Lesson 0002 · ~15 minutes

The request's journey: DNS, CDN edges, and where your backend actually runs

Case AI Interview prep · Layer 1.5 — the plumbing Lesson 0001 assumed
Why this lesson: Born from your own questions after Lesson 0001: what are DNS and a CDN edge? how is IAM used for real? if Lambda is the backend, why would anyone run a dedicated server? These are the words underneath the top row of the whiteboard — get them solid and the whole diagram stops being memorized boxes and becomes things you can defend.

1 · DNS — the internet's phone book

Computers route traffic by IP addresses (numbers like 13.224.10.5), not names. DNS (Domain Name System) is the global lookup system that translates portal.caseai.com into the IP address to actually connect to. That's the whole job (Route 53 docs).

Route 53 is just AWS's DNS service — a place where you create records for your domain:

Record | Means | Example
A | this name → this IP address | caseai.com → 13.224.10.5
CNAME | this name → that other name | portal.caseai.com → d1234.cloudfront.net

One wrinkle worth knowing for the whiteboard: DNS does not allow a CNAME at the zone apex (caseai.com itself), which is why the apex row above is an A record and why Route 53 offers its own alias record type for pointing an apex at CloudFront or an ALB.

You have already used DNS — every domain you've pointed at Cloudflare, every custom-domain CNAME in the Cloudflare dashboard, was you editing DNS records. Route 53 is the same dashboard page, different vendor.

2 · CDN & "edge" — copies of your content, parked near the user

A CDN (Content Delivery Network) is a fleet of cache servers in hundreds of cities. An edge server is whichever one sits closest to the user — at the "edge" of the network, as opposed to the origin, your actual application server (Cloudflare Learning Center — yes, your own vendor explains this best).

When a lawyer in Hong Kong opens the Case AI portal: the JS bundle, CSS, and logo come from an edge server in Hong Kong, not from a datacenter in Virginia. If the edge has the file cached → instant. If not → it fetches from the origin once, caches it, and serves the next thousand users locally.

The reason this feels new: on Cloudflare, the CDN is the platform — every Worker and Pages site you've shipped already ran on edge servers (this very lesson page is being served to your phone from a Cloudflare edge near you right now). AWS unbundles it: CloudFront is an explicit "distribution" you configure in front of an origin (an S3 bucket, or the ALB). Route 53 answers "what IP?", CloudFront answers from the nearest cache, and only dynamic requests travel on to your VPC.

3 · "If Lambda is the backend… why have a backend server?" — untangling the words

The confusion is two words being used as one:

The distinction: Backend = your server-side code: routes, business logic, DB queries.
Server = the always-on process/machine that code traditionally runs on.

Lambda IS a backend — without a dedicated server. AWS keeps your function on disk and spins it up only when an event arrives (an HTTP request via API Gateway, an S3 upload, an SQS message). API Gateway + Lambda + DynamoDB is a complete production backend; thousands of companies run exactly that. You've built this pattern yourself — Buddy Ride's backend on Workers + Convex was serverless end-to-end. So no: if you use Lambda, you do not need another backend. The real question is different — when is a dedicated, always-on server (an ECS Fargate container) worth it? Five workload shapes:

Driver | Why Lambda struggles | Case AI example
Long jobs | Hard 15-minute timeout | OCR + embed a 500-page filing
Persistent connections | Built per-event; WebSockets/streaming are awkward | Streaming an AI draft token-by-token to the portal
Latency floor | Cold starts add first-request delay | A lawyer-facing API that must feel instant
Steady high traffic | Per-invocation billing beats always-on only when traffic is spiky | The portal at constant weekday load
In-memory state | No guaranteed durable process: a warm execution environment may keep a pool or cache, a cold one starts empty and opens fresh connections, so under a burst hundreds of them pile up on the database (the classic Postgres-from-Lambda pain; RDS Proxy exists to absorb it) | Pooled Aurora connections, cached prompts

Interview sound bite: "Serverless doesn't delete the server's job — it slices it per event. I'd run the portal and API as Fargate services because they're steady, streaming, and DB-heavy, and use Lambda for event-driven glue: an S3 upload trigger, an SQS consumer. Any job that could exceed 15 minutes is automatically container work." (That's also AWS's own framing — decision guide.)

4 · IAM in the real world — one concrete day

Abstract doctrine ("least privilege") becomes real like this. Your API container needs to read case documents from S3. In the real world you:

1. Create a role, e.g. case-api-task-role, that ECS tasks are allowed to assume (ECS task IAM role docs).
2. Attach a policy — a JSON allow-list of exactly what this service may do and on which resources. Note that Resource names the objects of one bucket, not "*"; if the service only ever reads, drop s3:PutObject as well:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::caseai-documents/*"
  }]
}

3. That's it. At runtime ECS hands the container short-lived credentials for that role through the task credentials endpoint (the AWS SDK reads its address from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, fetches the credentials, and refreshes them before they expire). Your code just calls s3.getObject(...): no keys in env vars, no keys in code, nothing to leak or rotate by hand.

The daily texture of "using IAM" as an engineer: every new service gets its own role; every "can service X read bucket Y?" is a policy edit reviewed in a PR (IAM is code, via Terraform/CDK); and AccessDenied errors are a rite of passage — the fix is adding the one missing action, never reaching for a wildcard *. Humans, meanwhile, log in through SSO and assume roles too — nobody in a well-run shop holds permanent keys (IAM best practices).
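To make "a policy edit reviewed in a PR" and "never reaching for a wildcard" concrete, here is a small model of how IAM decides a request against the task-role policy above. This is an added example for this lesson, not AWS's evaluator: it implements the three rules that matter day to day (everything is implicitly denied, a matching Allow grants, an explicit Deny beats any Allow), with IAM's `*`/`?` wildcards and case-insensitive action names, and it ignores Condition, NotAction/NotResource and resource-based bucket policies. The role, bucket and object names are this lesson's constructed ones.

```python
"""Tiny model of how IAM decides an S3 call from the case-api task role.

Added example for this lesson, not AWS's evaluator. Models: implicit deny,
explicit Allow grants, explicit Deny always wins; '*' / '?' wildcards in
Action and Resource; case-insensitive action names. Ignores Condition,
NotAction/NotResource and resource-based policies. Names are constructed.
"""
import re

# The policy from step 2 above, as a complete policy document.
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::caseai-documents/*",
    }],
}

# The tempting "fix" for an AccessDenied. Included only to measure its blast radius.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters (slashes included), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policies, action, resource):
    """Return ('Allow' | 'Deny', reason) for one request, in IAM's order:
    explicit Deny > explicit Allow > implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_wild_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_wild_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", "explicit Deny"
            allowed = True
    return ("Allow", "explicit Allow") if allowed else ("Deny", "implicit deny: no statement matched")


def granted(policies, resource, candidate_actions):
    """Which of candidate_actions the policies allow on resource (sorted).
    Compare a precise statement against a wildcard to see the blast radius."""
    return sorted(a for a in candidate_actions if evaluate(policies, a, resource)[0] == "Allow")


def least_privilege_fix(policy, action, resource):
    """The right response to AccessDenied: one more statement with the one missing action."""
    fixed = {"Version": policy["Version"], "Statement": list(_as_list(policy["Statement"]))}
    fixed["Statement"].append({"Effect": "Allow", "Action": action, "Resource": resource})
    return fixed


if __name__ == "__main__":
    obj = "arn:aws:s3:::caseai-documents/case-42/filing.pdf"
    print(evaluate([TASK_ROLE_POLICY], "s3:GetObject", obj))
    print(evaluate([TASK_ROLE_POLICY], "s3:DeleteObject", obj))
    print(granted([WILDCARD_POLICY], obj, ["s3:GetObject", "s3:DeleteBucket"]))
```

The useful habit this builds: when the API starts listing a case folder and hits AccessDenied on s3:ListBucket, `least_privilege_fix` adds that one action on the bucket ARN (note that ListBucket applies to the bucket, not to `bucket/*`), and `granted` shows why the wildcard "fix" is a bad trade: it also hands the task DeleteBucket.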

Whiteboard drill (out loud, in English): Close this page and narrate, for 60 seconds: "What happens between a lawyer typing portal.caseai.com and seeing the login page?" You should touch: DNS lookup (Route 53) → nearest CloudFront edge → cache hit for static assets / miss forwards to ALB → Fargate container → response. Then one bonus sentence: how that container proves to S3 it's allowed to fetch a document.
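The same journey as running code, covering sections 1 and 2 and the drill: a Route 53-style CNAME chain resolved to an A record (with loop protection, because a CNAME pointing back at itself is a real outage shape), and a CloudFront-style edge that serves static assets from cache while they are fresh and passes `no-store` API calls straight to the origin every time. This is an added example for this lesson, not AWS or Cloudflare code; the zone records, IP address, TTLs and Cache-Control headers are constructed, and TLS, the ALB and the login page itself are outside the model.

```python
"""The whiteboard drill as code: DNS (CNAME chain -> A record), an edge cache
keyed on path, and an origin that only sees misses and uncacheable requests.

Added example for this lesson, not AWS or Cloudflare code. Zone records, IP,
TTLs and Cache-Control values are constructed for illustration.
"""
import re
import time

# Constructed Route 53 zone: name -> (type, value, ttl_seconds).
ZONE = {
    "portal.caseai.com.": ("CNAME", "d1234.cloudfront.net.", 300),
    "d1234.cloudfront.net.": ("A", "13.224.10.5", 60),
    # Deliberate misconfiguration: two CNAMEs pointing at each other.
    "loop.caseai.com.": ("CNAME", "loop2.caseai.com.", 60),
    "loop2.caseai.com.": ("CNAME", "loop.caseai.com.", 60),
}


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs until an A record. Returns (ip, chain of (name, type, value)).
    Raises LookupError for unknown names and for CNAME loops / over-long chains."""
    name = name if name.endswith(".") else name + "."
    chain = []
    for _ in range(max_hops):
        record = zone.get(name)
        if record is None:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, value, _ttl = record
        chain.append((name, rtype, value))
        if rtype == "A":
            return value, chain
        name = value  # CNAME: restart the lookup at the target name
    raise LookupError(f"CNAME chain exceeded {max_hops} hops at {name}")


def shared_cache_ttl(cache_control):
    """Seconds a shared cache (CDN edge) may keep a response: 0 for no-store or
    private, or when no max-age is given; otherwise max-age."""
    if "no-store" in cache_control or "private" in cache_control:
        return 0
    match = re.search(r"max-age=(\d+)", cache_control)
    return int(match.group(1)) if match else 0


class Origin:
    """Stand-in for the ALB + Fargate container. Counts how often it is hit."""
    def __init__(self):
        self.hits = 0

    def fetch(self, path):
        self.hits += 1
        if path.startswith("/api/"):
            return 200, {"Cache-Control": "no-store"}, f"dynamic:{path}"
        return 200, {"Cache-Control": "public, max-age=300"}, f"static:{path}"


class Edge:
    """One CDN edge: serve from cache while fresh, otherwise fetch from origin once."""
    def __init__(self, origin, clock=time.monotonic):
        self.origin, self.clock = origin, clock
        self.cache = {}  # path -> (expires_at, body)

    def get(self, path):
        now = self.clock()
        entry = self.cache.get(path)
        if entry and entry[0] > now:
            return "HIT", entry[1]
        _status, headers, body = self.origin.fetch(path)
        ttl = shared_cache_ttl(headers.get("Cache-Control", ""))
        if ttl > 0:
            self.cache[path] = (now + ttl, body)
        return "MISS", body


def journey(host, path, edge):
    """Lawyer types host/path: DNS first, then the nearest edge, then maybe the origin."""
    ip, chain = resolve(host)
    result, body = edge.get(path)
    return {"ip": ip, "dns_hops": len(chain), "edge": result, "body": body}


if __name__ == "__main__":
    edge = Edge(Origin())
    for p in ["/app.js", "/app.js", "/api/login", "/api/login"]:
        print(p, journey("portal.caseai.com", p, edge))
```

Run it and the origin counter tells the story: the second request for /app.js never reaches Virginia, every /api/login does, and once the 300-second max-age lapses the edge goes back to the origin exactly once more. The `private` rule in `shared_cache_ttl` is the caveat to remember when you set headers: a shared edge must never cache a per-user response.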

5 · Prove it — retrieval quiz

Primary source

Read Cloudflare's "What is a CDN?" (~10 min) — the clearest vendor-neutral explanation, and it doubles as an interview answer bank for latency/caching vocabulary. Skim "What is a CDN edge server?" after it.

Questions? Anything still fuzzy — cache invalidation, how HTTPS fits into DNS, what API Gateway does exactly — ask your teacher in the session. Next: Lesson 0003 — Security & compliance for legal data (IAM deep-dive, KMS, tenant isolation, SOC 2 vocabulary).