AWS CloudFront Deep Dive
AWS CloudFront is a content delivery network (CDN) service offered by Amazon Web Services (AWS). It helps deliver content, such as web pages, videos, images, and other static or dynamic files, to users around the world with low latency and high transfer speeds. Let’s explore some of the key features and services provided by AWS CloudFront:
Content Delivery: CloudFront improves the delivery of static and dynamic content by caching it in edge locations around the world. When a user requests content, CloudFront serves it from the edge location closest to the user, reducing latency and improving performance.
Global Edge Network: CloudFront has a large network of edge locations spread across multiple continents. These edge locations act as caching endpoints, allowing users to access content with reduced round-trip times and improving the overall user experience.
HTTP and HTTPS Support: CloudFront supports both HTTP and HTTPS protocols, enabling secure content delivery using SSL/TLS encryption. You can configure CloudFront to use your own SSL certificate or use the default certificate provided by AWS.
Customizable Caching: CloudFront offers flexible caching options to control how your content is cached at edge locations. You can configure cache behaviors based on URL patterns, headers, cookies, query strings, or even specific geographic locations. This allows you to optimize caching strategies based on the specific requirements of your application.
Dynamic Content Acceleration: CloudFront integrates with AWS services like AWS Lambda, Amazon S3, Amazon EC2, and Amazon API Gateway to accelerate the delivery of dynamic content. With services like Lambda@Edge, you can execute serverless functions at the edge locations, enabling you to customize and personalize content for end users.
Origin Shield: CloudFront provides an optional Origin Shield feature that helps protect your origin infrastructure from high loads during traffic spikes. It caches content at a central shield location, reducing the load on your origin servers and improving overall performance.
Streaming Media Delivery: CloudFront supports the delivery of streaming media content, such as video and audio, using popular streaming protocols like HTTP Live Streaming (HLS), Dynamic Adaptive Streaming over HTTP (DASH), and Microsoft Smooth Streaming. It allows you to deliver media content with low latency and high-quality streaming across different devices.
Security and Access Control: CloudFront integrates with various AWS security services, such as AWS Identity and Access Management (IAM), AWS WAF (Web Application Firewall), and AWS Shield, to provide enhanced security and protect your applications against common web attacks, DDoS attacks, and unauthorized access.
Real-time Logs and Analytics: CloudFront provides detailed access logs and real-time analytics through Amazon CloudWatch, enabling you to monitor and analyze the performance of your content delivery. You can gain insights into the traffic patterns, request types, and geographical distribution of your users.
How CloudFront Delivers Content
- You specify origin servers, like an S3 bucket or your own HTTP server, from which CloudFront gets your files, which will then be distributed from CloudFront edge locations all over the world.
- Upload your files to your origin servers. Your files are also known as objects.
- Create a CloudFront distribution, which tells CloudFront which origin servers to get your files from when users request the files through your web site or application. At the same time, you specify details such as whether you want CloudFront to log all requests and whether you want the distribution to be enabled as soon as it's created.
- CloudFront assigns a domain name to your new distribution that you can see in the CloudFront console.
- CloudFront sends your distribution's configuration (but not your content) to all of its edge locations, the collections of servers in geographically dispersed data centers where CloudFront caches copies of your objects.
- CloudFront supports the WebSocket protocol as well as the HTTP protocol with the following HTTP methods:
  - GET
  - HEAD
  - POST
  - PUT
  - DELETE
  - OPTIONS
  - PATCH
- Using Lambda@Edge with CloudFront enables a variety of ways to customize the content that CloudFront delivers. It can help you configure your CloudFront distribution to serve private content from your own custom origin, as an option to using signed URLs or signed cookies. (See AWS Compute Services, Lambda, Lambda@Edge.)
- CloudFront also has regional edge caches that bring more of your content closer to your viewers, even when the content is not popular enough to stay at a CloudFront edge location, to help improve performance for that content.
- You can use a zone apex name on CloudFront.
- CloudFront supports wildcard CNAMEs.
- Different CloudFront Origins
  - Using S3 buckets for your origin – you place any objects that you want CloudFront to deliver in an S3 bucket.
  - Using S3 buckets configured as website endpoints for your origin.
  - Using a MediaStore container or a MediaPackage channel for your origin – you can set up an S3 bucket that is configured as a MediaStore container, or create a channel and endpoints with MediaPackage. Then you create and configure a distribution in CloudFront to stream the video.
  - Using an Application Load Balancer – if your origin is more than one HTTP server, you can use an ALB to distribute traffic to the web servers.
  - Using a Lambda function URL – you don't need to use an API Gateway or ALB since the Lambda web application can be called directly from the function URL.
  - Using EC2 or other custom origins – a custom origin is an HTTP server, for example, a web server.
  - Using CloudFront Origin Groups for origin failover – use origin failover to designate a primary origin for CloudFront plus a second origin that CloudFront automatically switches to when the primary origin returns specific HTTP status code failure responses.
- Objects are cached for 24 hours by default. You can invalidate files in CloudFront edge caches even before they expire.
- You can configure CloudFront to automatically compress files of certain types and serve the compressed files when viewer requests include Accept-Encoding: gzip in the request header.
- CloudFront can cache different versions of your content based on the values of query string parameters.
- CloudFront Distributions
  - You create a CloudFront distribution to tell CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.
  - You create a distribution and choose the configuration settings you want:
    - Your content origin – that is, the Amazon S3 bucket, MediaPackage channel, MediaStore container, ELB load balancer, or HTTP server from which CloudFront gets the files to distribute. You can specify any combination of up to 25 origins for a single distribution.
    - Access – whether you want the files to be available to everyone or restrict access to some users.
    - Security – whether you want CloudFront to require users to use HTTPS to access your content.
    - Cache key – uniquely identifies each file in the cache for a given distribution.
    - Origin request settings – whether you want CloudFront to forward cookies or query strings to your origin.
    - Geographic restrictions – whether you want CloudFront to prevent users in selected countries from accessing your content.
    - Logs – whether you want CloudFront to create access logs that show viewer activity, which is recorded in real time.
  - You can use distributions to serve the following content over HTTP or HTTPS:
    - Static and dynamic download content.
    - Video on demand in different formats, such as Apple HTTP Live Streaming (HLS) and Microsoft Smooth Streaming.
    - A live event, such as a meeting, conference, or concert, in real time.
  - Values that you specify when you create or update a distribution:
    - Origin Settings – information about one or more locations where you store the original versions of your web content.
    - Cache Behavior Settings – lets you configure a variety of CloudFront functionality for a given URL path pattern for files on your website.
    - Distribution Settings
    - Custom Error Pages and Error Caching
    - Restrictions – if you need to prevent users in selected countries from accessing your content, you can configure your CloudFront distribution either to allow users in a whitelist of specified countries to access your content or to not allow users in a blacklist of specified countries to access your content.
  - With CloudFront continuous deployment, you can safely deploy changes to your CDN configuration by testing first with a subset of production traffic.
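As an added example (not code from the original page or from AWS) of the Lambda@Edge private-content option mentioned under "How CloudFront Delivers Content" above: a Python viewer-request handler that only passes through requests carrying a valid, expiring HMAC token bound to the requested URI, the self-managed alternative to signed URLs or signed cookies. The SECRET value, the `token` query parameter name and the extra `now` argument (added so the expiry check can be exercised without the real clock) are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Hypothetical shared secret used to mint and verify tokens. In a real deployment
# it would be read from a secrets store or injected at deploy time, not hard-coded.
SECRET = b"example-shared-secret-not-for-production"


def make_token(uri, expires, secret=SECRET):
    """Token = <expires>.<hex HMAC-SHA256 over "<uri>\\n<expires>">."""
    msg = ("%s\n%d" % (uri, expires)).encode()
    return "%d.%s" % (expires, hmac.new(secret, msg, hashlib.sha256).hexdigest())


def token_is_valid(uri, token, now=None, secret=SECRET):
    """True only if the signature matches this URI and the token has not expired."""
    try:
        exp_str, sig = token.split(".", 1)
        expires = int(exp_str)
    except ValueError:
        return False  # malformed token: missing separator or non-numeric expiry
    current = time.time() if now is None else now
    if current >= expires:
        return False
    expected = make_token(uri, expires, secret).split(".", 1)[1]
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def handler(event, context=None, now=None):
    """Lambda@Edge viewer-request trigger: runs on every request, before the cache."""
    request = event["Records"][0]["cf"]["request"]
    token = parse_qs(request.get("querystring", "")).get("token", [""])[0]
    if token_is_valid(request["uri"], token, now=now):
        # Drop the token so it does not become part of the cache key at the edge.
        request["querystring"] = ""
        return request
    # Returning a response instead of the request short-circuits to the viewer.
    return {
        "status": "403",
        "statusDescription": "Forbidden",
        "headers": {"cache-control": [{"key": "Cache-Control", "value": "no-store"}]},
        "body": "forbidden",
    }
```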
Cache Behavior Settings
- The functionality that you can configure for each cache behavior includes:
  - The path pattern.
  - If you have configured multiple origins for your CloudFront distribution, which origin you want CloudFront to forward your requests to.
  - Whether to forward query strings to your origin.
  - Whether accessing the specified files requires signed URLs.
  - Whether to require users to use HTTPS to access those files.
  - The minimum amount of time that those files stay in the CloudFront cache regardless of the value of any Cache-Control headers that your origin adds to the files.
- CloudFront also offers a new method of cache configuration called policies. You may use the policies premade by AWS or you can create your own. These policies define how you'd like the cache to behave, such as cache TTL settings, cache key contents, and compression settings.
- After creating your CloudFront distribution, you can invalidate its cached items by creating an invalidation request.
Price Class
- Choose the price class that corresponds with the maximum price that you want to pay for CloudFront service. By default, CloudFront serves your objects from edge locations in all CloudFront regions.
Performance and Availability
- CloudFront also allows you to set up multiple origins to enable redundancy withย Origin Failover. To set up origin failover, you must have a distribution with at least two origins. Next, you create an origin group for your distribution that includes the two origins, setting one as the primary. Finally, you define a cache behavior in which you specify the origin group as your origin.
- The two origins in the origin group can be any combination of the following: AWS origins, like Amazon S3 buckets or Amazon EC2 instances, or custom origins, like your own HTTP web server.
- When you create the origin group, you configure CloudFront to failover to the second origin for GET, HEAD, and OPTIONS HTTP methods when the primary origin returns specific status codes that you configure.
- CloudFront is optimized for both dynamic and static content, providing extensive flexibility for optimizing cache behavior, coupled with network-layer optimizations for latency and throughput.
Using HTTPS with CloudFront
- You can choose HTTPS settings both for communication between viewers and CloudFront, and between CloudFront and your origin.
- If you want your viewers to use HTTPS and to use alternate domain names for your files, you need to choose one of the following options for how CloudFront serves HTTPS requests:
- Use a dedicated IP address in each edge location
- Use Server Name Indication (SNI)
Amazon CloudFront Monitoring
- The billing report is a high-level view of all of the activity for the AWS services that you're using, including CloudFront.
- The usage report is a summary of activity for a service such as CloudFront, aggregated by hour, day, or month. It also includes usage charts that provide a graphical representation of your CloudFront usage.
- CloudFront console includes a variety of reports based on the data in CloudFront access logs:
- CloudFront Cache Statistics Reports
- CloudFront Popular Objects Report
- CloudFront Top Referrers Report
- CloudFront Usage Reports
- CloudFront Viewers Reports
- You can use AWS Config to record configuration changes to CloudFront distribution settings.
- CloudFront integrates with Amazon CloudWatch metrics so that you can monitor your website or application.
- Capture API requests with AWS CloudTrail. CloudFront is a global service. To view CloudFront requests in CloudTrail logs, you must update an existing trail to include global services.
- You can view metrics about CloudFront's behavior and performance by enabling the Server-Timing header in HTTP responses sent from CloudFront.
- With Amazon CloudWatch, you can monitor how many times a CloudFront Function was throttled in a given time period.
- The CloudFront-Viewer-TLS header contains information about the TLS/SSL version and the cipher used to connect the viewer and CloudFront.
- Supports various wildcard configurations in CORS access-control headers.
- You can also specify header order and header count to identify the viewer based on the headers it sends.
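As an added example (not from the original page) of working directly with the access logs that the console reports above are built on: a Python parser for the CloudFront standard log format that reports the cache hit ratio, status-code classes, plain-HTTP requests and viewers repeatedly receiving 4xx responses. The log records are constructed and use only the first 19 fields of the standard format; the 4xx threshold is an assumption.

```python
from collections import Counter

# Constructed sample of a CloudFront standard (access) log, using the first 19
# fields of the real format. The parser keys records by the "#Fields:" header,
# so it also handles real log files, which carry more fields.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken
2024-05-01\t10:00:01\tIAD89-C1\t1024\t192.0.2.10\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\t-\tHit\tREQ1\twww.example.com\thttps\t300\t0.002
2024-05-01\t10:00:02\tIAD89-C1\t2048\t192.0.2.10\tGET\td111111abcdef8.cloudfront.net\t/app.js\t200\t-\tMozilla/5.0\t-\t-\tMiss\tREQ2\twww.example.com\thttps\t310\t0.120
2024-05-01\t10:00:03\tFRA50-C2\t512\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tcurl/8.0\t-\t-\tRefreshHit\tREQ3\twww.example.com\thttps\t290\t0.010
2024-05-01\t10:00:04\tFRA50-C2\t420\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/private/report.pdf\t403\t-\tcurl/8.0\t-\t-\tError\tREQ4\twww.example.com\thttp\t280\t0.004
2024-05-01\t10:00:05\tFRA50-C2\t420\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/missing.html\t404\t-\tcurl/8.0\t-\t-\tError\tREQ5\twww.example.com\thttp\t280\t0.004
"""


def parse_cloudfront_log(text):
    """One dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #Version line or blank line
        elif fields is None:
            raise ValueError("record seen before the #Fields header")
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("expected %d fields, got %d" % (len(fields), len(values)))
            records.append(dict(zip(fields, values)))
    return records


def summarize(records, error_threshold=2):
    """Cache efficiency, protocol use and viewers producing repeated 4xx responses."""
    total = len(records)
    result_types = Counter(r["x-edge-result-type"] for r in records)
    hits = result_types["Hit"] + result_types["RefreshHit"]  # served without going to origin
    errors_by_ip = Counter(r["c-ip"] for r in records if r["sc-status"].startswith("4"))
    return {
        "total": total,
        "cache_hit_ratio": hits / total if total else 0.0,
        "status_classes": dict(Counter(r["sc-status"][0] + "xx" for r in records)),
        "plain_http_requests": sum(1 for r in records if r["cs-protocol"] == "http"),
        "noisy_viewers": {ip: n for ip, n in errors_by_ip.items() if n >= error_threshold},
    }
```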
Amazon CloudFront Security
- CloudFront, AWS Shield, AWS WAF, and Route 53 work seamlessly together to create a flexible, layered security perimeter against multiple types of attacks, including network and application layer DDoS attacks.
- You can deliver your content, APIs or applications via SSL/TLS, and advanced SSL features are enabled automatically.
- Through the geo-restriction capability, you can prevent users in specific geographic locations from accessing content that you're distributing through CloudFront.
- You can restrict access to ALBs by configuring a custom HTTP header to the CloudFront request.
- With the Origin Access Identity feature, you can restrict access to an S3 bucket so that it is only accessible from CloudFront.
- Field-Level Encryption is a feature of CloudFront that allows you to securely upload user-submitted data such as credit card numbers to your origin servers.
- You can use an AWS-managed prefix list to restrict inbound HTTP and HTTPS traffic to your origins to IP addresses assigned to CloudFront's origin-facing servers.
- To remove headers that CloudFront received in the origin response, you can use a CloudFront response headers policy. The specified headers are not included in the response sent to viewers by CloudFront.
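As an added example (not from the original page) for the Origin Access Identity point above: a Python audit of an S3 origin bucket policy that lists the CloudFront principals granted read access and flags any Allow statement with a "*" principal, which would let viewers fetch objects from the bucket directly and bypass CloudFront. The policy, bucket name and OAI id are constructed; recognising the Origin Access Control service principal is an addition beyond the page's OAI description.

```python
import json

# Constructed bucket policy for a CloudFront S3 origin. The first statement grants
# the distribution's Origin Access Identity; the second is a leftover public-read
# grant that lets viewers read objects straight from S3, bypassing CloudFront.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCloudFrontOAI", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-origin-bucket/*"},
    {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-origin-bucket/*"}
  ]
}"""

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
OAC_SERVICE = "cloudfront.amazonaws.com"  # principal used by the newer Origin Access Control


def _principals(statement):
    """Flatten the Principal element ("*", {"AWS": "..."}, {"Service": [...]}) to strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def audit_origin_bucket_policy(policy_json):
    """Report CloudFront grants and public Allow statements in a bucket policy.

    A "*" principal is reported even when the statement carries a Condition,
    so such statements get a manual review rather than an automatic pass."""
    findings = {"cloudfront_grants": [], "public_sids": []}
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for principal in _principals(st):
            if principal == "*":
                findings["public_sids"].append(st.get("Sid", "<no Sid>"))
            elif principal.startswith(OAI_PREFIX):
                findings["cloudfront_grants"].append("OAI " + principal[len(OAI_PREFIX):])
            elif principal == OAC_SERVICE:
                findings["cloudfront_grants"].append("OAC " + principal)
    findings["locked_to_cloudfront"] = bool(findings["cloudfront_grants"]) and not findings["public_sids"]
    return findings
```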
Amazon CloudFront Pricing
- Charge for storage in an S3 bucket.
- Charge for serving objects from edge locations:
  - Data Transfer Out
- Charge for submitting data to your origin:
  - Data Transfer Out
- HTTP/HTTPS Requests
- Invalidation Requests
- Dedicated IP Custom SSL certificates associated with a CloudFront distribution.
- You also incur a surcharge for HTTPS requests, and an additional surcharge for requests that also have field-level encryption enabled.
Compliance
- CloudFront has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS).
- CloudFront is a HIPAA eligible service.
- CloudFront is compliant with SOC measures.