09 Content Delivery Flashcards
Describe CloudFront.
CloudFront is a distributed Content Delivery Network (CDN) that brings content closer to users by caching it at various edge locations.
Define the term ‘Origin’ in the context of CloudFront.
The Origin is the source CloudFront fetches content from on a cache miss: either an S3 bucket or a Custom Origin (any publicly reachable HTTP/HTTPS endpoint such as an ALB, an EC2 instance or an on-premises web server).
How does a Distribution function in CloudFront?
A Distribution is the unit of configuration in CloudFront that can have multiple origins and is identified by a unique DNS name (e.g., *.cloudfront.net).
What are Edge Locations in CloudFront?
Edge Locations are the small local caches that viewers connect to; Regional Edge Caches are larger caches that sit between the edge locations and the origin and serve many edge locations, so an object evicted from an edge can often be refilled without an origin fetch.
Explain the purpose of Behaviours in CloudFront.
Behaviours are attached to the distribution based on path matching and configure the origin, caching, and security settings.
How does CloudFront interact with other services?
CloudFront is a global service, but several of its integrations are pinned to us-east-1: the ACM certificate attached to a distribution must be issued in us-east-1, a WAF web ACL for a distribution uses the CloudFront (global) scope managed from us-east-1, and distribution metrics are published to CloudWatch in us-east-1.
What is the significance of Price Class in CloudFront Distribution settings?
Price Class selects which subset of edge locations serves the distribution (for example only North America and Europe, or all edge locations); it trades lower cost for higher latency to viewers in the excluded regions. It has nothing to do with origins.
Describe the role of WAF integration in CloudFront.
WAF integration lets a web ACL be attached to the distribution so web application firewall rules (managed rule groups, rate limiting, geo-match, custom rules) are evaluated at the edge before a request is served from cache or forwarded to the origin, protecting the application from common web exploits.
What are Alternate domain names and SSL certificates used for in CloudFront?
Alternate domain names (CNAMEs) let a distribution serve a custom hostname such as www.example.com instead of its default *.cloudfront.net name; a certificate covering that hostname must be attached to the distribution so that HTTPS works for it.
How does Logging function in CloudFront?
Logging provides detailed records of every request made to the distribution for analysis and monitoring: standard (access) logs are delivered to an S3 bucket, and real-time logs can be streamed to Kinesis Data Streams.
Explain the concept of Path pattern in Behaviour settings.
Path pattern in Behaviour settings allows the use of wildcards to match specific request paths for routing and configuration.
What are Allowed HTTP methods in CloudFront Behaviour settings?
Allowed HTTP methods specify which request types a behaviour accepts: GET and HEAD; GET, HEAD and OPTIONS; or all methods (adding POST, PUT, PATCH and DELETE). Anything else receives an error at the edge and never reaches the origin.
Describe the Viewer protocol policy options available in CloudFront.
Viewer protocol policy options include ‘HTTP and HTTPS’, ‘Redirect HTTP to HTTPS’, and ‘HTTPS Only’, determining how requests are handled.
What is Viewer Access in CloudFront?
Restrict Viewer Access makes a behaviour serve content only to requests that carry a valid signed URL or signed cookie; the signature must have been produced with a private key whose public key is in a trusted key group (or belongs to a trusted signer).
How does Field-level Encryption work in CloudFront?
Field-level Encryption uses a public key you upload to CloudFront to encrypt the values of specified POST form fields at the edge, so sensitive data (for example card numbers) stays encrypted along the whole path to the origin and can only be decrypted by the component that holds the private key.
Define the supported origin types in CloudFront.
The supported origin types in CloudFront are S3 buckets (including buckets configured as static websites, which are treated as custom origins), MediaPackage and MediaStore endpoints, and Custom Origins (any HTTP server such as an ALB or EC2 instance).
What is the purpose of the Origin path in S3 within CloudFront?
The Origin path in S3 maps requests to a specific sub-path within the S3 bucket, allowing for more granular content delivery.
Describe the purpose of Origin Access Control in CloudFront.
Origin Access Control (OAC) makes CloudFront sign its requests to S3 with SigV4 as the cloudfront.amazonaws.com service principal, so the bucket policy can grant s3:GetObject only to CloudFront for a specific distribution; with S3 Block Public Access left on, the bucket’s contents are reachable only via CloudFront. It supersedes the legacy Origin Access Identity (OAI).
How do Origin groups enhance availability in CloudFront?
Origin groups attach a primary and a secondary origin to a single behaviour: if the primary fails to respond or returns one of the configured failover status codes (e.g. 500, 502, 503, 504, 404), CloudFront retries the request against the secondary, improving availability.
Define the role of ACM in CloudFront security.
ACM (AWS Certificate Manager) is used to manage SSL certificates for securing connections in CloudFront.
Explain the significance of Server Name Indication (SNI) in CloudFront.
SNI is the TLS extension in which the client names the hostname it wants during the handshake; CloudFront needs it because many distributions share the same edge IP addresses, so without it the edge could not choose which certificate to present. Clients that do not support SNI need the dedicated-IP option, which costs extra.
What is the requirement for SSL certificates used with CloudFront?
Both connections (viewer to CloudFront and CloudFront to origin) must use certificates issued by a publicly trusted CA. The viewer-facing certificate must be in ACM in us-east-1 and must cover the distribution’s alternate domain names; the origin’s certificate must be publicly trusted and match the origin domain name, otherwise CloudFront returns a 502.
How can access to CloudFront distributions be restricted?
Access can be restricted using signed URLs and signed cookies (the CloudFront terms; ‘pre-signed URL’ is the S3 equivalent), combined with an OAC or OAI so the origin cannot be reached directly, and geo-restriction or WAF rules for coarser controls.
Describe the function of Origin Access Identities (OAI) in CloudFront.
OAIs are a legacy mechanism: a special CloudFront identity is associated with a distribution and referenced as the principal in the S3 bucket policy, so the bucket can only be read through CloudFront. New work should use OAC, which also supports SSE-KMS objects and a SourceArn condition.
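The bucket-policy shapes behind the OAC and OAI cards above, together with an audit check that flags a bucket policy granting object reads to anything other than this distribution. This is an added example for these flashcards, not AWS-provided code; the bucket name, account ID, distribution ID and OAI ID are placeholders.

```python
"""S3 bucket policies for a CloudFront origin, and a check that nothing else can read.
Added example for these flashcards, not AWS code; all identifiers are placeholders."""
import json

BUCKET = "example-private-assets"                                                     # hypothetical
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"   # hypothetical
OAI_ID = "E2QWRUHAPOMQZL"                                                             # hypothetical legacy OAI


def oac_bucket_policy(bucket, distribution_arn):
    """OAC: CloudFront signs origin fetches (SigV4) as the cloudfront.amazonaws.com service
    principal. The AWS:SourceArn condition is what stops ANY other distribution, including
    one in someone else's account, from pointing at this bucket and reading it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def oai_bucket_policy(bucket, oai_id):
    """Legacy OAI: the principal is a CloudFront-owned IAM user; no SourceArn pinning exists."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLegacyOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_origin_bucket_policy(policy, distribution_arn):
    """Return findings ('WARN ...' / 'INFO ...') for every Allow statement that grants object
    reads; an empty list means only this distribution can read the bucket through CloudFront."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"s3:getobject", "s3:get*", "s3:*", "*"}:
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"WARN {sid}: public read (Principal *); the bucket is reachable without CloudFront")
        elif isinstance(principal, dict) and "cloudfront.amazonaws.com" in _as_list(principal.get("Service", [])):
            # Condition keys are case-insensitive, so normalise before looking for the pin.
            equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
            if _as_list(equals.get("aws:sourcearn", [])) != [distribution_arn]:
                findings.append(f"WARN {sid}: CloudFront service principal not pinned to this distribution via AWS:SourceArn")
        elif isinstance(principal, dict) and "Origin Access Identity" in str(principal.get("AWS", "")):
            findings.append(f"INFO {sid}: legacy OAI grant; migrate to OAC")
        else:
            findings.append(f"WARN {sid}: read granted to {json.dumps(principal)}, which is not CloudFront")
    return findings
```

Keep S3 Block Public Access enabled alongside either policy; the audit only inspects the bucket policy, so an ACL or a cross-account IAM grant would still need separate review.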
What are the implications of using self-signed certificates with CloudFront?
Self-signed certificates are not supported; both connections must use public certificates.
How can custom origins be secured in CloudFront?
Custom origins can be secured with a custom origin header carrying a secret value that CloudFront adds to every origin fetch (the origin rejects requests without it), and with IP-based restrictions that only allow CloudFront’s published origin-facing address ranges (from ip-ranges.json or the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing).
What happens during the TLS handshake in CloudFront?
During the TLS handshake, Server Name Indication (SNI) is used to identify the hostname being connected to, allowing multiple distributions to share the same IP.
Explain the relationship between CloudFront and MediaPackage & MediaStore.
MediaPackage and MediaStore are services that can be integrated with CloudFront for media delivery.
What is the default domain used by CloudFront?
Each distribution gets a default domain name of the form <id>.cloudfront.net, which is covered by the default *.cloudfront.net certificate that AWS manages.
How can custom headers be utilized in CloudFront?
Custom headers can be added to origin fetches to provide additional context or authentication.
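Origin-side enforcement of the two protections from the custom-origin cards above: the shared-secret header that CloudFront adds on every origin fetch, and an allow-list of CloudFront’s published origin-facing IP ranges. This is an added example for these flashcards, not AWS code; the header name, the secret and the ip-ranges.json excerpt are constructed.

```python
"""Origin-side checks for a custom origin behind CloudFront.
Added example for these flashcards, not AWS code. Header name, secret and the
ip-ranges.json excerpt are constructed; the real list is
https://ip-ranges.amazonaws.com/ip-ranges.json (service CLOUDFRONT_ORIGIN_FACING)."""
import hmac
import ipaddress
import json

ORIGIN_VERIFY_HEADER = "x-origin-verify"            # hypothetical name of the origin custom header
ORIGIN_SECRET = "replace-with-a-long-random-value"  # hypothetical; keep it in Secrets Manager and rotate

# Constructed excerpt in the shape of ip-ranges.json; real prefixes change, so refresh them on a schedule.
IP_RANGES_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
    {"ip_prefix": "120.52.22.96/27", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
]})


def cloudfront_origin_networks(ip_ranges_json):
    """Only the origin-facing subset: the broader CLOUDFRONT list also contains viewer-facing
    edge addresses that never connect to origins, so allowing it widens the hole for nothing."""
    prefixes = json.loads(ip_ranges_json)["prefixes"]
    return [ipaddress.ip_network(p["ip_prefix"]) for p in prefixes
            if p["service"] == "CLOUDFRONT_ORIGIN_FACING"]


def header_matches(headers, expected=ORIGIN_SECRET, name=ORIGIN_VERIFY_HEADER):
    """Case-insensitive header lookup and constant-time comparison (missing header compares as '')."""
    got = {k.lower(): v for k, v in headers.items()}.get(name, "")
    return hmac.compare_digest(got.encode(), expected.encode())


def request_allowed(peer_ip, headers, networks):
    """Both checks must pass. The header proves CloudFront inserted it (CloudFront overwrites a
    viewer-supplied header of the same name); the peer address proves the TCP client is CloudFront."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks) and header_matches(headers)
```

The peer address must be the real TCP peer: behind an ALB the application sees the load balancer’s address, so put the range check in the ALB’s security group (the managed prefix list) and keep the header check in the application.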
What is the origin protocol in CloudFront?
The origin protocol policy defines how CloudFront connects to a custom origin: HTTP only, HTTPS only, or match viewer (use whatever protocol the viewer used). For HTTPS the origin must present a publicly trusted certificate matching its domain name.
How can ports be configured in CloudFront?
For custom origins, the HTTP and HTTPS ports CloudFront connects to can be configured (defaults 80 and 443); S3 origins always use the standard ports.
Describe the difference between Trusted Signer and Trusted Key Groups.
Trusted Signer is the legacy mechanism: signing keys are CloudFront key pairs created by the AWS account root user, so an entire account is trusted. Trusted Key Groups hold public keys uploaded through the CloudFront console or API (no root user needed) and can be rotated independently; they are recommended for new workloads.
How is a signed URL or cookie generated in the context of Trusted Key Groups?
You create an RSA key pair; the public key is uploaded to CloudFront and placed in a key group that the behaviour trusts. Your signing service uses the private key to sign a policy statement (object or path pattern, expiry, optional IP range), producing the signed URL or signed cookie; the edge verifies the signature with the public key from the key group.
Explain the limitation of signed URLs.
A signed URL grants access to exactly one object (the Resource in its canned policy), so every object needs its own URL; in exchange it works where cookies cannot be set, for example a download link in an email.
What is the purpose of cookies in relation to access control?
Cookies can be used for multiple objects, allowing broader access compared to pre-signed URLs.
Define cookie policies in the context of CloudFront.
Signed cookies carry a custom policy whose Resource can contain wildcards, restricting access to a path within the distribution (for example https://d111111abcdef8.cloudfront.net/private/*) together with an expiry time, an optional start time and an optional viewer IP range.
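A worked signing flow for the trusted-key-group, signed-URL and signed-cookie cards above: the canned policy behind a single-object URL, the custom policy with a wildcard Resource behind cookies, CloudFront’s base64 character substitutions, and the checks the edge performs. This is an added example for these flashcards, not AWS SDK code (in production use botocore’s CloudFrontSigner with a 2048-bit RSA key generated by openssl). To run offline it generates a throwaway 512-bit RSA key in pure Python, which is far too small for real use; the key-pair ID and distribution domain are placeholders.

```python
"""Signed URLs and signed cookies for a behaviour that trusts a CloudFront key group.
Added example for these flashcards, not AWS SDK code. Generates a throwaway 512-bit RSA
key in pure Python so it runs offline; far too small for real use. Only the PUBLIC half
would be uploaded to CloudFront (into a key group); the PRIVATE half stays on the signer."""
import base64, fnmatch, hashlib, json, random
from urllib.parse import parse_qs

KEY_PAIR_ID = "K1EXAMPLEKEYID"  # hypothetical ID CloudFront assigns to the uploaded public key
DIGESTINFO_SHA1 = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 SHA-1 prefix

def _is_probable_prime(n, rounds=24):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=512, e=65537):
    """Toy key {n, e, d} (random module, not a CSPRNG); CloudFront itself wants 2048-bit keys."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(n, message):
    """SHA-1 digest padded as 00 01 FF..FF 00 DigestInfo, the encoding CloudFront verifies."""
    k = (n.bit_length() + 7) // 8
    t = DIGESTINFO_SHA1 + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, k

def rsa_sha1_sign(key, message):
    em, k = _emsa_pkcs1_v15(key["n"], message)
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(k, "big")

def rsa_sha1_verify(pub, message, sig):
    em, k = _emsa_pkcs1_v15(pub["n"], message)
    return pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big") == em

def cf_b64(data):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")

def cf_b64_decode(text): return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))

def canned_policy(url, expires):
    """One object, one expiry; serialized without whitespace, exactly as it is signed."""
    stmt = {"Resource": url, "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}
    return json.dumps({"Statement": [stmt]}, separators=(",", ":"))

def custom_policy(resource, expires, source_ip=None):
    """Resource may contain wildcards; optional viewer IP range in CIDR form."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if source_ip:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]}, separators=(",", ":"))

def sign_url(key, url, expires, key_pair_id=KEY_PAIR_ID):
    """Canned-policy signed URL (url must not already carry a query string)."""
    sig = cf_b64(rsa_sha1_sign(key, canned_policy(url, expires).encode()))
    return f"{url}?Expires={expires}&Signature={sig}&Key-Pair-Id={key_pair_id}"

def signed_cookies(key, resource, expires, source_ip=None, key_pair_id=KEY_PAIR_ID):
    """Custom-policy signed cookies: the three CloudFront-* cookies the viewer sends back."""
    policy = custom_policy(resource, expires, source_ip).encode()
    return {"CloudFront-Policy": cf_b64(policy),
            "CloudFront-Signature": cf_b64(rsa_sha1_sign(key, policy)),
            "CloudFront-Key-Pair-Id": key_pair_id}

def edge_allows(pub, requested_url, now, cookies=None):
    """The edge's checks: signature valid for the policy, policy unexpired, Resource matches the
    requested object. A signed URL takes precedence over cookies. (IP condition not modelled.)"""
    base, _, query = requested_url.partition("?")
    q = parse_qs(query)
    if "Signature" in q:  # canned policy is rebuilt from the URL and Expires, never transmitted
        policy, sig = canned_policy(base, int(q["Expires"][0])), cf_b64_decode(q["Signature"][0])
    elif cookies:
        policy = cf_b64_decode(cookies["CloudFront-Policy"]).decode()
        sig = cf_b64_decode(cookies["CloudFront-Signature"])
    else:
        return False
    if not rsa_sha1_verify(pub, policy.encode(), sig):
        return False
    stmt = json.loads(policy)["Statement"][0]
    return now < stmt["Condition"]["DateLessThan"]["AWS:EpochTime"] and \
        fnmatch.fnmatchcase(base, stmt["Resource"])
```

Because the canned policy is reconstructed from the URL, changing the object name or the Expires value invalidates the signature; the custom policy travels with the cookies, so tampering with it is caught the same way.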
How does geo-restriction work in CloudFront?
Geo-restriction applies to the entire distribution (not per behaviour) and either allow-lists or deny-lists specific countries based on the viewer’s IP; finer-grained rules (per path, or combined with other conditions) need WAF geo-match rules instead.
Describe the caching process when a user requests data from CloudFront.
When a user requests data, DNS routes them to the closest edge location, which responds from its local cache or from the regional edge cache; if neither has the content, an origin fetch is performed and the object is stored on the way back.
What happens if neither the local cache nor the regional edge cache has the requested content?
An origin fetch is performed to retrieve the content.
Explain the caching behavior of CloudFront regarding write operations.
CloudFront does not cache writes; all write operations go directly to the origin.
What occurs when caching is enabled and the TTL expires?
CloudFront serves the cached object until its TTL expires or an invalidation removes it. Once the TTL has expired, the next request makes the edge revalidate with the origin using a conditional request (If-Modified-Since or If-None-Match); the origin answers 304 Not Modified if the object is unchanged, or 200 with a fresh copy.
What does a 304 Not Modified response indicate?
It is the origin’s reply to CloudFront’s conditional request after a cached object’s TTL expired: the cached copy is still current, so CloudFront refreshes the TTL and serves the cached object without downloading it again.
How is the default TTL set in CloudFront?
The default TTL (24 hours unless changed) is set in the behaviour’s cache policy together with a minimum and a maximum TTL; the origin can influence caching within those bounds with Cache-Control: max-age / s-maxage or Expires headers, which CloudFront clamps to the minimum and maximum.
What are invalidations in CloudFront?
Invalidations are requested against a distribution and remove objects from all edge caches before their TTL expires; they can be restricted to certain objects by path pattern (e.g. /images/*), take time to propagate, and are charged per path beyond a monthly free allowance.
What architectural pattern is recommended for fine-grained control over caching?
Versioned file names (e.g. style.v2.css instead of style.css) are the recommended pattern: a changed object gets a new cache key, so it is fetched immediately, old versions keep serving until they expire, rollback is trivial and no invalidations are needed.
Define the cache key in the context of CloudFront requests.
The cache key is the set of request attributes (the URL path plus whichever query strings, headers and cookies the cache policy includes) that determines whether a request matches an object already in the cache or triggers an origin fetch.
Describe the role of cache policy in caching.
Cache policy controls how caching is managed, including what elements are included in the cache key such as URL, query string parameters, cookies, request headers, and compression settings.
How are query string parameters treated by default in caching?
That depends on the cache policy: with a policy that excludes query strings, they are neither part of the cache key nor forwarded to the origin; you can instead include all parameters, a whitelist or everything except a blacklist, and anything included in the cache key is also forwarded. Forwarding a parameter without caching on it is configured separately in the origin request policy.
Define the purpose of Lambda@Edge.
Lambda@Edge allows lightweight Lambda functions to run at edge locations, enabling adjustments to data between the viewer and the origin.
What runtimes are supported by Lambda@Edge?
Only Python and Node.js are supported as runtimes for Lambda@Edge.
Explain the limitations of Lambda@Edge regarding VPCs and Lambda Layers.
Lambda@Edge functions cannot be attached to a VPC, cannot use Lambda Layers or environment variables, and run under tighter limits than regular Lambda: viewer-request and viewer-response functions are limited to 128 MB of memory and a 5-second timeout, origin-request and origin-response functions to 30 seconds, and the deployment package is much smaller.
How can Lambda functions be utilized in traffic flows?
Lambda functions can run as part of all four traffic flows: viewer request, origin request (only for cache misses), origin response (only for cache misses), and viewer response.
Describe a use case for Lambda functions in viewer requests.
Lambda functions in viewer requests can edit the request URL for A/B testing or modify content based on the user’s location.
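Handlers for three of the four Lambda@Edge triggers described above, in Python (one of the two supported runtimes): a viewer-request function that assigns an A/B bucket and rewrites the URI, an origin-request function that localises a path from CloudFront-Viewer-Country, and a viewer-response function that adds security headers and pins the A/B cookie. This is an added example for these flashcards, not AWS sample code; the cookie name, paths, locale map and the make_event() helper that builds a CloudFront event are constructed here.

```python
"""Lambda@Edge handlers (Python) for viewer request, origin request and viewer response.
Added example for these flashcards, not AWS sample code; cookie name, paths, locale map
and make_event() are constructed. Event shape is Records[0].cf.request / .response."""
import hashlib

AB_COOKIE = "ab-bucket"                                     # hypothetical experiment cookie
VARIANT_B_PREFIX = "/experiment-b"                          # hypothetical origin path for variant B
LOCALIZED_PRICING = {"DE": "de", "FR": "fr", "JP": "ja"}    # hypothetical country -> locale map


def header(msg, name):
    """Lambda@Edge lowercases header names and stores values as [{key, value}, ...]."""
    vals = msg["headers"].get(name.lower(), [])
    return vals[0]["value"] if vals else ""


def set_header(msg, name, value):
    msg["headers"][name.lower()] = [{"key": name, "value": value}]


def cookies_of(request):
    out = {}
    for h in request["headers"].get("cookie", []):
        for part in h["value"].split(";"):
            k, _, v = part.strip().partition("=")
            if k:
                out[k] = v
    return out


def bucket_for(request):
    """Cookie wins; otherwise derive a stable bucket from client IP + User-Agent so the
    request and response triggers agree without any shared state. Returns (bucket, from_cookie)."""
    c = cookies_of(request).get(AB_COOKIE)
    if c in ("a", "b"):
        return c, True
    seed = (request.get("clientIp", "") + header(request, "user-agent")).encode()
    return ("b" if hashlib.sha256(seed).digest()[0] & 1 else "a"), False


def viewer_request(event, context=None):
    """Runs on every request before the cache lookup, so the rewritten URI is what gets cached."""
    request = event["Records"][0]["cf"]["request"]
    bucket, _ = bucket_for(request)
    if bucket == "b" and not request["uri"].startswith(VARIANT_B_PREFIX):
        request["uri"] = VARIANT_B_PREFIX + request["uri"]
    return request


def origin_request(event, context=None):
    """Runs only on cache misses; CloudFront-Viewer-Country is present when the origin request
    policy forwards it, and CloudFront sets it itself so viewers cannot spoof it."""
    request = event["Records"][0]["cf"]["request"]
    locale = LOCALIZED_PRICING.get(header(request, "cloudfront-viewer-country"))
    if locale and request["uri"] == "/pricing":
        request["uri"] = f"/pricing/{locale}"
    return request


def viewer_response(event, context=None):
    """Runs on every response, hit or miss: add security headers; pin the A/B bucket in a cookie."""
    cf = event["Records"][0]["cf"]
    response = cf["response"]
    set_header(response, "Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
    set_header(response, "X-Content-Type-Options", "nosniff")
    set_header(response, "Content-Security-Policy", "default-src 'self'")
    bucket, from_cookie = bucket_for(cf["request"])
    if not from_cookie:
        set_header(response, "Set-Cookie", f"{AB_COOKIE}={bucket}; Path=/; Secure; HttpOnly; SameSite=Lax")
    return response


def make_event(uri, headers=None, client_ip="203.0.113.10", response=None):
    """Constructed CloudFront event in the Records[0].cf shape that Lambda@Edge receives."""
    request = {"uri": uri, "method": "GET", "querystring": "", "clientIp": client_ip,
               "headers": {k.lower(): [{"key": k, "value": v}] for k, v in (headers or {}).items()}}
    cf = {"request": request}
    if response is not None:
        cf["response"] = response
    return {"Records": [{"cf": cf}]}
```

Because the viewer-request rewrite changes the URI, variants A and B are cached as separate objects without adding the cookie to the cache key; the security headers are added in viewer response so they apply to cache hits as well.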
What is the significance of request headers in caching?
Specific request headers (for example Accept-Language or CloudFront-Viewer-Country) can be added to the cache key so that different header values get different cached objects. All headers cannot be included: forwarding every header effectively disables caching, and each header added fragments the cache, so include only the ones the origin actually varies on.
How do cookies affect caching behavior?
Cookies are not considered by default in caching, but specific cookies can be added to the cache key to influence caching behavior.
What is the function of compression settings in cache policy?
Compression settings in the cache policy enable gzip and/or Brotli support: when enabled, CloudFront compresses eligible objects at the edge and normalises the viewer’s Accept-Encoding header into the cache key, so a compressed and an uncompressed variant are cached and served as appropriate.
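A small model of the caching cards above (TTL from Cache-Control clamped to the policy bounds, 304 revalidation after expiry, path-pattern invalidation, and a cache key built from the query strings, headers and cookies the cache policy includes). This is an added example for these flashcards, not AWS code: it is a simplified model of the documented behaviour, and the origin built by make_origin() and its objects are constructed.

```python
"""Miniature model of a CloudFront edge cache: cache policy -> cache key, TTL from the
origin's Cache-Control within min/default/max, 304 revalidation, invalidation.
Added example for these flashcards, not AWS code; the origin in make_origin() is constructed."""
import fnmatch
import hashlib
import re
from urllib.parse import parse_qsl


class CachePolicy:
    def __init__(self, min_ttl=0, default_ttl=86400, max_ttl=31536000,
                 query_strings=(), headers=(), cookies=()):
        # Allow-listed query strings, headers and cookies join the cache key AND are forwarded
        # to the origin; everything else is neither cached on nor forwarded.
        self.min_ttl, self.default_ttl, self.max_ttl = min_ttl, default_ttl, max_ttl
        self.query_strings, self.cookies = set(query_strings), set(cookies)
        self.headers = {h.lower() for h in headers}

    def cache_key(self, path, query="", headers=None, cookies=None):
        qs = sorted((k, v) for k, v in parse_qsl(query) if k in self.query_strings)
        hs = sorted((k.lower(), v) for k, v in (headers or {}).items() if k.lower() in self.headers)
        cs = sorted((k, v) for k, v in (cookies or {}).items() if k in self.cookies)
        return (path, tuple(qs), tuple(hs), tuple(cs))

    def ttl(self, response_headers):
        """no-cache/no-store/private -> min TTL (0 by default); max-age (s-maxage preferred)
        clamped to [min, max]; no directive at all -> default TTL."""
        cc = response_headers.get("Cache-Control", "")
        if re.search(r"no-cache|no-store|private", cc):
            return self.min_ttl
        m = re.search(r"s-maxage=(\d+)", cc) or re.search(r"max-age=(\d+)", cc)
        return min(max(int(m.group(1)), self.min_ttl), self.max_ttl) if m else self.default_ttl


class EdgeCache:
    """One edge location: lookups, origin fetches with validators, invalidation."""
    def __init__(self, policy, origin):
        self.policy, self.origin, self.store, self.origin_fetches = policy, origin, {}, 0

    def get(self, path, query="", headers=None, cookies=None, now=0):
        """Returns (x-cache style result, body): Hit, RefreshHit (origin answered 304) or Miss."""
        key = self.policy.cache_key(path, query, headers, cookies)
        entry = self.store.get(key)
        if entry and now < entry[0]:
            return "Hit", entry[2]
        fwd_query = {k: v for k, v in parse_qsl(query) if k in self.policy.query_strings}
        fwd_headers = {k: v for k, v in (headers or {}).items() if k.lower() in self.policy.headers}
        if entry and "ETag" in entry[1]:  # expired copy: revalidate rather than refetch
            fwd_headers["If-None-Match"] = entry[1]["ETag"]
        self.origin_fetches += 1
        status, rheaders, body = self.origin(path, fwd_query, fwd_headers)
        if status == 304 and entry:
            entry[0], entry[1] = now + self.policy.ttl(rheaders), rheaders
            return "RefreshHit", entry[2]
        self.store[key] = [now + self.policy.ttl(rheaders), rheaders, body]
        return "Miss", body

    def invalidate(self, pattern):
        """Invalidation path ('/images/*' style); removes every cached variant of matching paths."""
        for key in [k for k in self.store if fnmatch.fnmatchcase(k[0], pattern)]:
            del self.store[key]


def make_origin(objects):
    """Constructed origin: objects maps path -> [body, Cache-Control value]; honours If-None-Match."""
    calls = []

    def origin(path, query, headers):
        calls.append((path, query))
        body, cache_control = objects[path]
        etag = '"' + hashlib.sha256(body.encode()).hexdigest()[:8] + '"'
        rheaders = {"Cache-Control": cache_control, "ETag": etag}
        if headers.get("If-None-Match") == etag:
            return 304, rheaders, None
        return 200, rheaders, body
    origin.calls = calls
    return origin
```

The model shows why versioned file names beat invalidation: a request for /index.html?v=2 is a different cache key and is fetched immediately, while a tracking parameter outside the policy’s allow-list neither fragments the cache nor reaches the origin.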