Every CDN's console differs; the first pull zone is the same everywhere. This is the provider-agnostic hour: make the origin ready, create the zone, get TLS on a hostname you control, verify it is genuinely caching, and cut over without holding your breath.
Minute 0: make the origin ready
A pull zone is only as good as what it pulls, so spend the first minutes on the origin. Confirm it serves correct Cache-Control headers on the assets you intend to cache (even a blanket public, max-age=3600 on static paths beats the nothing most origins ship); confirm it answers on HTTPS with a valid certificate (edge-to-origin encryption should be non-negotiable from day one); and confirm it returns sensible responses to conditional requests (If-Modified-Since/ETag), because revalidation behavior shapes your hit ratio later. If the origin sits in a cloud, note the egress rate now — every cache miss bills there, which is why the origin-cost line appears in the TCO worksheet.
Create the zone and understand its two names
In any console, zone creation asks the same two things: the origin (your server's hostname — prefer a dedicated origin hostname like origin.example.com over your apex, so you can move it later) and the zone's edge hostname (the provider-issued name like yourzone.provider-edge.net). Understand the relationship before touching DNS: your public hostname will CNAME to the edge hostname, and the edge fetches from the origin hostname. Keep the three names distinct in your head and your docs — the classic first-day incident is pointing the origin setting at the public hostname, creating a loop the moment DNS cuts over.
TLS on a hostname you control
Before any production traffic, get a certificate for a test hostname (cdn-test.example.com) onto the edge — every serious provider issues managed certificates automatically once the CNAME exists or validation records are set. Do the whole flow on the test hostname first: create the CNAME with a short TTL, wait for issuance, and confirm the padlock end to end. This rehearses the exact steps go-live will need, surfaces validation friction while nothing is at stake, and leaves you a permanently useful staging hostname on the CDN for every future config change.
Verify it is actually caching
"It loads" is not verification. Request a static asset through the test hostname twice and read the response headers: the provider's cache-status header (X-Cache, CF-Cache-Status, X-Served-By variants) should show a miss then a hit; Age should climb on repeat requests; and your origin logs should show exactly one fetch. Then verify the negative space: request a path that must never cache (an API route, a set-cookie page) and confirm it misses every time. Ten minutes with curl -I here prevents the two silent failure modes — a zone that caches nothing (default rules deferring to absent origin headers) and a zone that caches everything (including the personalized page you will hear about from customers). The follow-on discipline is measuring hit ratio properly.
Cut over, then watch three things
Go-live is a DNS change: drop your public hostname's TTL in advance (300 seconds is fine), then switch its CNAME to the edge hostname during a quiet hour. Watch three things for the first thirty minutes: error rate at the edge (any 5xx spike means an origin-connectivity or TLS-mode mismatch — the rollback is reverting one DNS record), hit ratio climbing as the cache warms, and origin request volume falling to the miss stream. Keep the old record documented and the TTL short for a day, then raise it. That is the whole hour — and the foundation the entire caching-fundamentals batch builds on, starting with the full cutover checklist when a real production estate follows this test zone.
