AWS Cloudfront

Question 1

What is Cloudfront

Answer 1

CloudFront is a web service that gives businesses and web application developers an easy and cost-effective way to distribute content with low latency and high data transfer speeds.

CloudFront is a good choice for distribution of frequently accessed static content that benefits from edge delivery—like popular website images, videos, media files or software downloads.

Used for dynamic, static, streaming, and interactive content.

Question 2

Amazon CloudFront provides a simple API that lets you:

Answer 2

Distribute content with low latency and high data transfer rates by serving requests using a network of edge locations around the world.

Get started without negotiating contracts and minimum commitments.

Question 3

Does Cloudfront support Zone Apex Name

Answer 3

You can use a zone apex name on CloudFront.

Question 4

Does CloudFront supports wildcard CNAME

Answer 4

YES

Question 5

What is an Edge Location

Answer 5

An edge location is the location where content is cached (separate to AWS regions/AZs).

Requests are automatically routed to the nearest edge location.

Question 6

What is a Regional Cache

Answer 6

Regional Edge Caches are located between origin web servers and global edge locations and have a larger cache.

Regional Edge Caches have larger cache-width than any individual edge location, so your objects remain in cache longer at these locations.

Regional Edge caches aim to get content closer to users.

Dynamic content goes straight to the origin and does not flow through Regional Edge caches.

Question 7

Can you write to Edge Locations

Answer 7

Edge locations are not just read only, you can write to them too.

Question 8

What is an ORIGIN ?

Answer 8

An origin is the origin of the files that the CDN will distribute.

Origins can be either an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53 – can also be external (non-AWS).

When using Amazon S3 as an origin you place all your objects within the bucket.

Question 9

When using EC2 for custom origins Amazon recommend:

Answer 9

• Use an AMI that automatically installs the software for a web server.
• Use ELB to handle traffic across multiple EC2 instances.
• Specify the URL of your load balancer as the domain name of the origin server.

Question 10

Static websites on Amazon S3 are considered custom origins ? T?F

Answer 10

True

Question 11

Does CloudFront keep a persistent connections open with origin servers. T/F

Answer 11

True

Question 12

Can files be uploaded via CloudFront ?

Answer 12

Files can also be uploaded to CloudFront.

Question 13

How does one Configure HA for Origin Failover

Answer 13

Can set up CloudFront with origin failover for scenarios that require high availability.

Uses an origin group in which you designate a primary origin for CloudFront plus a second origin that CloudFront automatically switches to when the primary origin returns specific HTTP status code failure responses.

Question 14

To distribute content with CloudFront you need to create a distribution.

The distribution includes the configuration of the CDN including:

Answer 14

• Content origins.
• Access (public or restricted).
• Security (HTTP or HTTPS).
• Cookie or query-string forwarding.
• Geo-restrictions.
• Access logs (record viewer activity).

Question 15

What are the two types of Distributions

Answer 15

Web Distribution or RTMP

Question 16

What does Web Distribution Contain ?

Answer 16

• Static and dynamic content including .html, .css, .php, and graphics files.
• Distributes files over HTTP and HTTPS.
• Add, update, or delete objects, and submit data from web forms.
• Use live streaming to stream an event in real time.

Question 17

What does RTMP Distribution Contain

Answer 17

Distribute streaming media files using Adobe Flash Media Server’s RTMP protocol.

Allows an end user to begin playing a media file before the file has finished downloading from a CloudFront edge location.

Files must be stored in an S3 bucket.

Question 18

Cache Behaviour

Answer 18

Allows you to configure a variety of CloudFront functionality for a given URL path pattern.

Question 19

For each cache behavior you can configure the following functionality:

Answer 19

• The path pattern (e.g. /images/*.jpg, /images*.php).
• The origin to forward requests to (if there are multiple origins).
• Whether to forward query strings.
• Whether to require signed URLs.
• Allowed HTTP methods.
• Minimum amount of time to retain the files in the CloudFront cache (regardless of the values of any cache-control headers).

Question 20

You can restrict access to content using the following methods ?

Answer 20

Restrict access to content using signed cookies or signed URLs.

Restrict access to objects in your S3 bucket.

A special type of user called an Origin Access Identity (OAI) can be used to restrict access to content in an Amazon S3 bucket.

By using an OAI you can restrict users so they cannot access the content directly using the S3 URL, they must connect via CloudFront.

Question 21

What Allowed HTTP Methods can you Define

Answer 21

• GET, HEAD.
• GET, HEAD, OPTIONS.
• GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE.

For web distributions you can configure CloudFront to require that viewers use HTTPS.

Question 22

What is Field-Level Encryption?

Answer 22

Field-level encryption adds an additional layer of security on top of HTTPS that lets you protect specific data so that it is only visible to specific applications.

Field-level encryption allows you to securely upload user-submitted sensitive information to your web servers.

The sensitive information is encrypted at the edge closer to the user and remains encrypted throughout application processing.

Question 23

How long are objects cached for ?

Answer 23

Objects are cached for the TTL (always recorded in seconds, default is 24 hours, default max is 1 year).

Only caches for GET requests (not PUT, POST, PATCH, DELETE).

Dynamic content is cached.

Question 24

Restrictions Principles

Answer 24

Blacklists and whitelists can be used for geography – you can only use one at a time.

There are two options available for geo-restriction (geo-blocking):

1. Use the CloudFront geo-restriction feature (use for restricting access to all files in a distribution and at the country level).
2. Use a 3rd party geo-location service (use for restricting access to a subset of the files in a distribution and for finer granularity at the country level).

Question 25

What is Lambda@Edge ?

Answer 25

Can be used to run Lambda at Edge Locations. Lets you run Node.js and Python Lambda functions to customize content that CloudFront delivers.

Question 26

You can use Lambda functions at the following points

Answer 26

**After** CloudFront receives a **request** from a **viewer** (viewer request). **Before** CloudFront **forwards** the request to the **origin** (origin request). **After** CloudFront **receives** the **response** from the **origin** (origin response). **Before** CloudFront **forwards** the **response** to the **viewer** (viewer response).

Question 27

Lambda@Edge can do the following ?

Answer 27

* *Inspect cookies and rewrite URLs* to perform A/B testing. * **Exam Tip:** Send specific objects to your users based on the User-Agent header. * **Implement access control** by looking for specific headers before passing requests to the origin. * **Add, drop, or modify** headers to direct users to different cached objects. * **Generate new HTTP r**esponses. * Cleanly support legacy URLs. * Modify or condense headers or URLs to improve cache utilization. * **Make HTTP requests** to other Internet resources and use the results to customize responses.

Question 28

Signed URLs and Signed Cookies

Answer 28

A signed URL includes additional information, for example, an expiration date and time, that gives you more control over access to your content. This additional information appears in a policy statement, which is based on either a canned policy or a custom policy. CloudFront signed cookies allow you to control who can access your content when you don’t want to change your current URLs or when you want to provide access to multiple restricted files, for example, all the files in the subscribers’ area of a website.

Question 29

Use signed URLs in the following cases

Answer 29

You want to restrict access to individual files, for example, an installation download for your application. Your users are using a client (for example, a custom HTTP client) that doesn’t support cookies.

Question 30

Use signed cookies in the following cases:

Answer 30

You want to provide access to multiple restricted files, for example, all the files for a video in HLS format or all the files in the subscribers’ area of website. You don’t want to change your current URLs.

Question 31

Origin Access Identity Principles

Answer 31

Used in **combination** with signed **URLs** and signed **cookies** to restrict direct access to an S3 bucket (prevents bypassing the CloudFront controls). An **origin access identity (OAI)** is a special CloudFront **user** that is associated with the distribution. Permissions must then be changed on the Amazon S3 bucket to restrict access to the OAI. If users request files **directly** by using Amazon S3 URLs, they’re **denied** access. The **origin access identity** has permission to access files in your Amazon S3 bucket, but users don’t.

Question 32

AWS WAF

Answer 32

AWS WAF is a **web application firewall** that lets you monitor HTTP and HTTPS requests that are forwarded to CloudFront and lets you control access to your content. With AWS WAF you can **shield** access to content based on conditions in a web access control list (**web ACL**) such as: * Origin IP address. * Values in query strings. CloudFront responds to requests with the requested content or an HTTP **403 status code** (forbidden). CloudFront can also be configured to deliver a custom error page. Need to **associate** the relevant **distribution** with the web ACL.

Question 33

Domain Names - CloudFront

Answer 33

CloudFront typically creates a domain name such as a232323.cloudfront.net. **Alternate** domain names can be added using an **alias record** (Route 53).

Question 34

High Availability

Answer 34

**CloudFront caches** content at **Edge Locations** around the world. The more objects served by the cache, the fewer the requests to the origin. This reduces the load on your origin server and reduces latency. You can set up CloudFront with **origin failover** for scenarios that require high availability. To set up origin failover, you must have a distribution with at least two origins. Next, you create an **origin group** for your distribution that includes **two origins**, setting one as the primary. Finally, you create or update a **cache behavior** to use the **origin group.**

Question 35

CloudFront Charges

Answer 35

**You pay for:** * Data Transfer Out to Internet. * Data Transfer Out to Origin. * Number of HTTP/HTTPS Requests. * Invalidation Requests. * Dedicated IP Custom SSL. * Field level encryption requests. **You do not pay for:** * Data transfer between AWS regions and CloudFront. * Regional edge cache. * AWS ACM SSL/TLS certificates. * Shared CloudFront certificates.