# CloudFront

**Introduction**

* A global content delivery network (CDN) service using Edge Locations

**Feature**

* Edge Location
  * The location to cache contents, separate to a Region / AZ
  * For read and write
  * TTL from 0 s ~ 1 year, set by the origin.
  * Invalidating (clearing) cached objects is charged.
* Origin
  * AWS Services
    * MediaPackage channel
    * S3
      * Enhanced security with CloudFront Origin Access Identity (OAI)
        * OAI can only be used if the origin is an S3 bucket **(not a S3 static website endpoint)**
    * **Origin can't be: ECS**
  * Custom Origin (HTTP)
    * ALB
      * Must be public (it can then forward to private EC2 / ECS targets).
    * EC2 instance
      * Must be public
    * API Gateway
    * Route53
    * **On-premises load balancer**
  * Possibility to have a secondary origin for HA.
* Distribution
  * The name given to the CDN configuration, which consists of a collection of Edge Locations
* Delivery Method
  * Web
  * RTMP for media streaming
* HTTPS
  * Viewer Protocol Policy
    * HTTP and HTTPS
    * Redirect HTTP to HTTPS
    * HTTPS Only
  * Origin Protocol Policy
    * HTTP Only
    * HTTPS Only
    * Match Viewer (communicates with origin with HTTP / HTTPS, depending on the protocol of the viewer request.)
  * Custom CA / Default CA
    * If you use your own domain name, such as example.com, you need an SSL/TLS certificate provided by ACM, or a certificate from a third-party certificate authority imported into **ACM** or the **IAM certificate store**.
    * If you use the default domain name that CloudFront assigned to your distribution, such as d111111abcdef8.cloudfront.net, CloudFront provides the default SSL/TLS certificate.
  * SSL / TLS termination and certificate sources
    * For non-ELB resources (e.g. EC2), the certificate must be issued by a third-party CA such as Comodo, DigiCert or Symantec (ACM certificates can't be installed on an instance).
    * For an ELB, the certificate can come from a third-party CA or from ACM.
* Creation options:
  * [Signed URLs / Signed Cookies](https://docs.aws.amazon.com/zh_tw/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html)
    * Restrict viewer access (like premium)
    * Can attach policies:
      * Include URL expiration
      * Include IP ranges to access the data from
      * Trusted signers (which AWS accounts can create signed URLs)
    * Duration
      * Shared content: make it short
      * Private content: can make it last for years
    * Signed URLs / Signed Cookies are created by our application with the AWS SDK.
    * A Signed URL is for one file and supports RTMP (real-time media streaming).
    * Signed Cookies can grant access to multiple files without changing the URLs.
  * [Can use a black / white list for geographic areas](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html)
    * Can define **country level restriction**
* CloudFront Signed URL vs S3 Pre-Signed URL
  * CloudFront Signed URL
    * Allow access to a path, no matter the origin
    * Account-wide key pair; only the root user can manage it
    * Can filter by IP, path, date, expiration
    * Can leverage caching features
  * S3 Pre-Signed URL
    * Issue a request as the person who pre-signed the URL
    * Uses the IAM key of the signing IAM principal
    * Limited lifetime
* Caching
  * Based on:
    * HTTP Headers
    * Session Cookies
    * Query String parameters
  * Scenario:
    * When a client sends a request with many headers, the Edge Location builds its cache key only from a **white list** of attributes (like: host, path, user-aa-data, protocol), so later similar requests can be served from the cache.
    * Maximizing hit rate by separating static / dynamic contents
      * Static contents: need less headers / caching rules
      * Dynamic contents: cached based on correct headers and cookies
* [Field-level encryption](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html#field-level-encryption-setting-up)
  * Used together with HTTPS to encrypt up to 10 fields of sensitive user data at the edge
* [Leveraging external data in Lambda@Edge](https://aws.amazon.com/blogs/networking-and-content-delivery/leveraging-external-data-in-lambdaedge/) (Ex. accessing rules file from an S3 bucket)
  * Include the data in your function deployment package.
  * Change the Lambda@Edge function code to fetch the file via an S3 URL and keep a local copy, instead of downloading it directly from S3 on every invocation.
  * A global variable (outside the handler) can be used as an in-memory cache, but its persistence is not guaranteed. (Don't remove the durable copy at the origin.)
* CloudFront Caching with API Gateway Caching
  * API Gateway (Edge-optimized)
    * Cache is on API Gateway; the Edge Location only forwards the request.
  * API Gateway (Regional)
    * Cache is on API Gateway.
    * More control over the distribution at the CloudFront Edge Location.
  * API Gateway (Regional) + CloudFront (caching)
    * Both layers cache.
  * Can enable CloudFront caching but disable API Gateway caching.
* Security
  * Integrates with AWS Shield (DDoS protection) and AWS WAF.
* [CloudFront can use a custom SSL/TLS certificate with dedicated IP addresses to SNI (Server Name Indication)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-switch-dedicated-to-sni.html)
* Scenario
  * CloudFront + ALB with SSL

![CloudFront + ALB with SSL](https://3303577320-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4cDbT2F2VmcAohuhSN%2F-MEMVLfG1us66Hct9uo-%2F-MEOmMyEhEtFzxpN_3qT%2FScreen%20Shot%202020-08-11%20at%203.10.27%20AM.png?alt=media\&token=4901b3cd-40f5-427c-ac28-6d1b8aebef9e)
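A worked example of the Signed URL / Signed Cookie creation described under "Creation options" and "CloudFront Signed URL vs S3 Pre-Signed URL" above. This is an added example, not code from the original notes or from AWS. It builds the canned and custom policy documents in the exact JSON shape CloudFront expects, applies CloudFront's URL-safe base64 variant, and emits either the `Expires`/`Signature`/`Key-Pair-Id` query parameters or the `CloudFront-*` cookies. The key-pair ID, the distribution hostname, and the epoch timestamp are constructed values, and `demo_signer` is an HMAC stand-in so the example runs offline; a real signer must produce an RSA-SHA1 signature with the private key of a trusted key pair (the `cryptography` call is shown in its docstring, and `botocore.signers.CloudFrontSigner` takes the same kind of signer callable).

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# Hypothetical key-pair ID (constructed). In production this is the ID of a
# public key in a CloudFront key group (or the legacy account-wide key pair).
DEMO_KEY_PAIR_ID = "APKAEXAMPLE123"

Signer = Callable[[bytes], bytes]


def cf_base64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def build_policy(resource: str, expires: int,
                 ip_range: Optional[str] = None,
                 not_before: Optional[int] = None) -> dict:
    """Policy statement in the shape CloudFront expects.

    A canned policy has only DateLessThan; adding an IP range or a start time
    makes it a custom policy (which also allows '*' wildcards in Resource).
    """
    condition: dict = {"DateLessThan": {"AWS:EpochTime": int(expires)}}
    if not_before is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(not_before)}
    if ip_range:
        condition["IpAddress"] = {"AWS:SourceIp": ip_range}
    return {"Statement": [{"Resource": resource, "Condition": condition}]}


def serialize_policy(policy: dict) -> bytes:
    # CloudFront requires the policy JSON without any whitespace.
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def is_custom(policy: dict) -> bool:
    return set(policy["Statement"][0]["Condition"]) != {"DateLessThan"}


def signed_params(policy: dict, key_pair_id: str, signer: Signer) -> Dict[str, str]:
    """Query-string parameters (or cookie values) for a policy."""
    raw = serialize_policy(policy)
    params: Dict[str, str] = {}
    if is_custom(policy):
        params["Policy"] = cf_base64(raw)  # custom policy travels with the request
    else:
        params["Expires"] = str(policy["Statement"][0]["Condition"]["DateLessThan"]["AWS:EpochTime"])
    params["Signature"] = cf_base64(signer(raw))
    params["Key-Pair-Id"] = key_pair_id
    return params


def signed_url(url: str, key_pair_id: str, signer: Signer, expires: int,
               ip_range: Optional[str] = None, not_before: Optional[int] = None) -> str:
    """Signed URL for a single file (the Resource is the URL itself)."""
    policy = build_policy(url, expires, ip_range, not_before)
    params = signed_params(policy, key_pair_id, signer)
    sep = "&" if "?" in url else "?"
    # Values are already URL-safe, so no further encoding is needed.
    return url + sep + "&".join(f"{k}={v}" for k, v in params.items())


def signed_cookies(resource: str, key_pair_id: str, signer: Signer, expires: int,
                   ip_range: Optional[str] = None, not_before: Optional[int] = None) -> Dict[str, str]:
    """Cookie names CloudFront reads; with a custom policy the resource may be a wildcard."""
    policy = build_policy(resource, expires, ip_range, not_before)
    return {f"CloudFront-{k}": v for k, v in signed_params(policy, key_pair_id, signer).items()}


def demo_signer(data: bytes) -> bytes:
    """Stand-in so the example runs offline (constructed; CloudFront rejects it).

    CloudFront requires an RSA-SHA1 signature made with the private key of the
    trusted key pair, e.g. with the `cryptography` package:
        key = serialization.load_pem_private_key(pem, password=None)
        signer = lambda d: key.sign(d, padding.PKCS1v15(), hashes.SHA1())
    """
    return hmac.new(b"demo-secret-not-a-real-key", data, hashlib.sha1).digest()


if __name__ == "__main__":
    expiry = 1_700_000_000  # constructed epoch timestamp
    print(signed_url("https://d111111abcdef8.cloudfront.net/premium/video.mp4",
                     DEMO_KEY_PAIR_ID, demo_signer, expiry))
    print(signed_cookies("https://d111111abcdef8.cloudfront.net/premium/*",
                         DEMO_KEY_PAIR_ID, demo_signer, expiry, ip_range="192.0.2.0/24"))
```

The cookie form is what the notes call "access to multiple files without changing the URLs": the wildcard `Resource` only works with a custom policy, so the policy document itself is sent in `CloudFront-Policy` rather than just an expiry. Keep the signing private key out of the edge and out of the browser; only the application that mints URLs/cookies should hold it.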
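The "Caching" scenario above (white-listing the headers, cookies and query strings that form the cache key, and separating static from dynamic content to maximize the hit rate) as an added simulation. This is example code, not the notes' or AWS's own; the requests are constructed sample traffic and the policies are hypothetical cache behaviors, with `/static/` keyed on host and path only and everything else keyed on the `lang` cookie and `page` query string. It replays the same requests through an empty edge cache under a "forward all" policy and under the tuned white lists and returns the hit counts. The white list must still include every attribute the origin actually varies its response on; an attribute that affects the response but is left out of the key means one viewer's cached response is served to another, which is the "cached based on correct headers and cookies" point for dynamic content.

```python
from typing import Callable, Dict, List, Tuple

# Marker meaning "forward everything" (the console's "Forward all" option).
ALL: Tuple[str, ...] = ("*",)


class CacheKeyPolicy:
    """Viewer attributes the Edge Location includes in the cache key.

    Anything not listed is normalized away, so requests differing only in an
    unlisted attribute share one cached object.
    """

    def __init__(self, headers=(), cookies=(), query_strings=()):
        self.headers = tuple(h.lower() for h in headers)
        self.cookies = tuple(cookies)
        self.query_strings = tuple(query_strings)


def _pick(attrs: Dict[str, str], allowed: Tuple[str, ...]) -> Tuple[Tuple[str, str], ...]:
    if allowed == ALL:
        return tuple(sorted(attrs.items()))
    return tuple((k, attrs[k]) for k in allowed if k in attrs)


def cache_key(request: dict, policy: CacheKeyPolicy):
    """Host and path are always part of the key; the rest follows the policy."""
    return (request["host"], request["path"],
            _pick(request["headers"], policy.headers),
            _pick(request["cookies"], policy.cookies),
            _pick(request["query"], policy.query_strings))


def simulate(requests: List[dict],
             policy_for_path: Callable[[str], CacheKeyPolicy]) -> Tuple[int, int]:
    """Replay requests through an empty edge cache; return (hits, total)."""
    cached = set()
    hits = 0
    for r in requests:
        key = cache_key(r, policy_for_path(r["path"]))
        if key in cached:
            hits += 1
        else:
            cached.add(key)
    return hits, len(requests)


# Hypothetical cache behaviors (constructed for this example).
FORWARD_ALL = CacheKeyPolicy(ALL, ALL, ALL)
STATIC = CacheKeyPolicy()                                   # host + path only
DYNAMIC = CacheKeyPolicy(cookies=("lang",), query_strings=("page",))


def forward_all(path: str) -> CacheKeyPolicy:
    return FORWARD_ALL


def tuned(path: str) -> CacheKeyPolicy:
    return STATIC if path.startswith("/static/") else DYNAMIC


def make_request(path, user_agent, session, lang=None, query=None) -> dict:
    """Constructed viewer request (not real traffic)."""
    cookies = {"session": session}
    if lang:
        cookies["lang"] = lang
    return {"host": "d111111abcdef8.cloudfront.net", "path": path,
            "headers": {"user-agent": user_agent, "accept-language": "en-US"},
            "cookies": cookies, "query": dict(query or {})}


SAMPLE_REQUESTS = [
    make_request("/static/app.css", "UA-1", "s1"),
    make_request("/static/app.css", "UA-2", "s2"),
    make_request("/static/app.css", "UA-3", "s3"),
    make_request("/static/app.css", "UA-1", "s4"),
    make_request("/api/products", "UA-1", "s1", lang="en"),
    make_request("/api/products", "UA-2", "s2", lang="en"),
    make_request("/api/products", "UA-3", "s3", lang="fr"),
    make_request("/api/products", "UA-1", "s4", lang="fr"),
    make_request("/api/products", "UA-2", "s5", lang="en", query={"page": "2"}),
    make_request("/api/products", "UA-3", "s6", lang="en", query={"page": "2"}),
]


if __name__ == "__main__":
    for name, chooser in (("forward all", forward_all), ("tuned white lists", tuned)):
        hits, total = simulate(SAMPLE_REQUESTS, chooser)
        print(f"{name}: {hits}/{total} hits")
```

Forwarding the per-user `session` cookie into the key makes every request a miss; dropping it for `/static/` and keying `/api/products` only on `lang` and `page` recovers most of the hits. If the API response actually depended on `session`, that cookie would have to stay in the key (or the path should not be cached at all).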

**Lambda@Edge**

* Can be used when you want custom filtering before reaching your application or run business logic at the edge locations.
* Deploy Lambda functions alongside the CloudFront distribution.
* Scenario:
  * Authentication & Authorization
  * Modify headers to increase hit rate
  * Dynamic web application at the edge
  * **Determine the device type in the HTTP request and redirect to the origins.**
  * Search Engine Optimization
  * Intelligently route across origins and data centers
  * Bot mitigation at the edge
  * Real-time image transformation
  * A/B Testing
  * User prioritization, tracking and analytics.
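The "determine the device type and redirect to the origins" scenario from the list above, as an added Lambda@Edge origin-request handler in Python (example code, not from the notes or from AWS). It reads the `CloudFront-Is-Mobile-Viewer` / `CloudFront-Is-Tablet-Viewer` headers that CloudFront populates, which only reach an origin-request trigger when they are white-listed in the cache policy or origin request policy, and swaps the request's custom origin. The origin hostnames and the sample event are constructed; the event layout (`Records[0].cf.request`, lowercase header names mapping to lists of `{"key","value"}`, and the `origin.custom` block) is the documented Lambda@Edge shape.

```python
# Constructed origin hostnames; substitute your own.
DESKTOP_ORIGIN = "desktop.example.com"
MOBILE_ORIGIN = "m.example.com"

# CloudFront sets these to "true"/"false", but forwards them to the origin
# (and so to an origin-request trigger) only when they are white-listed.
MOBILE_HEADERS = ("cloudfront-is-mobile-viewer", "cloudfront-is-tablet-viewer")


def header_value(headers: dict, name: str):
    """Lambda@Edge headers: lowercase name -> list of {"key", "value"} entries."""
    entries = headers.get(name.lower())
    return entries[0]["value"] if entries else None


def choose_origin(headers: dict) -> str:
    """Mobile and tablet viewers go to the mobile origin; everything else to desktop."""
    if any(header_value(headers, h) == "true" for h in MOBILE_HEADERS):
        return MOBILE_ORIGIN
    return DESKTOP_ORIGIN


def handler(event, context=None):
    """Origin-request trigger: switch the custom origin by device type."""
    request = event["Records"][0]["cf"]["request"]
    origin = choose_origin(request["headers"])
    request["origin"] = {"custom": {
        "domainName": origin, "port": 443, "protocol": "https", "path": "",
        "sslProtocols": ["TLSv1.2"], "readTimeout": 30, "keepaliveTimeout": 5,
        "customHeaders": {},
    }}
    # The Host header must be updated to match the new origin as well.
    request["headers"]["host"] = [{"key": "Host", "value": origin}]
    return request


def sample_event(is_mobile: bool, is_tablet: bool = False) -> dict:
    """Constructed origin-request event in the Lambda@Edge shape."""
    return {"Records": [{"cf": {
        "config": {"eventType": "origin-request"},
        "request": {
            "uri": "/index.html", "method": "GET", "querystring": "",
            "headers": {
                "host": [{"key": "Host", "value": "d111111abcdef8.cloudfront.net"}],
                "cloudfront-is-mobile-viewer": [
                    {"key": "CloudFront-Is-Mobile-Viewer", "value": str(is_mobile).lower()}],
                "cloudfront-is-tablet-viewer": [
                    {"key": "CloudFront-Is-Tablet-Viewer", "value": str(is_tablet).lower()}],
            },
            "origin": {"custom": {
                "domainName": DESKTOP_ORIGIN, "port": 443, "protocol": "https", "path": "",
                "sslProtocols": ["TLSv1.2"], "readTimeout": 30, "keepaliveTimeout": 5,
                "customHeaders": {},
            }},
        },
    }}]}


if __name__ == "__main__":
    for mobile in (False, True):
        out = handler(sample_event(is_mobile=mobile))
        print(f"mobile={mobile}: origin={out['origin']['custom']['domainName']}")
```

Because the device headers are part of the forwarded request, they should also be in the cache key for this behavior; otherwise a desktop response could be cached and served to mobile viewers (or vice versa), which is the same white-list consideration as in the "Caching" section.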
