AWS CloudFront & Global Accelerator Flashcards
What is Amazon CloudFront?
A Content Delivery Network (CDN) that improves the performance of content delivery by caching content at edge locations globally, reducing latency for users worldwide.
How does CloudFront improve user experience?
Caching content at edge locations near users for faster access.
Reducing latency by avoiding the need to retrieve content from the origin for repeated requests.
DDoS protection by distributing traffic globally and integrating with AWS Shield and AWS Web Application Firewall (WAF).
What are the main types of origins CloudFront supports?
S3 Buckets: For distributing static files.
Custom HTTP Backends: Such as Application Load Balancers, EC2 instances, or S3 static websites.
S3 for Ingress: For uploading files to an S3 bucket through CloudFront.
How does CloudFront caching work?
A client requests content from an edge location.
If the content is in the cache, it is served immediately.
If not, the edge location fetches the content from the origin (e.g., S3 bucket).
The fetched content is cached locally at the edge for future requests.
What is required to secure an S3 bucket with CloudFront?
Use Origin Access Control (OAC) to ensure only CloudFront can access the S3 bucket.
Modify the S3 bucket policy to allow access only from the OAC.
What is required for CloudFront to access an EC2 instance directly?
Public EC2 instance: The instance must have a public IP because CloudFront does not have private VPC connectivity.
Security Group Configuration: The security group of the EC2 instance must allow incoming requests from the public IPs of CloudFront edge locations.
How can CloudFront access EC2 instances indirectly using an Application Load Balancer (ALB)?
Public ALB: The ALB must have a public IP to connect with CloudFront.
Private EC2 Instances: The backend EC2 instances can remain private within a VPC.
Security Group Rules:
ALB’s security group must allow traffic from CloudFront’s public IPs.
EC2 instances’ security group must allow traffic from the ALB’s security group.
Why must EC2 instances or ALBs be public for CloudFront to connect?
CloudFront edge locations do not have private VPC connectivity, so the origin (EC2 or ALB) must be publicly accessible.
What are the advantages of using an ALB with CloudFront instead of direct EC2 instance access?
Private Backend: EC2 instances can remain private within the VPC.
Load Balancing: Distribute traffic across multiple EC2 instances.
Simplified Security: The EC2 instances’ security group only needs to allow traffic from the ALB’s security group, not from CloudFront’s public IP ranges.
What is CloudFront Geo Restriction?
A feature that restricts access to your CloudFront distribution based on the country of the requester’s IP address.
What are the two types of Geo Restriction lists in CloudFront?
Allowlist: Grants access only to the specified countries.
Blocklist: Denies access to the specified countries.
What is a common use case for Geo Restriction?
Enforcing copyright laws to control access to content based on geographic regions.
Why do CloudFront edge locations have different pricing?
The cost of data transfer out varies by geographic region due to differences in operational costs.
What are CloudFront Price Classes?
Price Classes allow you to choose a subset of edge locations to reduce costs.
Price Class All: Uses all edge locations globally for best performance.
Price Class 200: Excludes the most expensive regions (e.g., India, South America).
Price Class 100: Limits edge locations to the least expensive regions (e.g., North America, Europe).
What happens when CloudFront’s cache TTL expires?
When the TTL (Time-to-Live) expires, CloudFront fetches updated content from the backend origin (e.g., S3 bucket).