A Cantrill - Global Content Delivery and Optimization (CloudFront)

Question 1

Does Cloudfront support uploads directly to the CF distribution?

Answer 1

CloudFront distributions only support downloads, Uploads of content go only to the origin.

Question 2

Where is Caching and restrict viewer access settings located for CF?

Answer 2

CF Behaviors control caching and restricting viewer access.

Question 3

How do you ensure that the load on your origin is lowered in CF?

Answer 3

Set CF to get more frequent cache HITS

Question 4

List the Origin Headers available in CF.

Answer 4

Cache-Control max-age (seconds)
Cache-Control s-maxage (seconds)
Expires (Date & Time)
Custom Origin or S3 (Via object Metadata)

Question 5

What is the Default TTL in CF?

Answer 5

24 hours is the default

Question 6

What is a cache invalidation?

Answer 6

A path based (/images/whiskers.jpeg) action performed on a distribution and applies to all edge locations. This takes time to apply.

Question 7

What is the best practice for managing files, objects in CF?

Answer 7

Use versioned file names. This way your application can manage which version of a file or object that you want the end user to see

Question 8

Can ACM (.AWS Cert Manager) be used with EC2?

Answer 8

No ACM does NOT support EC2.

Question 9

Where are ACM certs contained to? Within Subnet, within AZ, within Region, globally available?

Answer 9

ACM certs cannot leave the region they and generated or imported in.
To use a cert with an ALB in ap-southeast-2 you need a cert in ACM in ap-southeast-2

Question 10

Where is the CF distribution Region located?

Answer 10

CF distrubtions are based in us-east-1. Then the distribution sends content out to each edge location in other regions.

Question 11

For ACM, what region do you select when you want to have a cert for your CF distribution?

Answer 11

us-east-1.

Question 12

What are the two SSL based connections in a CloudFront setup?
And which ones need public certificates?

Answer 12

Viewer => CloudFront and CloudFront => Origin

Both of these connections need valid public certificated (and intermediate certs)

Question 13

Do self signed certs with CF?

Answer 13

No, self signed certs do not work. Only publicly valid certs are compatible with CF.
Certificates issued by a trusted Certificate Authority(CA) such as Comodo, DigiCert, Symantic or ACM.

Question 14

How do you ensure that viewers only use CF URLs / distributions and do NOT have access to the origins?

Answer 14

“Restrict viewer access” - viewers must use CloudFront signed URLs or signed cookies to access your content.

Question 15

If your origin is a static S3 website for your CF distribution, what option do you select to ensure that the default path is set ? and what value would likely be used?

Answer 15

likely for a Static S3 website origin, “index.html” would be indicated in “default root object” option when creating your distribution.

Question 16

How are CF distributions billed?

Answer 16

CF is billed based on invalidations .

Question 17

What AWS service is associated with Origin Access Identities (OAI) in CloudFront?

Answer 17

S3 origins can utilize OAI to ensure origins are not accessed directly

Question 18

How are Private CF distros accessed?

Answer 18

Private CF is accessed via Signed URLs or Cookies

Question 19

What private access CF method is best for one object?

Answer 19

Signed URL gives access to one object only.

Question 20

What is Lambda@Edge?

Answer 20

Lambda@Edge allows cloudfront to run lambda function at CloudFront edge locations to modify traffic between the viewer and edge location and edge locations and origins.

Question 21

Whats the difference between CF and Global Accelerator?

Answer 21

CF brings content closer to the customer.
Global Accelerator moves the AWS network closer to the customer.

Question 22

Can CloudFront cache dynamic content?

Answer 22

CloudFront can cache both static AND dynamic content.

Question 23

What features are used together to ensure S3 buckets can only be accessed via CloudFront?

Answer 23

OAI and Bucket Policies.

Question 24

What is a likely issue when requests are missing the CF cache and going directly to the origin?

Answer 24

The Cache-Control max-age directive is set to low or zero.

If its set to 0, every request will skip CF and hit the origin.