AWS Cloudfront

Question 1

What is a AWS CloudFront?

Answer 1

CloudFront is a CDN but has extra functionality for dynamic content, RTMP and security such as geo-restriction..

Question 2

I need to mitigate DDOS attacks, is AWS CloudFront good mitigation and why?

Answer 2

Yes, it is because AWS CF has the ability to scale and AWS filters traffic the is not legit.

Question 3

I have an API and I want to provide caching for this API and also get the benefit of improving global performance, what options do I have?

Answer 3

Use CloudFront as it has the ability to deal with caching dynamic content from an origin, this includes API. The way it works is you set the TTL to 0, CF will perform a head request with the origin to know if the content has changed, if not it will serve the cached content if the content has changed them CF will do a get.

Question 4

What types of video stream can CF deal with?

Answer 4

On-demand
Pre-recorded
Live streaming

Question 5

From a video streaming perspective, what is the advantage of using CF.

Answer 5

You push the streaming content need the edge and users.

Question 6

How can I secure the content delivery by CloudFront?

Answer 6

• Signed URL’s

- Signed Cookies (Use Set_Cookie in request header)

Question 7

I am using HSL with CF, can I use signed URLs?

Answer 7

No, signed URLs are only good for static content, HLS is mead up of chunks and the viewer app has to keep requestion new chunks ever say 5sec, use signed cookies is the correct method.

Question 8

My company is using RTMP file and I want to make them available to users globally, what is my best option?

Answer 8

You can use s3 as the origin and CF to bring the content to the edge near the user, RTMP is supported for video streaming.

Question 9

I have an s3 origin and I request with HTTP, what will the CF to S3 be?

Answer 9

It will be HTTP as when s3 is the origin, protocol is matched. HTTP = HTTP and HTTPs = HTTPs

Question 10

I have an EC2 instance that accepts HTTP only, this is fronted by CF and the user requests HTTPS, what will happen?

Answer 10

Id HTTP only option on CF is set up the request will be sent to the origin as HTTP.

Question 11

I would like to server content for several origins, is this possible with CF?

Answer 11

Yes CF supports multiple origins.

Question 12

Can I have an on-prem as an origin for Cloudfront?

Answer 12

yes, you can point CF anywhere.

Question 13

can I invalidate CDN cache object or even everything?

Answer 13

Yes

Question 14

can I use my own SSL?

Answer 14

yes

Question 15

can I have custom error images?

Answer 15

yes?

Question 16

what HTTP methods are cached?

Answer 16

get
head
options

Question 17

For dynamic CF content, what does TTL 0 do?

Answer 17

If set to 0, CF will send a head request to see if anything in the content has changed, if it has then CF does a GET and stores the content.

Question 18

We want people from all around the world to upload files to our EC2 instances?

Answer 18

Use CF as it will allow upload and will send to EC2 over AWS backbone.

Question 19

Can we have CF send us to different origins based on the calling device?

Answer 19

Yes

Question 20

I have an S3 bucket that I want to use with CF to distribute the file, but I do not what users to be able to access directly with s3, what options do I have with CF?

Answer 20

Use origin access identity, this ensures CF is able to access the bucket.

Question 21

What is a multi-region CF origin design?

Answer 21

This is where we have multiple regions act as a origin for CloudFront.

Question 22

Can I use DNS names with CF?

Answer 22

Yes, you cna have CF look up any domain and where you use Route53, I can then have Route53 deliver based on latency-based routing.

Question 23

I want to use latency based routing with CF, what are my options.

Answer 23

You can point your CF CDN at route53 zone with latency based routing set up.

Question 24

With regard to cloudfront, what are the network benefits?

Answer 24

It reduces the number of hops

Question 25

I need to stream RTMP, what is my best option?

Answer 25

As S3 is the only supported origin for RTMP and, put the file in S3 and front with CF.

Question 26

I have to increase the security of information passing through cloudfront, I would like to encrypt fields in my data, is this possible?

Answer 26

Ye 100%, field level encryption is a feature of CF.

Question 27

I require the ability to encrypt fields send for processing of card payment transactions through CF to the origin, what options do I have?

Answer 27

We can use the encrypt fields feature of CloudFront, this will encrypt the field data sent through CF. You specify the set of fields in the post you want to encrypt.

Question 28

How many fields can I encrypt use field encryption with Cloudfront?

Answer 28

Up to 10.

Question 29

How cna I make more requests hit the cache?

Answer 29

Increase the TTL, forcing.

Question 30

How can we invalidate cached files without using invalidate to the caching server?

Answer 30

invalidate by using a different file name or a GUID attached tot he files name, this way the client is forced to go back and get the new file. You would update the file by generating a new name,

Question 31

What would happen if I added Cache-Control max-age to my origin?

Answer 31

It would set the max time available where the client would not come back to the CDN and Origan for a file until the max time was reached. This would help with the number of hits the organ is taking.

Question 32

How can I improve the hit ratio on the CDN?

Answer 32

• Cache-Control max-age
• Query string based caching
• Caching based on cookies

Question 33

I have a web application that received a query string through CF, the query string is for each language. I would like CF to cache each language page separately, what options do I have?

Answer 33

You cna use query string based caching to have CF cache ech seperta languate gage.

Question 34

What is query string based caching?

Answer 34

It enables you to have CF use the query string to cache sperate respon ces form the origan such as language file and then the next time the same querystring is used the casche will serve the content/file.

Question 35

Need to be able to clock certan counteries from accessing content, what options do i have for CF?

Answer 35

Using Geo Restrictions you can blcok cenrtan counteries.

Question 36

With S3 I need ot be able to block certan counteries from accessing content, what options do I have?

Answer 36

You cna add CF to the soliution and have CF blck certan GEOS.

Question 37

What is a CloudFront Distribution?

Answer 37

It is the entity that contains the information for,

• Origin or origin groups
• Behaviours
• Error pages
• Restrictions
• Invalidation
• Tags

Question 38

What type of streaming media is supported by CloudFront?

Answer 38

RTMP, but you can also distribute media files over HTTP and HTPPs

Question 39

I have a set of a media file and I wnat to distribute them globally and want to have my user fast access to them, what can I do?

Answer 39

You cna use CF to distribute the files.

Question 40

We are live streaming contents using HTTP and HTTPS in, I wnat to distribute this globally, what are my options?

Answer 40

You cna use CloudFront.

Question 41

I am using RTMP and I wnat to use CloudFront, can I use my on-prem origin?

Answer 41

No, you have to use S3

Question 42

What is a CloudFront distribution?

Answer 42

It is an entity that describes the functions and properties that apply to your instance of the CloudFront service.

Question 43

What origins dose CloudFront support?

Answer 43

• s3
• EC2
• On-prem (any public endpoint with compatible content)

Question 44

For CloudFront what type of distributions are supported?

Answer 44

• Web: static content, HTTP and HTTPS medial files, Update and delete objects and live to stream.
• RTMP

Question 45

I am using RTMP, I wnat to store my file on-prem, how cna I configure this?

Answer 45

You can RTMP only supports s3.

Question 46

What is the content origin?

Answer 46

It is where the data/file is living or coming from.

Question 47

What is an Origin fetch?

Answer 47

This is where CloudFront fetches the content from the origin.

Question 48

What is the viewer protocol?

Answer 48

This is the client protocol that is making requests to AWS?

Question 49

What is the Origin protocol?

Answer 49

This is the protocol used to connect with the origin during and origin fetch?

Question 50

I wnat to restrict access to the bucket and force people To access content through the CloudFront, how can do this?

Answer 50

CloudFront has a setting, you cna also set up an s3 policy on the s3 bucket to restrict any request to CloudFront.

Question 51

What option do I have when the connecting to an Origin form CloudFront?

Answer 51

These are for other origins and, not s3.

• TLS v1.2, 1.1, 1
• HTTP and HTTPs, Match viewer
• Response time out
• HTTP Port
• HTPS Port

Question 52

What viewer protocol setting can I have?

Answer 52

• HTTP + HTTPs
• Restrict HTTP to HTTPs
• HTTPs only.
• Restrict HTTP type requests like GET, HEAD, GET HEAD OPTIONS, all HEET requests.

Question 53

What are the encrypted fields?

Answer 53

This is where you get to select an option for your distribution that encrypts all the fields in your request, do data is encrypted all the way to the origin.

Question 54

For pricing on CloudFront, what are the options I have?

Answer 54

• US, Canada, Europe
• US, Canada, Europe and Afarica
• All locations.

Question 55

I wnat to add a WAF to my CloudFront is this possible?

Answer 55

Yes

Question 56

I am using CloudFront as a caching layer for my content and also as a gateway for my API, I am getting SQL injection attacks and would like to stop them, what options do I have?

Answer 56

Put a WAF in front of the CloudFront distribution.

Question 57

What is Server Name Indication (SNI)?

Answer 57

It is a TLS feature that enables a host to say what host it wnat to connect with, this is so when the host connects to an LB or CDN the LB or CDN can return the correct cert.

Question 58

For CloudFront, where do I get the cert form?

Answer 58

ACM

Question 59

What is the order the CloudFront cache is checked?

Answer 59

Edge (local) cache and then regional cache and then the origin.

Question 60

What is the Lambda edge used for?

Answer 60

It can be used to alter the request coming in or the response going back form CloudFront.

Question 61

Can I geo restrict CloudFront?

Answer 61

Yes in your distribution you have the ability to create a geo whitelist of countries you wnat to allow.

Question 62

What TLS version should you use for CloudFront?

Answer 62

TLSv1.1_2016

Question 63

I have two origins, one for jpgs and the other for MPEGs, how cna I configure CloudFront distribute both origins content?

Answer 63

Set up distribution with two behaviours pointing to the two origins. One behaviour with a path pattern of images/.jpg and the other origin of /video/.mpg

Question 64

What is a custom origin?

Answer 64

It is where you create the origin to be in

Question 65

When I am looking to use a custom origin, can this be in a private network?

Answer 65

No, the custom origin must be in a publicly accessible network.

Question 66

When I am using s3 as an origin can I access many of the origin setting such as TLS, Match viewer?

Answer 66

No.

Question 67

How can I stop CloudFront been bypassed for s3?

Answer 67

When using s3 you can use the setting “Restrict bucket access”, this will restrict bucket access to only requests coming from CloudFront.

Question 68

How can I stop CloudFront been bypassed for custom origins?

Answer 68

You cna inject header to the request been sent to the origin form CloudFront

Question 69

My organization requires me to encrypt all traffic end to end, how cna I have an end to end encryption with CloudFront CloudFront?

Answer 69

You can use HTTPS and set viewer policy to HTTPs. You can also use field-level encryption, but not on its own as fields are only encrypted from CloufFront to the origin and not from client to origin if HTTP was to be used.

Question 70

I am using S3 as an origin for CloudFront, can I force any protocol?

Answer 70

No, the client protocol type will be used when doing an origin fetch to the origin form CloudFront.

Question 71

I need an end to end encryption where I control the encryption and certs used and authenticate the server and client, can I use CloudFront?

Answer 71

CloudFront acts as a man in the middle, you connect with CloudFront and CloudFront connects with your origin client. For use cases where you have to have end to end control, CloudFront may not be suitable

Question 72

A number of bad actors are sending malformed requests to your application, I have CloudFront deployed, should I be concerned?

Answer 72

No, CloudFront will only send good requests to the origin all malformed request will be filtered out.

Question 73

Can I use a self-signed cert for my CloudFront client connections?

Answer 73

No, you have to use public trusted cert, this could be a ACM cert.

Question 74

I am creating an ELB as an origin for CloudFront, what do I need to configure?

Answer 74

You will need a public trusted cert on the ELB, this cna be an ACM cert. You need to ensure the domain name of the cert matches the origin.

Question 75

What is an OAI?

Answer 75

It is an origin access identity and is used to ensure thet users can not bypass the CloudFront.

Question 76

How does an OAI work for CloudFront?

Answer 76

You create an OAI in a CF distribution behaviour, under restrict bucket access, this identity will be used by s3 bucket policy to ensure the request is coming from CloudFront. This policy can be added automatically to s3 form CloudFront console.

Question 77

What is a pre-signed URL?

Answer 77

It is a time-limited URL that is signed by a user to enable another user to use the URL to access an object.

Question 78

Can a user that does not have permissions to access object X in an s3 bucket create a signed URL for object X?

Answer 78

Yes, but the users of the URL will not be able to access object X, the permissions of the pre-signed URL to access the object X come from the singing user, if the users do not have permission then the user of the signed URL will not be able to access object X.

Question 79

Can U use signed URL to access an origin bucket?

Answer 79

No, but signed cookie allows this but signed cookies may not be convenient to a user unless the user is using an app that hides the complexity.

Question 80

What happens when I enable ‘Restrict Viewer Access’?

Answer 80

The viewer must use signed URLs or Cookies.

Question 81

What are the trusted signers?

Answer 81

They re the people that can sign URLs or cookies, this a be self or account

Question 82

Is signed URLs or cookies applied to the CF distribution?

Answer 82

No, they are part of the behaviour

Question 83

I am using RTMP, can I use single URL’s?

Answer 83

No, only cookies.

Question 84

Is it possible to create a blacklist for CF to restrict countries?

Answer 84

Yes

Question 85

Is it possible to create a white list for CF to allow countries?

Answer 85

Yes

Question 86

I wnat to use a third party check to restrict users from some countries accessing content via CF, how cna I do this?

Answer 86

CF has geo white/blacklisting but as you wnat to use a third party check on use geo, you cna use signed URLs. This is where the request for the file/object/image arrives at your server where you perform the go check and then redirect using signed URLs.

Question 87

I need to use a private key to encrypt my CF field data and then use the same key on my custom host to decrypt the data, how can I configure this?

Answer 87

You use CF field level encryption and use you private customer key to encrypt the data at both the CF and the origin.

Question 88

What is cache hist and miss?

Answer 88

• Hist is when the content you want is present on the cache.

- Miss is when the content is not in the cache.

Question 89

How can you optimise the cache so there are fewer hits on your web server?

Answer 89

Make the TTL longer.

Question 90

I have web weather update site where updates happen every 10 seconds, I have a TTL of 5min with CF, how can I make it so the users see the content updates faster?

Answer 90

Reduce the TTL to 9sec so the content will refresh sooner.

Question 91

By default how long will an object be cached for on CF?

Answer 91

24hrs (86400)

Question 92

If an origin has a cache header will it be used or C?

Answer 92

Provided it is inside the min - mas asset in the CF behaviours if now the main and mas will be used to override the origins.

Question 93

How can you deal with invalidating CF content when you have set long TTLs?

Answer 93

You can change the name of the file you are referencing, you would do this in your application first day, set it up as part of your build version. This means that for each new version of the app you get new static content.

Question 94

By default does CloudFront pass on query strings?

Answer 94

No

Question 95

In CF, for query strings, what can I do to have CF cache based on query strings?

Answer 95

You have the option to cache on ‘all’

Question 96

In CF, I am configuring cache based on the query string, I wnat to cache on language (language=fr) but not on other query values, how cna I configure this?

Answer 96

You can use the option to whitelist the quest string parameters you do not what to be in scope.

Question 97

What re the Lambda HTTP events you can use with CF edge?

Answer 97

• Viewer request,
• Viewer response
• Origan request
• Origan responce

Question 98

I wnat to see the total cache hits and misses and status codes form CF, how cna I do this?

Answer 98

CF provides Cache stats and you can also see them on CloudWatch.

Question 99

Can I set alarms on the CloudFront?

Answer 99

Yes and also CloudWatch

Question 100

I wnat to better understand the countries that are accessing my CloudFront, how can I do this?

Answer 100

Turn on access logs, these will be stored to s3.

Question 101

I am using CF and I wnat to analyze my data, how can I do this?

Answer 101

You can enable the access logs to be exported to s3 bucket and use Atena to analyze the logs.

Question 102

What is a distribution?

Answer 102

This is the container you use to define your distribution.

Question 103

What type of CloudFront distribution can you have?

Answer 103

Web (web content)

RTMP (Adobe Video) (!!!Endo of life and discontinued 31st Dec 2020)

Question 104

What origins are supported with CloudFront?

Answer 104

• S3
• ELB
• Media package
• Media store
• Custom origin

Question 105

I have a live video that is been encoded and the stream needs to be pushed to millions of subscribers all around the world, how can I do this?

Answer 105

Use elemental media store to receive the encoded video stream as a custom origin for CloudFront. elemental media store will receive the media stream store it and act as an origin for CloudFront.

Question 106

How cna I filter CF requests?

Answer 106

You cna add a WAF and create an ACL

Question 107

Where are the SSL certs stored for CF?

Answer 107

AWS Cert Manager

Question 108

Does CF support IPv6?

Answer 108

Yes 100%, it is optional.

Question 109

Can I use RTMP with origins other than S3?

Answer 109

No, you have to use S3

Question 110

What is the viewer protocol policy?

Answer 110

This policy defines if the client can use HTTP, HTTPS or be redirected from HTTP to HTTPS or HTTPS only.

Question 111

What is the allowed method option?

Answer 111

Get, HED
GET, HEAD, OPTIONS
GET, HEAD, OPTIONS, PUT, PATCH DELETE

Question 112

Can I encrypt the data/body in an HTTP post with field-level encryption?

Answer 112

No, only the fields

Question 113

Can I encrypt 11 fields with field-level encryption?

Answer 113

No, only 10 fields

Question 114

What encryption is used for field-level encryption?

Answer 114

Asymmetric encryption, public-private.

Question 115

How does field-level encryption work for CF?

Answer 115

• App owner sets up the fields to be encrypted in CF
• App owner creates a public-private key and shared the key with CF
• CF will use this key to encrypt the field data at the edge location
• When a client makes a request to CF the edge will encrypt the data using the key supplied by the app owner.
• The app will receive the request and use its private key to decrypt the data.

Question 116

I wnat to ensure thet people can not go around CF and preform HTTP request directly to the S3 bucket?

Answer 116

You cna use the ‘Restrict bucket access’, I think this creates an S3 policy ensuring the request is coming form CF. You could alos apply this to the bucket direct.

Question 117

What are the distribution locations?

Answer 117

• US, Canada, EU
• US, Canada, EU, ASIA and Africa
• All edge locations

Question 118

Can you use your own certs, explain?

Answer 118

Yes you can import your own certs to ACM and use with CF

Question 119

How can I use different origins with CF?

Answer 119

You can use ‘behaviours’ and create a match pattern to get CF to route to any origin you wnat.

Question 120

How cna I restrict access?

Answer 120

Signed URL or Cookie

Question 121

Are signed cookies per distribution or per behaviour, explain?

Answer 121

Per behaviour, they are configured on the behaviour so we can have different requirements based on the origin.

Question 122

What is a regional cache?

Answer 122

This is wherein a region there is a larger cache node used to help edge location not have to reach all the way back to the origin for the content. What happens is the regional cache will fetch when asked by an edge cache node and if other edge nodes in the region ask for the same content it is already in the region cache so it cuts down on distance travelled for the request.

Question 123

How would I use lambda at the edge?

Answer 123

You can use lambda to modify the edge,

• Viewer requests
• Viewer response
• Origan requests
• Origan response

Question 124

I have content thet is now stale, what can I do?

Answer 124

You can invalidate the content, CF will delete the content you ask it to using ‘invalidate content’

Question 125

When you are creating and updating CF distributions, how long can it take?

Answer 125

Up to 45 min.

Question 126

What is an origin group used for?

Answer 126

It is a set of origins thet can be used as a group with failover then one or more are not available.

Question 127

Can you have more than a single origin?

Answer 127

Yes 100%, you can have many origins thet can use used with behaviours to a route request.

Question 128

How does CF decide on the certs to use for HTTPS requests?

Answer 128

There are two options here,

• Use SNI, this is where the request is sent to the edge node by Route 53 deciding on the node to use. The request arrives at the node and the SSL handshake is performed and SNI used to get the correct cert.
• Dedicated IP edge nodes are used for browsers without SNI, Older browsers.

Question 129

I have a client using browsers thet do not support SNI, what should I use with CF?

Answer 129

Dedicated IP, where edge nodes will have dedicated IP to receive requests. This costs way more.

Question 130

What is the CF security policy?

Answer 130

This is a list of cyphers and encryption used by CF,

• TLSv1
• TLSv1_2016
• TLS1.1_2016 (recommended)
• TLSv1.2_2018

Question 131

Can you select to use a different version of HTTPprotocal?

Answer 131

Yes

Question 132

Can you enable and disable distributions?

Answer 132

Yes

Question 133

Can you use custom origins with CF?

Answer 133

Yes, 100% you cna point CF at near any IP visible on the public internet.

Question 134

Can you pass custom headers to the origin?

Answer 134

Yes, there is an option to define customer headers in the distribution set up and have them passed.

Question 135

The client and the distribution are using the same origin headers, which will win out?

Answer 135

The ones defined in the CF distribution.

Question 136

When using a custom origin and we have ‘Match viewer’, explain?

Answer 136

This means the origin fetch protocol will be using the same protocol as the request?

Question 137

When it comes to security what advantages have CF got?

Answer 137

CF is filtering malformed HTTP requests at the edge.

Question 138

I wnat to add an ACL to my CF distribution, how cna I do this?

Answer 138

Add a WAF to CF and add an ACL.

Question 139

Can you use self-signed certificates with CF?

Answer 139

No, you have to use a valid public signed cert.

Question 140

I have an on-prem origin and I wnat to add a cert, what do I need to ensure

Answer 140

You need to ensure the origin domain name matches the on-prem origin cert

Question 141

I wnat to restrict people using my S3 direct without going through CF, how cna I do this?

Answer 141

Configure ‘Origin identity’

Question 142

Explain how Origin Identity works?

Answer 142

It creates an identity in CF they are sent in S3 request, S3 uses the policy to check, this way a user is unable to send a request with the origin identity and will be rejected.

Question 143

How can I give a user a way to download or upload from a bucket for a time-limited period?

Answer 143

Use a pre-signed URL, you can generate a pre-signed URL.

Question 144

What is a pre-signed URL?

Answer 144

This is a URL you generate that has a time limit and alos enables the user of the URL to upload or download.

Question 145

What permissions do you have when using a pre-signed URL?

Answer 145

you have the permission of the user thet generated the URL

Question 146

What is a CF trusted signer?

Answer 146

It means the CF behaviour is private and the origin cna only be accessed with signed URL’s, It means that the only way to get access to the content vis CF and a signed URL or cookie.

Question 147

I wnat to enable a user to access RTMP for a time period, how do I set up signed cookies?

Answer 147

Signed cookies can not be used with RTMP so you have to use signed URL’s

Question 148

Can you access whole areas in the distribution with a signed URL?

Answer 148

No, signed URLs are good for a single object, signed cookies can be used for whole areas.

Question 149

I wnat to restrict a geo country, what options do I have?

Answer 149

You have the ability to use the build-in geo-restriction on the behaviour and white or black like based on the country.

Question 150

I have a web app, I own the code, how can I ensure my app only works while the user is in one of the US cities I have licence into download content from CF?

Answer 150

You cna have you app take it geo form the mobile phone and send it as part of a request to a server-side app thet will generate not a signed URL.

Question 151

How does field-level encryption work?

Answer 151

• You generate a public and private key and give CF the private key, CF pushes the private key out to edge nodes. Edge nodes use signed key to encrypt up to 10 fields and then send the HTTP request through the system to the application, the application used the private key to unencrypt the data.

Question 152

Where cna I see the cache hits?

Answer 152

In the CloudFront stats.

Question 153

What is the Default TTL used for?

Answer 153

This is the TTL value given if the origin has not given a TTL.

Question 154

What happen in CF if the TTL is shot say 60sec?

Answer 154

A client makes a request, the edge does not have the object and reached out to the regional location and the region location reaches out to the origin and the origin responds with no TTL and the CF puts in the default and the region saves the object with the default TTL and the edge saves the object using the TTL and after 60sec the TT expires and all objects are removed from both the edge and region locations.

Question 155

How cna you override the TTL sent from an origin?

Answer 155

Use the Min and Max, they override the origin TTL.

Question 156

What is the default behaviour of the CF with query strings?

Answer 156

Not to pass the query strings on to the origin, you can change this and have query strings passed to the origin. You can also create a white list so we cache on the day the language in the query string.

Question 157

What are the way you can influence how CF caches?

Answer 157

• Cookies
• Query strings
• Headers

Question 158

Are lambda functions at the edge based on distribution?

Answer 158

No, thye are based on behaviour

Question 159

Where is the lambda function executedCF/ in reference to

Answer 159

The lambda function is pushed out to the edge.