CloudFront

Introduction

  • A global content delivery network (CDN) service using Edge Locations

Feature

  • Edge Location

    • The location where content is cached; separate from a Region / AZ

    • Used for both reads and writes

    • TTL from 0 s to 1 year, set by the origin.

    • Clearing (invalidating) cached objects is charged.

  • Origin

    • AWS Services

      • MediaPackage channel

      • S3

        • Enhanced security with CloudFront Origin Access Identity (OAI)

          • OAI can only be used if the origin is an S3 bucket (not an S3 static website endpoint)

      • ECS cannot be used as an origin directly

    • Custom Origin (HTTP)

      • ALB

        • Must be public (then link to private EC2 / ECS).

      • EC2 instance

        • Must be public

      • API Gateway

      • Route53

      • On-premises load balancer

    • Possibility to have a secondary origin for HA.

  • Distribution

    • The name given to the CDN configuration, which consists of a collection of Edge Locations

  • Delivery Method

    • Web

    • RTMP for media streaming

  • HTTPS

    • Viewer Protocol Policy

      • HTTP and HTTPS

      • Redirect HTTP to HTTPS

      • HTTPS Only

    • Origin Protocol Policy

      • HTTP Only

      • HTTPS Only

      • Match Viewer (communicates with the origin over HTTP or HTTPS, depending on the protocol of the viewer request)

    • Custom CA / Default CA

      • If you use your own domain name, such as example.com, you need an SSL/TLS certificate provided by ACM, or you import a certificate from a third-party certificate authority into ACM or the IAM certificate store.

      • If you use the default domain name that CloudFront assigned to your distribution, such as d111111abcdef8.cloudfront.net, CloudFront provides the default SSL/TLS certificate.

    • SSL / TLS termination and CA sources

      • For non-ELB resources (ex. EC2), the certificate must be issued by a 3rd-party CA like Comodo, DigiCert, Symantec.

      • For an ELB, the certificate can come from a 3rd-party CA or from ACM.

  • Creation options:

    • Signed URLs / Signed Cookies

      • Restrict viewer access (like premium)

      • Can attach policies:

        • Include URL expiration

        • Include IP ranges to access the data from

        • Trusted signers (which AWS accounts can create signed URLs)

      • Duration

        • Shared content: make it short

        • Private content: can make it last for years

      • Signed URLs / Signed Cookies are generated by our application using the AWS SDK.

      • A Signed URL grants access to one file and supports RTMP (real-time streaming)

      • Signed Cookies grant access to multiple files without having to change the URLs

    • Can use a black / white list for geographic areas

      • Can define country level restriction

  • CloudFront Signed URL vs S3 Pre-Signed URL

    • CloudFront Signed URL

      • Allow access to a path, no matter the origin

      • Account wide key-pair, only the root can manage it

      • Can filter by IP, path, date, expiration

      • Can leverage caching features

    • S3 Pre-Signed URL

      • Issue a request as the person who pre-signed the URL

      • Uses the IAM key of the signing IAM principal

      • Limited lifetime

  • Caching

    • Based on:

      • HTTP Headers

      • Session Cookies

      • Query String parameters

    • Scenario:

      • When a client sends a request with multiple headers, the Edge Location's whitelist of forwarded attributes (e.g. host, path, user-agent, protocol) defines the cache key used to match similar requests later on.

      • Maximize the hit rate by separating static and dynamic content

        • Static content: needs fewer headers / caching rules

        • Dynamic content: cached based on the correct headers and cookies

  • Field-level encryption

    • Works on top of HTTPS to additionally encrypt sensitive user data, up to 10 fields

  • Leveraging external data in Lambda@Edge (Ex. accessing rules file from an S3 bucket)

    • Include data in your function deployment package

    • Change the Lambda@Edge function code to fetch the file from the S3 URL once and keep it locally, instead of downloading the file directly from S3 on every invocation.

    • A global variable in the Lambda@Edge function can be used as a cache across invocations, but its durability is not guaranteed. (Don't remove the durable origin copy)

  • CloudFront Caching with API Gateway Caching

    • API Gateway (Edge-optimized)

      • Cache is on API Gateway; the Edge Location just forwards the request.

    • API Gateway (Regional)

      • Cache is on API Gateway.

      • More control over the CloudFront distribution in front of it (Edge Location behaviour).

    • API Gateway (Regional) + CloudFront (caching)

      • Caches exist on both.

    • Can enable CloudFront caching but disable API Gateway caching.

  • Security

    • Integrated with AWS Shield (DDoS protection) and AWS WAF.

  • Scenario

    • CloudFront + ALB with SSL

Lambda@Edge

  • Can be used when you want custom filtering before reaching your application or run business logic at the edge locations.

  • Deploy Lambda alongside the CloudFront.

  • Scenario:

    • Authentication & Authorization

    • Modify headers to increase hit rate

    • Dynamic web application at the edge

    • Determine the device type from the HTTP request and route to the appropriate origin.

    • Search Engine Optimization

    • Intelligently route across origins and data centers

    • Bot mitigation at the edge

    • Real-time image transformation

    • A/B Testing

    • User prioritization, tracking and analytics.
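
  The following is an added example (not part of the original notes) that ties together three of the points above: a viewer-request handler that normalizes the User-Agent header to raise the cache hit rate, an origin-request handler that routes by device type to a different origin, and a module-scope variable used as a best-effort cache for external rules (the pattern from "Leveraging external data in Lambda@Edge"). The rules loader, the origin hostnames under example.com and the sample event are constructed; the event shape is the one Lambda@Edge passes in event.Records[0].cf.

```javascript
'use strict';
// Added example: Lambda@Edge viewer-request + origin-request handlers with a
// module-scope rules cache. Everything below except the event shape is constructed.

// Constructed rules document standing in for a file kept durably in S3.
const FALLBACK_RULES = { mobileOrigin: 'mobile.example.com', desktopOrigin: 'www.example.com' };

// Module-scope cache: survives between invocations only while the container is
// warm, so it is an optimisation, never the source of truth.
let cachedRules = null;

// Hypothetical loader; a real function would fetch the S3 object here.
async function loadRules(fetchRules = async () => FALLBACK_RULES) {
  if (cachedRules === null) cachedRules = await fetchRules();
  return cachedRules;
}
function resetRulesCache() { cachedRules = null; }

// Collapse the high-cardinality User-Agent into a two-valued device class.
function classifyDevice(userAgent) {
  return /Mobile|Android|iPhone|iPad/i.test(userAgent || '') ? 'mobile' : 'desktop';
}

// Viewer request: runs before the cache lookup. Replacing User-Agent with the
// device class means all mobile (or all desktop) viewers share one cache entry.
// The header must be whitelisted in the cache policy for this to take effect.
function viewerRequest(event) {
  const request = event.Records[0].cf.request;
  const ua = (request.headers['user-agent'] || [{ value: '' }])[0].value;
  request.headers['user-agent'] = [{ key: 'User-Agent', value: classifyDevice(ua) }];
  return request;
}

// Origin request: runs on a cache miss, so it may re-point the custom origin.
// The Host header is updated to match, otherwise the new origin sees a mismatch.
async function originRequest(event, fetchRules) {
  const rules = await loadRules(fetchRules);
  const request = event.Records[0].cf.request;
  const ua = (request.headers['user-agent'] || [{ value: '' }])[0].value;
  const target = classifyDevice(ua) === 'mobile' ? rules.mobileOrigin : rules.desktopOrigin;
  request.origin.custom.domainName = target;
  request.headers.host = [{ key: 'Host', value: target }];
  return request;
}

// Constructed sample event in the Lambda@Edge shape (origin-request variant).
function makeEvent(userAgent) {
  return { Records: [{ cf: {
    config: { eventType: 'origin-request' },
    request: {
      uri: '/index.html', method: 'GET', querystring: '',
      headers: {
        host: [{ key: 'Host', value: 'd111111abcdef8.cloudfront.net' }],
        'user-agent': [{ key: 'User-Agent', value: userAgent }],
      },
      origin: { custom: { domainName: 'www.example.com', port: 443, protocol: 'https', path: '',
                          sslProtocols: ['TLSv1.2'], readTimeout: 30, keepaliveTimeout: 5, customHeaders: {} } },
    },
  } }] };
}

// Usage: normalise, then route a constructed iPhone request.
const sample = makeEvent('Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) Mobile/15E148');
viewerRequest(sample);
originRequest(sample).then(r => console.log(r.origin.custom.domainName, r.headers['user-agent'][0].value));
```

  Keeping the two concerns in separate triggers is deliberate: only viewer-request runs before the cache check, so that is where header normalization pays off, while the origin can only be changed in origin-request. The module-scope cache cuts S3 reads on warm containers but every cold start still reads the durable copy, which is why the notes say not to remove the origin object.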
