We reinforce these goals by supporting updated versions of key protocols, expanding our network footprint to be closer to more end users, and protecting customers from attacks and vulnerabilities. In addition, we support the open source community that powers so much of the web and internet, and our traffic insights bring visibility to the impact of internet shutdowns, outages, and other disruptions around the world.
This article contains “forward-looking” statements that are based on our beliefs and assumptions and on information currently available to us on the date of this article. Forward-looking statements may involve known and unknown risks, uncertainties, and other factors that may cause its actual results, performance, or achievements to be materially different from those expressed or implied by the forward-looking statements. These statements include, but are not limited to, those regarding expected future customer behavior and usage, future product offerings, traffic volumes across 2021 and 2022, and the continuation of any of the trends described above. Except as required by law, we assume no obligation to update these forward-looking statements publicly, or to update the reasons actual results could differ materially from those anticipated in the forward-looking statements, even if new information becomes available in the future. Important factors that could cause our actual results to differ materially are detailed from time to time in the reports we file with the Securities and Exchange Commission (SEC), including in our Quarterly Report on Form 10-Q for the fiscal quarter ended September 30, 2021. Copies of reports filed with the SEC are posted on our website and are available from us without charge.