
CloudFront

Priority: Tier 3 | Domain 3: Design High-Performing Architectures | Domain 4: Design Cost-Optimized Architectures

Amazon CloudFront is a global Content Delivery Network (CDN) service that securely delivers content (cached or dynamic) to end-users with low latency and high data transfer speeds. It automatically maps network conditions and intelligently routes user traffic to the most performant AWS edge location to serve up cached or dynamic content.

Core Concepts & Overview

Amazon CloudFront is AWS's Content Delivery Network (CDN) service, designed to accelerate the delivery of web content to users worldwide.

CloudFront routes each viewer request to the edge location that can serve it with the lowest latency and delivers cached or dynamic content from there. It integrates with other AWS services so that developers can distribute content to end users with low latency, high transfer speeds and no minimum usage commitment. Frequently requested content is served from over 100 edge locations across the globe (the network has grown well past that figure; the exact count changes as AWS adds locations).
Technical Specs: over 100 edge locations across the globe
CloudFront can make content available globally or restrict it by viewer location. It speeds up delivery of static and dynamic web content by caching at edge locations, which cuts the number of network hops between viewer and content and so lowers latency. Because cached objects are served from the edge, the origin (an EC2 fleet, for example) receives far fewer requests, which reduces origin load and origin data-transfer cost.
When a viewer makes a request, CloudFront first checks whether the object is already cached at the edge location that received it. If it is (a cache hit) and its Time To Live (TTL) has not elapsed, the object is returned immediately. If not (a cache miss, or an expired object), CloudFront forwards the request to the origin, returns the origin's response to the viewer and caches it at that edge location for subsequent requests. CloudFront's DNS resolves each viewer to a nearby edge location, so content ends up cached close to the users who request it.
Edge locations are a worldwide network of small data centers where objects are cached. By default a cached object is considered fresh for 24 hours (a default TTL of 86,400 seconds) before CloudFront checks the origin for a newer version; the origin's Cache-Control or Expires headers and the cache policy's minimum, default and maximum TTLs change this. Setting all TTLs to 0 effectively disables caching: CloudFront forwards every request to the origin (as a conditional request, so an unchanged origin can answer 304 Not Modified). This is the "0-second expiration" that study guides describe.
Technical Specs: updated content checked every 24 hours by default; 0-second expiration period to disable caching
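The TTL rules above can be made concrete. The following is an added example, not code from this page or from AWS: it implements CloudFront's documented precedence (s-maxage over max-age over Expires; no-cache, no-store and private honoured unless the policy's minimum TTL forces caching; the default TTL when the origin sends nothing) as a Python function, and shows how the 24-hour default and the "TTL 0" case fall out of it. The origin header values fed in are constructed.

```python
"""Resolve the TTL CloudFront applies to an object, from the origin's headers
and the cache policy's minimum / default / maximum TTLs (all in seconds)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Values CloudFront pre-fills for a new cache policy: 0 s / 24 h / 365 d.
MIN_TTL_DEFAULT = 0
DEFAULT_TTL_DEFAULT = 86_400
MAX_TTL_DEFAULT = 31_536_000

NO_STORE_DIRECTIVES = {"no-cache", "no-store", "private"}


def parse_cache_control(value):
    """'max-age=300, Public' -> {'max-age': '300', 'public': None}; names lower-cased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def effective_ttl(origin_headers, min_ttl=MIN_TTL_DEFAULT, default_ttl=DEFAULT_TTL_DEFAULT,
                  max_ttl=MAX_TTL_DEFAULT, now=None):
    """Seconds the object stays fresh at the edge. 0 means every request is
    revalidated with the origin, which is what the '0-second expiration' does."""
    headers = {k.lower(): v for k, v in origin_headers.items()}
    cc = parse_cache_control(headers.get("cache-control", ""))

    # Origin says don't cache: CloudFront obeys, unless the policy's minimum TTL
    # is above zero, in which case it caches for exactly that minimum.
    if cc.keys() & NO_STORE_DIRECTIVES:
        return min_ttl

    # s-maxage targets shared caches and wins over max-age; either is clamped to [min, max].
    for directive in ("s-maxage", "max-age"):
        arg = cc.get(directive)
        if arg is not None and arg.isdigit():
            return max(min_ttl, min(int(arg), max_ttl))

    # Expires is consulted only when no max-age was given. An unparsable value
    # (the common 'Expires: 0') means 'already expired'.
    if "expires" in headers:
        now = now or datetime.now(timezone.utc)
        try:
            expires = parsedate_to_datetime(headers["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            remaining = max(int((expires - now).total_seconds()), 0)
        except (TypeError, ValueError, IndexError):
            remaining = 0
        return max(min_ttl, min(remaining, max_ttl))

    # Nothing from the origin: the policy's default TTL applies (24 h out of the box).
    return default_ttl


if __name__ == "__main__":
    # Constructed origin responses and the TTL each gets under the default policy.
    samples = {
        "no headers": {},
        "max-age=600": {"Cache-Control": "public, max-age=600"},
        "max-age too long": {"Cache-Control": "max-age=99999999"},
        "no-store": {"Cache-Control": "no-store"},
        "s-maxage wins": {"Cache-Control": "max-age=30, s-maxage=300"},
    }
    for label, hdrs in samples.items():
        print(f"{label:18} -> {effective_ttl(hdrs)} s")
    print("all TTLs 0        ->", effective_ttl({}, min_ttl=0, default_ttl=0, max_ttl=0), "s")
```

The clamping step is the one worth remembering: an origin that sends max-age=0 on a behavior whose minimum TTL is 300 will still be cached for five minutes, and an origin that sends a year will be cut to the maximum TTL.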
An origin is where CloudFront fetches content it does not have cached; it stores the original, definitive version of your objects. For HTTP content an origin is either an Amazon S3 bucket or an HTTP server: an Application Load Balancer, an EC2 instance, an API Gateway stage, a MediaPackage endpoint, or a web server you run anywhere, including outside AWS. CloudFront must be able to reach the origin over the network. AWS Shield (DDoS protection), AWS WAF and Lambda@Edge are not origins; they attach to the distribution and act on requests at the edge before anything reaches the origin. RTMP origins are history: CloudFront discontinued RTMP distributions on 31 December 2020.
A CloudFront distribution is the configuration that names your origins and controls how their content is delivered: which origin serves which paths, which HTTP methods are allowed and cached, the TTLs, the viewer protocol policy and the certificate. When you create a distribution CloudFront assigns it a domain name of the form d111111abcdef8.cloudfront.net; you can add your own alternate domain names (CNAMEs) as long as the distribution carries a certificate that covers them. To push a change before the TTL expires, you invalidate the affected paths (or /* for everything), which forces edge locations to fetch fresh copies from the origin. Invalidation is the fastest way to purge an object; the first 1,000 invalidation paths per month are free and paths beyond that are billed, so for frequent deployments prefer versioned object names (style.a1b2c3.css) and let old versions age out.

Features & Capabilities

CloudFront offers a variety of features to enhance content delivery, security, and access control for various use cases.

Content Delivery

CloudFront delivers both static and dynamic web content. Dynamic responses are either given a short TTL or excluded from caching altogether (for example with the managed CachingDisabled cache policy), while static assets get long TTLs. CloudFront caches only responses to GET and HEAD requests, plus OPTIONS if the behavior is configured to cache it. POST, PUT, PATCH and DELETE are never cached; when the behavior allows them they are forwarded to the origin unchanged. Allowed methods are chosen per cache behavior from three fixed sets (GET/HEAD; GET/HEAD/OPTIONS; all seven), so a read-only site should allow only GET and HEAD, which keeps write methods from ever reaching the origin through the CDN.
cached_http_methods: GET, HEAD, OPTIONS (OPTIONS only when explicitly enabled)
proxied_http_methods: POST, PUT, PATCH, DELETE (and OPTIONS when not cached)
Use Cases:
  • Speeds up delivery of static and dynamic web content
  • Supports low-latency real-time video streaming for global audiences
  • Caches on-demand video at edge locations

Security

Every CloudFront distribution is covered by AWS Shield Standard at no extra cost, which absorbs common network- and transport-layer DDoS attacks; AWS WAF can be attached to the distribution for layer-7 rules (rate limiting, SQL injection and XSS signatures, IP reputation lists, bot control). Field-Level Encryption encrypts specific sensitive form fields (a card number, for example) at the edge with an RSA public key you upload, so the values travel encrypted through the origin, load balancers and any logging until the single backend component that holds the matching private key decrypts them. Geo-restriction blocks or allows viewers by country, using the country CloudFront infers from the viewer's IP address; treat it as a licensing and compliance control rather than an access control, because a viewer behind a VPN or proxy in another country is not stopped. Signed URLs and cookies (next section) are the mechanism for actually restricting who may fetch an object.
protection_types: AWS Shield Standard (DDoS), AWS WAF integration, Field-Level Encryption, Geo-restriction
field_level_encryption_mechanism: encrypts specific sensitive data fields at the edge with an RSA public key uploaded to CloudFront
field_level_encryption_decryption_control: only applications holding the matching private key can decrypt the fields
Use Cases:
  • Protecting sensitive user-submitted information
  • Mitigating DDoS attacks
  • Restricting content access based on user geography

Access Control for Private Content

CloudFront offers mechanisms to deliver confidential content without exposing the origin. Origin Access Identity (OAI) is a special CloudFront principal that an S3 bucket policy can grant s3:GetObject to, so the bucket stays private and only CloudFront reads from it. Origin Access Control (OAC) is its successor and the recommended choice for new distributions: it uses the cloudfront.amazonaws.com service principal with a condition on the distribution's ARN, and unlike OAI it works with SSE-KMS encrypted objects and in every S3 Region. Signed URLs grant time-limited access to a single object; Signed Cookies grant access to multiple restricted objects (everything under /members/, say) without rewriting every link. Both are signed with a private key whose public half is registered with CloudFront, and the policy can additionally restrict the start time and the viewer's IP range. S3 pre-signed URLs generated with SigV4 cannot be valid for more than 7 days, so grants longer than that need CloudFront signed URLs or cookies instead.
restricted_access_mechanisms: Origin Access Identity (OAI, legacy), Origin Access Control (OAC), Signed URLs, Signed Cookies
s3_access_restriction_method: OAI/OAC restricts direct access to the S3 bucket; the bucket policy allows reads only from CloudFront
signed_url_cookie_use_case: temporary secure access to a single private object (URL) or to multiple restricted objects (cookies)
Use Cases:
  • Delivering confidential media files globally
  • Securing static websites with S3 origins
  • Providing temporary access to private files for users without AWS credentials
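Signed URLs, as an added example that is not code from this page or from AWS. It builds the canned policy (expiry only) and a custom policy (expiry, start time, source IP range) in the exact byte form CloudFront signs, applies CloudFront's own URL-safe base64 variant, assembles the query string, and includes an inspector that reads back what a signed URL grants and whether it has expired, which is the check you want when such a URL turns up in a log or a leak. The real signer is RSA-SHA1 with your key pair's private key (shown via the cryptography package); demo_signer is a stand-in so the example runs offline and produces no valid signature. The distribution domain, key pair ID and object paths are placeholders.

```python
"""CloudFront signed URLs: policy documents, CloudFront's base64 variant,
query-string assembly, and an inspector for URLs found in the wild."""
import base64
import hashlib
import json
import time
from typing import Callable, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit


def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
    Not the same as RFC 4648 urlsafe_b64encode, which CloudFront rejects."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def canned_policy(url: str, expires: int) -> str:
    """Expiry-only policy, serialized without whitespace: the signature covers these exact bytes."""
    statement = {"Resource": url, "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))


def custom_policy(resource: str, expires: int, not_before: Optional[int] = None,
                  ip_cidr: Optional[str] = None) -> str:
    """Custom policy: Resource may contain wildcards, and access can be fenced by
    start time and viewer source IP range on top of the expiry."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if ip_cidr:
        condition["IpAddress"] = {"AWS:SourceIp": ip_cidr}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": condition}]},
                      separators=(",", ":"))


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """The real signer: RSA PKCS#1 v1.5 over SHA-1 with the CloudFront key pair's private key.
    Imported lazily so the rest of this module works without the 'cryptography' package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA1())


def demo_signer(data: bytes) -> bytes:
    """Stand-in so the example runs offline. NOT a CloudFront signature; CloudFront
    would reject any URL signed with it."""
    return hashlib.sha1(b"demo-key:" + data).digest()


def sign_url(url: str, key_pair_id: str, expires: int, sign: Callable[[bytes], bytes],
             policy: Optional[str] = None) -> str:
    """Canned form when policy is None (Expires=... in the query), custom form otherwise
    (Policy=<cf_b64 policy>). Either way: Signature=<cf_b64 signature>&Key-Pair-Id=<id>."""
    if policy is None:
        params = {"Expires": str(expires)}
        to_sign = canned_policy(url, expires)
    else:
        params = {"Policy": cf_b64(policy.encode())}
        to_sign = policy
    params["Signature"] = cf_b64(sign(to_sign.encode()))
    params["Key-Pair-Id"] = key_pair_id
    joiner = "&" if urlsplit(url).query else "?"
    return url + joiner + urlencode(params, safe="-_~")


def inspect_signed_url(signed_url: str, now: Optional[int] = None) -> dict:
    """What does this URL grant, and is it still live? Decodes the custom policy if present."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(signed_url)
    query = dict(parse_qsl(parts.query))
    if "Policy" in query:
        statement = json.loads(cf_b64_decode(query["Policy"]))["Statement"][0]
        resource = statement["Resource"]
        expires = int(statement["Condition"]["DateLessThan"]["AWS:EpochTime"])
    else:
        # Canned policy: the resource is the URL minus the three signing parameters.
        rest = [(k, v) for k, v in parse_qsl(parts.query)
                if k not in ("Expires", "Signature", "Key-Pair-Id")]
        resource = parts._replace(query=urlencode(rest)).geturl()
        expires = int(query["Expires"])
    return {"resource": resource, "expires": expires,
            "key_pair_id": query["Key-Pair-Id"], "valid": now < expires}


if __name__ == "__main__":
    # Placeholder distribution domain, key pair ID and object.
    url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    ttl_end = int(time.time()) + 600  # ten minutes from now
    print(sign_url(url, "APKA9ONS7QCOWEXAMPLE", ttl_end, demo_signer))
    pol = custom_policy("https://d111111abcdef8.cloudfront.net/private/*", ttl_end,
                        ip_cidr="203.0.113.0/24")
    print(inspect_signed_url(sign_url(url, "APKA9ONS7QCOWEXAMPLE", ttl_end, demo_signer, policy=pol)))
```

Two things bite in practice: the policy JSON must be byte-identical between signing and encoding (no pretty-printing), and a canned policy is bound to one exact URL, so a leaked URL grants nothing else; a custom policy with a wildcard Resource grants the whole prefix until its DateLessThan passes, which is what the inspector surfaces.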

Integration with AWS services

CloudFront integrates natively with Amazon S3 as an origin. Route 53 alias records point your domain (including the zone apex) at the distribution's domain name. For HTTPS on your own domain the distribution carries a certificate from AWS Certificate Manager; it must be requested or imported in the us-east-1 Region whatever Region the rest of the site lives in, and the viewer protocol policy can redirect HTTP to HTTPS, which also helps with search engine ranking. S3 Transfer Acceleration reuses CloudFront's edge network: uploads and downloads enter at the nearest edge location and travel to the bucket over AWS's optimized backbone.
integrated_aws_services: Amazon S3, Amazon Route 53, AWS WAF, AWS Shield, Elastic Load Balancers (ALBs), Lambda@Edge, AWS Certificate Manager (ACM), S3 Transfer Acceleration
http_redirection: viewer protocol policy redirect-to-https (or https-only)
domain_association: Route 53 alias record (A/AAAA) pointing at the distribution's domain name
Use Cases:
  • Secure delivery of confidential content from S3
  • Improving global content delivery with custom domains and HTTPS
  • Accelerating S3 transfers over long distances

Configuring a CloudFront Distribution

procedure

Creating a CloudFront distribution involves specifying content origins and configuring how that content is delivered globally. This process allows for optimal performance, security, and cost efficiency.

Step-by-step process for setting up a CloudFront distribution to serve content, including origins, domain names, SSL certificates, and caching behavior.

Prerequisites

  • Content to be distributed (e.g., in an S3 bucket or on an HTTP server).
  • An AWS Account with appropriate IAM permissions to create CloudFront distributions.
  • Optional: SSL certificate for HTTPS (from AWS Certificate Manager).
1

Specify the origin of the distribution.

💡 The origin stores the original, definitive version of your objects. CloudFront pulls from it whenever a requested object is not cached or has expired.

Select your S3 bucket by its REST endpoint (e.g., backspace-lab.com.s3.amazonaws.com, not the s3-website endpoint, so that OAC or OAI can be applied), or an HTTP server on EC2, an ALB, or a custom origin.
2

Specify the type of distribution. Every distribution today is a web (HTTP/HTTPS) distribution; the RTMP streaming type shown in older material was discontinued at the end of 2020.

💡 Streaming media is now delivered over HTTP (HLS/DASH) through a web distribution, for example with AWS Elemental MediaPackage or S3 as the origin.

3

Configure content delivery settings, such as the viewer protocol policy (redirect HTTP to HTTPS, or HTTPS only).

💡 Ensures viewers reach the site over TLS and can improve search engine ranking.

4

Add alternate domain names (CNAMEs) for your distribution, such as your-domain.com and www.your-domain.com.

💡 Lets requests for your own domain resolve to the distribution. Each alternate name must be covered by the certificate attached in the next step.

5

Associate an SSL/TLS certificate with the distribution.

💡 Enables HTTPS on your domain. The certificate must come from ACM in us-east-1 (or be imported there) and should be paired with a minimum protocol version of TLSv1.2_2021.

6

Specify a default root object (e.g., index.html).

💡 This is the object CloudFront returns when a viewer requests the root URL of the distribution. Without it, a request for / goes to the origin as-is, which for an S3 REST endpoint yields an error (or a bucket listing, if s3:ListBucket is allowed).

7

Define cache behaviors with path patterns to control which origin serves which content and with what caching rules.

💡 Behaviors are evaluated in order, most specific path pattern first; the default behavior (*) catches everything else. This is where you attach different origins (S3 for /static/*, an ALB for /api/*), cache policies, allowed methods and signed-URL requirements.

8

Create the distribution.

💡 Starts the deployment of the configuration to all edge locations; the status changes to Deployed when every edge has it. Point your Route 53 alias record at the distribution's domain name once it is deployed.

9

Verify the distribution is working, then lock down the origin: replace any public-read bucket policy with one that allows only the OAC/OAI, and disable S3 static website hosting if it was on.

💡 Confirms traffic flows through CloudFront and closes the direct path to the origin, so WAF rules, geo-restrictions and signed URLs cannot be bypassed by fetching from S3 directly.
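Steps 1 to 9 as one artifact. The following is an added example, not code from this page or from AWS: it assembles the DistributionConfig dictionary that boto3's cloudfront.create_distribution accepts (S3 REST origin with an already-created OAC, redirect-to-https, GET/HEAD only, ACM certificate with a TLS 1.2 minimum, default root object, alternate domain names), generates the bucket policy that lets only that one distribution read the bucket (step 9), and lints both for the mistakes that quietly leave the origin reachable around the CDN. The bucket, Region, account ID, OAC ID, distribution ID and certificate ARN are placeholders; the managed CachingOptimized policy ID is AWS's published one but should be confirmed with `aws cloudfront list-cache-policies --type managed`.

```python
"""Build a CloudFront DistributionConfig plus the S3 bucket policy for its OAC,
and lint both for common ways the origin ends up reachable around the CDN."""
import json
import uuid

# AWS managed cache policy "CachingOptimized" (assumed; confirm with
# `aws cloudfront list-cache-policies --type managed`).
CACHING_OPTIMIZED = "658327ea-f89d-4fab-a63d-7e88639e58f6"
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}


def distribution_config(bucket, region, oac_id, aliases, acm_cert_arn, root_object="index.html"):
    """Steps 1-7 as the dict boto3's create_distribution(DistributionConfig=...) takes."""
    origin_id = f"s3-{bucket}"
    return {
        "CallerReference": str(uuid.uuid4()),           # idempotency token, unique per create
        "Comment": f"site for {aliases[0]}",
        "Enabled": True,
        "DefaultRootObject": root_object,                # step 6
        "Aliases": {"Quantity": len(aliases), "Items": list(aliases)},   # step 4
        "Origins": {"Quantity": 1, "Items": [{           # step 1
            "Id": origin_id,
            # REST endpoint, not <bucket>.s3-website-<region>.amazonaws.com: OAC signs
            # requests to the S3 API; the website endpoint only serves anonymous reads.
            "DomainName": f"{bucket}.s3.{region}.amazonaws.com",
            "OriginAccessControlId": oac_id,
            "S3OriginConfig": {"OriginAccessIdentity": ""},   # empty = no legacy OAI
        }]},
        "DefaultCacheBehavior": {                        # step 7 (default behavior)
            "TargetOriginId": origin_id,
            "ViewerProtocolPolicy": "redirect-to-https", # step 3
            "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"],
                               "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}},
            "CachePolicyId": CACHING_OPTIMIZED,
            "Compress": True,
        },
        "ViewerCertificate": {                           # step 5; cert must live in us-east-1
            "ACMCertificateArn": acm_cert_arn,
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        },
        "HttpVersion": "http2and3",
        "PriceClass": "PriceClass_100",
    }


def bucket_policy_for_oac(bucket, account_id, distribution_id):
    """Step 9: only this one distribution may read the bucket; no public statement."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
    }]}


def lint(config, bucket_policy):
    """Return the misconfigurations found (empty list = clean)."""
    findings = []
    for origin in config["Origins"]["Items"]:
        if "S3OriginConfig" in origin:
            if ".s3-website" in origin["DomainName"]:
                findings.append(f"{origin['Id']}: website endpoint, cannot be restricted with OAC/OAI")
            if not origin.get("OriginAccessControlId") and not origin["S3OriginConfig"]["OriginAccessIdentity"]:
                findings.append(f"{origin['Id']}: no OAC/OAI, bucket would have to be public")
    behaviors = [config["DefaultCacheBehavior"]] + config.get("CacheBehaviors", {}).get("Items", [])
    for behavior in behaviors:
        if behavior["ViewerProtocolPolicy"] == "allow-all":
            findings.append(f"behavior {behavior.get('PathPattern', '*')}: plain HTTP allowed to viewers")
    cert = config.get("ViewerCertificate", {})
    if config["Aliases"]["Quantity"] and not cert.get("ACMCertificateArn"):
        findings.append("alternate domain names without an ACM certificate")
    if cert.get("MinimumProtocolVersion") in WEAK_TLS:
        findings.append(f"minimum TLS {cert['MinimumProtocolVersion']} is below TLS 1.2")
    for stmt in bucket_policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous and not stmt.get("Condition"):
            findings.append(f"bucket policy {stmt.get('Sid', '<no Sid>')}: anonymous read, CloudFront is bypassable")
    return findings


if __name__ == "__main__":
    # Placeholder identifiers throughout.
    cfg = distribution_config("example-site-bucket", "eu-west-1", "E2EXAMPLEOAC1",
                              ["www.example.com", "example.com"],
                              "arn:aws:acm:us-east-1:111122223333:certificate/11111111-2222-3333-4444-555555555555")
    policy = bucket_policy_for_oac("example-site-bucket", "111122223333", "EDFDVBD6EXAMPLE")
    print(json.dumps(policy, indent=2))
    print("findings:", lint(cfg, policy) or "none")
    # Deploy order matters: the bucket policy needs the distribution ID (network calls, not run here):
    #   import boto3
    #   dist = boto3.client("cloudfront").create_distribution(DistributionConfig=cfg)["Distribution"]
    #   boto3.client("s3").put_bucket_policy(Bucket="example-site-bucket",
    #       Policy=json.dumps(bucket_policy_for_oac("example-site-bucket", "111122223333", dist["Id"])))
```

The lint is deliberately run on the config before create_distribution is called and again on the bucket policy after: a distribution that passes the first half but keeps a `Principal: "*"` read statement on the bucket still lets anyone fetch objects by their S3 URL, bypassing WAF, geo-restriction and signed URLs.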

Use Cases & Best Practices

CloudFront is versatile and can be applied in various scenarios to optimize content delivery, enhance security, and manage costs. Understanding these use cases helps in designing efficient architectures.

CloudFront is ideal for delivering popular static and dynamic content to geographically distributed users: confidential media cached globally behind signed URLs, real-time and on-demand video, or static HTML pages (daily reports, for example) in an S3 bucket that receive millions of views worldwide. It adds little when all users sit in one location or reach the site over a corporate VPN that terminates next to the origin; there, direct access performs about as well.
The deployment patterns below, for a site whose origin is S3 or a web server, trade freshness against origin load:
Static site, heavy assets only through CloudFront: S3 serves HTML, CSS and scripts directly while CloudFront caches large files such as images, video and code libraries. Site updates are immediate because the HTML is never cached, but HTML and CSS get no edge caching and the first request for them carries the full round trip to S3.
Static site, everything through CloudFront: all static content is delivered via CloudFront. This gives the best latency, but every change to the site must be followed by an invalidation (or the use of versioned file names) so that viewers receive the latest content.
Dynamic site, static assets through CloudFront: dynamic pages go straight to the origin while CloudFront caches images, videos and other large static files. Dynamic content is always current, but PHP (or other application) requests still reach the origin server and carry its latency and load.
Dynamic site, everything through CloudFront: both dynamic and static pages are served via the distribution, which greatly reduces load on the web server. The cost is careful TTL tuning: dynamic responses need TTLs low enough (often 0, relying on conditional requests) to stay reasonably current while still shielding the origin.

Integrations & Comparisons

CloudFront integrates with various AWS services to enhance content delivery, security, and performance. It's also important to understand its distinctions from other related services.

CloudFront caches content from Amazon S3 buckets at edge locations and integrates natively with S3. It minimizes load on S3 and offers scalability, performance, and cost efficiency for S3-backed content. CloudFront is often used with S3 for static website hosting, providing HTTPS capabilities and distributing content globally.
S3 Transfer Acceleration uses Amazon CloudFront’s globally distributed edge locations to accelerate file transfers (uploads and downloads) to and from S3. Data arrives at an edge location and is then routed to Amazon S3 over an optimized network path. This drastically reduces latency, especially for users far from the S3 bucket's region, and mitigates the impact of slow internet connections over long distances.
CloudFront is a fast content delivery network (CDN) service that improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery). AWS Global Accelerator, on the other hand, improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases like gaming (UDP), IoT (MQTT), or Voice over IP, and for HTTP use cases requiring static IP addresses or deterministic, fast regional failover, but it does not cache content.

Glossary

CDN (Content Delivery Network)
A global service that securely delivers frequently requested content to over 100 edge locations across the globe.
Edge Location
A worldwide network of small data centers where CloudFront caches objects. CloudFront directs each viewer to the edge location with the lowest latency for that viewer, so content is served and cached close to the users who request it.
Origin Server
The original source of Content (S3 Bucket, EC2 instance, Elastic Load Balancer). Location of content to be delivered. An origin server stores the original, definitive version of your objects.
Distribution
The setup including your origin servers and how the content from those servers is distributed via CloudFront.
Origin Access Identity (OAI)
A special CloudFront principal that an S3 bucket policy can grant read access to, so the bucket stays private and only CloudFront can fetch objects. Superseded by Origin Access Control (OAC), which uses the cloudfront.amazonaws.com service principal scoped to one distribution ARN.
Signed URLs
Supports secure delivery of confidential content via signed URLs. Control access to whole objects.
Signed Cookies
Supports secure delivery of confidential content via signed cookies. Grant access to multiple restricted objects.
Field-Level Encryption
Encrypts specific sensitive data fields at the edge (before reaching the origin). Sensitive information remains protected throughout the application stack. Only authorized applications with the correct private key can decrypt the data.
TTL (Time To Live)
Tells CloudFront how long to keep content cached at edge locations.
RTMP (Real-Time Messaging Protocol)
Adobe's streaming protocol; CloudFront RTMP distributions used an S3 bucket as the origin for streaming media. They were discontinued on 31 December 2020, so streaming is now delivered over HTTP (HLS/DASH) through a web distribution.

Content Sources

  • 08_AWS_Solutions_Architect_Associate_... SAA-C03 @CloudExpertSolutions
  • AWS Well-Architected Framework: Pilla...
  • RSARCH_EN-US_SG_M07_WAPRINCIPLES_Study_Guide
  • CloudFront
Extracted: 2026-01-24 12:42:13 (model: gemini-2.5-flash)